Token generator configuration settings
Use this page to specify the information for the token generator.
The information is used at the generator side only to generate the security
token.
To view this administrative console page for the server level, complete
the following steps:
- Click Servers > Application servers > server_name.
- Under Security, click Web services: Default bindings for Web services security.
- Under Default generator bindings, click Token generators > token_generator_name, or click New to create a new token generator.
- Click Applications > Enterprise applications > application_name.
- Under Related items, click Manage modules > URI_name.
- Under Additional properties, you can access the token generator information for the following bindings:
  - For the Request generator (sender) binding, click Web services: Client security bindings. Under Request generator (sender) binding, click Edit custom.
  - For the Response generator (sender) binding, click Web services: Server security bindings. Under Response generator (sender) binding, click Edit custom.
- Click New to create a new token generator, or click the name of an existing token generator to specify its settings.
To view this administrative console page for the application level, complete
the following steps:
- Click Applications > Enterprise applications > application_name.
- Click Manage modules > URI_name.
- Under Web Services Security Properties, click Web
services: Client security bindings.
- Under Request generator (sender) binding, click Edit custom.
- Under Additional properties, click Token generators > New.
Before specifying additional properties, specify a value in the Token
generator name and the Token generator class name fields.
Token generator name
Specifies the name of the token generator configuration.
For example, the token generator name might be sig_tgen for signing.
Token generator class name
Specifies the name of the token generator implementation class.
This class must implement the com.ibm.wsspi.wssecurity.token.TokenGeneratorComponent
interface.
Certificate path
Specifies the certificate revocation list (CRL) that is used for
generating a security token wrapped in a PKCS#7 token type with CRL.
When the token generator is not for a PKCS#7 token type, you must select None.
When the token generator is for the PKCS#7 token type and you want to package
CRL in the security token, select Dedicated signing information and
specify the CRL for the collection certificate store.
You can specify a certificate store configuration for the following bindings on the following levels:

| Binding name | Cell level, server level, or application level | Path |
| --- | --- | --- |
| Default generator bindings | Server level | Click Servers > Application servers > server_name. Under Security, click Web services: Default bindings for Web services security. Under Additional properties, click Collection certificate store. |

Using the collection certificate store, you can configure a related certificate
revocation list by clicking Certificate revocation list under Additional
properties.
Add nonce
Indicates whether a nonce is included in the user name token for
the token generator. A nonce is a unique cryptographic number that is
embedded in a message to help prevent replay attacks in which a captured user name
token is submitted again.
On the application level, if you select the Add nonce option, you
can specify the following properties under Additional properties:

Table 1. Additional nonce properties

| Property name | Default value | Explanation |
| --- | --- | --- |
| com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.cacheTimeout | 600 seconds | Specifies the timeout value, in seconds, for the nonce value that is cached on the server. |
| com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.clockSkew | 0 seconds | Specifies the time, in seconds, before the nonce time stamp expires. |
| com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.maxAge | 300 seconds | Specifies the clock skew value, in seconds, to consider when the application server checks the timeliness of the message. |

These properties are available on the administrative console at the
cell and server level. On the application level, you configure
the properties under Additional properties.
This option is displayed on the cell, server, and application levels. This
option is valid only when the generated token type is a user name token.
Add timestamp
Specifies whether to insert the time stamp into the user name token.
This option is displayed on the cell, server, and application levels. This
option is valid only when the generated token type is a user name token.
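The following Python program is an added illustration, not code from WebSphere or from this page, of what the Add nonce and Add timestamp options place in a user name token, and of how a consumer can use the three nonce properties from Table 1 to reject a replayed token. The wsse/wsu namespaces and the Base64Binary EncodingType URI are the OASIS WS-Security 1.0 values; the meaning given to each property here (maxAge bounds how old the wsu:Created time stamp may be, clockSkew is the tolerated clock difference, cacheTimeout is how long a seen nonce is remembered) is an assumption drawn from the property names, and the build_username_token function, the NonceChecker class and the sample time values are constructed for the example.

```python
"""Nonce and time stamp handling for a WS-Security UsernameToken.

Added illustration, not WebSphere code. The generator side builds a
wsse:UsernameToken carrying a random Nonce and a wsu:Created time stamp;
the consumer side applies the three Table 1 nonce properties with the
meaning their names imply (an assumption, not taken from the page):
  maxAge       - how old a Created time stamp may be before it is rejected
  clockSkew    - tolerated clock difference between generator and consumer
  cacheTimeout - how long a seen nonce is remembered for replay detection
"""
import base64
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
# EncodingType URI for a base64 nonce, from WSS SOAP Message Security 1.0
B64_ENCODING = ("http://docs.oasis-open.org/wss/2004/01/"
                "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

ET.register_namespace("wsse", WSSE_NS)
ET.register_namespace("wsu", WSU_NS)


def to_created(epoch_seconds):
    """Format an epoch time as the UTC xsd:dateTime string used in wsu:Created."""
    return datetime.fromtimestamp(int(epoch_seconds), timezone.utc).strftime(TIME_FMT)


def from_created(text):
    """Parse a wsu:Created string back to epoch seconds (UTC)."""
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc).timestamp()


def build_username_token(username, now, nonce_bytes=None):
    """Generator side: emit a UsernameToken with 'Add nonce' and 'Add timestamp' applied.

    nonce_bytes is injectable only so the example is deterministic in tests;
    a real generator always draws fresh random bytes.
    """
    nonce_bytes = nonce_bytes if nonce_bytes is not None else os.urandom(16)
    token = ET.Element(f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE_NS}}}Username").text = username
    nonce = ET.SubElement(token, f"{{{WSSE_NS}}}Nonce", {"EncodingType": B64_ENCODING})
    nonce.text = base64.b64encode(nonce_bytes).decode("ascii")
    ET.SubElement(token, f"{{{WSU_NS}}}Created").text = to_created(now)
    return ET.tostring(token, encoding="unicode")


class NonceChecker:
    """Consumer-side replay check driven by the Table 1 properties (values in seconds)."""

    def __init__(self, cache_timeout=600, max_age=300, clock_skew=0):
        self.cache_timeout = cache_timeout
        self.max_age = max_age
        self.clock_skew = clock_skew
        self._seen = {}  # nonce -> epoch time at which the cache entry may be dropped

    def check(self, token_xml, now):
        """Return (accepted, reason) for one incoming UsernameToken."""
        root = ET.fromstring(token_xml)
        nonce_el = root.find(f"{{{WSSE_NS}}}Nonce")
        created_el = root.find(f"{{{WSU_NS}}}Created")
        if nonce_el is None or created_el is None:
            return False, "missing nonce or time stamp"
        age = now - from_created(created_el.text)
        # Timeliness: reject stamps older than maxAge (plus skew) or from the future.
        if age > self.max_age + self.clock_skew:
            return False, "time stamp too old"
        if age < -self.clock_skew:
            return False, "time stamp in the future"
        # Drop cache entries whose cacheTimeout has elapsed before looking up the nonce.
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if nonce_el.text in self._seen:
            return False, "nonce replayed"
        self._seen[nonce_el.text] = now + self.cache_timeout
        return True, "accepted"
```

The replay check only holds if a nonce stays cached for at least as long as its time stamp remains acceptable, that is, cacheTimeout should be no smaller than maxAge plus clockSkew. The default values in Table 1 (600, 300 and 0 seconds) satisfy this; a cache timeout shorter than the maximum age lets a token be accepted again once its cache entry is evicted, which the checker above would reproduce.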
Value type local name
Specifies the local name of the value type for the generated token.
For a user name token and an X.509 certificate security token, this product
provides predefined value types. When you specify the following local names,
you do not need to specify the Uniform Resource Identifier (URI) of value
type.
- Username token: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
- X509 certificate token: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509
- X509 certificates in a PKIPath: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1
- A list of X509 certificates and CRLs in a PKCS#7: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7
- Lightweight Third Party Authentication (LTPA): LTPA
- LTPA token propagation: LTPA_PROPAGATION
Important: For LTPA, the value type local name
is LTPA. If you enter LTPA for the local name, you must
specify the http://www.ibm.com/websphere/appserver/tokentype/5.0.2 URI value
in the Value type URI field as well. For LTPA token propagation, the value
type local name is LTPA_PROPAGATION. If you enter LTPA_PROPAGATION for
the local name, you must specify the http://www.ibm.com/websphere/appserver/tokentype
URI value in the Value type URI field as well. For the other predefined value
types (Username token, X509 certificate token, X509 certificates in a PKIPath,
and a list of X509 certificates and CRLs in a PKCS#7), the value for the local
name field begins with http://. For example, if you are specifying
the user name token for the value type, enter http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken in the Value type local name field and then you do not need to enter a value
in the Value type URI field.
When you specify a custom value type for custom tokens, you can specify
the local name and the URI of the qualified name (QName) of the value type.
For example, you might specify Custom for the local name and http://www.ibm.com/custom for
the URI.
Value type URI
Specifies the namespace URI of the value type for the generated
token.
When you specify the token generator for the user name token or the X.509
certificate security token, you do not need to specify this option. If you
want to specify another token, specify the URI of the QName of the value type.
The application server provides the following predefined value type URIs:
- For the LTPA token: http://www.ibm.com/websphere/appserver/tokentype/5.0.2
- For the LTPA token propagation: http://www.ibm.com/websphere/appserver/tokentype
