ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/webserv/wsseccfplugtoken.htm

142 lines
16 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Configure a pluggable token for Web services security</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h6><a name="wsseccfplugtoken"></a>Configure a pluggable token</h6>
<p>This topic describes how to configure the request sender to create security tokens in the Simple Object Access Protocol (SOAP) message and how to configure the request receiver to validate the security tokens found in the incoming SOAP message. You can use the authentication method defined in the login bindings and login mappings to generate security tokens in the request sender and validate security tokens in the request receiver.</p>
<p>WebSphere Application Server - Express supports pluggable security tokens. See the following topics for more information:</p>
<ul>
<li><a href="wssecplugtoken.htm">Pluggable token support</a></li>
<li><a href="wssecplugtokgen.htm">Generating a pluggable token</a></li>
<li><a href="wssecplugtokval.htm">Validating a pluggable token</a></li>
</ul>
<p><strong>Note:</strong> The pluggable token is required for the request sender and request receiver as they are a pair. The request sender and the request receiver must match for a request to be accepted by the receiver.</p>
<p>Prior to completing these steps, it is assumed that you have already created a Web services-enabled Java 2 Platform, Enterprise Edition (J2EE) with a Web Services for J2EE (JSR 109) enterprise application. If not, see <a href="wsdev.htm">Developing Web services</a> to create Web services-enabled J2EE with a JSR 109 enterprise application.</p>
<p>Perform the folowing steps in the WebSphere Development Studio Client for iSeries to configure a pluggable token for your Web service client:</p>
<ol>
<li><p>Open the webservicesclient.xml file in the Web Services Client Editor of the WebSphere Development Studio Client for iSeries. For more information, see <a href="astk.htm">Configure your Web services application</a>.</p></li>
<li><p>Click the <strong>Security Extensions</strong> tab. The Web Service Client Security Extensions
editor displays. Specify the following settings:</p>
<ol type="a">
<li>Under <strong>Service References</strong>, select an existing service reference or click <strong>Add</strong> to create a new one.</li>
<li>Under <strong>Port Qname Bindings</strong>, select an existing port-qualified name for the selected service reference or click <strong>Add</strong> to create a new port name binding.</li>
<li>Under <strong>Request Sender Configuration: Login Config</strong>, select an exiting authentication method or type in a new one in the editable list box. When a Web servics acts as a client, <tt>LTPA</tt> is a supported token generation format.</li>
</ol><p></p></li>
<li><p>Click the <strong>Web Services Client Binding</strong> tab. The Web Services Client Binding editor displays. Specify the following settings:</p>
<ol type="a">
<li><p>Under <strong>Port Qualified Name Binding</strong>, select an existing entry or click <strong>Add</strong> to add a new port name binding. The Web Services Client Binding editor displays for the selected port.</p></li>
<li><p>Under <strong>Login Binding</strong>, click <strong>Edit</strong> or <strong>Enable</strong>. The Login Binding dialog displays. Specify the following settings:</p>
<ol type="i">
<li>In the <strong>Authentication Method</strong> field, enter the authentication method. The authentication method that you enter in this field must match the authentication method defined on the <strong>Security Extension</strong> tab for the same Web service port. This field is mandatory.</li>
<li>(Optional) Enter the token value type information in the <strong>URI</strong> and <strong>Local name</strong> fields. These fields are ignored for the BasicAuth, Signature, and IDAssertion authentication methods, but required for other authentication methods. The token value type information is inserted into the &lt;wsse:BinarySecurityToken&gt;@ValueType element for binary security token and is used as the namespace for the XML-based token.</li>
<li>Enter an implementation of the Java Authentication and Authorization Service (JAAS) javax.security.auth.callback.CallbackHandler interface. See <a href="wssecplugtokgen.htm">Generating a pluggable token</a> for information on how to develop a CallbackHandler that can generate a security token in the request sender. This is a mandatory field.</li>
<li>Enter the basic authentication information in the <strong>User ID</strong> and <strong>Password</strong> fields. The basic authentication information is passed to the constructor of the CallbackHandler implementation. The usage of the basic authentication information is up to the implementation of the CallbackHandler.</li>
<li>In the <strong>Property</strong> field, add name and value pairs. These pairs are passed to the constructor of the CallbackHandler implementation as java.util.Map data types.</li>
<li>Click <strong>OK</strong>.</li>
</ol></li>
</ol><p></p></li>
<li><p>Save the file.</p></li>
</ol>
<p>Perform the folowing steps in the WebSphere Development Studio Client for iSeries to configure a pluggable token for your Web services application:</p>
<ol>
<li><p>Open the webservices.xml deployment descriptor for your Web services application in the Web Services Editor of the WebSphere Development Studio Client for iSeries. For more information, see <a href="astk.htm">Configure your Web services application</a>.</p></li>
<li><p>Click the <strong>Security Extensions</strong> tab. Specify the following settings:</p>
<ol type="a">
<li>Under <strong>Web Service Description Extension</strong>, select an existing service reference or click <strong>Add</strong> to create a new extension.</li>
<li>Under <strong>Port Component Binding</strong>, select an existing port-qualified name of the selected service reference or click<strong> Add</strong> to create a new one.</li>
<li>Under <strong>Request Receiver Service Configuration Details: Login Config</strong>, select an exiting authentication method or click <strong>Add</strong> and enter a new method in the <strong>Add AuthMethod</strong> field that displays. You can select multiple authentication methods for the request receiver. The security token of the incoming message is authenticated against the authentication methods in the order that they are specified in the list.</li>
</ol><p></p></li>
<li><p>Click the <strong>Bindings</strong> tab. The Web Services Bindings editor displays. Under <strong>Web Service Description Bindings</strong>, select an existing entry or click <strong>Add</strong> to add a new Web services descriptor.</p></li>
<li><p>Click the <strong>Binding Configurations</strong> tab. The Web Services Binding Configurations editor displays for the selected Web services descriptor. Under <strong>Request Receiver Binding Configuration Details: Login Mapping</strong>, click <strong>Add</strong> to create a new login mapping or click <strong>Edit</strong> to edit existing selected login mapping.</p>
<p>The Login mapping dialog displays. Specify the following settings:</p>
<ol type="a">
<li>In the <strong>Authentication method</strong> field, enter the authentication method. The information entered in this field must match the authentication method defined on the <strong>Security Extensions</strong> tab for the same Web service port. This is a mandatory field.</li>
<li>In the <strong>Configuration name</strong> field, enter a JAAS login configuration name. You must define the JAAS login configuration name in the WebSphere administrative console under <strong> Security --&gt; JAAS Configuration --&gt; Application Logins</strong>). This is a mandatory field. For more information, see <a href="../sec/seccjaas.htm">Configure JAAS login</a> in the <em>Security</em> topic.</li>
<li>(Optional) Select <strong>Use Token value type</strong> and enter the token value type information in the <strong>URI</strong> and <strong>Local name</strong> fields. This information is optional for BasicAuth, Signature and IDAssertion authentication methods, but required for any other authentication method. The token value type is used to validate the &lt;wsse:BinarySecurityToken&gt;@ValueType element for binary security tokens and to validate the namespace of the XML-based token.</li>
<li>Under <strong>Callback Handler Factory</strong>, enter an implementation of the com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory interface in the <strong>Class name</strong> field. This field is mandatory. See <a href="wssecplugtokval.htm">Validating a pluggable token</a> for instructions on how to develop a CallbackHandlerFactory and JAAS Login Configuration to validate the security token of the incoming message.</li>
<li>Under <strong>Callback Handler Factory Property</strong>, click <strong>Add</strong> and enter the name and value pairs for the Callback Handler Factory Property. These name and value pairs are passed as a java.util.Map data type to the com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory.init() method. The usage of these name and value pairs is determined by the CallbackHandlerFactory implementation chosen.</li>
<li>Under Login Mapping Property, click <strong>Add</strong> and enter the name and value pairs for the Login Mapping Property. These name and value pairs are available to the JAAS Login Module or Modules through thecom.ibm.wsspi.wssecurity.auth.callback.PropertyCallback JAAS Callback interface. Click <strong>Remove</strong> to delete selected login mapping.</li>
<li>Click <strong>OK</strong>.</li>
</ol><p></p></li>
<li><p>Save the file.</p></li>
</ol>
<p><strong>Configure pluggable tokens with WebSphere administrative console</strong></p>
<p>Prior to completing these steps, it is assumed that you deployed a Web services-enabled enterprise application to the WebSphere Application Server - Express.</p>
<p>Perform the following steps in the administrative console:</p>
<ol>
<li><p>Click <strong>Applications --&gt; Enterprise Applications --&gt; <em>enterprise_application</em></strong>, where <em>enterprise_application</em> is the name of your enterprise application.</p></li>
<li><p>Under <strong>Related Items</strong>, click <strong>Web Modules --&gt; <em>Uri</em></strong>, where <em>Uri</em> is the URI of your Web services-enabled module.</p></li>
<li><p>(Optional) If the Web service is acting as a client, configure the client bindings. Under Additional Properties, click <strong>Web Services: Client Security Bindings</strong> to edit the response sender binding information, if Web services is acting as client. Specify the following settings:</p>
<ol type="a">
<li><p>Under Response Sender Binding, click <strong>Edit.</strong></p></li>
<li><p>Under Additional Properties, click<strong> Login Binding</strong>.</p></li>
<li><p>Select <strong>Dedicated Login Binding</strong> to define a new login binding. Specify the following settings:</p>
<ol type="i">
<li>Enter the authentication method, this must match the authentication method defined in the IBM extension deployment descriptor. The authentication method must be unique in the binding file.</li>
<li>Enter the name of your JAAS javax.security.auth.callback.CallbackHandler implementation. For more information, see <a href="wssecplugtokgen.htm">Generating a pluggable token</a>.</li>
<li>Enter the basic authentication information (User ID and Password). The basic authentication information is passed to the construct of the CallbackHandler implementation. The usage of the basic authentication information defined by the implementation of the CallbackHandler.</li>
<li>Enter the token value type, it is optional for BasicAuth, Signature and IDAssertion authentication methods but required for any other authentication method. The token value type is inserted into the &lt;wsse:BinarySecurityToken&gt;@ValueType for binary security token and used as the namespace of the XML-based token.</li>
<li>Click <strong>Properties</strong>. Define the property with name and value pairs. These pairs are passed to the construct of the CallbackHandler implementation as java.util.Map data types.</li>
</ol></li>
</ol><p></p></li>
<li><p>Under <strong>Additional Properties</strong>, click <strong>Web Services: Server Security Bindings</strong> to edit the request receiver binding information. Specify the following settings:</p>
<ol type="a">
<li><p>Under <strong>Request Receiver Binding</strong>, click <strong>Edit</strong>.</p></li>
<li><p>Under <strong>Additional Properties</strong>, click <strong>Login Mappings</strong>. Click <strong>New</strong> to create new login mapping. Specify the following settings:</p>
<ol type="i">
<li>Enter the authentication method, this must match the authentication method defined in the IBM extension deployment descriptor. The authentication method must be unique in the login mapping collection of the binding file.</li>
<li>Enter a JAAS Login Configuration name. The JAAS Login Configuration must be defined in the <strong>Security --&gt; JAAS Configuration --&gt; Application Logins</strong> settings. For more information, see <a href="../sec/seccjaas.htm">Configure JAAS login</a> in the <em>Security</em> topic.</li>
<li>Enter the name of your com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory implementation. See <a href="wssecplugtokval.htm">Validating a pluggable token</a> for more information. This is a mandatory field.</li>
<li>Enter the token value type. This setting is optional for BasicAuth, Signature and IDAssertion authentication methods but required for any other authentication method. The token value type is used to validate against the &lt;wsse:BinarySecurityToken&gt;@ValueType for binary security token and against the namespace of the XML-based token.</li>
<li>Enter the name and value pairs for the <strong>Login Mapping Property</strong> by clicking <strong>Properties</strong>. These name and value pairs are available to the JAAS login module or modules by the com.ibm.wsspi.wssecurity.auth.callback.PropertyCallback JAAS callback.</li>
<li>Enter the name and value pairs for the <strong>Callback Handler Factory Property</strong> These name and value pairs are passed as java.util.Map data types to the om.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory.init() method. The usage of these name and value pairs is dependent on the CallbackHandlerFactory implementation.</li>
</ol></li>
</ol><p></p></li>
<li><p>Save the configuration.</p></li>
</ol>
<p>You can also define login mappings for the server-level and cell-level default binding configuration (ws-security.xml). To define the login mappings for the server-level default binding configuration, perform these steps in the administrative console:</p>
<ol>
<li><p>Click <strong>Servers --&gt; Application Servers --&gt; <em>server_name</em></strong>, where <em>server_name</em> is the name of your application server.</p></li>
<li><p>Under Related Items, click <strong>Web Services: Default bindings for Web Services Security</strong> and then follow the steps outlined previously for creating or editing login mappings for <strong>Web Services: Server Security Bindings</strong>.</p></li>
<li><p>To define the login mappings for the cell-level default binding configuration, click <strong>Security --&gt; Web Services</strong> and then follow the steps outlined previously for creating or editing login mappings for <strong>Web Services: Server Security Bindings</strong>.</p></li>
<li><p>Save the configuration.</p></li>
</ol>
</body>
</html>