Use the Web services client editor within an assembly tool to include
the binding information, which describes how to run the security specifications
found in the extensions, in the client enterprise archive (EAR) file.
About this task
Important: There is an important distinction between
Version 5.x and Version 6 and later applications. The information in
this article supports only Version 5.x applications that are used with
WebSphere Application Server Version 6.0.x and later. The information
does not apply to Version 6.0.x and later applications.
When configuring a client for Web services security, the bindings describe how
to run the security specifications found in the extensions. Use the Web services
client editor within an assembly tool to include the binding information in
the client enterprise archive (EAR) file.
You can configure the client-side
bindings from a pure client accessing a Web service or from a Web service
accessing a downstream Web service. This document focuses on the pure client
situation. However, the concepts, and in most cases the steps, also apply
when a Web service is configured to communicate downstream to another Web
service that has client bindings. Complete the following steps to edit the
security bindings on a pure client (or server acting as a client) using an
assembly tool:
Procedure
- Import the Web services client EAR file into an assembly tool.
When you edit the client bindings on a server acting as a client, the
same basic steps apply. Refer to the assembly tool documentation for additional
information.
- Switch to the Java 2 Platform, Enterprise Edition (J2EE) perspective.
Click Window > Open Perspective > J2EE.
- Click Application Client Projects > application_name >
appClientModule > META-INF.
- Right-click the application-client.xml file, select Open
with > Deployment descriptor editor. The Client Deployment
Descriptor is displayed.
- Click the WS Extension tab.
- On the WS Extension tab, select the Port QName Bindings that you
want to configure. The Web services security extensions are configured
for outbound requests and inbound responses. You need to configure the following
information for Web services security extensions. These topics are discussed
in more detail in other sections of the documentation.
Request sender configuration details
  - Details
  - Integrity
  - Confidentiality
  - Login Config
    - BasicAuth
    - IDAssertion
    - Signature
    - LTPA
  - ID assertion
  - Add created time stamp
Response receiver configuration details
  - Required integrity
  - Required confidentiality
  - Add received time stamp
- On the WS Binding tab, select the Port Qualified Name Binding that
you want to configure. The Web services security bindings are configured
for outbound requests and inbound responses. You need to configure the following
information for Web services security bindings. These topics are discussed
in more detail in other sections of the documentation.
Security request sender binding configuration
  - Signing information
  - Encryption information
  - Key locators
  - Login binding
    - Basic auth
    - ID assertion
    - Signature
    - LTPA
Security response receiver binding configuration
  - Signing information
  - Encryption information
  - Trust anchor
  - Certificate store list
  - Key locators
What to do next
Important: When configuring the security request sender
binding configuration, you must synchronize the information used to perform
the specified security with the security request receiver binding configuration,
which is configured in the server EAR file. These two configurations must
be synchronized in all respects because there is no negotiation during run
time to determine the requirements of the server.
For example, when configuring the encryption information in the security
request sender binding configuration, you must use the public key from the
server for encryption.
Therefore, the key locator that you choose must contain the public key from
the server configuration. The server must contain the private key to decrypt
the message. This example illustrates the important relationship between the
client and server configuration. Additionally, when configuring the security
response receiver binding configuration, the server must send the response
using security information known by this client security response receiver
binding configuration.
The following table shows the related configurations
between the client and the server. The client request sender and the server
request receiver are related configurations that must be synchronized with
each other. The server response sender and the client response receiver are
related configurations that must be synchronized with each other. Note that
the related configurations are end points for any request or response. One
end point must communicate its actions with the other end point because run
time requirements are not negotiated.
Table 1. Related configurations
Client configuration | Server configuration
--- | ---
Request sender | Request receiver
Response receiver | Response sender
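Because nothing is negotiated at run time, the pairing in Table 1 can be checked before the EAR files are deployed. The following Python check is an added example, not IBM code or part of the original page; the dictionary field names, certificate names and algorithm labels are constructed for illustration and are not the WebSphere binding file format.

```python
# Added example: simplified, constructed model of the four binding configurations.
# Field names and values are illustrative, not the WebSphere binding file format.
PAIRS = [("request_sender", "request_receiver"),    # Table 1, row 1
         ("response_receiver", "response_sender")]  # Table 1, row 2

def check_sync(client, server):
    """Return a list of mismatches between paired client/server bindings."""
    problems = []
    for c_name, s_name in PAIRS:
        c, s = client.get(c_name, {}), server.get(s_name, {})
        sender, receiver = (c, s) if c_name.endswith("sender") else (s, c)
        where = f"{c_name}/{s_name}"
        # Both ends must agree up front; nothing is negotiated at run time.
        for key in ("signature_method", "data_encryption_method"):
            if sender.get(key) != receiver.get(key):
                problems.append(f"{where}: {key} differs")
        # The sender encrypts with the receiver's public key, so the receiver
        # must hold the matching private key.
        enc = sender.get("encrypt_with_cert")
        if enc and enc not in receiver.get("private_keys", ()):
            problems.append(f"{where}: receiver cannot decrypt")
        # The receiver must trust the issuer of the sender's signing certificate.
        issuer = sender.get("signer_issuer")
        if issuer and issuer not in receiver.get("trust_anchors", ()):
            problems.append(f"{where}: signer not trusted")
    # The login method the client sends must be one the server accepts.
    login = client.get("request_sender", {}).get("login_method")
    if login and login not in server.get("request_receiver", {}).get("login_methods", ()):
        problems.append(f"login method {login} not accepted")
    return problems

COMMON = {"signature_method": "rsa-sha256", "data_encryption_method": "aes128-cbc"}
CLIENT = {  # constructed sample
    "request_sender": {**COMMON, "encrypt_with_cert": "CN=server-enc",
                       "signer_issuer": "CN=Example CA", "login_method": "BasicAuth"},
    "response_receiver": {**COMMON, "private_keys": ["CN=client-enc"],
                          "trust_anchors": ["CN=Example CA"]},
}
SERVER = {  # constructed sample; response_sender is deliberately out of sync
    "request_receiver": {**COMMON, "private_keys": ["CN=server-enc"],
                         "trust_anchors": ["CN=Example CA"],
                         "login_methods": ["BasicAuth", "LTPA"]},
    "response_sender": {**COMMON, "data_encryption_method": "aes256-cbc",
                        "encrypt_with_cert": "CN=old-client",
                        "signer_issuer": "CN=Example CA"},
}

if __name__ == "__main__":
    for p in check_sync(CLIENT, SERVER):
        print(p)
```

With the sample data, the request path is consistent and both reported mismatches are on the response path, where the server's response sender no longer matches the client's response receiver.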