Why and when to perform this task
This task describes the steps needed to specify the token consumer on the application level. The information is used on the consumer side to incorporate the security token. Complete the following steps to configure the token consumer on the application level:
Steps for this task
Property name | Value |
---|---|
trustedId_0 | CN=Bob,O=ACME,C=US |
trustedId_1 | user1 |
If a distinguished name (DN) is used, spaces are removed before the comparison. See the programming model information in the documentation for an explanation of how to implement the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator interface. For more information, see Default implementations of the Web services security service provider programming interfaces.
The trusted ID evaluator configuration is available only for the token consumer on the server-side application level.
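The following standalone Java class is an added illustration of how a trustedId_N list is evaluated, with whitespace removed from distinguished names before comparison; it is not IBM's code and does not implement the product's com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator interface (the class name TrustedIdListEvaluator and its constructor are assumptions, and the real interface's method signatures come from the programming model documentation).

```java
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Illustrative evaluator (assumed name): accepts an identity only if it is listed in a trustedId_N property. */
public class TrustedIdListEvaluator {
    private final Set<String> trusted = new HashSet<>();

    /** Removes all whitespace so "CN=Bob, O=ACME, C=US" and "CN=Bob,O=ACME,C=US" compare equal. */
    static String normalize(String id) {
        return id.replaceAll("\\s+", "");
    }

    /** Reads every property named trustedId_<n>; properties with other names are ignored. */
    public TrustedIdListEvaluator(Map<String, String> properties) {
        for (Map.Entry<String, String> e : properties.entrySet()) {
            if (e.getKey().matches("trustedId_\\d+")) {
                trusted.add(normalize(e.getValue()));
            }
        }
    }

    /** Returns true only for an exact (whitespace-insensitive) match; an empty list trusts nobody. */
    public boolean evaluate(String id) {
        return id != null && trusted.contains(normalize(id));
    }

    public static void main(String[] args) {
        // Constructed sample configuration matching the two properties shown in this topic.
        Map<String, String> props = new LinkedHashMap<>();
        props.put("trustedId_0", "CN=Bob,O=ACME,C=US");
        props.put("trustedId_1", "user1");
        TrustedIdListEvaluator ev = new TrustedIdListEvaluator(props);
        System.out.println(ev.evaluate("CN=Bob, O=ACME, C=US")); // true: spaces removed before comparison
        System.out.println(ev.evaluate("user1"));                 // true: listed as trustedId_1
        System.out.println(ev.evaluate("CN=Eve,O=ACME,C=US"));    // false: not in the list
        System.out.println(ev.evaluate("user10"));                // false: no prefix or substring matching
    }
}
```

The last two calls show the behaviour a practitioner should check for: an identity that is not listed, or that merely starts with a listed value, is rejected.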
URI | Local name | Description |
---|---|---|
A namespace URI is not applicable. | Specify http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 as the local name value. | Specifies the name of an X.509 certificate token |
A namespace URI is not applicable. | Specify http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1 as the local name value. | Specifies the name of the X.509 certificates in a PKI path |
A namespace URI is not applicable. | Specify http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7 as the local name value. | Specifies a list of X509 certificates and certificate revocation lists (CRL) in a PKCS#7 |
Specify http://www.ibm.com/websphere/appserver/tokentype/5.0.2 as the URI value. | Specify LTPA as the local name value. | Specifies a binary security token that contains an embedded Lightweight Third Party Authentication (LTPA) token. |
Example scenario: A client sends a username token to the server. The custom token consumer on the server uses the security token service to authenticate the user name information. The username token is used to create a new token type such as a Security Assertion Markup Language (SAML) token. You can use the identity from the SAML token for authentication and authorization verification in WebSphere Application Server.
If you want to specify another token, you must specify both the local name and the URI. For example, if you have an implementation of your own custom token, you can specify CustomToken in the Local name field and http://www.ibm.com/custom
To access the panel, click Security > Global security. Under Authentication, click Authentication protocol > CSIv2 outbound authentication. To set the com.ibm.CSI.rmiOutboundLoginEnabled property, select the Custom outbound mapping option. To set the com.ibm.CSIOutboundPropagationEnabled property, select the Security attribute propagation option. To modify this JAAS login configuration, see the JAAS configuration panel for system logins.
Result
You have configured the token consumer for the application level.
What to do next
You must specify a similar token generator configuration for the application level.
Related concepts
Default implementations of the Web services security service provider programming interfaces
Related tasks
Configuring the collection certificate store for the consumer binding on the application level
Configuring token consumer on the application level
Securing Web services for Version 6 and later applications based on WS-Security