Protection token settings (generator or consumer)

Use this page to configure protection tokens. Protection tokens sign messages to protect integrity or encrypt messages to provide confidentiality.

You can add protection token settings for message parts when you are editing a default cell or server binding. You can also configure custom bindings for tokens and message parts that are required by the policy set.

To view this administrative console page when you are editing a default cell binding, complete the following actions:
  1. Click Services > Policy sets > Default policy set bindings.
  2. Click the WS-Security policy in the Policies table.
  3. Click the Authentication and protection link in the Main message security policy bindings section.
  4. Click New token to create a new token generator or consumer or click an existing consumer or generator token link from the Protection Tokens table.
To view this administrative console page when you are configuring custom bindings for tokens and message parts that are required by the policy set, complete the following actions:
  1. Click Applications > WebSphere enterprise applications.
  2. Select an application that contains Web services. The application must contain a service provider or a service client.
  3. Click the Service provider policy sets and bindings link or the Service client policy sets and bindings link in the Web Services Properties section.
  4. Select a binding. You must have previously attached a policy set and assigned a custom binding.
  5. Click the WS-Security policy in the Policies table.
  6. Click the Authentication and protection link in the Main message security policy bindings section.
  7. Click a consumer or generator token link from the Protection Tokens table.

This administrative console page applies only to Java™ API for XML Web Services (JAX-WS) web services.

Name

Specifies the token generator or consumer name. Enter a name in this field when you create a new token.

Token type

Specifies the type of token. When using custom bindings, the token type is determined from the policy and cannot be edited.

Valid values are:
  • LTPA Token v2.0
  • Secure Conversation Token v1.3
  • Secure Conversation Token v200502
    Note: The Secure Conversation Token v200502 token type for the WS-Security policy represents the requirement for a Security Context Token as defined in the February 2005 level of the WS-SecureConversation specification.
  • X509V3 Token v1.1
  • X509V3 Token v1.0
  • X509PKCS7 Token v1.1
  • X509PKCS7 Token v1.0
  • X509PkiPathV1 Token v1.1
  • X509PkiPathV1 Token v1.0
  • X509V1 Token v1.1
  • Custom Token

Enforce token version

Local name

Specifies the local name of the custom token generator or consumer. The Local name field is populated based on the token type displayed. Use this field to edit custom token types only.

If the custom token type is used to generate a Kerberos token as defined in the OASIS Web Services Security Specification for Kerberos Token Profile v1.1, use one of the values listed below for the local name. The value you choose depends on the specification level of the Kerberos token generated by the Key Distribution Center (KDC). The table below lists the values and the specification level associated with each value. For purposes of interoperability, the Basic Security Profile v1.1 standard requires the use of the local name http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ.

Local name value for Kerberos token, with the associated specification level:

  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
    Kerberos v5 AP-REQ as defined in the Kerberos specification. Use this value when the Kerberos ticket is an AP Request.
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
    GSS-API Kerberos V5 mechanism token containing a KRB_AP_REQ message as defined in RFC 1964, Sec. 1.1, and its successor RFC 4121, Sec. 4.1. Use this value when the Kerberos ticket is an AP Request (ST + Authenticator).
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
    Kerberos v5 AP-REQ as defined in RFC 1510. Use this value when the Kerberos ticket is an AP Request per RFC 1510.
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
    GSS-API Kerberos V5 mechanism token containing a KRB_AP_REQ message as defined in RFC 1964, Sec. 1.1, and its successor RFC 4121, Sec. 4.1. Use this value when the Kerberos ticket is an AP Request (ST + Authenticator) per RFC 1510.
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120
    Kerberos v5 AP-REQ as defined in RFC 4120. Use this value when the Kerberos ticket is an AP Request per RFC 4120.
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120
    GSS-API Kerberos V5 mechanism token containing a KRB_AP_REQ message as defined in RFC 1964, Sec. 1.1, and its successor RFC 4121, Sec. 4.1. Use this value when the Kerberos ticket is an AP Request (ST + Authenticator) per RFC 4120.

URI

Specifies the uniform resource identifier (URI) of the custom token generator or consumer. The URI field is populated based on the token type displayed. Use this field to edit custom token types only.

Leave this field blank if the custom token type is used to generate a Kerberos token as defined in the OASIS Web Services Security Specification for Kerberos Token Profile v1.1.

JAAS login

Specifies the Java Authentication and Authorization Service (JAAS) application login information. Click New to add a new JAAS application login or JAAS system login entry.

If the server is in a security domain that includes specific system or application logins, these logins will be listed in the JAAS login drop-down menu, in addition to the global logins.

If the custom token type is used to generate a Kerberos binary security token, select wss.generate.KRB5BST as the JAAS login module for the token generation, wss.consume.KRB5BST for the token consumer, and wss.consume.KRB5BSTDefaultIdMapping for the default local user ID mapping with the token consumer.

Custom properties – Name

Specifies the name of the custom property. Custom properties are not initially displayed in this column until they are added.

Select one of the following actions for custom properties:

Button    Resulting action
New       Creates a new custom property entry. To add a custom property, enter the name and value.
Edit      Edits the selected custom property. Select this action to display input fields for the name and value of the selected property. The Edit button is not available until at least one custom property has been added.
Delete    Removes the selected custom property.

Custom properties – Value

Specifies the value of the custom property. Use the Value field to enter, edit, or delete the value for a custom property.

If the custom token type is used to generate a Kerberos token, add a custom property whose name is com.ibm.wsspi.wssecurity.krbtoken.serviceSPN and whose value is the target Kerberos service principal name (SPN). For the token generator, the SPN is the target Kerberos service principal name: the Kerberos client requests the initial Kerberos token for that SPN. For the token consumer, the SPN is the Kerberos principal that accepts the initial Kerberos token.
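The rules this page states for a custom Kerberos token (one of the six Kerberos Token Profile v1.1 local names, a blank URI, a KRB5BST JAAS login that matches the generator or consumer role, and a serviceSPN custom property) are easy to get wrong in the console, and a wrong entry only fails at run time. The following script is an added example, not IBM code and not a WebSphere API: it models a token entry with the same fields as this page and lints it against those rules. The sample entries and the SPN HTTP/ws.example.com@EXAMPLE.COM are constructed for illustration.

```python
"""Added example (not IBM's code): lint a protection-token entry against the rules
this page states for a custom token that carries a Kerberos AP-REQ."""
from dataclasses import dataclass, field

KRB_PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#"

# The six local names the page lists for the Kerberos Token Profile v1.1.
KERBEROS_LOCAL_NAMES = {
    KRB_PROFILE + suffix
    for suffix in (
        "Kerberosv5_AP_REQ", "GSS_Kerberosv5_AP_REQ",
        "Kerberosv5_AP_REQ1510", "GSS_Kerberosv5_AP_REQ1510",
        "Kerberosv5_AP_REQ4120", "GSS_Kerberosv5_AP_REQ4120",
    )
}
# Basic Security Profile v1.1 requires this local name for interoperability.
BSP11_LOCAL_NAME = KRB_PROFILE + "GSS_Kerberosv5_AP_REQ"
# Custom property NAME; its VALUE is the target service principal name.
SPN_PROPERTY = "com.ibm.wsspi.wssecurity.krbtoken.serviceSPN"
# JAAS logins the page names for each side of the exchange.
KRB_JAAS_LOGINS = {
    "generator": {"wss.generate.KRB5BST"},
    "consumer": {"wss.consume.KRB5BST", "wss.consume.KRB5BSTDefaultIdMapping"},
}


@dataclass
class ProtectionToken:
    """One token generator or consumer, with the fields shown on the console page."""
    name: str
    role: str                       # "generator" or "consumer"
    token_type: str
    local_name: str = ""
    uri: str = ""
    jaas_login: str = ""
    custom_properties: dict = field(default_factory=dict)


def lint_kerberos_token(tok: ProtectionToken) -> list:
    """Return the list of rule violations; an empty list means the entry is consistent."""
    if tok.token_type != "Custom Token":
        return [f"{tok.name}: Kerberos rules apply only to the Custom Token type"]
    problems = []
    if tok.local_name not in KERBEROS_LOCAL_NAMES:
        problems.append(f"{tok.name}: local name is not a Kerberos Token Profile v1.1 value")
    elif tok.local_name != BSP11_LOCAL_NAME:
        problems.append(f"{tok.name}: local name is not the BSP v1.1 interoperable value")
    if tok.uri.strip():
        problems.append(f"{tok.name}: URI must be left blank for a Kerberos token")
    if tok.jaas_login not in KRB_JAAS_LOGINS.get(tok.role, set()):
        problems.append(f"{tok.name}: JAAS login {tok.jaas_login!r} is not a KRB5BST login for a {tok.role}")
    spn = tok.custom_properties.get(SPN_PROPERTY, "").strip()
    if not spn:
        problems.append(f"{tok.name}: custom property {SPN_PROPERTY} is missing or empty")
    return problems


# Constructed entries: a correct generator and a consumer with four common mistakes.
GOOD_GENERATOR = ProtectionToken(
    name="krb_gen", role="generator", token_type="Custom Token",
    local_name=BSP11_LOCAL_NAME, jaas_login="wss.generate.KRB5BST",
    custom_properties={SPN_PROPERTY: "HTTP/ws.example.com@EXAMPLE.COM"},  # hypothetical SPN
)
BAD_CONSUMER = ProtectionToken(
    name="krb_con", role="consumer", token_type="Custom Token",
    local_name=KRB_PROFILE + "Kerberosv5_AP_REQ4120",   # valid, but not the BSP v1.1 value
    uri="http://example.com/krb",                        # must be blank
    jaas_login="wss.generate.KRB5BST",                   # generator login on a consumer
    # property name and value swapped, so the serviceSPN property is never found
    custom_properties={"HTTP/ws.example.com@EXAMPLE.COM": SPN_PROPERTY},
)

if __name__ == "__main__":
    for tok in (GOOD_GENERATOR, BAD_CONSUMER):
        print(tok.name, lint_kerberos_token(tok) or ["ok"])
```

The swapped-property mistake in the constructed consumer is the one to watch for: the console accepts any name/value pair, so the property is silently ignored and the consumer has no SPN to accept the ticket for.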

Callback handler

After all other configurations on the protection token page are applied or saved, this section appears and links to the configuration settings for the callback handler. Click this link to specify callback handler settings that determine how security tokens are acquired from message headers.

Tolerate Secure Conversation Token v200502

The Secure Conversation Token v200502 token type for the WS-Security policy represents the requirement for a Security Context Token as defined in the February 2005 level of the WS-SecureConversation specification. This option specifies whether the provider handles both Secure Conversation Token v1.3 and Secure Conversation Token v200502. By default, the provider handles both versions. Clear the check box so that the provider handles only the v1.3 token.

Data type      Check box
Range          Selected or unselected
Default value  Selected
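What the check box decides is which WS-SecureConversation namespace the consumer accepts on an incoming SecurityContextToken. The following script is an added example, not WebSphere's consumer code: it takes the two namespaces (the 1.3 namespace http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512 and the February 2005 namespace http://schemas.xmlsoap.org/ws/2005/02/sc), builds a constructed SOAP request carrying an SCT in one of them, and shows that the v200502 token is accepted only while tolerance is on. The function names and the sample Identifier value are this example's own.

```python
"""Added example (not WebSphere code): accept or reject a SecurityContextToken by
WS-SecureConversation version, as the Tolerate Secure Conversation Token v200502
option on this page decides."""
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSC_V13 = "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"   # v1.3
WSC_V200502 = "http://schemas.xmlsoap.org/ws/2005/02/sc"                    # February 2005


def accepted_sct_namespaces(tolerate_v200502=True):
    """Namespaces whose SecurityContextToken the consumer will handle."""
    allowed = {WSC_V13}
    if tolerate_v200502:
        allowed.add(WSC_V200502)
    return allowed


def consume_sct(soap_xml, tolerate_v200502=True):
    """Return (namespace, Identifier text) of the SCT found in wsse:Security.
    Raise ValueError when there is no SCT or its version is not accepted."""
    root = ET.fromstring(soap_xml)
    security = root.find(f"{{{SOAP11}}}Header/{{{WSSE}}}Security")
    if security is None:
        raise ValueError("no wsse:Security header")
    for child in security:
        if child.tag.endswith("}SecurityContextToken"):
            ns = child.tag[1:child.tag.index("}")]
            if ns not in accepted_sct_namespaces(tolerate_v200502):
                raise ValueError(f"SecurityContextToken version not accepted: {ns}")
            ident = child.find(f"{{{ns}}}Identifier")
            return ns, (ident.text if ident is not None else None)
    raise ValueError("no SecurityContextToken in wsse:Security")


def sct_accepted(soap_xml, tolerate_v200502=True):
    """Boolean form of consume_sct."""
    try:
        consume_sct(soap_xml, tolerate_v200502)
        return True
    except ValueError:
        return False


def sample_message(sct_ns, identifier="urn:uuid:0000-example"):
    """Constructed request carrying an SCT in the given namespace (no real session)."""
    return f"""<S:Envelope xmlns:S="{SOAP11}">
  <S:Header>
    <wsse:Security xmlns:wsse="{WSSE}">
      <wsc:SecurityContextToken xmlns:wsc="{sct_ns}">
        <wsc:Identifier>{identifier}</wsc:Identifier>
      </wsc:SecurityContextToken>
    </wsse:Security>
  </S:Header>
  <S:Body/>
</S:Envelope>"""


if __name__ == "__main__":
    for ns in (WSC_V13, WSC_V200502):
        for tolerate in (True, False):
            mode = "tolerate" if tolerate else "strict"
            print(ns.rsplit("/", 1)[-1], mode, sct_accepted(sample_message(ns), tolerate))
```

Clearing the option is the tighter setting: a client still sending the February 2005 token is then rejected at the consumer instead of being silently accepted, which is what you want once every client has moved to v1.3.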




Related tasks
Related reference
Callback handler settings
Application policy sets collection
Application policy set settings
Search attached applications collection
Policy set bindings settings


File name: uwbs_wsspsbpt.html