General sample bindings for JAX-WS applications

You can use sample bindings with the administrative console for testing purposes. The configurations that you specify are reflected on the cell or server level.

WebSphere® Application Server Version 7.0 and later includes provider and client sample bindings for testing purposes. In the bindings, the product provides sample values for supporting tokens of different token types, such as the X.509 token, the username token, the LTPA token, and the Kerberos token. The bindings also include sample values for message protection information for token types such as X.509 and secure conversation. Both provider and client sample bindings can be applied to applications that are attached to a system policy set or an application policy set from the default local repository.

This information describes the general sample bindings for the Java™ API for XML-Based Web Services (JAX-WS) programming model. You can develop web services using the Java API for XML-based RPC (JAX-RPC) programming model, or for WebSphere Application Server Version 7.0 and later, using the Java API for XML-Based Web Services (JAX-WS) programming model. Sample general bindings may differ depending on which programming model you use. The following sections, describing various general sample bindings, are provided:
Best practices: IBM® WebSphere Application Server supports the Java API for XML-Based Web Services (JAX-WS) programming model and the Java API for XML-based RPC (JAX-RPC) programming model. JAX-WS is a web services programming model that extends the foundation provided by the JAX-RPC programming model. The JAX-WS programming model simplifies development of web services and clients through support of a standards-based annotations model. Although the JAX-RPC programming model and applications are still supported, take advantage of the easy-to-implement JAX-WS programming model to develop new web services applications and clients.

Do not use these provider and client sample bindings in their default state in a production environment. You must modify the bindings to meet your security needs before using them in a production environment by making a copy of the bindings and then modifying the copy. For example, you must change the key and keystore settings to ensure security, and modify the binding settings to match your environment.

Avoid trouble: After making a copy of the provider or client sample bindings, only customize the settings of your new copy to suit your purposes. Do not remove anything from your binding copy, such as token generators, token consumers, sign parts, or encrypt parts. You can add things to your binding copy if needed, but deleting information can cause unanticipated errors at run time.
One set of general default bindings is shared by the applications to make application deployment easier. You can specify default bindings for your service provider or client that are used at the global security (cell) level, for a security domain, or for a particular server. The default bindings are used in the absence of an overriding binding specified at a lower scope. The order in which the application server checks scopes to determine which default bindings to use, from the lowest scope to the highest, is as follows:
  1. Server level default
  2. Security domain level default
  3. Global security (cell) default
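The two rules above (a lower scope overrides a higher one, and a copied sample binding must be customized but never trimmed) are easy to get wrong by hand. The following Python is an added example, not IBM's code and not the product's binding file format: it models the client sample binding as a plain dict built from the keystore paths, passwords and element names listed on this page, resolves the effective default binding by scope, and lints a copy for elements that were deleted or sample keystores and passwords that were never replaced. All function names and the dict layout are assumptions made for this example.

```python
"""Added example (not IBM code): resolve which default binding applies at a
scope, then lint a customized copy of the client sample binding for settings
that must not survive into production. The binding is modelled as a plain
dict constructed from the values on this page, not the product's file format."""
import copy

# Sample keystore location and passwords as listed for the client sample bindings.
SAMPLE_KEYSTORE_DIR = "${USER_INSTALL_ROOT}/etc/ws-security/samples/"
SAMPLE_SECRETS = {"client", "storepass", "keypass"}


def resolve_default_binding(server=None, domain=None, cell=None):
    """A default binding at a lower scope overrides the ones above it, so the
    server is checked first, then the security domain, then the cell.
    Returns (scope, binding name) or None when no default exists anywhere."""
    for scope, name in (("server", server), ("security domain", domain), ("cell", cell)):
        if name is not None:
            return scope, name
    return None


# Constructed abstraction of the parts of the client sample binding named on this page.
CLIENT_SAMPLE = {
    "gen_signx509token": {"kind": "token generator", "keystore": {
        "path": SAMPLE_KEYSTORE_DIR + "dsig-sender.ks", "type": "JKS",
        "password": "client", "alias": "soaprequester", "key_password": "client"}},
    "gen_encx509token": {"kind": "token generator", "keystore": {
        "path": SAMPLE_KEYSTORE_DIR + "enc-sender.jceks", "type": "JCEKS",
        "password": "storepass", "alias": "bob"}},
    "con_signx509token": {"kind": "token consumer",
                          "cert_store": "DigSigCertStore", "trust_anchor": "DigSigTrustAnchor"},
    "asymmetric-signingInfoRequest": {"kind": "sign part", "key_info": "gen_signkeyinfo"},
    "asymmetric-encryptionInfoRequest": {"kind": "encrypt part", "key_info": "gen_enckeyinfo"},
}


def lint_binding_copy(binding, sample=CLIENT_SAMPLE):
    """Report elements deleted from the copy (the 'Avoid trouble' rule) and
    sample keystores or sample passwords that were never replaced."""
    findings = []
    for name, entry in sample.items():
        if name not in binding:
            findings.append(f"{entry['kind']} '{name}' was removed from the copy")
    for name, entry in binding.items():
        ks = entry.get("keystore")
        if not ks:
            continue
        if ks.get("path", "").startswith(SAMPLE_KEYSTORE_DIR):
            findings.append(f"'{name}' still points at sample keystore {ks['path']}")
        for field in ("password", "key_password"):
            if ks.get(field) in SAMPLE_SECRETS:
                findings.append(f"'{name}' still uses the sample {field}")
    return findings


# Constructed placeholder values for a production keystore; nothing here is a real path or secret.
PROD_KEYSTORE = {"path": "/opt/app/keys/prod-client.p12", "type": "PKCS12",
                 "password": "<from-vault>", "alias": "prod-client", "key_password": "<from-vault>"}


def partially_customized_copy():
    """Constructed copy: signing keystore replaced, encryption keystore left as
    shipped, and a token consumer (wrongly) deleted."""
    b = copy.deepcopy(CLIENT_SAMPLE)
    b["gen_signx509token"]["keystore"] = dict(PROD_KEYSTORE)
    del b["con_signx509token"]
    return b


def fully_customized_copy():
    """Constructed copy that keeps every element and replaces both keystores."""
    b = copy.deepcopy(CLIENT_SAMPLE)
    b["gen_signx509token"]["keystore"] = dict(PROD_KEYSTORE)
    b["gen_encx509token"]["keystore"] = dict(PROD_KEYSTORE, alias="prod-enc")
    return b


if __name__ == "__main__":
    print(resolve_default_binding(domain="Client sample copy", cell="Client sample"))
    for finding in lint_binding_copy(partially_customized_copy()):
        print("FAIL:", finding)
    print("clean copy findings:", lint_binding_copy(fully_customized_copy()))
```

Running the lint against the unmodified `CLIENT_SAMPLE` reports every sample keystore and password; against the partially customized copy it reports the deleted consumer and the untouched encryption keystore, which is exactly the state the page warns against deploying.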

General client sample bindings

  • The sample configuration for signing information generation, called asymmetric-signingInfoRequest, contains the following configuration:
    • References the gen_signkeyinfo signing key information.
    • The part reference configuration, which contains the transform configuration using the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
    • The signing key information, gen_signkeyinfo, which contains this configuration:
      • The security token reference.
      • The gen_signx509token protection token asymmetric signature generator, as follows:
        • Contains the X.509 V3 Token v1.0 token type.
        • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
        • Contains the wss.generate.x509 JAAS login.
      • The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks, with these characteristics:
        • The keystore type is JKS.
        • The keystore password is client.
        • The alias name of the personal certificate is soaprequester.
        • The key password is client.
    • The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
    • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
  • The sample configuration for signing information generation, called symmetric-signingInfoRequest, contains the following configuration:
    • References the gen_signsctkeyinfo signing key information.
    • The part reference configuration, which contains the transform configuration using the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
    • The signing key information, gen_signsctkeyinfo, which contains this configuration:
      • The security token reference.
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The gen_scttoken protection token generator, as follows:
        • Contains the Secure Conversation Token Version 1.3 token type.
        • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type as the local part value.
        • Contains the wss.generate.sct JAAS login.
      • The WS-Trust Callback Handler.
    • The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
    • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
  • The sample configuration for encryption information generation, called asymmetric-encryptionInfoRequest, contains the following configuration:
    • References the gen_enckeyinfo encryption key information.
    • Encryption key information, named gen_enckeyinfo, which contains this configuration:
      • The key identifier.
      • The gen_encx509token protection token asymmetric encryption generator, as follows:
        • Contains the X.509 V3 Token v1.0 token type.
        • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
        • Contains the wss.generate.x509 JAAS login.
      • The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks, as follows:
        • Keystore type is JCEKS.
        • Keystore password is storepass.
        • Alias name of the personal certificate is bob.
    • The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.
  • The sample configuration for encryption information generation, called symmetric-encryptionInfoRequest, contains the following configuration:
    • References the gen_encsctkeyinfo encryption key information.
    • The encryption key information, gen_encsctkeyinfo, which contains this configuration:
      • The security token reference.
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The gen_scttoken protection token generator, which contains the following configuration:
        • Contains the Secure Conversation Token v1.3 token type.
        • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
        • Contains wss.generate.sct JAAS login.
      • The WS-Trust Callback Handler.
    • The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
  • The sample configuration for signing information consumption, called asymmetric-signingInfoResponse, contains the following configuration:
    • References the con_signkeyinfo signing key information.
    • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
    • The signing key information, named con_signkeyinfo, which contains the following configuration:
      • The con_signx509token protection token asymmetric signature consumer, as follows:
        • Contains the X.509 V3 Token v1.0 token type.
        • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
        • Contains the wss.consume.x509 JAAS login.
      • The X.509 Callback Handler, as follows:
        • References a certificate store named DigSigCertStore.
        • References a trusted anchor store named DigSigTrustAnchor.
    • The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
    • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
  • The sample configuration for signing information consumption, called symmetric-signingInfoResponse, contains the following configuration:
    • References the con_sctsignkeyinfo signing key information.
    • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
    • The signing key information, named con_sctsignkeyinfo, which contains the following configuration:
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The con_scttoken protection token consumer, as follows:
        • Contains the Secure Conversation Token v1.3 token type.
        • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
        • Contains the wss.consume.sct JAAS login.
      • The WS-SecureConversation Callback Handler.
    • The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
    • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
  • The sample configuration for encryption information consumption, called asymmetric-encryptionInfoResponse, contains the following configuration:
    • References the dec_keyinfo encryption key information.
    • The encryption key information, named dec_keyinfo, which contains the following configuration:
      • The con_encx509token protection token asymmetric encryption consumer, as follows:
        • Contains the X.509 V3 Token v1.0 token type.
        • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
        • Contains the wss.consume.x509 JAAS login.
      • The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks, with the following characteristics:
        • The keystore type is JCEKS.
        • The keystore password is storepass.
        • The alias name of the personal certificate is alice.
        • The key password is keypass.
    • The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.
  • The sample configuration for encryption information consumption, called symmetric-encryptionInfoResponse, contains the following configuration:
    • References the dec_sctkeyinfo encryption key information.
    • The encryption key information, named dec_sctkeyinfo, contains the following configuration:
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The con_scttoken protection token consumer, as follows:
        • Contains the Secure Conversation Token v1.3 token type.
        • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
        • Contains the wss.consume.sct JAAS login.
      • The WS-SecureConversation Callback Handler.
    • The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
  • The sample configuration for authentication token generation, called gen_signkrb5token, contains the following configuration:
    • The custom token type for the Kerberos v5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
    • The wss.generate.KRB5BST JAAS login.
    • The following custom properties:
      • com.ibm.wsspi.wssecurity.krbtoken.targetServiceName, the target Kerberos service name.
      • com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost, the host name associated with the target Kerberos service name.

        You must provide the correct values for your environment before using this configuration.

    • The custom Kerberos token callback handler. You must provide the correct values for the Kerberos client principal and password.
  • The sample configuration for authentication token generation, called gen_signltpaproptoken, contains the following configuration:
    • The token type LTPA propagation token, as follows:
      • Contains LTPA_PROPAGATION for the local part value.
      • Contains https://www.ibm.com/websphere/appserver/tokentype for the Namespace URI value.
    • Contains the wss.generate.ltpaProp JAAS login.
    • Uses the LTPA token callback handler.
  • The sample configuration for authentication token generation, called gen_signltpatoken, contains the following configuration:
    • The token type of LTPA Token v2.0, as follows:
      • Contains LTPA_PROPAGATION for the local part value.
      • Contains https://www.ibm.com/websphere/appserver/tokentype for the Namespace URI value.
    • The wss.generate.ltpa JAAS login.
    • The LTPA token callback handler.
  • The sample configuration for authentication token generation, called gen_signunametoken, contains the following configuration:
    • The token type of Username Token v1.0, which uses http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken for the local part value.
    • The wss.generate.unt JAAS login.
    • The Username token callback handler, as follows:
      • Contains basic authentication fields. You must provide the correct values for your environment for client principal and password.
      • Contains the following custom properties:
        • com.ibm.wsspi.wssecurity.token.username.addNonce for adding the nonce value.
        • com.ibm.wsspi.wssecurity.token.username.addTimestamp for adding the time stamp value.
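Several of the symmetric entries above share the same derived-key settings: an explicit derived key token, WS-SecureConversation as both the client and the service label, a 16-byte key and a 16-byte nonce. The following Python is an added example, not IBM's code, showing what those settings mean in terms of the actual computation: the P_SHA1 function that WS-SecureConversation 1.3 borrows from the TLS 1.0 PRF expands a shared secure-conversation secret into per-message keys, and the explicit DerivedKeyToken carries only the nonce, offset and length, never the secret. Two assumptions are made and labelled in the code: the derivation seed is the client label concatenated with the service label followed by the nonce, and the token is represented as a simplified dict rather than the XML element.

```python
"""Added example (not IBM code): derives the symmetric key that the derived-key
settings in the sample bindings describe (explicit derived key token, client
and service labels, 16-byte key, 16-byte nonce) from a shared
secure-conversation secret. Assumption: the derivation seed is the client
label concatenated with the service label, followed by the nonce."""
import base64
import hashlib
import hmac
import os


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 from the TLS 1.0 PRF (RFC 2246 section 5): expands secret and
    seed to any length with chained HMAC-SHA1 blocks. WS-SecureConversation 1.3
    uses this function for derived keys."""
    out = b""
    a = seed                                                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def derive_key(secret, nonce, offset=0, length=16,
               client_label=b"WS-SecureConversation",
               service_label=b"WS-SecureConversation"):
    """key = P_SHA1(secret, label + nonce)[offset : offset + length], where the
    label is assumed to be client_label + service_label."""
    if not secret or not nonce:
        raise ValueError("secret and nonce must both be non-empty")
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    seed = client_label + service_label + nonce
    return p_sha1(secret, seed, offset + length)[offset:]


def new_explicit_derived_key_token(nonce_length=16, key_length=16, offset=0):
    """The values an explicit DerivedKeyToken carries on the wire: a fresh nonce
    plus offset and length. The secret itself never travels. (Simplified dict,
    not the XML element.)"""
    return {"Nonce": base64.b64encode(os.urandom(nonce_length)).decode("ascii"),
            "Offset": offset, "Length": key_length}


def key_from_token(secret, token):
    """What the receiving side computes from the token and its own copy of the secret."""
    return derive_key(secret, base64.b64decode(token["Nonce"]), token["Offset"], token["Length"])


if __name__ == "__main__":
    session_secret = os.urandom(32)                  # constructed stand-in for the SCT secret
    sign_token = new_explicit_derived_key_token()    # one token for signing ...
    enc_token = new_explicit_derived_key_token()     # ... and a separate one for encryption
    k_sign = key_from_token(session_secret, sign_token)
    k_enc = key_from_token(session_secret, enc_token)
    assert len(k_sign) == 16 and k_sign != k_enc     # 128-bit keys, distinct per nonce
    print("signing key   :", k_sign.hex())
    print("encryption key:", k_enc.hex())
```

The 16-byte key length matches the aes128-cbc data encryption method and the hmac-sha1 signature method listed for the same entries; because each nonce yields a different key, the signing and encryption keys derived from one secure-conversation secret never coincide.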

SHA256 client sample bindings

  • The sample configuration for signing information generation, called asymmetric-signingInfoRequest, contains the following configuration:
    • References the gen_signkeyinfo signing key information.
    • The part reference configuration, which contains the transform configuration using the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
    • The signing key information, gen_signkeyinfo, which contains this configuration:
      • The security token reference.
      • The gen_signx509token protection token asymmetric signature generator, as follows:
        • Contains the X.509 V3 Token v1.0 token type.
        • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
        • Contains the wss.generate.x509 JAAS login.
      • The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks, with these characteristics:
        • The keystore type is JKS.
        • The keystore password is client.
        • The alias name of the personal certificate is soaprequester.
        • The key password is client.
    • The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
    • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
    • com.ibm.ws.wssecurity.dsig.SignatureAlgorithm=rsa-sha256
  • The sample configuration for signing information generation, called symmetric-signingInfoRequest, contains the following configuration:
    • References the gen_signsctkeyinfo signing key information.
    • The part reference configuration, which contains the transform configuration using the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
    • The signing key information, gen_signsctkeyinfo, which contains this configuration:
      • The security token reference.
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The gen_scttoken protection token generator, as follows:
        • Contains the Secure Conversation Token Version 1.3 token type.
        • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type as the local part value.
        • Contains the wss.generate.sct JAAS login.
      • The WS-Trust Callback Handler.
    • The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
    • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
    • com.ibm.ws.wssecurity.dsig.SignatureAlgorithm=hmac-sha256
  • The sample configuration for encryption information generation, called asymmetric-encryptionInfoRequest, contains the following configuration:
    • References the gen_enckeyinfo encryption key information.
    • Encryption key information, named gen_enckeyinfo, which contains this configuration:
      • The key identifier.
      • The gen_encx509token protection token asymmetric encryption generator, as follows:
        • Contains the X.509 V3 Token v1.0 token type.
        • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
        • Contains the wss.generate.x509 JAAS login.
      • The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks, as follows:
        • Keystore type is JCEKS.
        • Keystore password is storepass.
        • Alias name of the personal certificate is bob.
    • The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.
  • The sample configuration for encryption information generation, called symmetric-encryptionInfoRequest, contains the following configuration:
    • References the gen_encsctkeyinfo encryption key information.
    • The encryption key information, gen_encsctkeyinfo, which contains this configuration:
      • The security token reference.
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The gen_scttoken protection token generator, which contains the following configuration:
        • Contains the Secure Conversation Token v1.3 token type.
        • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
        • Contains wss.generate.sct JAAS login.
      • The WS-Trust Callback Handler.
    • The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
  • The sample configuration for signing information consumption, called asymmetric-signingInfoResponse, contains the following configuration:
    • References the con_signkeyinfo signing key information.
    • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
    • The signing key information, named con_signkeyinfo, which contains the following configuration:
      • The con_signx509token protection token asymmetric signature consumer, as follows:
        • Contains the X.509 V3 Token v1.0 token type.
        • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
        • Contains the wss.consume.x509 JAAS login.
      • The X.509 Callback Handler, as follows:
        • References a certificate store named DigSigCertStore.
        • References a trusted anchor store named DigSigTrustAnchor.
    • The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
    • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
    • com.ibm.ws.wssecurity.dsig.SignatureAlgorithm=rsa-sha256
  • The sample configuration for signing information consumption, called symmetric-signingInfoResponse, contains the following configuration:
    • References the con_sctsignkeyinfo signing key information.
    • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
    • The signing key information, named con_sctsignkeyinfo, which contains the following configuration:
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The con_scttoken protection token consumer, as follows:
        • Contains the Secure Conversation Token v1.3 token type.
        • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
        • Contains the wss.consume.sct JAAS login.
      • The WS-SecureConversation Callback Handler.
    • The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
    • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
    • com.ibm.ws.wssecurity.dsig.SignatureAlgorithm=hmac-sha256
  • The sample configuration for encryption information consumption, called asymmetric-encryptionInfoResponse, contains the following configuration:
    • References the dec_keyinfo encryption key information.
    • The encryption key information, named dec_keyinfo, which contains the following configuration:
      • The con_encx509token protection token asymmetric encryption consumer, as follows:
        • Contains the X.509 V3 Token v1.0 token type.
        • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
        • Contains the wss.consume.x509 JAAS login.
      • The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks, with the following characteristics:
        • The keystore type is JCEKS.
        • The keystore password is storepass.
        • The alias name of the personal certificate is alice.
        • The key password is keypass.
    • The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.
  • The sample configuration for encryption information consumption, called symmetric-encryptionInfoResponse, contains the following configuration:
    • References the dec_sctkeyinfo encryption key information.
    • The encryption key information, named dec_sctkeyinfo, contains the following configuration:
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The con_scttoken protection token consumer, as follows:
        • Contains the Secure Conversation Token v1.3 token type.
        • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
        • Contains the wss.consume.sct JAAS login.
      • The WS-SecureConversation Callback Handler.
    • The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
  • The sample configuration for authentication token generation, called gen_signkrb5token, contains the following configuration:
    • The custom token type for the Kerberos v5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
    • The wss.generate.KRB5BST JAAS login.
    • The following custom properties:
      • com.ibm.wsspi.wssecurity.krbtoken.targetServiceName, the target Kerberos service name.
      • com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost, the host name associated with the target Kerberos service name.

        You must provide the correct values for your environment before using this configuration.

    • The custom Kerberos token callback handler. You must provide the correct values for the Kerberos client principal and password.
  • The sample configuration for authentication token generation, called gen_signltpaproptoken, contains the following configuration:
    • The token type LTPA propagation token, as follows:
      • Contains LTPA_PROPAGATION for the local part value.
      • Contains https://www.ibm.com/websphere/appserver/tokentype for the Namespace URI value.
    • Contains the wss.generate.ltpaProp JAAS login.
    • Uses the LTPA token callback handler.
  • The sample configuration for authentication token generation, called gen_signltpatoken, contains the following configuration:
    • The token type of LTPA Token v2.0, as follows:
      • Contains LTPA_PROPAGATION for the local part value.
      • Contains https://www.ibm.com/websphere/appserver/tokentype for the Namespace URI value.
    • The wss.generate.ltpa JAAS login.
    • The LTPA token callback handler.
  • The sample configuration for authentication token generation, called gen_signunametoken, contains the following configuration:
    • The token type of Username Token v1.0, which uses http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken for the local part value.
    • The wss.generate.unt JAAS login.
    • The Username token callback handler, as follows:
      • Contains basic authentication fields. You must provide the correct values for your environment for client principal and password.
      • Contains the following custom properties:
        • com.ibm.wsspi.wssecurity.token.username.addNonce for adding the nonce value.
        • com.ibm.wsspi.wssecurity.token.username.addTimestamp for adding the time stamp value.
  • The sample configuration for authentication token generation, called gen_saml11token, contains the following configuration:
    • The token type of SAML 1.1, which uses http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1 for the local part value.
    • The system.wss.generate.saml JAAS login.
    • The SAML generator callback handler with the following custom properties:
      Table 1. Custom properties for the SAML generator callback handler
      Custom property           Value
      confirmationMethod        Bearer
      keyType                   http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
      stsURI                    https://example.com/Trust/13/UsernameMixed
      wstrustClientPolicy       Username WSHTTPS default
      wstrustClientBinding      SamlTCSample
      wstrustClientSoapVersion  1.2
  • The sample configuration for authentication token generation, called gen_saml20token, contains the following configuration:
    • The token type of SAML 2.0, which uses http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 for the local part value.
    • The system.wss.generate.saml JAAS login.
    • The SAML generator callback handler with the following custom properties:
      Table 2. Custom properties for the SAML generator callback handler
      Custom property           Value
      confirmationMethod        Bearer
      keyType                   http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
      stsURI                    https://example.com/Trust/13/UsernameMixed
      wstrustClientPolicy       Username WSHTTPS default
      wstrustClientBinding      SamlTCSample
      wstrustClientSoapVersion  1.2
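The gen_signunametoken entry in both client sample sections lists the custom properties com.ibm.wsspi.wssecurity.token.username.addNonce and com.ibm.wsspi.wssecurity.token.username.addTimestamp. Those fields only have value if the consuming side checks them, so the following Python is an added example, not IBM's code and not the product's username token consumer, of the check a receiver performs: reject a UsernameToken whose Created timestamp is outside a freshness window and reject a nonce that has already been accepted inside that window. The class name, the window size and the sample token values are assumptions constructed for this example.

```python
"""Added example (not IBM code): the consumer-side check that gives the
addNonce and addTimestamp properties of gen_signunametoken their value. A
UsernameToken that carries a nonce and a Created timestamp can be rejected
when it is stale or when its nonce has already been seen."""
from datetime import datetime, timedelta, timezone


class UsernameTokenReplayGuard:
    """Tracks nonces for as long as their tokens could still pass the
    freshness window, so a captured token cannot be presented twice."""

    def __init__(self, freshness=timedelta(minutes=5)):   # window size is an assumption
        self.freshness = freshness
        self._seen = {}   # nonce (base64 text) -> instant after which it can be forgotten

    def check(self, nonce_b64, created, now):
        """Return (accepted, reason). `created` is a wsu:Created value in the
        UTC form 2024-01-01T12:00:00Z; `now` is a timezone-aware datetime."""
        try:
            created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "unparseable Created"
        age = now - created_at
        if age > self.freshness:
            return False, "stale timestamp"
        if age < -self.freshness:
            return False, "timestamp too far in the future"
        # Forget nonces whose tokens are past the window anyway; this keeps the cache bounded.
        for n in [n for n, forget_after in self._seen.items() if forget_after < now]:
            del self._seen[n]
        if nonce_b64 in self._seen:
            return False, "replayed nonce"
        self._seen[nonce_b64] = created_at + self.freshness
        return True, "ok"


if __name__ == "__main__":
    guard = UsernameTokenReplayGuard()
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    # Constructed (nonce, Created) pairs as a consumer would see them.
    samples = [("bm9uY2Ux", "2024-01-01T11:59:30Z"),   # fresh
               ("bm9uY2Ux", "2024-01-01T11:59:30Z"),   # same token presented again: replay
               ("bm9uY2Uy", "2024-01-01T11:50:00Z"),   # stale
               ("bm9uY2Uz", "not-a-timestamp")]        # malformed Created
    for nonce, created in samples:
        print(nonce, created, guard.check(nonce, created, now))
```

The cache only needs to remember a nonce until its token would fail the timestamp check on its own, which is why the freshness window and the nonce retention time are the same value; without the timestamp the receiver would have to keep every nonce forever.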

Client sample bindings V2

Two new general sample bindings, Client sample V2 and Provider sample V2, have been added to the product. Many of their configurations are the same as in the previous versions of the client sample and provider sample bindings, but several new sample configurations have been added. To use these new bindings, create a new profile after installing the product. For more information, read the topic Configuring Kerberos policy sets and V2 general sample bindings.

  • The sample configuration for signing information generation, called symmetric-KrbsignInfoRequest, contains the following configuration:
    • References the gen_reqKRBsignkeyinfo signing key information.
    • The part reference configuration, which contains the transform configuration using the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
    • The signing key information, gen_reqKRBsignkeyinfo, which contains this configuration:
      • The security token reference.
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The gen_krb5token protection token generator, as follows:
        • Contains the Kerberos V5 GSS AP_REQ binary security token type.
        • Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type as the local part value.
        • Contains the wss.generate.KRB5BST JAAS login.
      • The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler.
    • The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
    • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
  • The sample configuration for encryption information generation, called symmetric-KrbEncInfoRequest, contains the following configuration:
    • References the gen_reqKRBenckeyinfo encryption key information.
    • The encryption key information, gen_reqKRBenckeyinfo, which contains this configuration:
      • The security token reference.
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The gen_krb5token protection token generator, which contains the following configuration:
        • Contains the Kerberos V5 GSS AP_REQ binary security token type.
        • Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type for the local part value.
        • Contains wss.generate.KRB5BST JAAS login.
      • The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler.
    • The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
  • The sample configuration for signing information consumption, called symmetric-KrbsignInfoResponse, contains the following configuration:
    • References the con_respKRBsignkeyinfo signing key information.
    • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
    • The signing key information, named con_respKRBsignkeyinfo, which contains the following configuration:
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The con_krb5token protection token consumer, as follows:
        • Contains the Kerberos V5 GSS AP_REQ binary security token type.
        • Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type for the local part value.
        • Contains the wss.consume.KRB5BST JAAS login.
      • The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler.
    • The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
    • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
  • The sample configuration for encryption information consumption, called symmetric-KrbEncInfoResponse, contains the following configuration:
    • References the con_respKRBenckeyinfo encryption key information.
    • The encryption key information, named con_respKRBenckeyinfo, contains the following configuration:
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The con_krb5token protection token consumer, as follows:
        • Contains the Kerberos V5 GSS AP_REQ binary security token type.
        • Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type for the local part value.
        • Contains the wss.consume.KRB5BST JAAS login.
      • The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler.
    • The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
  • The sample configuration for authentication token generation, called gen_krb5token, contains the following configuration:
    • The custom token type for the Kerberos V5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
    • The wss.generate.KRB5BST JAAS login.
    • The following custom properties:
      • com.ibm.wsspi.wssecurity.krbtoken.targetServiceName, the target Kerberos service name.
      • com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost, the host name associated with the target Kerberos service name.
        Note: You must provide the correct values for your environment before using this configuration.
    • The custom Kerberos token callback handler.
      Note: You must provide the correct values for the Kerberos client principal and password.
  • The sample configuration for authentication token consumption, called con_krb5token, contains the following configuration:
    • The custom token type for the Kerberos V5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
    • The wss.consume.KRB5BST JAAS login.
    • The custom Kerberos token callback handler.
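
The derived key settings that recur in the symmetric sample bindings above (explicit derived key token, client and service labels of WS-SecureConversation, 16-byte key, 16-byte nonce) are the inputs to the WS-SecureConversation key derivation, and they have to match on the generator and consumer side or signature verification and decryption fail. The following Python is an added example, not WebSphere code: it shows how those inputs turn one shared secret into the HMAC-SHA1 signing key and the 16-byte AES-128 key, with a different nonce for each. The secret, the nonces and the stand-in SignedInfo bytes are constructed values.

```python
"""WS-SecureConversation derived key, as configured in the sample bindings:
explicit derived key token, client label and service label both
"WS-SecureConversation", 16-byte nonce, 16-byte key.

Added example, not WebSphere code. The derivation is the P_SHA1 function
from WS-SecureConversation 1.3 (the TLS 1.0 PRF building block) applied to
the shared secret behind the security context token or Kerberos session.
The secret and nonces below are constructed test values."""
import hashlib
import hmac
import os

CLIENT_LABEL = b"WS-SecureConversation"
SERVICE_LABEL = b"WS-SecureConversation"
KEY_LENGTH = 16    # bytes: the sample binding value, and the aes128-cbc key size
NONCE_LENGTH = 16  # bytes: the sample binding value


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_SHA1 expansion.
    A(0) = seed, A(i) = HMAC-SHA1(secret, A(i-1));
    output = HMAC-SHA1(secret, A(1) + seed) || HMAC-SHA1(secret, A(2) + seed) || ..."""
    out = bytearray()
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return bytes(out[:length])


def derive_key(secret: bytes, nonce: bytes, length: int = KEY_LENGTH,
               offset: int = 0, client_label: bytes = CLIENT_LABEL,
               service_label: bytes = SERVICE_LABEL) -> bytes:
    """Derived key = P_SHA1(secret, label + nonce)[offset : offset + length].
    The label is the client label followed by the service label, so with the
    sample values it is "WS-SecureConversationWS-SecureConversation".
    Nonce, offset and length travel in the wsc:DerivedKeyToken; the labels
    are configuration and must agree on both sides."""
    if len(nonce) != NONCE_LENGTH:
        raise ValueError(f"nonce must be {NONCE_LENGTH} bytes, got {len(nonce)}")
    seed = client_label + service_label + nonce
    return p_sha1(secret, seed, offset + length)[offset:offset + length]


def new_nonce() -> bytes:
    """A fresh nonce per derived key; never reuse one under the same secret."""
    return os.urandom(NONCE_LENGTH)


def sign_hmac_sha1(key: bytes, canonical_signed_info: bytes) -> bytes:
    """SignatureValue for http://www.w3.org/2000/09/xmldsig#hmac-sha1 over the
    exclusive-c14n form of ds:SignedInfo (canonicalization itself not shown)."""
    return hmac.new(key, canonical_signed_info, hashlib.sha1).digest()


def verify_hmac_sha1(key: bytes, canonical_signed_info: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign_hmac_sha1(key, canonical_signed_info), signature)


def demo() -> dict:
    """Derive separate signing and encryption keys from one SCT secret, as the
    symmetric sample bindings do, using a different nonce for each."""
    sct_secret = bytes(range(32))                                       # constructed secret
    sig_nonce = bytes.fromhex("00112233445566778899aabbccddeeff")       # constructed
    enc_nonce = bytes.fromhex("ffeeddccbbaa99887766554433221100")       # constructed
    sig_key = derive_key(sct_secret, sig_nonce)
    enc_key = derive_key(sct_secret, enc_nonce)
    signed_info = b"<ds:SignedInfo>...</ds:SignedInfo>"  # stands in for the c14n bytes
    sig = sign_hmac_sha1(sig_key, signed_info)
    return {
        "sig_key_len": len(sig_key),
        "enc_key_len": len(enc_key),
        "keys_differ": sig_key != enc_key,
        "signature_ok": verify_hmac_sha1(sig_key, signed_info, sig),
        "tampered_rejected": not verify_hmac_sha1(sig_key, signed_info + b" ", sig),
    }


if __name__ == "__main__":
    print(demo())
```

Changing either label, the nonce length or the key length on one side only produces a different key, which is why the sample values are listed separately for every generator and consumer: they are not defaults the runtime negotiates, they are agreed configuration.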

General provider sample bindings

  • The sample configuration for signing information consumption, called asymmetric-signingInfoRequest, contains the following configuration:
    • References the con_signkeyinfo signing key information.
    • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
    • The signing key information, named con_signkeyinfo, which contains the following configuration:
      • The con_signx509token protection token asymmetric signature consumer, as follows:
        • Contains the X.509 V3 Token v1.0 token type.
        • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
        • Contains the wss.consume.x509 JAAS login.
      • The X.509 Callback Handler, as follows:
        • References a certificate store named DigSigCertStore.
        • References a trusted anchor store named DigSigTrustAnchor.
    • The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
    • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
  • The sample configuration for signing information consumption, called symmetric-signingInfoRequest, contains the following configuration:
    • References the con_sctsignkeyinfo signing key information.
    • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
    • The signing key information, named con_sctsignkeyinfo, which contains the following configuration:
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The con_scttoken protection token consumer, as follows:
        • Contains the Secure Conversation Token v1.3 token type.
        • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
        • Contains the wss.consume.sct JAAS login.
      • The WS-SecureConversation Callback Handler.
    • The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
    • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
  • The sample configuration for encryption information consumption, called asymmetric-encryptionInfoRequest, contains the following configurations:
    • References the dec_keyinfo encryption key information.
    • The encryption key information, named dec_keyinfo, which contains the following configuration:
      • The con_encx509token protection token asymmetric encryption consumer, as follows:
        • Contains the X.509 V3 Token v1.0 token type.
        • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
        • Contains the wss.consume.x509 JAAS login.
      • The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks, with the following characteristics:
        • The keystore type is JCEKS.
        • The keystore password is storepass.
        • The alias name of the personal certificate is bob.
        • The key password is keypass.
    • The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.
  • The sample configuration for encryption information consumption, called symmetric-encryptionInfoRequest, contains the following configuration:
    • References the dec_sctkeyinfo encryption key information.
    • The encryption key information, named dec_sctkeyinfo, which contains the following configuration:
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The con_scttoken protection token consumer, as follows:
        • Contains the Secure Conversation Token v1.3 token type.
        • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
        • Contains the wss.consume.sct JAAS login.
      • The WS-SecureConversation Callback Handler.
    • The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
  • The sample configuration for signing information generation, called asymmetric-signingInfoResponse, contains the following configuration:
    • References the gen_signkeyinfo signing key information.
    • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
    • The signing key information, named gen_signkeyinfo, which contains the following configuration:
      • The security token reference.
      • The gen_signx509token protection token asymmetric signature generator, as follows:
        • Contains the X.509 V3 Token v1.0 token type.
        • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
        • Contains the wss.generate.x509 JAAS login.
      • The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks, with the following characteristics:
        • The keystore type is JKS.
        • The keystore password is server.
        • The alias name of the personal certificate is soapprovider.
        • The key password is server.
    • The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
    • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
  • The sample configuration for signing information generation, called symmetric-signingInfoResponse, contains the following configuration:
    • References the gen_signsctkeyinfo signing key information.
    • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
    • The signing key information, named gen_signsctkeyinfo, which contains the following configuration:
      • The security token reference.
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The gen_scttoken protection token generator, as follows:
        • Contains the Secure Conversation Token v1.3 token type.
        • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
        • Contains the wss.generate.sct JAAS login.
      • The WS-Trust Callback Handler.
    • The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
    • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
  • The sample configuration for encryption information generation, called asymmetric-encryptionInfoResponse, contains the following configuration:
    • References the gen_enckeyinfo encryption key information.
    • The encryption key information, named gen_enckeyinfo, contains the following configuration:
      • The key identifier.
      • The gen_encx509token protection token asymmetric encryption generator, as follows:
        • Contains the X.509 V3 Token v1.0 token type.
        • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
        • Contains the wss.generate.x509 JAAS login.
      • Uses X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks, with the following characteristics:
        • The keystore type is JCEKS.
        • The keystore password is storepass.
        • The alias name of the personal certificate is alice.
        • The key password is keypass.
    • The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.
  • The sample configuration for encryption information generation, called symmetric-encryptionInfoResponse, contains the following configuration:
    • References the gen_encsctkeyinfo encryption key information.
    • The encryption key information, named gen_encsctkeyinfo, contains the following configuration:
      • The security token reference.
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The gen_scttoken protection token generator, as follows:
        • Contains the Secure Conversation Token v1.3 token type.
        • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
        • Contains the wss.generate.sct JAAS login.
      • The WS-Trust Callback Handler.
    • The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
  • The sample configuration for authentication token consumption, called con_krb5token, contains the following configuration:
    • The custom token type for Kerberos v5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
    • The wss.consume.KRB5BST JAAS login.
    • The custom Kerberos token callback handler.
  • The sample configuration for authentication token consumption, called con_ltpaproptoken, contains the following configuration:
    • The token type LTPA propagation token.
    • The wss.consume.ltpaProp JAAS login.
    • The LTPA token callback handler.
  • The sample configuration for authentication token consumption, called con_ltpatoken, contains the following configuration:
    • The token type LTPA Token v2.0, with the following characteristics:
      • Contains LTPAv2 for the local part value.
      • Contains http://www.ibm.com/websphere/appserver/tokentype for the Namespace URI value.
    • The wss.consume.ltpa JAAS login.
    • The LTPA token callback handler.
  • The sample configuration for authentication token consumption, called con_unametoken, contains the following configuration:
    • Token type Username Token v1.0, which uses http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken for the local part value.
    • The wss.consume.unt JAAS login.
    • The Username token callback handler, with the following custom properties:
      • com.ibm.wsspi.wssecurity.token.username.verifyNonce for verifying the nonce value.
      • com.ibm.wsspi.wssecurity.token.username.verifyTimestamp for verifying the time stamp value.
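
The keystore values in the X.509 bindings above (enc-receiver.jceks and dsig-receiver.ks under ${USER_INSTALL_ROOT}/etc/ws-security/samples, the passwords storepass, keypass and server, the aliases bob, alice and soapprovider) are published in this documentation and therefore must not survive into a production binding. The following Python is an added example, not WebSphere code, that scans a bindings.xml for them. The XML fragment it scans is constructed for the demo and its element and attribute names are assumptions; the {xor} handling reflects how WebSphere stores passwords in the bindings file (base64 of each byte XOR 0x5F), so an obfuscated sample password is still recognised.

```python
"""Flag sample keystore material in a WS-Security bindings.xml.

Added example, not WebSphere code. The detection values come from the
sample bindings described on this page: keystores under
etc/ws-security/samples/, store and key passwords storepass, keypass and
server, and the personal certificate aliases bob, alice and soapprovider.
WebSphere writes passwords into bindings.xml as {xor}-encoded strings
(base64 of each byte XOR 0x5F), so the scanner decodes those first.

The XML fragment below is constructed for the demo; its element and
attribute names are assumptions, so the scan inspects every attribute of
every element rather than depending on a fixed schema."""
import base64
import binascii
import xml.etree.ElementTree as ET

SAMPLE_PATH_MARKER = "etc/ws-security/samples/"
SAMPLE_PASSWORDS = {"storepass", "keypass", "server"}
SAMPLE_ALIASES = {"bob", "alice", "soapprovider"}
XOR_PREFIX = "{xor}"
XOR_KEY = 0x5F


def xor_encode(plain: str) -> str:
    """WebSphere {xor} obfuscation: base64(byte ^ 0x5F for each byte)."""
    raw = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return XOR_PREFIX + base64.b64encode(raw).decode("ascii")


def xor_decode(value: str) -> str:
    """Reverse {xor}; plain values and undecodable input are returned as-is."""
    if not value.startswith(XOR_PREFIX):
        return value
    try:
        raw = base64.b64decode(value[len(XOR_PREFIX):], validate=True)
    except (binascii.Error, ValueError):
        return value
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8", errors="replace")


def find_sample_credentials(xml_text: str) -> list:
    """Return (element, attribute, kind, value) for every attribute that still
    carries a sample keystore path, password or alias. Passwords are matched
    only in attributes whose name contains 'pass' and aliases only in an
    'alias' attribute, so an ordinary name="server" does not fire."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.split("}")[-1]          # drop any XML namespace prefix
        for attr, value in elem.attrib.items():
            name = attr.lower()
            if SAMPLE_PATH_MARKER in value:
                findings.append((tag, attr, "sample keystore path", value))
            elif "pass" in name and xor_decode(value) in SAMPLE_PASSWORDS:
                findings.append((tag, attr, "sample password", value))
            elif name == "alias" and value in SAMPLE_ALIASES:
                findings.append((tag, attr, "sample key alias", value))
    return findings


# Constructed fragment: one consumer still on the sample keystore of the
# asymmetric-encryptionInfoRequest binding, one generator moved to its own
# keystore. Element and attribute names are assumptions for the demo.
SAMPLE_BINDING_XML = """<securityBindings>
  <tokenConsumer name="con_encx509token">
    <callbackHandler>
      <keyStore path="${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks"
                type="JCEKS" storepass="{xor}LCswLTovPiws"/>
      <key alias="bob" keypass="{xor}NDomLz4sLA=="/>
    </callbackHandler>
  </tokenConsumer>
  <tokenGenerator name="gen_signx509token">
    <callbackHandler>
      <keyStore path="/opt/app/keystores/ws-sign.p12" type="PKCS12"
                storepass="{xor}Cy1vKj1rOzAt"/>
      <key alias="ws-sign-2024" keypass="{xor}Cy1vKj1rOzAt"/>
    </callbackHandler>
  </tokenGenerator>
</securityBindings>
"""

if __name__ == "__main__":
    for hit in find_sample_credentials(SAMPLE_BINDING_XML):
        print("%-14s %-10s %-22s %s" % hit)
```

Run it against every bindings.xml under the profile's config tree after copying and editing the sample bindings; a clean result only means the documented sample values are gone, not that the replacement keys were generated and protected properly.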

SHA256 provider sample bindings

  • The sample configuration for signing information consumption, called asymmetric-signingInfoRequest, contains the following configuration:
    • References the con_signkeyinfo signing key information.
    • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
    • The signing key information, named con_signkeyinfo, which contains the following configuration:
      • The con_signx509token protection token asymmetric signature consumer, as follows:
        • Contains the X.509 V3 Token v1.0 token type.
        • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
        • Contains the wss.consume.x509 JAAS login.
      • The X.509 Callback Handler, as follows:
        • References a certificate store named DigSigCertStore.
        • References a trusted anchor store named DigSigTrustAnchor.
    • The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
    • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
    • The custom property com.ibm.ws.wssecurity.dsig.SignatureAlgorithm=rsa-sha256, which selects RSA with SHA-256 in place of the rsa-sha1 signature method.
  • The sample configuration for signing information consumption, called symmetric-signingInfoRequest, contains the following configuration:
    • References the con_sctsignkeyinfo signing key information.
    • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
    • The signing key information, named con_sctsignkeyinfo, which contains the following configuration:
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The con_scttoken protection token consumer, as follows:
        • Contains the Secure Conversation Token v1.3 token type.
        • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
        • Contains the wss.consume.sct JAAS login.
      • The WS-SecureConversation Callback Handler.
    • The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
    • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
    • The custom property com.ibm.ws.wssecurity.dsig.SignatureAlgorithm=hmac-sha256, which selects HMAC with SHA-256 in place of the hmac-sha1 signature method.
  • The sample configuration for encryption information consumption, called asymmetric-encryptionInfoRequest, contains the following configurations:
    • References the dec_keyinfo encryption key information.
    • The encryption key information, named dec_keyinfo, which contains the following configuration:
      • The con_encx509token protection token asymmetric encryption consumer, as follows:
        • Contains the X.509 V3 Token v1.0 token type.
        • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
        • Contains the wss.consume.x509 JAAS login.
      • The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks, with the following characteristics:
        • The keystore type is JCEKS.
        • The keystore password is storepass.
        • The alias name of the personal certificate is bob.
        • The key password is keypass.
    • The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.
  • The sample configuration for encryption information consumption, called symmetric-encryptionInfoRequest, contains the following configuration:
    • References the dec_sctkeyinfo encryption key information.
    • The encryption key information, named dec_sctkeyinfo, which contains the following configuration:
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The con_scttoken protection token consumer, as follows:
        • Contains the Secure Conversation Token v1.3 token type.
        • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
        • Contains the wss.consume.sct JAAS login.
      • The WS-SecureConversation Callback Handler.
    • The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
  • The sample configuration for signing information generation, called asymmetric-signingInfoResponse, contains the following configuration:
    • References the gen_signkeyinfo signing key information.
    • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
    • The signing key information, named gen_signkeyinfo, which contains the following configuration:
      • The security token reference.
      • The gen_signx509token protection token asymmetric signature generator, as follows:
        • Contains the X.509 V3 Token v1.0 token type.
        • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
        • Contains the wss.generate.x509 JAAS login.
      • The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks, with the following characteristics:
        • The keystore type is JKS.
        • The keystore password is server.
        • The alias name of the personal certificate is soapprovider.
        • The key password is server.
    • The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
    • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
    • The custom property com.ibm.ws.wssecurity.dsig.SignatureAlgorithm=rsa-sha256, which selects RSA with SHA-256 in place of the rsa-sha1 signature method.
  • The sample configuration for signing information generation, called symmetric-signingInfoResponse, contains the following configuration:
    • References the gen_signsctkeyinfo signing key information.
    • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
    • The signing key information, named gen_signsctkeyinfo, which contains the following configuration:
      • The security token reference.
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The gen_scttoken protection token generator, as follows:
        • Contains the Secure Conversation Token v1.3 token type.
        • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
        • Contains the wss.generate.sct JAAS login.
      • The WS-Trust Callback Handler.
    • The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
    • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
    • The custom property com.ibm.ws.wssecurity.dsig.SignatureAlgorithm=hmac-sha256, which selects HMAC with SHA-256 in place of the hmac-sha1 signature method.
  • The sample configuration for encryption information generation, called asymmetric-encryptionInfoResponse, contains the following configuration:
    • References the gen_enckeyinfo encryption key information.
    • The encryption key information, named gen_enckeyinfo, contains the following configuration:
      • The key identifier.
      • The gen_encx509token protection token asymmetric encryption generator, as follows:
        • Contains the X.509 V3 Token v1.0 token type.
        • Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
        • Contains the wss.generate.x509 JAAS login.
      • Uses X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks, with the following characteristics:
        • The keystore type is JCEKS.
        • The keystore password is storepass.
        • The alias name of the personal certificate is alice.
        • The key password is keypass.
    • The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.
  • The sample configuration for encryption information generation, called symmetric-encryptionInfoResponse, contains the following configuration:
    • References the gen_encsctkeyinfo encryption key information.
    • The encryption key information, named gen_encsctkeyinfo, contains the following configuration:
      • The security token reference.
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The gen_scttoken protection token generator, as follows:
        • Contains the Secure Conversation Token v1.3 token type.
        • Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
        • Contains the wss.generate.sct JAAS login.
      • The WS-Trust Callback Handler.
    • The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
  • The sample configuration for authentication token consumption, called con_krb5token, contains the following configuration:
    • The custom token type for Kerberos v5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
    • The wss.consume.KRB5BST JAAS login.
    • The custom Kerberos token callback handler.
  • The sample configuration for authentication token consumption, called con_ltpaproptoken, contains the following configuration:
    • The token type LTPA propagation token.
    • The wss.consume.ltpaProp JAAS login.
    • The LTPA token callback handler.
  • The sample configuration for authentication token consumption, called con_ltpatoken, contains the following configuration:
    • The token type LTPA Token v2.0, with the following characteristics:
      • Contains LTPAv2 for the local part value.
      • Contains http://www.ibm.com/websphere/appserver/tokentype for the Namespace URI value.
    • The wss.consume.ltpa JAAS login.
    • The LTPA token callback handler.
  • The sample configuration for authentication token consumption, called con_unametoken, contains the following configuration:
    • Token type Username Token v1.0, which uses http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken for the local part value.
    • The wss.consume.unt JAAS login.
    • The Username token callback handler, with the following custom properties:
      • com.ibm.wsspi.wssecurity.token.username.verifyNonce for verifying the nonce value.
      • com.ibm.wsspi.wssecurity.token.username.verifyTimestamp for verifying the time stamp value.
  • The sample configuration for authentication token consumption, called gen_saml11token, contains the following configuration:
    • The SAML 1.1 token type, which uses http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1 for the local part value.
    • The system.wss.consume.saml JAAS login.
    • The SAML consumer callback handler with the following custom properties:
      Table 3. Custom properties for the SAML consumer callback handler
        Custom property      Value
        confirmationMethod   Bearer
        keyType              http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
        trustStoreType       jceks
        trustStorePath       ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig_issuer.jceks
        trustStorePassword   storepass
  • The sample configuration for authentication token consumption, called gen_saml20token, contains the following configuration:
    • The SAML 2.0 token type, which uses http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 for the local part value.
    • The system.wss.consume.saml JAAS login.
    • The SAML consumer callback handler with the following custom properties:
      Table 4. Custom properties for the SAML consumer callback handler
        Custom property      Value
        confirmationMethod   Bearer
        keyType              http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
        trustStoreType       jceks
        trustStorePath       ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig_issuer.jceks
        trustStorePassword   storepass
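
The con_unametoken consumer in the provider bindings above relies on the com.ibm.wsspi.wssecurity.token.username.verifyNonce and verifyTimestamp properties for replay protection: a UsernameToken with a password digest is only as safe as the consumer's refusal to accept the same nonce twice or a Created value outside a short window. The following Python is an added example, not WebSphere code, showing what those two checks do on the consumer side together with the PasswordDigest verification from the WS-Security UsernameToken Profile 1.0. The freshness window, the nonce-cache bound and the user table are assumptions for the demo.

```python
"""Consumer-side UsernameToken checks behind the sample binding's
verifyNonce and verifyTimestamp properties.

Added example, not WebSphere code: it shows what the two checks have to do
to stop replay of a captured token, using the PasswordDigest rule from the
WS-Security UsernameToken Profile 1.0,
    PasswordDigest = Base64( SHA-1( nonce + created + password ) )
where nonce is the raw (base64-decoded) nonce bytes and created is the
wsu:Created text. The freshness window, the nonce-cache bound and the user
table are assumptions for the demo."""
import base64
import hashlib
import hmac
import os
from collections import OrderedDict
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
FRESHNESS = timedelta(minutes=5)   # assumed: maximum token age / clock skew accepted
MAX_CACHE = 100_000                # assumed: hard bound on remembered nonces

# Constructed user store; a real consumer asks the configured user registry.
USERS = {"alice": "correct horse battery staple"}


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    nonce = base64.b64decode(nonce_b64)
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def make_token(username: str, password: str, now: datetime) -> dict:
    """Generator side: the fields of a wsse:UsernameToken with PasswordDigest."""
    created = now.strftime(TIME_FMT)
    nonce_b64 = base64.b64encode(os.urandom(16)).decode("ascii")
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "PasswordDigest": password_digest(nonce_b64, created, password)}


class UsernameTokenConsumer:
    def __init__(self, users: dict, freshness: timedelta = FRESHNESS, max_cache: int = MAX_CACHE):
        self.users = users
        self.freshness = freshness
        self.max_cache = max_cache
        self.seen = OrderedDict()   # nonce -> Created, in order of acceptance

    def _prune(self, now: datetime) -> None:
        # A nonce older than the window can be forgotten: any token carrying it
        # fails the timestamp check anyway, so the cache stays bounded without
        # reopening a replay window.
        for nonce, created in list(self.seen.items()):
            if now - created > self.freshness:
                del self.seen[nonce]
        while len(self.seen) > self.max_cache:
            self.seen.popitem(last=False)

    def verify(self, token: dict, now: datetime) -> tuple:
        """Return (ok, reason). Timestamp first, then nonce, then digest, so a
        stale or replayed token never reaches the password check."""
        try:
            created = datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
        except (KeyError, ValueError):
            return False, "missing or malformed Created"
        if abs(now - created) > self.freshness:
            return False, "timestamp outside freshness window"
        nonce = token.get("Nonce")
        if not nonce:
            return False, "missing nonce"
        self._prune(now)
        if nonce in self.seen:
            return False, "nonce replayed"
        password = self.users.get(token.get("Username"))
        if password is None:
            return False, "unknown user"
        expected = password_digest(nonce, token["Created"], password)
        presented = str(token.get("PasswordDigest", "")).encode("utf-8")
        if not hmac.compare_digest(expected.encode("utf-8"), presented):
            return False, "bad password digest"
        self.seen[nonce] = created   # remember only after full validation
        return True, "ok"


def run_demo() -> list:
    """Scenarios a practitioner would test: fresh token, straight replay,
    stale token, wrong password, token with the nonce stripped."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    consumer = UsernameTokenConsumer(USERS)
    good = make_token("alice", USERS["alice"], t0)
    stale = make_token("alice", USERS["alice"], t0 - timedelta(minutes=30))
    wrong = make_token("alice", "wrong password", t0)
    no_nonce = dict(good, Nonce="")
    return [
        consumer.verify(good, t0)[1],
        consumer.verify(good, t0 + timedelta(seconds=1))[1],   # replay of good
        consumer.verify(stale, t0)[1],
        consumer.verify(wrong, t0)[1],
        consumer.verify(no_nonce, t0)[1],
    ]


if __name__ == "__main__":
    print(run_demo())
```

The nonce cache has to be shared by every server that consumes the same token, or a replay against a second cluster member succeeds; it also has to hold nonces for at least the freshness window, which is why the window is kept short and the digest is checked last.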

Provider sample bindings V2

Two new general sample bindings, Client sample V2 and Provider sample V2, have been added to the product. Many of the configurations are the same as in the previous client sample and provider sample bindings, but several new sample configurations have been added. To use these new bindings, create a new profile after installing the product. For more information, read the topic Configuring Kerberos policy sets and V2 general sample bindings.

  • The sample configuration for signing information consumption, called symmetric-KrbsignInfoRequest, contains the following configuration:
    • References the con_respKRBsignkeyinfo signing key information.
    • The part reference configuration, which contains the transform configuration using the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
    • The signing key information, con_respKRBsignkeyinfo, which contains this configuration:
      • The security token reference.
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The con_krb5token protection token consumer, as follows:
        • Contains the Kerberos V5 GSS AP_REQ binary security token type.
        • Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type as the local part value.
        • Contains the wss.consume.KRB5BST JAAS login.
      • The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler.
    • The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
    • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
  • The sample configuration for encryption information consumption, called symmetric-KrbEncInfoRequest, contains the following configuration:
    • References the con_reqKRBenckeyinfo encryption key information.
    • The encryption key information, con_reqKRBenckeyinfo, which contains this configuration:
      • The security token reference.
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The con_krb5token protection token consumer, which contains the following configuration:
        • Contains the Kerberos V5 GSS AP_REQ binary security token type.
        • Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type for the local part value.
        • Contains the wss.consume.KRB5BST JAAS login.
      • The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler.
    • The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
  • The sample configuration for signing information generation, called symmetric-KrbsignInfoResponse, contains the following configuration:
    • References the gen_respKRBsignkeyinfo signing key information.
    • The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
    • The signing key information, named gen_respKRBsignkeyinfo, which contains the following configuration:
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The gen_krb5token protection token generator, as follows:
        • Contains the Kerberos V5 GSS AP_REQ binary security token type.
        • Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type for the local part value.
        • Contains the wss.generate.KRB5BST JAAS login.
      • The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler.
    • The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
    • The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
  • The sample configuration for encryption information generation, called symmetric-KrbEncInfoResponse, contains the following configuration:
    • References the gen_respKRBenckeyinfo encryption key information.
    • The encryption key information, named gen_respKRBenckeyinfo, contains the following configuration:
      • The derived key, as follows:
        • Requires explicit derived key token.
        • WS-SecureConversation as the client label.
        • WS-SecureConversation as the service label.
        • Key length of 16 bytes.
        • Nonce length of 16 bytes.
      • The gen_krb5token protection token generator, as follows:
        • Contains the Kerberos V5 GSS AP_REQ binary security token type.
        • Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type for the local part value.
        • Contains the wss.generate.KRB5BST JAAS login.
      • The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler.
    • The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
  • The sample configuration for authentication token generation, called gen_krb5token, contains the following configuration:
    • The custom token type for the Kerberos V5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
    • The wss.generate.KRB5BST JAAS login.
    • The custom Kerberos token callback handler.
  • The sample configuration for authentication token consumption, called con_krb5token, contains the following configuration:
    • The custom token type for the Kerberos V5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
    • The wss.consume.KRB5BST JAAS login.
    • The custom Kerberos token callback handler.