To set up bindings for message protection with JAX-WS applications,
you must create a custom binding. Complete this task to set the bindings
for a Kerberos token as defined in the OASIS Web Services Security
Specification for Kerberos Token Profile Version 1.1.
Before you begin
You must configure Kerberos for IBM WebSphere Application
Server. For more information, see Kerberos (KRB5) authentication mechanism
support for security. In addition, you must configure the Kerberos
token policy set for JAX-WS applications. For more information, see
Configuring the Kerberos token policy set for JAX-WS applications.
About this task
You can leverage existing frameworks, including the policy set and bindings, for JAX-WS applications.
You can configure a symmetric protection
token or an authentication token. Both symmetric protection token
and authentication token configurations use similar configuration
data. However, you do not need to configure the authentication token
if you intend to use a Kerberos symmetric protection token. For whichever
token type you use, configure the token generator and the token consumer
as indicated in the following list:
- Symmetric protection token
- Token generator
- Token consumer
- Authentication token
- Token generator
- Token consumer
Use the administrative console to configure the application-specific
bindings to use a Kerberos token in web services message protection.
Procedure
- Expand .
- Click .
- From the Web Services Properties heading, click Service
provider policy sets and bindings to configure the service
bindings or click Service client policy sets and bindings to
configure the client bindings.
- Select the resource to attach to the Kerberos token policy
set and select . To configure the Kerberos token policy set, see Configuring the Kerberos token policy set for JAX-WS applications.
- Click Assign bindings and select
the application-specific binding or select New Application
Specific Binding to create a new binding. To
create a new binding, complete the following actions.
- Enter a name for the new binding in the Binding
configuration name field and optionally enter a description
for the binding in the Description field.
- Click Add and select WS-Security to
specify a new policy set.
- Click .
- Optional: Define a symmetric protection
token for the token generator.
Important: If you configure a symmetric protection token for the token generator, you must define a complementary symmetric protection token for the token consumer.
- From the Protection tokens heading, click New and
select Token Generator.
- Specify the name of the protection token in the Name field.
- Select Custom from the values in the Token type menu
list.
- Specify the local name value in the Local name field.
For
interoperability with other web services technologies, specify the
following local name:
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ.
If you are not concerned with interoperability issues, you can specify
one of the following local name values:
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120
These alternative values depend on the specification level
for the Kerberos token that is generated by the Key Distribution Center
(KDC). For more information about when to use these values, see Protection
token settings (generator or consumer).
- Do not specify a value for the Namespace URI field.
- Select the wss.generate.KRB5BST value from
the JAAS login menu list.
If you have previously defined your own Java Authentication and Authorization Service
(JAAS) login module, you can select your login module to handle the
Kerberos custom token. To define a custom JAAS login module, click , specify an alias for the new module, and click
Apply.
For more information, see Login module settings for Java Authentication
and Authorization Service.
Attention: Although the information in the "Login module settings for Java Authentication and Authorization Service" topic refers to security and not Web Services Security, the login module configuration for Web Services Security is identical to the one for security.
- Specify the token generator custom properties for the target service
name, host, and realm.
The combination of the target service name
and host values forms the Service Principal Name (SPN), which represents
the target Kerberos service principal name. The Kerberos client requests
the initial Kerberos AP_REQ token for the SPN. Specify the following
custom properties.
Table 1. Target service custom properties. Use these properties to specify the token generator information.
Name | Value | Type
com.ibm.wsspi.wssecurity.krbtoken.targetServiceName | Specify the name of the target service. | Required
com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost | Specify the host name that is associated with the target service in the following format: myhost.mycompany.com | Required
com.ibm.wsspi.wssecurity.krbtoken.targetServiceRealm | Specify the name of the realm that is associated with the target service. | See note 1
Note 1: To use Kerberos token security in a cross or trusted realm environment, you must provide a value for the targetServiceRealm property.
To
specify multiple custom property name and value pairs, click New.
- Click Apply.
- From the Additional bindings heading, click Callback
handler.
- From the Class Name heading, select the Use custom option
and specify com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler in
the associated field.
- From the Basic Authentication heading, specify the appropriate
values for the User name, Password,
and Confirm password fields.
The user name
specifies the default user ID that is passed to the constructor of
the callback handler; for example, kerberosuser.
- Specify the token generator custom properties for Kerberos client
principal name and password to initiate the Kerberos login.
These
custom properties control the prompt and establish the token based
on the credential cache. Specify the following custom properties.
Table 2. Kerberos login custom properties. Use this property to specify the token generator information.
Name | Value | Type
com.ibm.wsspi.wssecurity.krbtoken.loginPrompt | Enables the Kerberos login when the value is True. The default value is False. | Optional
To specify multiple custom property name and value
pairs, click New.
- Click Apply and OK.
When you return to the Authentication and
protection panel in the next step, a new protection token is defined
for the token generator. To edit the configuration for this new token,
click its name on the panel.
- Optional: Return to the Authentication and
protection panel to define a symmetric protection token for the token
consumer. To return to the Authentication and protection
panel, click the Authentication and protection link after the
messages section of the panel.
Important: If you configure a symmetric protection token for the token consumer, ensure that you have previously defined a complementary symmetric protection token for the token generator.
- From the Protection tokens heading, click New and
select Token Consumer.
- Specify the name of the protection token in the Name field.
- Select Custom from the values in the Token type menu
list.
- Specify the local name value in the Local name field.
For
interoperability with other web services technologies, specify the
following local name:
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ.
If you are not concerned with interoperability issues, you can specify
one of the following local name values:
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120
These alternative values depend on the specification level
for the Kerberos token that is generated by the Key Distribution Center
(KDC). For more information about when to use these values, see Protection
token settings (generator or consumer).
- Do not specify a value for the Namespace URI field.
- Select the wss.consume.KRB5BST value from
the JAAS login drop-down menu.
If you have previously defined your
own Java Authentication and Authorization Service
(JAAS) login module, you can select this login module to handle the
Kerberos custom token. To define a custom JAAS login module, click , specify an alias for the new module, and click
Apply.
For more information, see Login module settings for Java Authentication
and Authorization Service.
Attention: Although the information in the Login module settings for Java Authentication and Authorization Service topic refers to security and not Web Services Security, the login module configuration for Web Services Security is identical to the one for security.
- Click Apply.
- From the Additional bindings heading, click Callback
handler.
- From the Class Name heading, select the Use custom option
and specify com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler in
the associated field.
- Click Apply and OK.
When you return to the Authentication and
protection panel in the next step, you will see a new protection token
defined for the token consumer. To edit the configuration for this
new token, click its name on the panel.
- Optional: Return to the Authentication and
protection panel to define an authentication token configuration for
the token generator. To return to the Authentication and
protection panel, click the Authentication and protection link
after the messages section of the panel.
Authentication tokens are
sent in messages to prove or assert an identity.
Important: If you configure an authentication token for the token generator, you must define a complementary authentication token for the token consumer.
- From the Authentication tokens heading, click New and
select Token Generator.
- Specify the name of the authentication token in the Name field.
- Select Custom from the values in the Token
type menu list.
- Specify the local name value in the Local name field.
For
interoperability with other web services technologies, specify the
following local name:
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ.
If you are not concerned with interoperability issues, you can specify
one of the following local name values:
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120
These alternative values depend on the specification level
for the Kerberos token that is generated by the Key Distribution Center
(KDC). For more information about when to use these values, see Authentication
generator or consumer token settings.
- Do not specify a value for the Namespace URI field.
- Select the wss.generate.KRB5BST value from
the JAAS login menu list.
If you have previously defined your own Java Authentication and Authorization Service
(JAAS) login module, you can select this login module to handle the
Kerberos custom token. To define a custom JAAS login module, click , specify an alias for the new module, and click
Apply.
For more information, see Login module settings for Java Authentication
and Authorization Service.
Attention: Although the information in the Login module settings for Java Authentication and Authorization Service topic refers to security and not Web Services Security, the login module configuration for Web Services Security is identical to the one for security.
- Specify the token generator custom properties for the target service
name, host, and realm.
The combination of the target service name
and host values forms the Service Principal Name (SPN), which represents
the target Kerberos service principal name. The Kerberos client requests
the initial Kerberos AP_REQ token for the SPN. Specify the following
custom properties.
Table 3. Target service custom properties. Use these custom properties to specify the token generator information.
Name | Value | Type
com.ibm.wsspi.wssecurity.krbtoken.targetServiceName | Specify the name of the target service. | Required
com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost | Specify the host name that is associated with the target service in the following format: myhost.mycompany.com | Required
com.ibm.wsspi.wssecurity.krbtoken.targetServiceRealm | Specify the name of the realm that is associated with the target service. | Optional
To specify multiple custom property name and value
pairs, click New.
- Click Apply.
- From the Additional bindings heading, click Callback
handler.
- From the Class Name heading, select the Use custom option
and specify com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler in
the associated field.
- From the Basic Authentication heading, specify the appropriate
values for the User name, Password,
and Confirm password fields.
The user name
specifies the default user ID that is passed to the constructor of
the callback handler. For example: kerberosuser
- Specify the token generator custom properties for Kerberos client
principal name and password to initiate the Kerberos login.
These
custom properties control the prompt and establish the token based
on the credential cache. Specify the following custom properties name
and value pairs.
Table 4. Kerberos login custom properties. Use the custom properties to specify the token generator information.
Name | Value | Type
com.ibm.wsspi.wssecurity.krbtoken.loginPrompt | Enables the Kerberos login when the value is True. The default value is False. | Optional
com.ibm.wsspi.wssecurity.krbtoken.clientRealm | Specify the name of the Kerberos realm that is associated with the client. | See note 2
Note 2: When implementing Web Services Security in a cross or trusted Kerberos realm environment, you must provide a value for the clientRealm property.
If an application generates or consumes a Kerberos V5 AP_REQ token for each web services request message, set the com.ibm.wsspi.wssecurity.kerberos.attach.apreq custom property to true in both the token generator and the token consumer bindings for the application.
To specify multiple
custom property name and value pairs, click New.
- Click Apply and OK.
When you return to the Authentication and
protection panel in the next step, you will see a new authentication
token is defined for the token generator. To edit the configuration
for this new token, click its name on the panel.
- Optional: Return to the Authentication and
protection panel to define an authentication token configuration for
the token consumer. To return to the Authentication and
protection panel, click the Authentication and protection link
after the messages section of the panel.
Important: If
you configure an authentication token for the token consumer, ensure
that you have previously defined an authentication token for the token
generator.
- From the Authentication tokens heading, click New and
select Token Consumer.
- Specify the name of the authentication token in the Name field.
- Select Custom from the values in the Token
type menu list.
- Specify the local name value in the Local name field.
For
interoperability with other web services technologies, specify the
following local name:
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ.
If you are not concerned with interoperability issues, you can specify
one of the following local name values:
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120
- http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120
These alternative values depend on the specification level for the Kerberos token that is generated by the Key Distribution Center (KDC). For more information about the conditions under which to use these values, see the related link for the "Authentication generator or consumer token settings" topic.
- Do not specify a value for the Namespace URI field.
- Select the wss.consume.KRB5BST value from
the JAAS login drop-down menu.
If you have previously defined your
own Java Authentication and Authorization Service
(JAAS) login module, you can select this login module to handle the
Kerberos custom token. To define a custom JAAS login module, click , specify an alias for the new module, and click
Apply.
For more information, see Login module settings for Java Authentication
and Authorization Service.
Attention: Although the information in the Login module settings for Java Authentication and Authorization Service topic refers to security and not Web Services Security, the login module configuration for Web Services Security is identical to the one for security.
- Click Apply.
- From the Additional bindings heading, click Callback
handler.
- From the Class Name heading, select the Use custom option
and specify com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler in
the associated field.
- Click Apply and OK.
When you return to the Authentication and
protection panel in the next step, you will see a new authentication
token is defined for the token consumer. To edit the configuration
for this new token, click its name on the panel.
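As an added example (not WebSphere code and not part of the original topic), the following Python script audits a token generator and token consumer binding pair against the pairing rules the procedure states: the same Token Profile 1.1 local name on both sides, an empty Namespace URI, the wss.generate/wss.consume KRB5BST JAAS logins with the matching Generate/Consume callback handlers, the required target service properties, the realm properties in a cross-realm setup, and attach.apreq set identically on both sides. The plain-dict binding layout and the service/host@REALM SPN form are assumptions; the page only states that the name and host values combine to form the SPN.

```python
"""Offline audit of a Kerberos token generator/consumer binding pair.

Added example, not WebSphere code: it encodes the pairing rules stated
in the procedure above over plain dicts. The service/host@REALM SPN
layout is an assumption (standard Kerberos form); the page only says
that the name and host values combine to form the SPN.
"""
PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#"
INTEROP = PROFILE + "GSS_Kerberosv5_AP_REQ"  # the interoperable local name
ALLOWED = {INTEROP} | {PROFILE + s for s in (
    "Kerberosv5_AP_REQ", "Kerberosv5_AP_REQ1510", "GSS_Kerberosv5_AP_REQ1510",
    "Kerberosv5_AP_REQ4120", "GSS_Kerberosv5_AP_REQ4120")}
KRB = "com.ibm.wsspi.wssecurity.krbtoken."
APREQ = "com.ibm.wsspi.wssecurity.kerberos.attach.apreq"
HANDLER = "com.ibm.websphere.wssecurity.callbackhandler."
EXPECT = {  # side -> (JAAS login, callback handler class) named in the procedure
    "generator": ("wss.generate.KRB5BST", HANDLER + "KRBTokenGenerateCallbackHandler"),
    "consumer": ("wss.consume.KRB5BST", HANDLER + "KRBTokenConsumeCallbackHandler"),
}


def spn(props):
    """Target SPN from the generator's target service custom properties."""
    base = f"{props[KRB + 'targetServiceName']}/{props[KRB + 'targetServiceHost']}"
    realm = props.get(KRB + "targetServiceRealm")
    return f"{base}@{realm}" if realm else base


def audit(gen, con, cross_realm=False):
    """Return findings; an empty list means the pair is complementary."""
    out = []
    if gen["local_name"] not in ALLOWED:
        out.append("generator: local name is not a Kerberos Token Profile 1.1 value")
    if gen["local_name"] != con["local_name"]:
        out.append("local names differ: consumer cannot accept what the generator sends")
    elif gen["local_name"] != INTEROP:
        out.append("info: non-interoperable local name selected on both sides")
    for side, b in (("generator", gen), ("consumer", con)):
        login, handler = EXPECT[side]
        if b.get("namespace_uri"):  # the procedure says to leave this field empty
            out.append(f"{side}: Namespace URI must be left empty")
        if b.get("jaas_login") != login:
            out.append(f"{side}: JAAS login should be {login}")
        if b.get("callback_handler") != handler:
            out.append(f"{side}: callback handler should be {handler}")
    props = gen.get("custom_properties", {})
    for req in ("targetServiceName", "targetServiceHost"):  # Required in Tables 1/3
        if not props.get(KRB + req):
            out.append(f"generator: required property {KRB + req} is missing")
    if cross_realm:  # note 1 (targetServiceRealm) and note 2 (clientRealm)
        for req in ("targetServiceRealm", "clientRealm"):
            if not props.get(KRB + req):
                out.append(f"generator: cross-realm setup requires {KRB + req}")
    if props.get(APREQ) != con.get("custom_properties", {}).get(APREQ):
        out.append(f"{APREQ} must be set to the same value on both sides")
    return out
```

Call audit() on the generator and consumer bindings transcribed from the console panels; each finding maps back to one of the steps above.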
What to do next
You can optionally define key bindings for the request
message protection and response message protection. If you choose
to derive a key from the Kerberos token, configure the derived key
information when you configure the key information for signature and
encryption.
Return to the steps in the Configuring the Kerberos
token for Web Services Security topic to ensure you have completed
the steps for configuring the Kerberos token.