File name: uwbs_tokenconsumern.html
Token consumer configuration settings
Use this page to specify the information for the token consumer.
The information is used at the consumer side only to process the security
token.
To view this administrative console page for the server level, complete
the following steps:
- Click Servers > Application servers > server_name.
- Under Security, click Web services: Default bindings for Web services
security.
- Under Default consumer bindings, click Token consumers > token_consumer_name or
click New to create a new token consumer.
To view this administrative
console page for Version 6 and later applications on the application level,
complete the following steps:
- Click Applications > Enterprise applications > application_name.
- Click Manage modules > URI_name.
- Under Web Services Security Properties, you can access
the signing information for the following bindings:
- For the Response generator (sender) binding, click Web services: Server
security bindings. Under Response generator (sender) binding, click Edit
custom. Under Required properties, click Token consumers.
- For the Response consumer (receiver) binding, click Web services: Client
security bindings. Under Response consumer (receiver) binding, click Edit
custom. Under Required properties, click Token consumers.
- Click New to specify a new configuration or click the name of an
existing configuration to modify its settings.
Before specifying additional properties, specify a value in the Token consumer
name, the Token consumer class name, and the Value type local name fields.
Token consumer name
Specifies the name of the token consumer configuration.
For example,
the token consumer name might be sig_tcon for signing.
Part reference
Specifies a reference to the name of the security token that is
defined in the deployment descriptor.
On the application level, when the security token is not specified in the
deployment descriptor, the Part reference field is not displayed.
Certificate path
Specifies the trust anchor and the certificate store.
You can select the following options:
- None
- If you select this option, the certificate path is not specified.
- Trust any
- If you select this option, any certificate is trusted. The certificate path of the
received token is not validated when the token is incorporated.
- Dedicated signing information
- If you select this option, you can specify the trust anchor and the certificate
store. When you select the trust anchor or the certificate store of a trusted
certificate, you must configure the collection certificate store before setting
the certificate path.
Trust anchor
You can specify a trust anchor for the following bindings on the following levels:
Binding name: Default consumer binding
Server level or application level: Server level
Path:
- Click Servers > Application servers > server_name.
- Under Security, click Web services: Default bindings for Web services security.
- Under Additional properties, click Trust anchors.
Certificate store
You can specify a certificate path configuration for the following bindings on the
following levels:
Binding name: Default consumer binding
Server level or application level: Server level
Path:
- Click Servers > Application servers > server_name.
- Under Security, click Web services: Default bindings for Web services security.
- Under Additional properties, click Collection certificate store.
Trusted ID evaluator reference
Specifies the reference to the Trusted ID evaluator class name
that is defined in the Trusted ID evaluators panel. The trusted ID evaluator
is used for determining whether the received ID is trusted.
You can select the following options:
- None
- If you select this option, the trusted ID evaluator is not specified.
- Existing evaluator definition
- If you select this option, you can select one of the configured trusted
ID evaluators.
You can specify a certificate path configuration for the following bindings on the
following levels:
Binding name: Default consumer binding
Server level or application level: Server level
Path:
- Click Servers > Application servers > server_name.
- Under Security, click Web services: Default bindings for Web services security.
- Under Additional properties, click Trusted ID evaluators.
- Binding evaluator definition
- If you select this option, you can specify a new trusted ID evaluator
and its class name.
When you select a trusted ID evaluator reference, you must configure the
trusted ID evaluators before setting the token consumer.
The Trusted ID evaluator field is displayed in the default binding configuration
and the application server binding configuration.
Verify nonce
Specifies whether the nonce of the user name token is verified.
This option is displayed on the cell, server, and application levels. This
option is valid only when the type of incorporated token is the user name
token.
Verify timestamp
Specifies whether the time stamp of the user name token is verified.
This option is displayed on the cell, server, and application levels. This
option is valid only when the type of incorporated token is the user name
token.
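The nonce and time stamp checks described for the user name token, written out as an added Python example that is not part of this documentation or of the WebSphere product. The namespaces and the digest formula (Base64 of SHA-1 over nonce, Created and password) follow the WS-Security UsernameToken Profile 1.0; the user store, the five-minute clock-skew window, the nonce lifetime and the sample token values are assumptions made up for the example.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces and the PasswordDigest type from the WS-Security 1.0 specifications.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)) as defined by the UsernameToken profile."""
    material = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(material).digest()).decode()


def build_username_token(username: str, password: str, nonce_b64: str, created: str) -> str:
    """Constructed sample token, as a sender would emit it (not a product artefact)."""
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_DIGEST}">'
        f"{password_digest(nonce_b64, created, password)}</wsse:Password>"
        f"<wsse:Nonce>{nonce_b64}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


class UsernameTokenConsumer:
    """Consumer-side checks: time stamp freshness, nonce replay, password digest."""

    def __init__(self, passwords, clock_skew=timedelta(minutes=5), nonce_ttl=timedelta(minutes=10)):
        self.passwords = passwords      # username -> password (hypothetical user store)
        self.clock_skew = clock_skew    # tolerated gap between sender and receiver clocks
        self.nonce_ttl = nonce_ttl      # how long a nonce is remembered; keep it > clock_skew
        self.seen_nonces = {}           # nonce -> time at which the entry may be dropped

    def consume(self, token_xml: str, now: datetime):
        root = ET.fromstring(token_xml)
        username = root.findtext(f"{{{WSSE}}}Username")
        password_el = root.find(f"{{{WSSE}}}Password")
        nonce = root.findtext(f"{{{WSSE}}}Nonce")
        created = root.findtext(f"{{{WSU}}}Created")
        if username is None or password_el is None or nonce is None or created is None:
            return False, "missing element"
        if password_el.get("Type") != PASSWORD_DIGEST:
            return False, "only PasswordDigest is accepted here"

        # Verify timestamp: Created must lie within the clock-skew window around now,
        # which rejects both stale tokens and tokens dated in the future.
        try:
            created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed Created timestamp"
        if abs(now - created_at) > self.clock_skew:
            return False, "timestamp outside the accepted window"

        # Verify nonce: forget expired entries, then reject any nonce already seen.
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp > now}
        if nonce in self.seen_nonces:
            return False, "nonce replayed"

        # Verify the digest with a constant-time comparison. The nonce is recorded only
        # for an otherwise valid token, so forged tokens cannot fill the replay cache.
        expected = password_digest(nonce, created, self.passwords.get(username, ""))
        if username not in self.passwords or not hmac.compare_digest(expected, password_el.text or ""):
            return False, "digest mismatch"
        self.seen_nonces[nonce] = now + self.nonce_ttl
        return True, "accepted"


def demo():
    """Runs four constructed scenarios and returns the consumer's verdict for each."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    consumer = UsernameTokenConsumer({"alice": "secret"})
    fresh = build_username_token("alice", "secret", "bm9uY2Ux", "2024-01-01T11:59:00Z")
    stale = build_username_token("alice", "secret", "bm9uY2Uy", "2024-01-01T11:00:00Z")
    forged = build_username_token("alice", "wrong", "bm9uY2Uz", "2024-01-01T12:00:00Z")
    return [
        consumer.consume(fresh, now)[1],                          # accepted
        consumer.consume(fresh, now + timedelta(seconds=30))[1],  # same token again: replay
        consumer.consume(stale, now)[1],                          # an hour old: outside window
        consumer.consume(forged, now)[1],                         # wrong password: digest mismatch
    ]


if __name__ == "__main__":
    print(demo())
```

The nonce lifetime must be longer than the clock-skew window, otherwise a token could be replayed after its nonce has been forgotten but while its Created value is still accepted; the constructor defaults above keep that relationship.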
Value type local name
Specifies the local name of value type for the consumed token.
This product has predefined value type local names for the user name token
and the X.509 certificate security token. Use the following local names for
the user name token and the X.509 certificate security token. When you specify
the following local names, you do not need to specify the Uniform Resource
Identifier (URI) of the value type:
- Username token: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
- X509 certificate token: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509
- X509 certificates in a PKIPath: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1
- A list of X509 certificates and CRLs in a PKCS#7: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7
- Lightweight Third Party Authentication (LTPA): LTPA_PROPAGATION
Important: For Lightweight Third Party Authentication (LTPA), the value type local
name is LTPA. If you enter LTPA for the local name, you must also specify the
http://www.ibm.com/websphere/appserver/tokentype/5.0.2 URI value in the Value type
URI field. For LTPA token propagation, the value type local name is LTPA_PROPAGATION.
If you enter LTPA_PROPAGATION for the local name, you must also specify the
http://www.ibm.com/websphere/appserver/tokentype URI value in the Value type URI
field. For the other predefined value types (Username token, X509 certificate token,
X509 certificates in a PKIPath, and a list of X509 certificates and CRLs in a PKCS#7),
the value for the local name field begins with http://. For example, if you are
specifying the username token for the value type, enter
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
in the Value type local name field; you then do not need to enter a value in the
Value type URI field.
When you specify a custom value type for custom tokens, you can specify
the local name and the URI of the qualified name (QName) of the value type.
For example, you might specify Custom for the local name and http://www.ibm.com/custom for
the URI.
Value type URI
Specifies the namespace URI of the value type for the integrated
token.
When you specify the token consumer for the user name token or the X.509
certificate security token, you do not need to specify this option. If you
want to specify another token, specify the URI of the QName for the value
type.
The application server provides the following predefined value type URIs:
- For the LTPA token: http://www.ibm.com/websphere/appserver/tokentype/5.0.2
- For the LTPA token propagation: http://www.ibm.com/websphere/appserver/tokentype
