Managing policy set attachments using the wsadmin tool

Use the wsadmin tool to manage your policy set attachment configurations. You can use the Jython or Jacl scripting language to list all attachments and attachment properties, add or remove resources for an existing attachment, and transfer attachments across policy sets.

Before you begin

When administrative security is enabled, verify that you use the correct administrative role, as the following table describes:
Table 1. Administrative roles . The administrative role determines if you can manage policy set attachments.
Administrative role Authorization
Administrator The Administrator role must have cell-wide access to manage policy set attachments. If you have access to a specific resource only, you can manage policy set attachments for the resource for which you have access.
Configurator The Configurator role must have cell-wide access to manage policy set attachments. If you have access to a specific resource only, you can manage policy set attachments for the resource for which you have access.
Deployer The Deployer role with cell-wide or resource specific access can manage policy set attachments for application resources only.
Operator The Operator role cannot manage policy set attachments.
Monitor The Monitor role cannot manage policy set attachments.

About this task

Policy set attachments define how a policy set is attached to resources and binding configurations.

Procedure

  • Query the configuration for policy set attachments and attachment properties.

    Before making configuration changes to your policy set attachments, use the listAttachmentsForPolicySet and getPolicySetAttachments commands to view current configuration information about your policy set attachments.

    1. Start the wsadmin scripting tool.
    2. Use the listAttachmentsForPolicySet command to view all applications to which a specific policy set is attached, for example: 
      AdminTask.listAttachmentsForPolicySet('[-policySet PolicySet1]')
      Use the -attachmentType parameter to narrow your query. You can query for provider or client attachments.
      Note: The application and system/trust values for the -attachmentType parameter are deprecated. Specify the provider value in place of the application value. For system policy set attachments, specify the provider value for the attachmentType parameter. For a trust client attachment, or a WSNClient attachment, specify the client value for the attachmentType parameter.
    3. Use the getPolicySetAttachments command to view the properties for all policy set attachments in a specified application, for example: 
      AdminTask.getPolicySetAttachments('[-applicationName application1]')
      Use the -attachmentType parameter to narrow your query. You can query for provider or client attachments.
  • Determine the assets to which a specific policy set is attached.
    Use the listAssetsAttachedToPolicySet command to display the assets that are attached to the policy set of interest, as the following example demonstrates:
    AdminTask.listAssetsAttachedToPolicySet('[-policySet SecureConversation]')

    The command returns a list of properties that describe each asset. Each properties object contains the assetType property, which specifies the type of asset.

  • Modify resources that apply to a policy set attachment.
    1. Start the wsadmin scripting tool.
    2. Determine the resource of interest and review the command syntax for the updatePolicySetAttachment command.

      For the commands in the PolicySetManagement group, the term resource refers to a web service artifact. For application and service client policy sets, the artifacts use the application hierarchy. The application hierarchy includes a web service, module name, endpoint, or operation. Enter the value for the -resource parameter as a string, with a backslash ( / ) character as a delimiter.

      Note: When attempting to connect to a web service from a thin client, verify that the resources you are specifying are valid before running the updatePolicySetAttachment command. No configuration changes are made if the requested resource does not match a resource in the attachment file for the application.
      Use the following format for application and client policy set attachments:
      • WebService:/

        Attaches all artifacts in the application to the policy set.

      • WebService:/webapp1.war:{https://www.ibm.com}myService

        Attaches all artifacts within the web service {https://www.ibm.com}myService to the policy set. You must provide a fully qualified name (QName) for the service.

      • WebService:/webapp1.war:{https://www.ibm.com}myService/endpointA

        Attaches all operations for the endpointA endpoint to the policy set.

      • WebService:/webapp1.war:{https://www.ibm.com}myService/endpointA/operation1

        Attaches only the operation1 operation to the policy set.

      The format for the -resource string differs for system policy set attachments for the trust service. Use the following format for system policy set attachments:
      • Trust.opName:/

        The opName attribute can be issue, renew, cancel, or validate.

      • Trust.opName:/url

        The opName attribute can be issue, renew, cancel, or validate. You can specify any valid URL for the url attribute.

    3. Modify the attachment.
      For example, the policy set attachment is connected to the operation1 operation, which is a specific single operation. To attach the 124 attachment to all operations for the endpointA endpoint, enter the following command:
      AdminTask.updatePolicySetAttachment('[-attachmentId 124 -resources 
"WebService:/webapp1.war:{https://www.ibm.com}myService/endpointA" -applicationName application1]')
      Note: The updatePolicySetAttachment command replaces all existing resources for an attachment with the resources specified in the command. You can also update your policy set attachments using the addToPolicySetAttachment command to add resources to an existing attachment, or you can also use the createPolicySetAttachment command to create an attachment for a specific resource. For more information about these commands reference the commands for the PolicySetManagement group for the AdminTask object.
    4. Save the configuration changes.
      Enter the following command to save your changes:
      AdminConfig.save()
  • Remove resources that apply to a policy set attachment.
    1. Start the wsadmin scripting tool.
    2. Determine which resources to remove with the command. You can remove a resource for each web service artifact, each operation for an endpoint, or for a specific operation.
      In the following example, the command removes the newAttach attachment from operation1, which is associated with the plantShop application.
      AdminTask.removeFromPolicySetAttachment('[-attachmentId newAttach -resources 
"WebService:/webapp1.war:{https://www.ibm.com}myPlantService/endpointA/operation1" -applicationName 
plantShop]')
      The command returns a success or failure message.
    3. Save the configuration changes.
      Enter the following command to save your changes:
      AdminConfig.save()
  • Transfer attachments from one policy set to another policy set.
    This command detaches each web service from the source policy set and attaches those web services to the destination policy set. The destination policy set must have the same set of enabled policy types as the source policy set.
    1. Enter the following command to transfer all attachments: 
      AdminTask.transferAttachmentsForPolicySet('[-sourcePolicySet PolicySet1 
-destinationPolicySet PolicySet2]')
      The command returns a success or failure message.
    2. Save the configuration changes.
      Enter the following command to save your changes:
      AdminConfig.save()