The default binding information is defined in the ws-security.xml file
and can be administered by either the administrative console or by scripting.
Important: There is an important distinction between Version 5.x
applications and Version 6 and later applications. The information in this
article applies only to Version 5.x applications that run on WebSphere
Application Server Version 6.0.x and later. It does not apply to Version 6 and
later applications.
Applications can share certain binding information, including truststores,
keystores, and authentication methods (token validation). WebSphere Application
Server supports this sharing through default binding information: administrators
define the default binding information once, in the ws-security.xml file, and
applications can refer to it.
You can define the following binding information in the ws-security.xml file:
- Trust anchors (truststore)
- Trust anchors contain the keystore configuration information for the keystore
that holds the trusted root certificates. Trust anchors are used for certificate
path validation of incoming X.509-formatted security tokens.
- The Trust Anchor Name is used in the binding file (ibm-webservices-bnd.xmi, or ibm-webservicesclient-bnd.xmi when
the Web service is running as a client) to refer to the trust anchor defined
in the default binding information. The Trust Anchor Name must be unique within
the trust anchor collection.
- Collection certificate store
- The collection certificate store specifies a list of untrusted
intermediate certificates and is used for certificate path validation of incoming
X.509-formatted security tokens. The default provider is IBMCertPath.
- The Certificate Store Name is used in the binding file (ibm-webservices-bnd.xmi, or ibm-webservicesclient-bnd.xmi when
the Web service is running as a client) to refer to the certificate store defined
in the default binding information. The Certificate Store Name must be unique
within the collection certificate store collection.
- Key locators
- Key locators specify an implementation of the com.ibm.wsspi.wssecurity.config.KeyLocator
interface. This interface is used to retrieve keys for signature or encryption.
Custom implementations can extend the key locator interface to retrieve
keys using other methods. WebSphere Application Server provides implementations
that retrieve a key from the keystore, map an authenticated identity to a key
in the keystore, or retrieve a key from the signer certificate (the mapping and
retrieving implementations are used for encrypting the response).
- The Key Locator Name is used in the binding file (ibm-webservices-bnd.xmi, or ibm-webservicesclient-bnd.xmi when
the Web service is running as a client) to refer to the key locator defined in
the default binding information. The Key Locator Name must be unique within the
key locators collection in the default binding information.
- Trusted ID evaluators
- Trusted ID evaluators are implementations of the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator
interface. This interface is used to make sure that the identity (ID)-asserting
authority is trusted. You can extend the trusted identity evaluator to
validate the trust in other ways. WebSphere Application Server provides a default
implementation that validates trust against a predefined list of identities.
- The Trusted ID Evaluator Name is used in the binding file (ibm-webservices-bnd.xmi)
to refer to the trusted identity evaluator defined in the default binding
information. The Trusted ID Evaluator Name must be unique within the Trusted ID
Evaluator collection.
- Login mappings
- Login mappings define the mapping of the authentication
method to the Java Authentication and Authorization Service (JAAS) login configuration.
The mappings are used to authenticate the incoming security token embedded
in the Web services security SOAP message header. The JAAS login configuration
is defined in the administrative console under Security > Secure administration,
applications, and infrastructure > Java Authentication and Authorization Service
> Application logins.
- WebSphere Application Server defines the following authentication methods:
- BasicAuth
- Authenticates user name and password.
- Signature
- Maps the subject distinguished name (DN) in the certificate to a WebSphere
Application Server credential.
- IDAssertion
- Maps the identity to a WebSphere Application Server credential.
- LTPA
- Authenticates a Lightweight Third Party Authentication (LTPA) token.
After identity authentication, the associated credential is
used in the downstream call.
- This method can be extended to authenticate custom security tokens by
providing a custom JAAS login configuration and by using the com.ibm.wsspi.wssecurity.auth.module.WSSecurityMappingModule to
create the principal and credential required by WebSphere Application Server.
- If a LoginConfig (AuthMethod) is defined in the IBM extension deployment
descriptor (ibm-webservices-ext.xmi) but no login mapping binding for that
AuthMethod is defined in the application binding file (ibm-webservices-bnd.xmi),
the Web services security run time falls back to the login mapping defined in
the default binding information.
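The trust anchor and collection certificate store items above describe the two inputs to certificate path validation: a trusted root store and a separate store of untrusted intermediates that is only used to build the chain. The following added example (not IBM's code, and not the IBMCertPath provider) reproduces that split with Go's standard crypto/x509 verifier. It constructs a throwaway root, intermediate and end-entity certificate in memory, then validates the end-entity certificate under four store arrangements to show why the two stores must not be confused: the chain validates only when the root is a trust anchor and the intermediate is in the certificate store, and an intermediate placed directly into the trust anchor store becomes trusted on its own, without reference to the root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pki is the constructed sample input: a self-signed root (what a trust anchor
// holds), an intermediate CA (what a collection certificate store holds) and an
// end-entity certificate of the kind carried in an incoming X.509 security token.
type pki struct {
	root, intermediate, leaf *x509.Certificate
}

// issue signs tmpl under parent with signerKey and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildPKI generates fresh keys and certificates in memory; nothing is read from disk.
func buildPKI() (*pki, error) {
	now := time.Now()
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, interKey, leafKey := keys[0], keys[1], keys[2]

	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign,
		}
	}
	rootTmpl := caTmpl(1, "Constructed Root CA")
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, err
	}
	inter, err := issue(caTmpl(2, "Constructed Intermediate CA"), root, &interKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "ws-client"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leaf, err := issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	if err != nil {
		return nil, err
	}
	return &pki{root: root, intermediate: inter, leaf: leaf}, nil
}

// validatePath models the WebSphere split: trust anchors become the Roots pool
// (trusted), the collection certificate store becomes the Intermediates pool
// (untrusted; used only to connect the token's certificate to a trust anchor).
func validatePath(token *x509.Certificate, trustAnchors, certStore []*x509.Certificate) error {
	roots := x509.NewCertPool() // empty but non-nil, so Go never falls back to system roots
	for _, c := range trustAnchors {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range certStore {
		inters.AddCert(c)
	}
	_, err := token.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	p, err := buildPKI()
	if err != nil {
		panic(err)
	}
	anchors := []*x509.Certificate{p.root}
	store := []*x509.Certificate{p.intermediate}
	fmt.Println("root as anchor, intermediate in store:", validatePath(p.leaf, anchors, store))
	fmt.Println("root as anchor, empty store:          ", validatePath(p.leaf, anchors, nil))
	fmt.Println("no anchors, intermediate in store:    ", validatePath(p.leaf, nil, store))
	fmt.Println("intermediate placed as anchor:        ", validatePath(p.leaf, store, nil))
}
```

The first call returns nil and the next two return an unknown-authority error, which is the intended behaviour: the intermediate alone carries no trust, and the root alone cannot reach the token's certificate. The last call also returns nil, which is the caveat worth remembering when populating the trust anchor keystore: whatever is placed there is trusted outright, so an intermediate belongs in the collection certificate store, not among the trust anchors.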
WebSphere Application Server
In WebSphere Application Server, each server has its own copy of the
ws-security.xml file, which contains the default binding information for Web
services security. There is no cell-level copy of the ws-security.xml file; a
cell-level copy exists only in a WebSphere Application Server Network Deployment
installation.
To navigate to the server-level default binding in the administrative console,
complete the following steps:
- Click Servers > Application Servers > server1.
- Under Security, click Web Services: Default bindings for Web Services Security.
Figure 1. Web services security application-level bindings and server-level
default binding information
If binding information is defined in the application-level binding file of the
Enterprise JavaBeans (EJB) module or Web module (ibm-webservices-bnd.xmi, or
ibm-webservicesclient-bnd.xmi if the Web service is acting as a client on the
server), the Web services security run time uses that application-level
definition in preference to the default binding information. For example, if key
locator K1 is defined in both the application-level binding file and the default
binding file (ws-security.xml), the K1 in the application-level binding file is
used.