This procedure describes how to configure the message-level
WS-Security policy set and bindings for a stand-alone security token.
The token can be an LTPA token or a UsernameToken.
Before you begin
This task assumes that the service provider and client that you are configuring are in the JaxWSServicesSamples application. Refer to Accessing Samples for more information on how to obtain and install this application. You should use the following trace specification on your server. This specification enables you to debug any future configuration problems that might occur.
*=info:com.ibm.wsspi.wssecurity.*=all:com.ibm.ws.webservices.wssecurity.*=all:com.ibm.ws.wssecurity.*=all:com.ibm.xml.soapsec.*=all:com.ibm.ws.webservices.trace.*=all:com.ibm.ws.websvcs.trace.*=all:com.ibm.ws.wssecurity.platform.audit.*=off:
If LTPA tokens will be used, application security must be enabled on the application servers used for both the client and the service.
Procedure
- Create the custom policy set.
  - In the administrative console, click Services > Policy sets > Application Policy sets.
  - Click New.
  - Specify Name = OneTokenPolicy.
  - Click Apply.
  - Under Policies, click Add > WS-Security.
- Edit the custom policy set.
  - Remove digital signature, encryption, and timestamp.
    - In the administrative console, click WS-Security > Main Policy.
    - Deselect Message level protection.
    - Click Apply.
  - Add the UsernameToken or LTPA token.
    - Under Policy details, click Request token policies.
    - Select Add Token Type.
    - If you want to use a UsernameToken, select UserName. If you want to use an LTPA token, select LTPA. Specify Token name = myToken.
    - Click OK.
- Configure the client to use the OneTokenPolicy policy set.
  - In the administrative console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service client policy sets and bindings.
  - Select the web services client resource (JaxWSServicesSamples).
  - Click Attach Policy Set.
  - Select OneTokenPolicy.
- Create a custom binding for the client.
  - Select the web services resource again.
  - Click Assign Binding.
  - Click New Application Specific Binding to create an application-specific binding.
  - Specify Bindings configuration name: oneTokenClientBinding.
  - Click Add > WS-Security.
  - If the Main Message Security Policy Bindings panel does not display, select WS-Security.
- Edit the custom binding for the client.
  - Edit the identity token generator to send the identity user name.
    - Click request:myToken.
    - Click Apply.
    - Click Callback handler. Specify User name = (yourUserid) and Password = (yourPassword).
      Avoid trouble: This is a user ID and password that is valid in the user registry on the provider's system. If you are using LTPA tokens, the user ID and password must be valid in both the consumer and provider registries.
    - (Optional) If configuring a UsernameToken, add the following WS-Security custom properties:
      - com.ibm.wsspi.wssecurity.token.username.addNonce=true
      - com.ibm.wsspi.wssecurity.token.username.addTimestamp=true
      These custom properties are added because they are specified on the UsernameToken consumer default general bindings. If you do not specify those properties here, you will either need to remove those properties from the default provider general bindings or create application-specific bindings for the provider that do not include those properties.
    - Click OK.
  - Click Save.
- Configure the provider to use the OneTokenPolicy policy set.
  - In the administrative console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service provider policy sets and bindings.
  - Select the web services provider resource (OneTokenPolicy).
  - Click Attach Policy Set.
  - Select OneTokenPolicy.
  Note: Since no bindings are attached to the provider application, it will use the default provider general bindings for the token consumers.
- (Optional) If you want to create a Caller configuration for the provider, create custom bindings for the provider.
  - Select the web services provider resource again.
  - Click Assign Binding.
  - Click New Application Specific Binding to create an application-specific binding.
  - Specify Bindings configuration name: oneTokenProvBinding.
  - Click Add > WS-Security.
  - If the Main Message Security Policy Bindings panel does not display, select WS-Security.
- (Optional) If a Caller configuration will be created, edit the custom bindings for the provider.
  - Click Caller > New. Specify Name: myCaller.
  - If using a UsernameToken, enter the following:
    - Caller identity local name: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
  - If using an LTPA token, enter the following:
    - Caller identity local name: LTPAv2
    - Caller identity local URI: http://www.ibm.com/websphere/appserver/tokentype
  - Click OK.
  - Click Save to save your configuration changes.
- Restart the client and the provider.
  - Stop the client and the provider.
  - Restart the client and the provider.
- Test the service.
  - Point your web browser at the JaxWSServicesSamples: http://localhost:9080/wssamplesei/demo
    Avoid trouble: Make sure you provide the correct hostname and port if your profile is not on the same machine or the port is not 9080.
  - Select Message Type Synchronous Echo.
  - Make sure Use SOAP 1.2 is not selected.
  - Enter a message and click Send Message.
  The sample application should reply with JAXWS==>Message.
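As an added example (not from this page or from the WebSphere product), the following Python shows what the addNonce and addTimestamp custom properties put on the wire for request:myToken and how a consumer that requires them checks a UsernameToken: both elements present, the Created timestamp fresh, and the nonce not seen before. The sample request, the placeholder credentials and the five-minute freshness window are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Standard OASIS WS-Security 1.0 namespaces (fixed by the specification).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample: what request:myToken looks like with addNonce/addTimestamp set (placeholder credentials).
SAMPLE_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Header>
  <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
   <wsse:UsernameToken wsu:Id="myToken">
    <wsse:Username>yourUserid</wsse:Username>
    <wsse:Password>yourPassword</wsse:Password>
    <wsse:Nonce>c2FtcGxlLW5vbmNlLTE=</wsse:Nonce>
    <wsu:Created>2013-02-01T12:00:00.000Z</wsu:Created>
   </wsse:UsernameToken>
  </wsse:Security>
 </soapenv:Header>
 <soapenv:Body/>
</soapenv:Envelope>"""

def parse_created(text):
    """Parse a wsu:Created value, with or without fractional seconds, as UTC; None if malformed."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def check_username_token(soap_xml, seen_nonces, now=None, max_skew=timedelta(minutes=5)):
    """Return (accepted, reason). seen_nonces is the caller's replay cache (a set of nonces)."""
    tok = ET.fromstring(soap_xml).find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        return False, "no UsernameToken in the Security header"
    nonce = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if not nonce:
        return False, "missing Nonce (consumer expects addNonce=true)"
    if not created:
        return False, "missing Created (consumer expects addTimestamp=true)"
    ts = parse_created(created)
    if ts is None:
        return False, "unparseable Created timestamp"
    if abs((now or datetime.now(timezone.utc)) - ts) > max_skew:
        return False, "Created timestamp outside the freshness window"
    if nonce in seen_nonces:
        return False, "nonce replayed"
    seen_nonces.add(nonce)  # accept once; a real cache would expire entries after max_skew
    return True, "ok"
```

Without the two properties on the client binding, the generated token lacks Nonce and Created, and a consumer bound with the default general bindings rejects it for exactly the reasons this check reports.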
Results
The JaxWSServicesSamples web services application is configured
to generate and consume a UsernameToken or LTPA token in the request
message.