Login mapping configuration settings
Use this page to specify the Java™ Authentication and Authorization Service (JAAS) login configuration settings that are used to validate security tokens within incoming messages.
- Click
- Under Additional properties, click Login mappings.
- Click either New to create a new login mapping configuration or click the name of an existing configuration.
- Click .
- Under Security, click JAX-WS and JAX-RPC security runtime.
Mixed-version environment: In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security.
- Under Additional properties, click Login mappings.
- Click either New to create a new login mapping configuration or click the name of an existing configuration.
- Click .
- Under Modules, click .
- Under Web Services Security Properties, click Web services: Server security bindings.
- Click Edit under Request receiver binding.
- Click Login mappings.
- Click either New to create a new login mapping configuration or click the name of an existing configuration.
Authentication method
Specifies the method of authentication.
- BasicAuth
- Uses both a user name and a password.
- IDAssertion
- Uses only a user name, but requires that additional trust is established on the receiving server using a TrustedIDEvaluator mechanism.
- Signature
- Uses the distinguished name (DN) of the signer.
- LTPA
- Validates a token.
JAAS configuration name
Specifies the name of the Java Authentication and Authorization Service (JAAS) configuration.
- system.wssecurity.IDAssertion
- Enables a version 6.x application to use identity assertion to map a user name to a WebSphere Application Server credential principal.
- system.wssecurity.Signature
- Enables a version 6.x application to map a distinguished name (DN) in a signed certificate to a WebSphere Application Server credential principal.
- system.LTPA_WEB
- Processes login requests that are used by the web container such as servlets and JavaServer Pages (JSP) files.
- system.WEB_INBOUND
- Handles logins for web application requests, which include servlets and JavaServer Pages.
- system.RMI_INBOUND
- Handles logins for inbound Remote Method Invocation (RMI) requests.
- system.DEFAULT
- Handles the logins for inbound requests made by internal authentications and most of the other protocols except web applications and RMI requests.
- system.RMI_OUTBOUND
- Processes RMI requests that are sent outbound to another server when the com.ibm.CSIOutboundPropagationEnabled property is true. This property is set in the CSIv2 outbound authentication panel. To access the panel, expand RMI/IIOP security, then click CSIv2 Outbound authentication. To set the com.ibm.CSIOutboundPropagationEnabled property, select Security attribute propagation.
- system.wssecurity.X509BST
- Verifies an X.509 binary security token (BST) by checking the validity of the certificate and the certificate path.
- system.wssecurity.PKCS7
- Verifies an X.509 certificate with a certificate revocation list in a PKCS7 object.
- system.wssecurity.PkiPath
- Verifies an X.509 certificate with a public key infrastructure (PKI) path.
- system.wssecurity.UsernameToken
- Verifies basic authentication (user name and password).
- Click .
- Expand Java Authentication and Authorization Service, then click System logins.
- ClientContainer
- Specifies the login configuration that is used by the client container application, which uses the CallbackHandler API that is defined in the deployment descriptor of the client container.
- WSLogin
- Specifies whether all applications can use the WSLogin configuration to perform authentication for the WebSphere Application Server security run time.
- DefaultPrincipalMapping
- Specifies the login configuration used by Java 2 Connectors (J2C) to map users to principals that are defined in the J2C authentication data entries.
- Click .
- Expand Java Authentication and Authorization Service, then click Application logins.
Do not remove these predefined system or application login configurations. Within these configurations, you can add module class names and specify the order in which WebSphere Application Server loads each module.
Callback handler factory class name
Specifies the name of the factory for the CallbackHandler class.
You must implement the com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory class in this field.
Token type URI
Specifies the namespace Uniform Resource Identifiers (URI), which denotes the type of security token that is accepted.
If binary security tokens are accepted, the value denotes the ValueType attribute in the element. The ValueType attribute identifies the type of security token and its namespace. If Extensible Markup Language (XML) tokens are accepted, the value denotes the top-level element name of the XML token.
If the reserved words are specified previously in the Authentication method field, this field is ignored.
Information | Value |
---|---|
Data type: | Unicode characters except for non-ASCII characters, but including the number sign (#), the percent sign (%), and the brackets ([ ]). |
Token type local name
Specifies the local name of the security token type, for example, X509v3.
If binary security tokens are accepted, the value denotes the ValueType attribute in the element. The ValueType attribute identifies the type of security token and its namespace. If Extensible Markup Language (XML) tokens are accepted, the value denotes the top-level element name of the XML token.
If the reserved words are specified previously in the Authentication method field, this field is ignored.
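The following is an added example, not WebSphere code, that models how the Token type URI and Token type local name pair selects a login mapping: for a binary security token the pair is read from the ValueType attribute (URI, then the fragment after `#`), and for an XML token it is the namespace and top-level element name. The mapping table, the sample headers and the token contents are constructed for illustration; the OASIS namespace and X.509 token profile URIs are the standard ones.

```python
"""Select a login mapping from the security token type in a wsse:Security header.

Added example, not WebSphere code. Token type URI and Token type local name
are matched as a pair against a constructed mapping table.
"""
import xml.etree.ElementTree as ET

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
BASE64_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

# Constructed mapping: (Token type URI, Token type local name) -> JAAS configuration name.
LOGIN_MAPPINGS = {
    (X509_PROFILE, "X509v3"): "system.wssecurity.X509BST",
    (WSSE_NS, "UsernameToken"): "system.wssecurity.UsernameToken",
}


def split_tag(tag):
    """Split an ElementTree tag of the form '{namespace}local' into its parts."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def token_type(element):
    """Return the (URI, local name) pair that identifies one token element.

    Binary tokens carry the type in the ValueType attribute as 'uri#name';
    XML tokens are identified by their namespace and top-level element name.
    """
    ns, local = split_tag(element.tag)
    if ns == WSSE_NS and local == "BinarySecurityToken":
        uri, sep, name = element.get("ValueType", "").rpartition("#")
        if not sep:
            return None  # no fragment, so there is no local name to match
        return uri, name
    return ns, local


def select_login_mapping(security_header_xml):
    """Return the JAAS configuration for the first recognised token, or None."""
    header = ET.fromstring(security_header_xml)
    for child in header:
        key = token_type(child)
        if key in LOGIN_MAPPINGS:
            return LOGIN_MAPPINGS[key]
    return None  # no mapping matched: the runtime would reject the message


# Constructed sample headers; token contents are placeholders, not real tokens.
X509_HEADER = f"""<wsse:Security xmlns:wsse="{WSSE_NS}">
  <wsse:BinarySecurityToken ValueType="{X509_PROFILE}#X509v3"
      EncodingType="{BASE64_ENCODING}">MIIB...placeholder...</wsse:BinarySecurityToken>
</wsse:Security>"""

USERNAME_HEADER = f"""<wsse:Security xmlns:wsse="{WSSE_NS}">
  <wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
</wsse:Security>"""

UNKNOWN_HEADER = f"""<wsse:Security xmlns:wsse="{WSSE_NS}">
  <wsse:BinarySecurityToken ValueType="urn:example:unknown-token">AAAA</wsse:BinarySecurityToken>
</wsse:Security>"""

if __name__ == "__main__":
    for name, header in [("x509", X509_HEADER), ("username", USERNAME_HEADER), ("unknown", UNKNOWN_HEADER)]:
        print(name, "->", select_login_mapping(header))
```

A ValueType without a `#` fragment, or a token type absent from the table, yields no mapping, which is the case the panel's "accepted" wording implies: only token types that are explicitly configured are validated.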
Nonce maximum age
Specifies the time, in seconds, before the nonce timestamp expires. Nonce is a randomly generated value.
You must specify a minimum of 300 seconds for the Nonce maximum age field. However, the maximum value cannot exceed the number of seconds specified in the Nonce cache timeout field for either the cell level or the server level.
- Click .
- Click .
- Under Security, click JAX-WS and JAX-RPC security runtime.
Mixed-version environment: In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security.
If you specify the BasicAuth method, but do not specify values for the Nonce maximum age field, the Web Services Security run time searches for a Nonce maximum age value on the server level. If a value is not found on the server level, the run time searches the cell level. If a value is not found on either the server level or the cell level, the default is 300 seconds.
Information | Value |
---|---|
Default | 300 seconds |
Range | 300 to Nonce cache timeout seconds |
Nonce clock skew
Specifies the clock skew value, in seconds, to consider when WebSphere Application Server checks the freshness of the message. Nonce is a randomly generated value.
- Click .
- Click .
- Under Security, click JAX-WS and JAX-RPC security runtime.
Mixed-version environment: In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security.
You must specify a minimum of zero (0) seconds for the Nonce Clock Skew field. However, the maximum value cannot exceed the number of seconds that is specified in the Nonce maximum age field on this Login mappings panel.
Information | Value |
---|---|
Default | 0 seconds |
Range | 0 to Nonce Maximum Age seconds |
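The following is an added example, not WebSphere code, that shows the freshness and replay check the Nonce maximum age and Nonce clock skew settings govern, together with the range rules stated above for both fields (minimum 300 seconds, not above the Nonce cache timeout; skew between 0 and the maximum age). How the skew is folded into the comparison and how long a nonce is cached are this example's assumptions; the sample values are constructed.

```python
"""Nonce freshness and replay check for Web Services Security login mappings.

Added example, not WebSphere code. Assumptions: a message is fresh when its
wsu:Created age lies within Nonce maximum age plus Nonce clock skew, a timestamp
may lead the local clock by at most the skew, and an accepted nonce is kept for
the Nonce cache timeout so it cannot be replayed while it would still be fresh.
"""
from datetime import datetime, timedelta, timezone


def parse_created(value):
    """Parse a wsu:Created timestamp such as 2024-01-01T12:00:00Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_settings(max_age, clock_skew, cache_timeout):
    """Apply the range rules from the Login mappings panel; raise ValueError if violated."""
    if max_age < 300:
        raise ValueError("Nonce maximum age must be at least 300 seconds")
    if max_age > cache_timeout:
        raise ValueError("Nonce maximum age cannot exceed the Nonce cache timeout")
    if not 0 <= clock_skew <= max_age:
        raise ValueError("Nonce clock skew must be between 0 and Nonce maximum age")
    return True


class NonceCache:
    """Remembers accepted nonces and rejects stale, future-dated or repeated ones."""

    def __init__(self, max_age, clock_skew, cache_timeout):
        validate_settings(max_age, clock_skew, cache_timeout)
        self.max_age = max_age
        self.clock_skew = clock_skew
        self.cache_timeout = cache_timeout
        self._seen = {}  # nonce -> time at which the entry leaves the cache

    def _purge(self, now):
        """Drop entries whose cache timeout has passed."""
        for nonce, expires in list(self._seen.items()):
            if expires <= now:
                del self._seen[nonce]

    def check(self, nonce, created, now):
        """Return (accepted, reason) for a message carrying `nonce` created at `created`."""
        self._purge(now)
        age = (now - created).total_seconds()
        if age > self.max_age + self.clock_skew:
            return False, "expired"
        if age < -self.clock_skew:
            return False, "created in the future"
        if nonce in self._seen:
            return False, "replay"
        self._seen[nonce] = now + timedelta(seconds=self.cache_timeout)
        return True, "fresh"


if __name__ == "__main__":
    # Constructed settings: max age 300 s, skew 60 s, cache timeout 600 s.
    cache = NonceCache(300, 60, 600)
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    print(cache.check("n1", parse_created("2024-01-01T11:58:20Z"), now))  # fresh
    print(cache.check("n1", parse_created("2024-01-01T11:58:20Z"), now))  # replay
    print(cache.check("n2", parse_created("2024-01-01T11:53:20Z"), now))  # expired
```

Keeping an accepted nonce for the full cache timeout is what makes the "maximum age cannot exceed Nonce cache timeout" rule matter: if the cache forgot a nonce before its message could no longer pass the age check, a captured message could be presented a second time and accepted.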