Callback handler settings

Use this page to configure callback handler settings, which determine how security tokens are acquired from message headers.

You can configure callback handler settings when you are editing a default cell or server binding. You can also configure custom bindings for tokens and message parts that are required by the policy set.

Avoid trouble: [Updated in June 2011] Before you specify values for the Keystore and Key properties on this page, you must understand that the keystore/alias information that you provide for the generator and the keystore/alias information that you provide for the consumer are used for different purposes. The main difference applies to the alias for an X.509 callback handler:
[Updated in July 2011]
Generator
When used in association with an encryption generator, the alias supplied for the generator is used to retrieve the public key to encrypt the message. A password is not required.

The alias that is entered on a callback handler associated with an encryption generator must be accessible without a password. This means that the alias must not have private key information associated with it in the keystore.

When used in association with a signature generator, the alias supplied for the generator is used to retrieve the private key to sign the message. A password is required.
Consumer
When used in association with an encryption consumer, the alias supplied for the consumer is used to retrieve the private key to decrypt the message. A password is required.

When used in association with a signature consumer, the alias supplied for the consumer is used strictly to retrieve the public key that is used to resolve an X.509 certificate that is not passed in the SOAP security header as a BinarySecurityToken. A password is not required.

The alias that is entered on a callback handler associated with a signature consumer must be accessible without a password. This means that the alias must not have private key information associated with it in the keystore.
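
The alias rules above can be checked against a keystore before the binding is saved. The following is an added example, not IBM code and not part of the original page; the class name AliasRoleCheck, the Role enum, the command-line arguments and the KEYSTORE_PASS environment variable are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

// Added example (not IBM code): does a keystore alias fit a callback handler role?
public class AliasRoleCheck {

    // Roles from the note above; true means the alias must hold a private key.
    enum Role {
        ENCRYPTION_GENERATOR(false), // public key encrypts; no password
        SIGNATURE_GENERATOR(true),   // private key signs; password required
        ENCRYPTION_CONSUMER(true),   // private key decrypts; password required
        SIGNATURE_CONSUMER(false);   // public key resolves the cert; no password
        final boolean needsPrivateKey;
        Role(boolean needsPrivateKey) { this.needsPrivateKey = needsPrivateKey; }
    }

    // Returns null when the alias fits the role, else a description of the mismatch.
    static String check(KeyStore ks, String alias, Role role) throws Exception {
        if (!ks.containsAlias(alias)) {
            return "alias '" + alias + "' is not in the keystore";
        }
        // isKeyEntry: true for private-key (or secret-key) entries, false for trusted certs.
        boolean hasKey = ks.isKeyEntry(alias);
        if (role.needsPrivateKey && !hasKey) {
            return role + " needs a private key; '" + alias + "' is certificate-only";
        }
        if (!role.needsPrivateKey && hasKey) {
            return role + " needs a certificate-only alias; '" + alias + "' holds a key";
        }
        return null;
    }

    // Assumed usage: KEYSTORE_PASS=... java AliasRoleCheck <file> <store-type> <alias> <ROLE>
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: AliasRoleCheck <file> <type> <alias> <ROLE>");
            System.exit(2);
        }
        String pass = System.getenv("KEYSTORE_PASS");
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass == null ? null : pass.toCharArray());
        }
        String problem = check(ks, args[2], Role.valueOf(args[3]));
        System.out.println(problem == null ? "OK: alias fits " + args[3] : "MISMATCH: " + problem);
        System.exit(problem == null ? 0 : 1);
    }
}
```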

New or updated for this feature pack: See the topic Key information settings for more information about the key identifier, X.509 issuer/serial, and thumbprint.

To view this administrative console page when you are editing a default cell binding, complete the following actions:
  1. Click Services > Policy sets > Default policy set bindings.
  2. Click the WS-Security policy in the Policies table.
  3. Click the Authentication and protection link in the Main message security policy bindings section.
  4. Click the name_of_token link in the Protection tokens section or the Authentication tokens section.
  5. Click the Callback handler link.
To view this administrative console page when you are configuring custom bindings for tokens and message parts that are required by the policy set, complete the following actions:
  1. Click Applications > Enterprise applications.
  2. Select an application that contains Web services. The application must contain a service provider or a service client.
  3. Click the Service provider policy sets and bindings link or the Service client policy sets and bindings link in the Web Services Properties section.
  4. Select a binding. You must have previously attached a policy set and assigned a custom binding.
  5. Click the WS-Security policy in the Policies table.
  6. Click the Authentication and protection link in the Main message security policy bindings section.
  7. Click the name_of_token link in the Protection tokens section or the Authentication tokens section.
  8. Click the Callback handler link.

The Callback Handler displays fields differently for different tokens being configured. Depending on whether you are configuring generator or consumer tokens for protection or you are configuring inbound or outbound tokens for authentication, the sections and fields on this panel display some or all of the fields explained in this topic, as noted in the description of each field.

Class name

The fields in the Class name section are available for all types of token configuration.

Select the class name to use for the callback handler. Select the Use built-in default option for normal operation. Use the Use custom option only if you are using a custom token type.

Use built-in default

Specifies that the default value is used for the class name. Use the default value (shown in the field) for the class name when you select this radio button. This name is based on the token type and whether the callback handler is for a token generator or a token consumer. This option is mutually exclusive to the Use custom option.

Use custom

Specifies that a custom value is used for the class name. Select this radio button and enter the name in the field to use a custom class name.

No default value is available for this entry field. Use the information in the following table to determine this value:

Token Type | Consumer or Generator | Callback Handler Class Name
UsernameToken | consumer | com.ibm.websphere.wssecurity.callbackhandler.UNTConsumeCallbackHandler
UsernameToken | generator | com.ibm.websphere.wssecurity.callbackhandler.UNTGenerateCallbackHandler
X509Token | consumer | com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler
X509Token | generator | com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler
LTPAToken/LTPAPropagationToken | consumer | com.ibm.websphere.wssecurity.callbackhandler.LTPAConsumeCallbackHandler
LTPAToken/LTPAPropagationToken | generator | com.ibm.websphere.wssecurity.callbackhandler.LTPAGenerateCallbackHandler
SecureConversationToken | consumer | com.ibm.ws.wssecurity.impl.auth.callback.SCTConsumeCallbackHandler
SecureConversationToken | generator | com.ibm.ws.wssecurity.impl.auth.callback.WSTrustCallbackHandler

This button is mutually exclusive to the Use built-in default option.

Certificates

The fields in the Certificates section are available if you are configuring a protection token. For a consumer token, you can use the Trust any certificate or the Certificate store options to configure the certificate. For a generator token, you can click a certificate from the listing or click the New button to add one.

Certificates – Trust any certificate

Specifies, if the protection token has a certificate configured, to trust any certificate and not define the certificate store. Select this option to trust each certificate. This option is mutually exclusive to the Certificate store option and is only applicable to the token consumer.

Certificates – Certificate store

Specifies, if the protection token has a certificate configured, the certificate store to be trusted. Select this option to trust each certificate store specified in the entry field. This option is mutually exclusive to the Trust any certificate option. When you select this option, the New button is enabled so that you can configure a new certificate store. You can also add a second certificate store to the Trusted anchor store entry field when you click Certificate store. The Trusted anchor store field is only applicable to the token consumer.

Basic authentication

The fields in the Basic authentication section are available if you are configuring an authentication token that is not an LTPA Propagation token.

User name

Specifies the user name that you want to authenticate.

Password

Specifies the password to be authenticated. Enter a password to authenticate in this entry field.

Confirm password

Specifies the password that you want to confirm.

Keystore

The fields in the Keystore section are available if you are configuring a protection token.

In the Keystore name list, you can click Custom to define a custom keystore, click one of the externally defined keystore names, or click None if no keystore is required.

Keystore – Name

Specifies the name of the centrally managed keystore file that you want to use.

Click the name of a centrally managed keystore from this menu or enter one of the following values:
NodeDefaultKeyStore
NodeDefaultTrustStore
NodeLTPAKeys
None
Specifies to not use a centrally managed keystore file.
Custom
Specifies to use the centrally managed keystore file. Click the Custom keystore configuration link to configure custom keystore and key settings.

Keystore – Custom keystore configuration

Specifies a link to create a custom keystore. Click this link to open a panel where you can configure a custom keystore.

Key

The fields in the Key section are available if you are configuring a protection token.

Name

Specifies the name of the key to use. Enter the name of the key to be used in this required field.

Alias

Specifies the alias name of the key that you want to use. Enter the alias of the key to use in this required field.

Password

Specifies the password for the key that you want to use.

You cannot set a password for public keys for an asymmetric encryption generator or an asymmetric signature consumer.

Confirm password

Specifies the confirmation of the password for the key that you want to use. Enter the password that you entered in the Password field to confirm.

Do not provide a key confirm password for public keys for asymmetric outbound encryption or inbound signature.

Custom properties

The fields in the Custom properties section are available for all types of token configuration.

You can add custom properties needed by the callback handler here using name-value pairs.

To implement signer certificate encryption when using the JAX-WS programming model, add the custom property com.ibm.wsspi.wssecurity.token.cert.useRequestorCert with the value true on the callback handler of the encryption token generator. This implementation uses the certificate of the signer of the SOAP request to encrypt the SOAP response. This custom property is used by the response generator.

Name

Specifies the name of the custom property to use.

Custom properties are not initially displayed in this column. Click one of the following actions for custom properties:

Button | Resulting Action
New | Creates a new custom property entry. To add a custom property, enter the name and value.
Delete | Removes the selected custom property.

Value

Specifies the value of the custom property to use. With the Value entry field, you can enter or delete the value for a custom property.




Last updated: Aug 31, 2013 1:23:07 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist&topic=uwbs_wsspsbch
File name: uwbs_wsspsbch.html