Use the attributes parameter for the setPolicyType and setBinding commands to specify additional configuration information for the WSSecurity policy and binding configurations. Application and system policy sets can use the WSSecurity policy and binding configuration.
Before you use the commands in this topic, verify that you are using the most recent version of the wsadmin tool. The policy set management commands that accept a properties object as the value for the attributes or bindingLocation parameters are not supported on previous versions of the wsadmin tool. For example, the commands do not run on a Version 6.1.0.x node.
If the attributes parameter is not specified for the getPolicyType or getBinding command, the command returns all properties. If a partial property name is passed to the getPolicyType or getBinding command, the command returns all properties with names that start with the partial property name. For example, If SignatureProtection is passed to the getPolicyType command, the command returns all properties with names that start with "SignatureProtection", which might include SignatureProtection.response:int_body.SignedParts.Body,SignatureProtection.response:int_body.SignedParts.Header_0.Name, and SignatureProtection.response:int_body.SignedParts.Header_0.Namespace.
<sp:AsymmetricBinding> <wsp:Policy> <sp:InitiatorSignatureToken> <wsp:Policy> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy /200512/IncludeToken/AlwaysToRecipient"> <wsp:Policy> <sp:WssX509V3Token10 /> </wsp:Policy> </sp:X509Token> </wsp:Policy> </sp:InitiatorSignatureToken> <sp:RecipientSignatureToken> <wsp:Policy> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy /200512/IncludeToken/AlwaysToInitiator"> <wsp:Policy> <sp:WssX509V3Token10 /> </wsp:Policy> </sp:X509Token> </wsp:Policy> </sp:RecipientSignatureToken> <sp:AlgorithmSuite> <wsp:Policy> <sp:Basic256/> </wsp:Policy> </sp:AlgorithmSuite> <sp:Layout> <wsp:Policy> <sp:Strict/> </wsp:Policy> </sp:Layout> </wsp:Policy> </sp:AsymmetricBinding><sp:AsymmetricBinding> <wsp:Policy> <sp:InitiatorSignatureToken> <wsp:Policy> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy /200512/IncludeToken/AlwaysToRecipient"> <wsp:Policy> <sp:WssX509V3Token10 /> </wsp:Policy> </sp:X509Token> </wsp:Policy> </sp:InitiatorSignatureToken> <sp:RecipientSignatureToken> <wsp:Policy> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy /200512/IncludeToken/AlwaysToInitiator"> <wsp:Policy> <sp:WssX509V3Token10 /> </wsp:Policy> </sp:X509Token> </wsp:Policy> </sp:RecipientSignatureToken> </wsp:Policy> <sp:AlgorithmSuite> <wsp:Policy> <sp:Basic256/> </wsp:Policy> </sp:AlgorithmSuite> <sp:Layout> <wsp:Policy> <sp:Strict/> </wsp:Policy> </sp:Layout> </sp:AsymmetricBinding>
AsymmetricBinding.Layout = Strict AsymmetricBinding.AlgorithmSuite.Basic256 = true AsymmetricBinding.RecipientSignatureToken.X509Token_0.IncludeToken = http://docs.oasis-open.org /ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToInitiator AsymmetricBinding.InitiatorSignatureToken.X509Token_0.WssX509V3Token10 = true AsymmetricBinding.InitiatorSignatureToken.X509Token_0.IncludeToken = http://docs.oasis-open.org /ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient AsymmetricBinding.RecipientSignatureToken.X509Token_0.WssX509V3Token10 = true
<sp:SupportingTokens> <wsp:Policy wsu:Id="request:custom_auth"> <spe:CustomToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient"> <wsp:Policy> <spe:WssCustomToken uri=http://bar.com/MyCustomToken localname="tokenv1"> </spe:WssCustomToken> </wsp:Policy> </spe:CustomToken> </wsp:Policy> </sp:SupportingTokens
SupportingTokens.request:custom_auth.CustomToken_0.WssCustomToken.uri=http://bar.com /MyCustomToken SupportingTokens.request:custom_auth.CustomToken_0.IncludeToken=http://docs.oasis-open.org /ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient SupportingTokens.request:custom_auth.CustomToken_0.WssCustomToken.localname=tokenv1
<wsp:Policy wsu:Id="response:int_body"> <sp:SignedParts> <sp:Body/> </sp:SignedParts> </wsp:Policy>The previous wsu:Id example returns the following properties:
SignatureProtection.response:int_body.SignedParts.Body = true
<wsp:Policy wsu:Id="request:conf_body"> <sp:EncryptedParts> <sp:Body/> <sp:Header Name="MyElement" Namespace="http://foo.com/MyNamespace" /> </sp:EncryptedParts> </wsp:Policy>The previous Header example returns the following properties:
EncryptionProtection.request:conf_body.EncryptedParts.Header_0.Name=MyElement EncryptionProtection.request:conf_body.EncryptedParts.Header_0.Namespace=http:// foo.com/MyNamespace
<wsp:Policy wsu:Id="request:int_body"> <sp:SignedElements> <sp:XPath>SomeXPathExpression</sp:XPath> <sp:XPath>SomeOtherXPathExpression</sp:XPath> </sp:EncryptedElements> </wsp:Policy>The previous XPath example returns the following properties:
SignatureProtection.request:int_body.SignedElements.XPath_0=SomeXPathExpression SignatureProtection.request:int_body.SignedElements.XPath_1=SomeOtherXPathExpression
Use the X509Token_n notation to represent this property because multiple X509Token elements can exist. For an example, see the AsymmetricBinding assertion.
Use the CustomToken_n notation to represent this property because multiple CustomToken elements can exist. For an example, see the SupportingTokens assertion.
Use the getBinding command to review a properties object with the properties that are configured in your current WSSecurity binding configuration. You can also use the administrative console to configure your WSSecurity bindings. Use the information center topics for configuring WSSecurity bindings with administrative console for more information.
The properties defined in this section reflect the hierarchy of the binding schema. Each part of the property name is a lowercase version of the schema type. For example, the application.securityinboundbindingconfig.tokenconsumer_0.jaasconfig.configname property follows the hierarchal format. The attributes begin with application or bootstrap. Attributes that begin with application represent bindings that are associated with the main WS-Security policy. Attributes that begin with bootstrap represent bindings that are associated with the WS-Security bootstrap policy, where the WS-Security policy uses Secure Conversation.
application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler. certpathsettings.certstoreref.reference application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler. certpathsettings.trustanchorref.reference application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler.classname application.securityinboundbindingconfig.tokenconsumer_0.classname application.securityinboundbindingconfig.tokenconsumer_0.jaasconfig.configname application.securityinboundbindingconfig.tokenconsumer_0.name application.securityinboundbindingconfig.tokenconsumer_0.valuetype.localname application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri
Additionally, some properties in the security binding file return a value of true when queried. To set these properties, set the value to true to include the property, or set the value to an empty string ("") to remove the property. For example, the time stamp, nonce, and trustAnyCertificate properties follow this pattern.
application.securityinboundbindingconfig.tokenconsumer_0=""The previous example removes all properties that begin with the application.securityinboundbindingconfig.tokenconsumer_0 property name.
The following examples display several sets of properties to configure for your binding. This list does not include all properties to configure for the WSSecurity binding. Use this information as a reference to determine how to form specific property names.
application.securityinboundbindingconfig.signinginfo_0.signingkeyinfo_0 .reference=con_signkeyinfo application.securityinboundbindingconfig.signinginfo_0.signingpartreference_0 .reference=request:int_body application.securityoutboundbindingconfig.signinginfo_0.signingpartreference_0 .reference=response:int_body application.securityoutboundbindingconfig.signinginfo_0.signingpartreference_0.timestamp=true
application.securityinboundbindingconfig.encryptioninfo_0.encryptionpartreference .nonce=true application.securityinboundbindingconfig.encryptioninfo_0.encryptionpartreference .reference=request:conf_body application.securityoutboundbindingconfig.encryptioninfo_0.encryptionpartreference .nonce=true application.securityoutboundbindingconfig.encryptioninfo_0.encryptionpartreference .timestamp=true
application.securityoutboundbindingconfig.tokengenerator_0.name=gen_signtgen application.securityoutboundbindingconfig.tokengenerator_0.classname=com.ibm.ws.wssecurity.wssapi.token .impl.CommonTokenGenerator application.securityoutboundbindingconfig.tokengenerator_0.valuetype.uri= application.securityoutboundbindingconfig.tokengenerator_0.valuetype.localname=http://docs.oasis-open.org /wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.classname=com.ibm.websphere.wssecurity .callbackhandler.X509GenerateCallbackHandler application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.alias=soaprequester application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.keypass={xor}PDM2OjEr application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.name=CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.path=${USER_INSTALL_ROOT} /etc/ws-security/samples/dsig-sender.ks application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.storepass={xor}PDM2OjEr application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.type=JKS application.securityoutboundbindingconfig.tokengenerator_0.jaasconfig.configname=system.wss.generate.x509
application.securityoutboundbindingconfig.tokengenerator_1.name=gen_usernametoken application.securityoutboundbindingconfig.tokengenerator_1.classname=com.ibm.ws.wssecurity .wssapi.token.impl.CommonTokenGenerator application.securityoutboundbindingconfig.tokengenerator_1.valuetype.uri= application.securityoutboundbindingconfig.tokengenerator_1.valuetype.localname=http://docs .oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.classname=com.ibm .websphere.wssecurity.callbackhandler.UNTGenerateCallbackHandler application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.basicAuth.userid=user1 application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.basicAuth.password=myPassword application.securityoutboundbindingconfig.tokengenerator_1.securityTokenReference.reference=request:uname_token application.securityoutboundbindingconfig.tokengenerator_1.jaasconfig.configname=system.wss.generate.unt
application.securityinboundbindingconfig.tokenconsumer_0.name=con_unametoken application.securityinboundbindingconfig.tokenconsumer_0.classname=com.ibm.ws.wssecurity.wssapi .token.impl.CommonTokenConsumer application.securityinboundbindingconfig.tokenconsumer_0.valuetype.localname=http://docs.oasis-open.org /wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri= application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler.classname=com.ibm.websphere .wssecurity.callbackhandler.UNTConsumeCallbackHandler application.securityinboundbindingconfig.tokenconsumer_0.jaasconfig.configname=system.wss.consume.unt application.securityinboundbindingconfig.tokenconsumer_0.securitytokenreference.reference=request:uname_token
application.securityinboundbindingconfig.actor=http://myActor.com application.securityoutboundbindingconfig.actor=http://myActor.com
application.securityinboundbindingconfig.certstorelist.collectioncertstores_0 .name=DigSigCertStore application.securityinboundbindingconfig.certstorelist.collectioncertstores_0 .provider=IBMCertPath application.securityinboundbindingconfig.certstorelist.collectioncertstores_0 .x509certificates_0.path=${USER_INSTALL_ROOT}/etc/ws-security/samples/intca2.cer
application.securityinboundbindingconfig.keyinfo_0.classname=com.ibm.ws.wssecurity.wssapi .CommonContentConsumer application.securityinboundbindingconfig.keyinfo_0.name=con_signkeyinfo application.securityinboundbindingconfig.keyinfo_0.tokenreference.reference=con_tcon application.securityinboundbindingconfig.keyinfo_0.type=STRREF
application.securityinboundbindingconfig.trustanchor_0.keystore.path=${USER_INSTALL_ROOT} /etc/ws-security/samples/dsig-receiver.ks application.securityinboundbindingconfig.trustanchor_0.keystore.storepass={xor}LDotKTot application.securityinboundbindingconfig.trustanchor_0.keystore.type=JKS application.securityinboundbindingconfig.trustanchor_0.name=DigSigTrustAnchor
application.securityoutboundbindingconfig.timestampexpires.expires=5
Use the previous reference information with the setPolicyType and setBinding commands to modify your policy and binding configuration data.
AdminTask.setPolicyType('-policySet myPolicySet -policyType WSSecurity -attributes "[[enabled true][provides Some_amount_of_security][SignatureProtection.request:app_signparts.SignedElements.XPath_0 SignatureProtectionV2]]"')
AdminTask.setBinding('-policyType WSSecurity -bindingLocation "[[server server1][node node01]]" -attributes "[[application.securityinboundbindingconfig.keyinfo_0.name dec_server_keyinfo] [application.securityinboundbindingconfig.keyinfo_0.classname com.ibm.ws.wssecurity.wssapi.CommonContentGenerator] [application.securityinboundbindingconfig.keyinfo_0.type STRREF]]"')
AdminTask.setBinding('-policyType WSSecurity -bindingLocation "[[application PolicySet][attachmentId 999]]" -attributes "[[application.securityinboundbindingconfig.keyinfo_0.name dec_app_keyinfo] [application.securityinboundbindingconfig.keyinfo_0.classname com.ibm.ws.wssecurity.wssapi.CommonContentGenerator] [application.securityinboundbindingconfig.keyinfo_0.type STRREF]]" -attachmentType application -bindingName myBindingName')
AdminTask.setBinding('-policyType WSSecurity -bindingLocation "" -attributes "[application.securityinboundbindingconfig.trustanchor_0.name DigSigTrustAnchor2]"')