friedkiwi/ibm-information-center
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
14ed2849c6
ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/webserv/wsseccfadigsv.htm

137 lines
6.4 KiB
HTML
Raw Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Configure the server for Web service signature authentication</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h6><a name="wsseccfadigsv"></a>Configure the server for Web service signature authentication</h6>
<p>This task is used to configure signature authentication at the server. <em>Signature</em> refers
to the an X.509 certificate sent by the client to the server. The certificate is used to authenticate
to the user registry configured at the server. After a request is received by the server that contains
certificate, the server needs to log in to form a credential. The credential is used for authorization.
If the certificate supplied cannot be mapped to an entry in the user registry, an exception is thrown
and the request ends without invoking the resource. For more information, see <a href="wssecsignauth.htm">Digital signature authentication method</a>.</p>
<p>Perform the following steps in the WebSphere Development Studio Client for iSeries to configure the
server for Web services signature authentication:</p>
<ol>
<li><p>Open the webservices.xml deployment descriptor for your Web services application in the Web
Services Editor of the WebSphere Development Studio Client for iSeries. For more information, see <a href="astk.htm">Configure your Web services application</a>.</p></li>
<li><p>Click the <strong>Security Extensions</strong> tab.</p></li>
<li><p>Expand the <strong>Request Receiver Service Configuration Details --&gt; Login Config</strong>
settings. Select <strong>Signature</strong> to authenticate the client using an X509 certificate.</p>
<p>The certificate that is sent from the client is the certificate used for signing the message. You
must be able to map this certificate to the configured user registry. For Local OS, the common name
(cn) of the distinguished name (DN) is mapped to a user ID in the registry. For LDAP, you can configure
multiple mapping modes:</p>
<ul>
<li><p><strong>EXACT_DN</strong>
<br>This default mode directly maps the DN of the certificate to an entry in the LDAP
server.</p></li>
<li><p><strong>CERTIFICATE_FILTER</strong>
<br>With this mode, the LDAP advanced configuration has a place to specify a filter that maps
specific attributes of the certificate to specific attributes of the LDAP server.</p></li>
</ul></li>
<li><p>Save the file.</p></li>
</ol>
<p>Next, perform the following steps in the Web Services Editor to specify how the signature
authentication information is validated:</p>
<ol><li><p>Click the <strong>Binding Configurations</strong> tab.</p></li>
<li><p>Expand the <strong>Request Receiver Binding Configuration Details --&gt; Login Mapping</strong>
settings.</p></li>
<li><p>Click <strong>Edit</strong> to view the login mapping information or click <strong>Add</strong>
to add new login mapping information. The login mapping dialog is displayed.</p></li>
<li><p>Select or enter the following information:</p>
<table border="1" cellpadding="3" cellspacing="0">
<tr valign="top">
<th>Name</th>
<th>Purpose</th>
</tr>
<tr valign="top">
<td><strong>Authentication method</strong></td>
<td>The authentication method specifies the type of authentication that will occur. Select <strong>
Signature</strong> to use signature authentication.</td>
</tr>
<tr valign="top">
<td><strong>Configuration name</strong></td>
<td>This specifies the Java Authentication and Authorization Service (JAAS) login configuration name.
For the signature authentication method, enter <tt>system.wssecurity.Signature</tt> for the JAAS login
configuration name. This specification logs in with the
com.ibm.wsspi.wssecurity.auth.<br>module.SignatureLoginModule JAAS login module.</td>
</tr>
<tr valign="top">
<td><strong>Use Token value type</strong></td>
<td>This determines if you want to specify a custom token type. For the default authentication method
selections, you do not need to specify a value.</td>
</tr>
<tr valign="top">
<td><strong>URI</strong> and <strong>Local name</strong></td>
<td>When you select <strong>Signature</strong>, you cannot edit the token value type URI and local name
values. These values are specifically for custom authentication types. For signature authentication,
you do not need to enter any information.</td>
</tr>
<tr valign="top">
<td><strong>Callback Handler factory class name</strong></td>
<td>This class name creates a JAAS CallbackHandler implementation that understands the following
callback handlers:
<ul>
<li>javax.security.auth.callback.<br>NameCallback</li>
<li>javax.security.auth.callback.<br>PasswordCallback</li>
<li>com.ibm.wsspi.wssecurity.auth.callback.<br>BinaryTokenCallback</li>
<li>com.ibm.wsspi.wssecurity.auth.callback.<br>XMLTokenReceiverCallback</li>
<li>com.ibm.wsspi.wssecurity.auth.callback.<br>PropertyCallback</li>
</ul>
<p>For any of the default Authentication methods (BasicAuth, IDAssertion, Signature), use the callback
handler factory default implementation. Enter the following class name for any of the default
authentication methods including signature:
<tt>com.ibm.wsspi.wssecurity.auth.callback.<br>WSCallbackHandlerFactoryImpl</tt>. This implementation
creates the correct callback handler for the default implementations.</p></td>
</tr>
<tr valign="top">
<td><strong>Callback handler factory property name</strong> and <strong>Callback handler factory
property value</strong></td>
<td>This field is used to specify callback handler properties for custom callback handler factory
implementations. You do not need to specify any properties for the default callback handler factory
implementation. For signature, you do not need to enter any properties for this field.</td>
</tr>
<tr valign="top">
<td><strong>Login mapping property name</strong> and <strong>Login mapping property value</strong></td>
<td>This field is used to specify properties for a custom login mapping to use. For the default
implementations including signature, you do not need to enter any properties for this field.</td>
</tr>
</table><p></p></li>
<li><p>Save the file.</p></li>
</ol>
<p><strong>Note: </strong>Examples may be wrapped for display purposes.</p>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink