Use this page to specify how to acquire the security token that is inserted in the Web services security header within the Simple Object Access Protocol (SOAP) message. The token acquisition is a pluggable framework that leverages the Java Authentication and Authorization Service (JAAS) javax.security.auth.callback.CallbackHandler interface for acquiring the security token.
When used in association with a signature consumer, the alias supplied for the consumer is used strictly to retrieve the public key that resolves an X.509 certificate that is not passed in the SOAP security header as a BinarySecurityToken. A password is not required.
The alias that is entered on a callback handler associated with a signature consumer must be accessible without a password. This means that the alias must not have private key information associated with it in the keystore.
When an X.509 certificate is not passed in the SOAP security header as a BinarySecurityToken, a SecurityTokenReference appears in the KeyInfo element within the Signature element of the SOAP security header and is used to resolve the X.509 certificate. The supported reference methods are Key identifier, X.509 issuer name and issuer serial, and Thumbprint. The consumer accepts any of these three methods for resolving an X.509 certificate outside the message when a keystore/alias is configured for an X.509 token consumer that is associated with a signature consumer.
Because only one alias can be configured on the X.509 token consumer, the WS-Security run time can resolve only one certificate outside a message. For example, if the X.509 token consumer is configured for certificate A and client A sends the keyIdentifier for certificate A, the certificate can be retrieved. However, if client B sends the keyIdentifier for certificate B, the certificate cannot be retrieved and the message is rejected.
When an X.509 certificate is sent in the SOAP security header as a BinarySecurityToken and a keystore/alias is configured on the X.509 token consumer associated with a signature consumer, the certificate configured on the consumer is compared against the one passed in the message. If they do not match, the message is rejected. This behavior differs from JAX-RPC. The certificate associated with the alias configured on the X.509 token consumer is not used to evaluate trust in the inbound certificate; only the trust store and cert stores are used for that purpose.
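The following utility is an added example, not part of this documentation or the WebSphere product, that checks the single alias an administrator intends to configure on an X.509 token consumer: it confirms the alias is a certificate-only entry (no private key, as required above) and prints the issuer/serial, SHA-1 thumbprint and SubjectKeyIdentifier that a client's SecurityTokenReference would have to carry to resolve to that certificate. Keystore path, type, password and alias are taken from the command line; the SKI decoding assumes short-form DER lengths.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;

// Added check for a consumer-side keystore alias (hypothetical helper, not IBM code).
public class ConsumerAliasCheck {
    public static void main(String[] args) throws Exception {
        // Constructed arguments: <keystore path> <keystore type> <keystore password> <alias>
        String path = args[0], type = args[1], alias = args[3];
        char[] storePass = args[2].toCharArray();

        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        if (!ks.containsAlias(alias)) {
            throw new IllegalStateException("alias not found: " + alias);
        }
        // The consumer reads the alias without a password, so it must be a
        // trusted-certificate entry rather than a key entry holding a private key.
        if (ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias " + alias
                + " holds a private key; a consumer alias must be a certificate-only entry");
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);

        // Identifiers that a SecurityTokenReference may use to reference this certificate.
        System.out.println("Issuer:        " + cert.getIssuerX500Principal().getName());
        System.out.println("Serial:        " + cert.getSerialNumber());
        byte[] der = cert.getEncoded();
        System.out.println("Thumbprint:    " + base64(MessageDigest.getInstance("SHA-1").digest(der)));
        byte[] ski = cert.getExtensionValue("2.5.29.14"); // SubjectKeyIdentifier extension
        if (ski == null) {
            System.out.println("KeyIdentifier: certificate has no SubjectKeyIdentifier extension");
        } else {
            // Extension value is an OCTET STRING wrapping an OCTET STRING; with short-form
            // lengths (the usual 20-byte identifier) the key identifier starts at offset 4.
            System.out.println("KeyIdentifier: " + base64(Arrays.copyOfRange(ski, 4, ski.length)));
        }
    }

    private static String base64(byte[] b) {
        return Base64.getEncoder().encodeToString(b);
    }
}
```

Because only one alias can be configured, only a client presenting one of these identifiers for this certificate will resolve; any other certificate must be sent inline as a BinarySecurityToken and will then be subject to the comparison and trust-store checks described above.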
com.ibm.wsspi.wssecurity.consumer.callbackHandlerKeystoreLimitsAccess=false
See the topic Key information settings for more information about the key identifier, X.509 issuer/serial, and thumbprint.
Specifies the name of the callback handler implementation class that is used to plug in a security token framework.
MyCallbackHandler(String username, char[] password, java.util.Map properties)
The LTPATokenCallbackHandler is used to generate either an LTPA or an LTPA_PROPAGATION token. When the LTPATokenCallbackHandler is used to generate an LTPA token, you can supply basic authentication information to obtain the required LTPA token. However, when the LTPATokenCallbackHandler is used to generate an LTPA_PROPAGATION token, basic authentication information cannot be used to generate the token and therefore should not be supplied.
The callback handler implementation obtains the required security token and passes it to the token generator. The token generator inserts the security token in the Web services security header within the SOAP message. The token generator is also the plug-in point for the pluggable security token framework. Service providers can provide their own implementation, but the implementation must use the com.ibm.websphere.wssecurity.wssapi.token.SecurityToken interface. The Java Authentication and Authorization Service (JAAS) Login Module implementation is used to create the security token on the generator side and to validate (authenticate) the security token on the consumer side.
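As an added illustration of the pluggable callback handler described above (this is example code, not a class shipped with WebSphere), the following handler follows the three-argument constructor shape given under the Callback handler class name field and answers the standard JAAS NameCallback and PasswordCallback. That the runtime presents exactly these two callback types is an assumption; any other callback is refused rather than silently ignored.

```java
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Hypothetical custom handler matching MyCallbackHandler(String, char[], java.util.Map).
public class MyCallbackHandler implements CallbackHandler {
    private final String username;
    private final char[] password;      // null when only an alias lookup is configured
    private final Map properties;       // custom properties from the handler configuration

    public MyCallbackHandler(String username, char[] password, Map properties) {
        this.username = username;
        // Defensive copy so the caller cannot later alter the secret we hold.
        this.password = (password == null) ? null : password.clone();
        this.properties = properties;
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(username);
            } else if (cb instanceof PasswordCallback) {
                if (password == null) {
                    // No credential was configured (for example, a consumer-side alias
                    // without a password); fail explicitly instead of returning an empty secret.
                    throw new UnsupportedCallbackException(cb,
                        "no password configured for user " + username);
                }
                ((PasswordCallback) cb).setPassword(password);
            } else {
                // Unknown callback types are rejected so the login module cannot proceed
                // on partially populated input.
                throw new UnsupportedCallbackException(cb,
                    "unsupported callback " + cb.getClass().getName());
            }
        }
    }
}
```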
Select this option if you have identity assertion defined in the IBM extended deployment descriptor.
This option indicates that only the identity of the initial sender is required and inserted into the Web services security header within the SOAP message. For example, the application server sends only the user name of the original caller for a Username TokenGenerator. For an X.509 token generator, the application server sends only the original signer's certificate.
Select this option if you have identity assertion defined in the IBM extended deployment descriptor and you want to use the Run As identity instead of the initial caller identity for identity assertion for a downstream call.
This option is valid only if you have Username TokenGenerator configured as a token generator.
Specifies the user name that is passed to the constructors of the callback handler implementation.
These implementations are described in detail under the Callback handler class name field description in this article.
Specifies the password that is passed to the constructor of the callback handler.
Specifies the name of the key store configuration defined in the keystore settings in secure communications.
Specifies the password that is used to access the keystore file.
Specifies the location of the keystore file.
Use ${USER_INSTALL_ROOT} in the path name because this variable expands to the product path on your machine. To change the path used by this variable, click Environment > WebSphere variables and click USER_INSTALL_ROOT.
Specifies the type of keystore file format.