Default bindings for Web services

Certain applications can share certain binding information. This includes trust stores, key stores, and authentication method (token validation). WebSphere Application Server - Express provides support for default binding information. This means administrators can define binding information at the server level, and applications can refer to the binding information. The default binding information is defined in ws-security.xml and can be administered by either the administrative console or by scripting.

The following binding information can be defined in the ws-security.xml file:

• Trust anchors (trust store)
  • Trust anchors contain key store configuration information that has the root-trusted certificates. Trust anchors are used for certificate path validation of the incoming X.509-formatted security tokens.
  • The Trust Anchor Name is used in the binding file (ibm-webservices-bnd.xmi and ibm-webservicesclient-bnd-xmi when Web services is running as client) to refer to the trust anchor defined in the default binding information. The Trust Anchor Name must be unique in the trust anchor collection.

• Collection certificate store
  • The collection certificate store specifies a list of untrusted, intermediate certificates and is used for certificate path validation of incoming X.509-formatted security tokens. The default provider is IBMCertPath.
  • The Certificate Store Name is used in the binding file (ibm-webservices-bnd.xmi and ibm-webservicesclient-bnd-xmi when Web services is running as client) to refer to the certificate store defined in the default binding information. The Certificate Store Name must be unique to the collection certificate store collection.

• Key locators
  • Key locators specify implementation of the com.ibm.wsspi.wssecurity.config.KeyLocator interface. This interface is used to retrieve keys for signature or encryption. Customer implementation can be provided to extend the key locator interface to retrieve keys using other methods. WebSphere Application Server - Express provides implementations to retrieve a key from the key store, map an authenticated identity to a key in the key store, or retrieve a key from the signer certificate (the latter two are used for encrypting the response).
  • The Key Locator Name is used in the binding file (ibm-webservices-bnd.xmi and ibm-webservicesclient-bnd-xmi when Web services is running as client) to refer to the key locator defined in the default binding information. The Key Locator Name must be unique to the key locators collection in the default binding information.

• Trusted ID evaluators
  • Trusted ID evaluators are an implementation of the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator interface. This interface is used to make sure the identity-asserting authority is trusted. Additionally, you can extend the trusted identity evaluator to validate the trust. WebSphere Application Server - Express provides a default implementation for validating trust based on a pre-defined list of identities.
  • The Trusted ID Evaluator Name is used in the binding file (ibm-webservices-bnd.xmi) to refer to the trusted identity evaluator defined in the default binding information. The Trusted ID Evaluator Name must be unique to the Trusted ID Evaluator collection.

• Login mappings
  • The login mappings define the mapping of the AuthMethod to JAAS Login Configuration. The mappings are used to authenticate the incoming security token embedded in the Web services security SOAP message header. The JAAS Login Configuration is defined in the administrative console under Security --> JAAS Configuration --> Application Logins.
  • WebSphere Application Server - Express defines BasicAuth (authenticates user name and password), Signature (maps the subject distinguished name (DN) in the certificate to a WebSphere Application Server - Express credential), and IDAssertion (maps the identity to a WebSphere Application Server - Express credential). After identity authentication, the associated credential is used in the downstream call.
  • This can be extended to authenticate custom security tokens by providing custom JAAS Login Configuration and using the com.ibm.wsspi.wssecurity.auth.module.WSSecurityMappingModule to create the principal and credential required by WebSphere Application Server - Express.
  • If LoginConfig (AuthMethod) is defined in the IBM extension deployment descriptor (ibm-webservices-ext.xmi), but there are no login mapping bindings (ibm-webservices-bnd.xmi) defined for the AuthMethod, Web services security run time uses the login mapping defined in the default binding information.

In WebSphere Application Server - Express, each server has a copy of the ws-security.xml file (default binding information for Web services security). To navigate to the server-level default binding in the administrative console, click Servers --> Application Servers --> server_name --> Web Services: Default bindings for Web Services Security, where server_name is the name of your application server.

Figure 1: Web services security application level bindings and server level default binding information.

Web services security run time uses the binding information in the Web module binding file (ibm-webservices-bnd.xmi or ibm-webservicesclient-bnd.xmi if Web services is acting as client on the server) if the binding information is defined in the application level binding file. For example, if key locator K1 is defined in both the application level binding file and the default binding file (ws-security.xml), the K1 in the application level binding file is used.