General sample bindings for JAX-WS applications
You can use sample bindings with the administrative console for testing purposes. The configurations that you specify are reflected on the cell or server level.
WebSphere® Application Server Version 7.0 and later includes provider and client sample bindings for testing purposes. In the bindings, the product provides sample values for supporting tokens for different token types, such as the X.509 token, the username token, the LTPA token, and the Kerberos token. The bindings also include sample values for message protection information for token types such as X.509 and secure conversation. Both provider and client sample bindings can be applied to the applications attached with a system policy set, or application policy set, from the default local repository.
Do not use these provider and client sample bindings in their default state in a production environment. You must modify the bindings to meet your security needs before using them in a production environment by making a copy of the bindings and then modifying the copy. For example, you must change the key and keystore settings to ensure security, and modify the binding settings to match your environment.
- Server level default
- Security domain level default
- Global security (cell) default
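An added example (not IBM's code) of checking copied bindings for the sample values this page lists: the sample keystores under etc/ws-security/samples, the placeholder example.com stsURI, and SHA-1 signature methods with no SignatureAlgorithm override. The sectioned key = value inventory, its key names (keystore.path, signature.method) and the /opt/keys path are constructed for illustration and are not a WebSphere file format.

```python
"""Flag binding settings that still carry values from the sample bindings."""

# Markers taken from the sample bindings described on this page.
SAMPLE_DIR = "etc/ws-security/samples/"
SAMPLE_KEYSTORES = ("dsig-sender.ks", "enc-sender.jceks")
PLACEHOLDER_STS = "https://example.com/"
SHA1_METHODS = ("xmldsig#rsa-sha1", "xmldsig#hmac-sha1")
OVERRIDE_PROP = "com.ibm.ws.wssecurity.dsig.SignatureAlgorithm"

# Constructed inventory (hypothetical export format, assumed for this example):
# one [binding/configuration] section per entry, then key = value lines.
SAMPLE_INVENTORY = """\
[ClientCopy/asymmetric-signingInfoRequest]
keystore.path = ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks
keystore.type = JKS
signature.method = http://www.w3.org/2000/09/xmldsig#rsa-sha1

[ClientCopy256/asymmetric-signingInfoRequest]
keystore.path = /opt/keys/prod-signer.p12
keystore.type = PKCS12
signature.method = http://www.w3.org/2000/09/xmldsig#rsa-sha1
com.ibm.ws.wssecurity.dsig.SignatureAlgorithm = rsa-sha256

[ClientCopy/gen_saml20token]
stsURI = https://example.com/Trust/13/UsernameMixed
"""


def parse_inventory(text):
    """Parse the sectioned key = value text into {section: {key: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def audit(sections):
    """Return (section, finding, value) tuples for leftover sample settings."""
    findings = []
    for name, props in sections.items():
        # Keystore still points at a sample keystore shipped with the product.
        path = props.get("keystore.path", "")
        normalized = path.replace("\\", "/")
        if SAMPLE_DIR in normalized or normalized.endswith(SAMPLE_KEYSTORES):
            findings.append((name, "sample-keystore", path))

        # SAML generator still targets the placeholder STS endpoint.
        sts = props.get("stsURI", "")
        if sts.startswith(PLACEHOLDER_STS):
            findings.append((name, "placeholder-sts", sts))

        # SHA-1 signature method with no SHA-256 override. Assumption: the
        # custom property takes precedence, as the SHA256 sample bindings
        # on this page list it next to the SHA-1 signature method.
        method = props.get("signature.method", "")
        override = props.get(OVERRIDE_PROP, "")
        if method.endswith(SHA1_METHODS) and not override.endswith("sha256"):
            findings.append((name, "sha1-signature", method))
    return findings


if __name__ == "__main__":
    for section, finding, value in audit(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{finding:16} {section}: {value}")
```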
General client sample bindings
- The sample configuration for signing information generation, called asymmetric-signingInfoRequest, contains the following configuration:
  - References the gen_signkeyinfo signing key information.
  - The part reference configuration, which contains the transform configuration using the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  - The signing key information, gen_signkeyinfo, which contains this configuration:
    - The security token reference.
    - The gen_signx509token protection token asymmetric signature generator, as follows:
      - Contains the X.509 V3 Token v1.0 token type.
      - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      - Contains the wss.generate.x509 JAAS login.
    - The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks, with these characteristics:
      - The keystore type is JKS.
      - The keystore password is client.
      - The alias name of the personal certificate is soaprequester.
      - The key password is client.
  - The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
  - The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for signing information generation, called symmetric-signingInfoRequest, contains the following configuration:
  - References the gen_signsctkeyinfo signing key information.
  - The part reference configuration, which contains the transform configuration using the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  - The signing key information, gen_signsctkeyinfo, which contains this configuration:
    - The security token reference.
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The gen_scttoken protection token generator, as follows:
      - Contains the Secure Conversation Token Version 1.3 token type.
      - Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type as the local part value.
      - Contains wss.generate.sct JAAS login.
    - The WS-Trust Callback Handler.
  - The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  - The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for encryption information generation, called asymmetric-encryptionInfoRequest, contains the following configuration:
  - References the gen_enckeyinfo encryption key information.
  - Encryption key information, named gen_enckeyinfo, which contains this configuration:
    - The key identifier.
    - The gen_encx509token protection token asymmetric encryption generator, as follows:
      - Contains the X.509 V3 Token v1.0 token type.
      - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      - Contains the wss.generate.x509 JAAS login.
    - The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks, as follows:
      - Keystore type is JCEKS.
      - Keystore password is storepass.
      - Alias name of the personal certificate is bob.
  - The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.
- The sample configuration for encryption information generation, called symmetric-encryptionInfoRequest, contains the following configuration:
  - References the gen_encsctkeyinfo encryption key information.
  - The encryption key information, gen_encsctkeyinfo, which contains this configuration:
    - The security token reference.
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The gen_scttoken protection token generator, which contains the following configuration:
      - Contains the Secure Conversation Token v1.3 token type.
      - Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
      - Contains wss.generate.sct JAAS login.
    - The WS-Trust Callback Handler.
  - The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
- The sample configuration for signing information consumption, called asymmetric-signingInfoResponse, contains the following configuration:
  - References the con_signkeyinfo signing key information.
  - The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  - The signing key information, named con_signkeyinfo, which contains the following configuration:
    - The con_signx509token protection token asymmetric signature consumer, as follows:
      - Contains the X.509 V3 Token v1.0 token type.
      - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      - Contains the wss.consume.x509 JAAS login.
    - The X.509 Callback Handler, as follows:
      - References a certificate store named DigSigCertStore.
      - References a trusted anchor store named DigSigTrustAnchor.
  - The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
  - The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for signing information consumption, called symmetric-signingInfoResponse, contains the following configuration:
  - References the con_sctsignkeyinfo signing key information.
  - The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  - The signing key information, named con_sctsignkeyinfo, which contains the following configuration:
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The con_scttoken protection token consumer, as follows:
      - Contains the Secure Conversation Token v1.3 token type.
      - Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
      - Contains the wss.consume.sct JAAS login.
    - The WS-SecureConversation Callback Handler.
  - The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  - The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for encryption information consumption, called asymmetric-encryptionInfoResponse, contains the following configuration:
  - References the dec_keyinfo encryption key information.
  - The encryption key information, named dec_keyinfo, which contains the following configuration:
    - The con_encx509token protection token asymmetric encryption consumer, as follows:
      - Contains the X.509 V3 Token v1.0 token type.
      - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      - Contains the wss.consume.x509 JAAS login.
    - The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks, with the following characteristics:
      - The keystore type is JCEKS.
      - The keystore password is storepass.
      - The alias name of the personal certificate is alice.
      - The key password is keypass.
  - The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.
- The sample configuration for encryption information consumption, called symmetric-encryptionInfoResponse, contains the following configuration:
  - References the dec_sctkeyinfo encryption key information.
  - The encryption key information, named dec_sctkeyinfo, contains the following configuration:
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The con_scttoken protection token consumer, as follows:
      - Contains the Secure Conversation Token v1.3 token type.
      - Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
      - Contains the wss.consume.sct JAAS login.
    - The WS-SecureConversation Callback Handler.
  - The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
- The sample configuration for authentication token generation, called gen_signkrb5token, contains the following configuration:
  - The custom token type for the Kerberos v5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
  - The wss.generate.KRB5BST JAAS login.
  - The following custom properties:
    - com.ibm.wsspi.wssecurity.krbtoken.targetServiceName, the target Kerberos service name.
    - com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost, the host name associated with the target Kerberos service name.
    You must provide the correct values for your environment before using this configuration.
  - The custom Kerberos token callback handler. You must provide the correct values for the Kerberos client principal and password.
- The sample configuration for authentication token generation, called gen_signltpaproptoken, contains the following configuration:
  - The token type LTPA propagation token, as follows:
    - Contains LTPA_PROPAGATION for the local part value.
    - Contains https://www.ibm.com/websphere/appserver/tokentype for the Namespace URI value.
  - Contains the wss.generate.ltpaProp JAAS login.
  - Uses the LTPA token callback handler.
- The sample configuration for authentication token generation, called gen_signltpatoken, contains the following configuration:
  - The token type of LTPA Token v2.0, as follows:
    - Contains LTPA_PROPAGATION for the local part value.
    - Contains https://www.ibm.com/websphere/appserver/tokentype for the Namespace URI value.
  - The wss.generate.ltpa JAAS login.
  - The LTPA token callback handler.
- The sample configuration for authentication token generation, called gen_signunametoken, contains the following configuration:
  - The token type of Username Token v1.0, which uses http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken for the local part value.
  - The wss.generate.unt JAAS login.
  - The Username token callback handler, as follows:
    - Contains basic authentication fields. You must provide the correct values for your environment for client principal and password.
    - Contains the following custom properties:
      - com.ibm.wsspi.wssecurity.token.username.addNonce for adding the nonce value.
      - com.ibm.wsspi.wssecurity.token.username.addTimestamp for adding the time stamp value.
SHA256 client sample bindings
- The sample configuration for signing information generation, called asymmetric-signingInfoRequest, contains the following configuration:
  - References the gen_signkeyinfo signing key information.
  - The part reference configuration, which contains the transform configuration using the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  - The signing key information, gen_signkeyinfo, which contains this configuration:
    - The security token reference.
    - The gen_signx509token protection token asymmetric signature generator, as follows:
      - Contains the X.509 V3 Token v1.0 token type.
      - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      - Contains the wss.generate.x509 JAAS login.
    - The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks, with these characteristics:
      - The keystore type is JKS.
      - The keystore password is client.
      - The alias name of the personal certificate is soaprequester.
      - The key password is client.
  - The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
  - The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
  - com.ibm.ws.wssecurity.dsig.SignatureAlgorithm=rsa-sha256
- The sample configuration for signing information generation, called symmetric-signingInfoRequest, contains the following configuration:
  - References the gen_signsctkeyinfo signing key information.
  - The part reference configuration, which contains the transform configuration using the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  - The signing key information, gen_signsctkeyinfo, which contains this configuration:
    - The security token reference.
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The gen_scttoken protection token generator, as follows:
      - Contains the Secure Conversation Token Version 1.3 token type.
      - Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type as the local part value.
      - Contains wss.generate.sct JAAS login.
    - The WS-Trust Callback Handler.
  - The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  - The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
  - com.ibm.ws.wssecurity.dsig.SignatureAlgorithm=hmac-sha256
- The sample configuration for encryption information generation, called asymmetric-encryptionInfoRequest, contains the following configuration:
  - References the gen_enckeyinfo encryption key information.
  - Encryption key information, named gen_enckeyinfo, which contains this configuration:
    - The key identifier.
    - The gen_encx509token protection token asymmetric encryption generator, as follows:
      - Contains the X.509 V3 Token v1.0 token type.
      - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      - Contains the wss.generate.x509 JAAS login.
    - The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks, as follows:
      - Keystore type is JCEKS.
      - Keystore password is storepass.
      - Alias name of the personal certificate is bob.
  - The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.
- The sample configuration for encryption information generation, called symmetric-encryptionInfoRequest, contains the following configuration:
  - References the gen_encsctkeyinfo encryption key information.
  - The encryption key information, gen_encsctkeyinfo, which contains this configuration:
    - The security token reference.
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The gen_scttoken protection token generator, which contains the following configuration:
      - Contains the Secure Conversation Token v1.3 token type.
      - Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
      - Contains wss.generate.sct JAAS login.
    - The WS-Trust Callback Handler.
  - The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
- The sample configuration for signing information consumption, called asymmetric-signingInfoResponse, contains the following configuration:
  - References the con_signkeyinfo signing key information.
  - The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  - The signing key information, named con_signkeyinfo, which contains the following configuration:
    - The con_signx509token protection token asymmetric signature consumer, as follows:
      - Contains the X.509 V3 Token v1.0 token type.
      - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      - Contains the wss.consume.x509 JAAS login.
    - The X.509 Callback Handler, as follows:
      - References a certificate store named DigSigCertStore.
      - References a trusted anchor store named DigSigTrustAnchor.
  - The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
  - The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
  - com.ibm.ws.wssecurity.dsig.SignatureAlgorithm=rsa-sha256
- The sample configuration for signing information consumption, called symmetric-signingInfoResponse, contains the following configuration:
  - References the con_sctsignkeyinfo signing key information.
  - The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  - The signing key information, named con_sctsignkeyinfo, which contains the following configuration:
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The con_scttoken protection token consumer, as follows:
      - Contains the Secure Conversation Token v1.3 token type.
      - Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
      - Contains the wss.consume.sct JAAS login.
    - The WS-SecureConversation Callback Handler.
  - The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  - The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
  - com.ibm.ws.wssecurity.dsig.SignatureAlgorithm=hmac-sha256
- The sample configuration for encryption information consumption, called asymmetric-encryptionInfoResponse, contains the following configuration:
  - References the dec_keyinfo encryption key information.
  - The encryption key information, named dec_keyinfo, which contains the following configuration:
    - The con_encx509token protection token asymmetric encryption consumer, as follows:
      - Contains the X.509 V3 Token v1.0 token type.
      - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      - Contains the wss.consume.x509 JAAS login.
    - The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks, with the following characteristics:
      - The keystore type is JCEKS.
      - The keystore password is storepass.
      - The alias name of the personal certificate is alice.
      - The key password is keypass.
  - The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.
- The sample configuration for encryption information consumption, called symmetric-encryptionInfoResponse, contains the following configuration:
  - References the dec_sctkeyinfo encryption key information.
  - The encryption key information, named dec_sctkeyinfo, contains the following configuration:
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The con_scttoken protection token consumer, as follows:
      - Contains the Secure Conversation Token v1.3 token type.
      - Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
      - Contains the wss.consume.sct JAAS login.
    - The WS-SecureConversation Callback Handler.
  - The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
- The sample configuration for authentication token generation, called gen_signkrb5token, contains the following configuration:
  - The custom token type for the Kerberos v5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
  - The wss.generate.KRB5BST JAAS login.
  - The following custom properties:
    - com.ibm.wsspi.wssecurity.krbtoken.targetServiceName, the target Kerberos service name.
    - com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost, the host name associated with the target Kerberos service name.
    You must provide the correct values for your environment before using this configuration.
  - The custom Kerberos token callback handler. You must provide the correct values for the Kerberos client principal and password.
- The sample configuration for authentication token generation, called gen_signltpaproptoken, contains the following configuration:
  - The token type LTPA propagation token, as follows:
    - Contains LTPA_PROPAGATION for the local part value.
    - Contains https://www.ibm.com/websphere/appserver/tokentype for the Namespace URI value.
  - Contains the wss.generate.ltpaProp JAAS login.
  - Uses the LTPA token callback handler.
- The sample configuration for authentication token generation, called gen_signltpatoken, contains the following configuration:
  - The token type of LTPA Token v2.0, as follows:
    - Contains LTPA_PROPAGATION for the local part value.
    - Contains https://www.ibm.com/websphere/appserver/tokentype for the Namespace URI value.
  - The wss.generate.ltpa JAAS login.
  - The LTPA token callback handler.
- The sample configuration for authentication token generation, called gen_signunametoken, contains the following configuration:
  - The token type of Username Token v1.0, which uses http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken for the local part value.
  - The wss.generate.unt JAAS login.
  - The Username token callback handler, as follows:
    - Contains basic authentication fields. You must provide the correct values for your environment for client principal and password.
    - Contains the following custom properties:
      - com.ibm.wsspi.wssecurity.token.username.addNonce for adding the nonce value.
      - com.ibm.wsspi.wssecurity.token.username.addTimestamp for adding the time stamp value.
- The sample configuration for authentication token generation, called gen_saml11token, contains the following configuration:
  - The token type of SAML 1.1, as follows:
    - Contains http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1 for the local part value.
  - The system.wss.generate.saml JAAS login.
  - The SAML generator callback handler with the following custom properties:

    Table 1. Custom properties for the SAML generator callback handler

    | Custom property | Value |
    | --- | --- |
    | confirmationMethod | Bearer |
    | keyType | http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer |
    | stsURI | https://example.com/Trust/13/UsernameMixed |
    | wstrustClientPolicy | Username WSHTTPS default |
    | wstrustClientBinding | SamlTCSample |
    | wstrustClientSoapVersion | 1.2 |
- The sample configuration for authentication token generation, called gen_saml20token, contains the following configuration:
  - The token type of SAML 2.0, as follows:
    - Contains http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 for the local part value.
  - The system.wss.generate.saml JAAS login.
  - The SAML generator callback handler with the following custom properties:

    Table 2. Custom properties for the SAML generator callback handler

    | Custom property | Value |
    | --- | --- |
    | confirmationMethod | Bearer |
    | keyType | http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer |
    | stsURI | https://example.com/Trust/13/UsernameMixed |
    | wstrustClientPolicy | Username WSHTTPS default |
    | wstrustClientBinding | SamlTCSample |
    | wstrustClientSoapVersion | 1.2 |
Client sample bindings V2
Two new general sample bindings, Client sample V2, and Provider sample V2, have been added to the product. While many of the configurations are the same as previous versions of the client sample and provider sample bindings, there are several additional, new sample configurations. To use these new bindings, create a new profile after installing the product. For more information, read the topic Configuring Kerberos policy sets and V2 general sample bindings.
- The sample configuration for signing information generation, called symmetric-KrbsignInfoRequest, contains the following configuration:
  - References the gen_reqKRBsignkeyinfo signing key information.
  - The part reference configuration, which contains the transform configuration using the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  - The signing key information, gen_reqKRBsignkeyinfo, which contains this configuration:
    - The security token reference.
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The gen_krb5token protection token generator, as follows:
      - Contains the Kerberos V5 GSS AP_REQ binary security token type.
      - Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type as the local part value.
      - Contains wss.generate.KRB5BST JAAS login.
    - The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler.
  - The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  - The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for encryption information generation, called symmetric-KrbEncInfoRequest, contains the following configuration:
  - References the gen_reqKRBenckeyinfo encryption key information.
  - The encryption key information, gen_reqKRBenckeyinfo, which contains this configuration:
    - The security token reference.
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The gen_krb5token protection token generator, which contains the following configuration:
      - Contains the Kerberos V5 GSS AP_REQ binary security token type.
      - Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type for the local part value.
      - Contains wss.generate.KRB5BST JAAS login.
    - The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler.
  - The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
- The sample configuration for signing information consumption, called symmetric-KrbsignInfoResponse, contains the following configuration:
  - References the con_respKRBsignkeyinfo signing key information.
  - The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  - The signing key information, named con_respKRBsignkeyinfo, which contains the following configuration:
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The con_krb5token protection token consumer, as follows:
      - Contains the Kerberos V5 GSS AP_REQ binary security token type.
      - Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type for the local part value.
      - Contains the wss.consume.KRB5BST JAAS login.
    - The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler.
  - The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  - The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for encryption information consumption, called symmetric-KrbEncInfoResponse, contains the following configuration:
  - References the con_respKRBenckeyinfo encryption key information.
  - The encryption key information, named con_respKRBenckeyinfo, contains the following configuration:
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The con_krb5token protection token consumer, as follows:
      - Contains the Kerberos V5 GSS AP_REQ binary security token type.
      - Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type for the local part value.
      - Contains the wss.consume.KRB5BST JAAS login.
    - The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler.
  - The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
- The sample configuration for authentication token generation, called gen_krb5token, contains the following configuration:
  - The custom token type for the Kerberos V5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
  - The wss.generate.KRB5BST JAAS login.
  - The following custom properties:
    - com.ibm.wsspi.wssecurity.krbtoken.targetServiceName, the target Kerberos service name.
    - com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost, the host name associated with the target Kerberos service name.
    Note: You must provide the correct values for your environment before using this configuration.
  - The custom Kerberos token callback handler. Note: You must provide the correct values for the Kerberos client principal and password.
- The sample configuration for authentication token generation, called con_krb5token, contains the following configuration:
  - The custom token type for the Kerberos V5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
  - The wss.consume.KRB5BST JAAS login.
  - The custom Kerberos token callback handler.
General provider sample bindings
- The sample configuration for signing information consumption, called asymmetric-signingInfoRequest, contains the following configuration:
  - References the con_signkeyinfo signing key information.
  - The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  - The signing key information, named con_signkeyinfo, which contains the following configuration:
    - The con_signx509token protection token asymmetric signature consumer, as follows:
      - Contains the X.509 V3 Token v1.0 token type.
      - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      - Contains the wss.consume.x509 JAAS login.
    - The X.509 Callback Handler, as follows:
      - References a certificate store named DigSigCertStore.
      - References a trusted anchor store named DigSigTrustAnchor.
  - The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
  - The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for signing information consumption, called symmetric-signingInfoRequest, contains the following configuration:
  - References the con_sctsignkeyinfo signing key information.
  - The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  - The signing key information, named con_sctsignkeyinfo, which contains the following configuration:
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The con_scttoken protection token generator, as follows:
      - Contains the Secure Conversation Token v1.3 token type.
      - Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
      - Contains the wss.consume.sct JAAS login.
    - The WS-SecureConversation Callback Handler.
  - The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  - The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for encryption information consumption, called asymmetric-encryptionInfoRequest, contains the following configurations:
  - References the dec_keyinfo encryption key information.
  - The encryption key information, named dec_keyinfo, which contains the following configuration:
    - The con_encx509token protection token asymmetric encryption consumer, as follows:
      - Contains the X.509 V3 Token v1.0 token type.
      - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      - Contains the wss.consume.x509 JAAS login.
    - The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks, with the following characteristics:
      - The keystore type is JCEKS.
      - The keystore password is storepass.
      - The alias name of the personal certificate is bob.
      - The key password is keypass.
  - The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.
- The sample configuration for encryption information consumption, called symmetric-encryptionInfoRequest, contains the following configuration:
  - References the dec_sctkeyinfo encryption key information.
  - The encryption key information, named dec_sctkeyinfo, which contains the following configuration:
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The con_scttoken protection token consumer, as follows:
      - Contains the Secure Conversation Token v1.3 token type.
      - Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
      - Contains the wss.consume.sct JAAS login.
    - The WS-SecureConversation Callback Handler.
  - The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
- The sample configuration for signing information generation, called asymmetric-signingInfoResponse, contains the following configuration:
  - References the gen_signkeyinfo signing key information.
  - The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  - The signing key information, named gen_signkeyinfo, which contains the following configuration:
    - The security token reference.
    - The gen_signx509token protection token asymmetric signature generator, as follows:
      - Contains the X.509 V3 Token v1.0 token type.
      - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      - Contains the wss.generate.x509 JAAS login.
    - The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks, with the following characteristics:
      - The keystore type is JKS.
      - The keystore password is server.
      - The alias name of the personal certificate is soapprovider.
      - The key password is server.
  - The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
  - The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for signing information generation, called symmetric-signingInfoResponse, contains the following configuration:
  - References the gen_signsctkeyinfo signing key information.
  - The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  - The signing key information, named gen_signsctkeyinfo, which contains the following configuration:
    - The security token reference.
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The gen_scttoken protection token generator, as follows:
      - Contains the Secure Conversation Token v1.3 token type.
      - Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
      - Contains the wss.generate.sct JAAS login.
    - The WS-Trust Callback Handler.
  - The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  - The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for encryption information generation, called asymmetric-encryptionInfoResponse, contains the following configuration:
  - References the gen_enckeyinfo encryption key information.
  - The encryption key information, named gen_enckeyinfo, contains the following configuration:
    - The key identifier.
    - The gen_encx509token protection token asymmetric encryption generator, as follows:
      - Contains the X.509 V3 Token v1.0 token type.
      - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      - Contains the wss.generate.x509 JAAS login.
    - Uses X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks, with the following characteristics:
      - The keystore type is JCEKS.
      - The keystore password is storepass.
      - The alias name of the personal certificate is alice.
      - The key password is keypass.
  - The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.
- The sample configuration for encryption information generation, called symmetric-encryptionInfoResponse, contains the following configuration:
  - References the gen_encsctkeyinfo encryption key information.
  - The encryption key information, named gen_encsctkeyinfo, contains the following configuration:
    - The security token reference.
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The gen_scttoken protection token generator, as follows:
      - Contains the Secure Conversation Token v1.3 token type.
      - Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
      - Contains the wss.generate.sct JAAS login.
    - The WS-Trust Callback Handler.
  - The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
- The sample configuration for authentication token consumption, called con_krb5token, contains the following configuration:
  - The custom token type for Kerberos v5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
  - The wss.consume.KRB5BST JAAS login.
  - The custom Kerberos token callback handler.
- The sample configuration for authentication token consumption, called con_ltpaproptoken, contains the following configuration:
  - The token type LTPA propagation token.
  - The wss.consume.ltpaProp JAAS login.
  - The LTPA token callback handler.
- The sample configuration for authentication token consumption, called con_ltpatoken, contains the following configuration:
  - The token type LTPA Token v2.0, with the following characteristics:
    - Contains LTPAv2 for the local part value.
    - Contains https://www.ibm.com/websphere/appserver/tokentype for the Namespace URI value.
  - The wss.consume.ltpa JAAS login.
  - The LTPA token callback handler.
- The sample configuration for authentication token consumption, called con_unametoken, contains the following configuration:
  - Token type Username Token v1.0, which uses http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken for the local part value.
  - The wss.consume.unt JAAS login.
  - The Username token callback handler, with the following custom properties:
    - com.ibm.wsspi.wssecurity.token.username.verifyNonce for verifying the nonce value.
    - com.ibm.wsspi.wssecurity.token.username.verifyTimestamp for verifying the time stamp value.
SHA256 provider sample bindings
- The sample configuration for signing information consumption, called asymmetric-signingInfoRequest, contains the following configuration:
  - References the con_signkeyinfo signing key information.
  - The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  - The signing key information, named con_signkeyinfo, which contains the following configuration:
    - The con_signx509token protection token asymmetric signature consumer, as follows:
      - Contains the X.509 V3 Token v1.0 token type.
      - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      - Contains the wss.consume.x509 JAAS login.
    - The X.509 Callback Handler, as follows:
      - References a certificate store named DigSigCertStore.
      - References a trusted anchor store named DigSigTrustAnchor.
  - The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
  - The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
  - com.ibm.ws.wssecurity.dsig.SignatureAlgorithm=rsa-sha256
- The sample configuration for signing information consumption, called symmetric-signingInfoRequest, contains the following configuration:
  - References the con_sctsignkeyinfo signing key information.
  - The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  - The signing key information, named con_sctsignkeyinfo, which contains the following configuration:
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The con_scttoken protection token generator, as follows:
      - Contains the Secure Conversation Token v1.3 token type.
      - Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
      - Contains the wss.consume.sct JAAS login.
    - The WS-SecureConversation Callback Handler.
  - The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  - The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
  - com.ibm.ws.wssecurity.dsig.SignatureAlgorithm=hmac-sha256
- The sample configuration for encryption information consumption, called asymmetric-encryptionInfoRequest, contains the following configurations:
  - References the dec_keyinfo encryption key information.
  - The encryption key information, named dec_keyinfo, which contains the following configuration:
    - The con_encx509token protection token asymmetric encryption consumer, as follows:
      - Contains the X.509 V3 Token v1.0 token type.
      - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      - Contains the wss.consume.x509 JAAS login.
    - The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks, with the following characteristics:
      - The keystore type is JCEKS.
      - The keystore password is storepass.
      - The alias name of the personal certificate is bob.
      - The key password is keypass.
  - The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.
- The sample configuration for encryption information consumption, called symmetric-encryptionInfoRequest, contains the following configuration:
  - References the dec_sctkeyinfo encryption key information.
  - The encryption key information, named dec_sctkeyinfo, which contains the following configuration:
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The con_scttoken protection token consumer, as follows:
      - Contains the Secure Conversation Token v1.3 token type.
      - Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
      - Contains the wss.consume.sct JAAS login.
    - The WS-SecureConversation Callback Handler.
  - The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
- The sample configuration for signing information generation, called asymmetric-signingInfoResponse, contains the following configuration:
  - References the gen_signkeyinfo signing key information.
  - The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  - The signing key information, named gen_signkeyinfo, which contains the following configuration:
    - The security token reference.
    - The gen_signx509token protection token asymmetric signature generator, as follows:
      - Contains the X.509 V3 Token v1.0 token type.
      - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      - Contains the wss.generate.x509 JAAS login.
    - The X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks, with the following characteristics:
      - The keystore type is JKS.
      - The keystore password is server.
      - The alias name of the personal certificate is soapprovider.
      - The key password is server.
  - The signature method http://www.w3.org/2000/09/xmldsig#rsa-sha1.
  - The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
  - com.ibm.ws.wssecurity.dsig.SignatureAlgorithm=rsa-sha256
- The sample configuration for signing information generation, called symmetric-signingInfoResponse, contains the following configuration:
  - References the gen_signsctkeyinfo signing key information.
  - The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  - The signing key information, named gen_signsctkeyinfo, which contains the following configuration:
    - The security token reference.
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The gen_scttoken protection token generator, as follows:
      - Contains the Secure Conversation Token v1.3 token type.
      - Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
      - Contains the wss.generate.sct JAAS login.
    - The WS-Trust Callback Handler.
  - The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  - The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
  - com.ibm.ws.wssecurity.dsig.SignatureAlgorithm=hmac-sha256
- The sample configuration for encryption information generation, called asymmetric-encryptionInfoResponse, contains the following configuration:
  - References the gen_enckeyinfo encryption key information.
  - The encryption key information, named gen_enckeyinfo, contains the following configuration:
    - The key identifier.
    - The gen_encx509token protection token asymmetric encryption generator, as follows:
      - Contains the X.509 V3 Token v1.0 token type.
      - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type for the local part value.
      - Contains the wss.generate.x509 JAAS login.
    - Uses X.509 Callback Handler. The callback handler calls the custom keystore in ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks, with the following characteristics:
      - The keystore type is JCEKS.
      - The keystore password is storepass.
      - The alias name of the personal certificate is alice.
      - The key password is keypass.
  - The key encryption method http://www.w3.org/2001/04/xmlenc#rsa-1_5.
- The sample configuration for encryption information generation, called symmetric-encryptionInfoResponse, contains the following configuration:
  - References the gen_encsctkeyinfo encryption key information.
  - The encryption key information, named gen_encsctkeyinfo, contains the following configuration:
    - The security token reference.
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The gen_scttoken protection token generator, as follows:
      - Contains the Secure Conversation Token v1.3 token type.
      - Contains the http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct value type for the local part value.
      - Contains the wss.generate.sct JAAS login.
    - The WS-Trust Callback Handler.
  - The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
- The sample configuration for authentication token consumption, called con_krb5token, contains the following configuration:
  - The custom token type for Kerberos v5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
  - The wss.consume.KRB5BST JAAS login.
  - The custom Kerberos token callback handler.
- The sample configuration for authentication token consumption, called con_ltpaproptoken, contains the following configuration:
  - The token type LTPA propagation token.
  - The wss.consume.ltpaProp JAAS login.
  - The LTPA token callback handler.
- The sample configuration for authentication token consumption, called con_ltpatoken, contains the following configuration:
  - The token type LTPA Token v2.0, with the following characteristics:
    - Contains LTPAv2 for the local part value.
    - Contains https://www.ibm.com/websphere/appserver/tokentype for the Namespace URI value.
  - The wss.consume.ltpa JAAS login.
  - The LTPA token callback handler.
- The sample configuration for authentication token consumption, called con_unametoken, contains the following configuration:
  - Token type Username Token v1.0, which uses http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken for the local part value.
  - The wss.consume.unt JAAS login.
  - The Username token callback handler, with the following custom properties:
    - com.ibm.wsspi.wssecurity.token.username.verifyNonce for verifying the nonce value.
    - com.ibm.wsspi.wssecurity.token.username.verifyTimestamp for verifying the time stamp value.
- The sample configuration for authentication token generation, called gen_saml11token, contains the following configuration:
  - The token type of SAML 1.1, as follows:
    Contains http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1 for the local part value.
  - The system.wss.consume.saml JAAS login.
  - The SAML consumer callback handler with the following custom properties:

    Table 3. Custom properties for the SAML consumer callback handler

    | Custom property | Value |
    | --- | --- |
    | confirmationMethod | Bearer |
    | keyType | http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer |
    | trustStoreType | jceks |
    | trustStorePath | ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig_issuer.jceks |
    | trustStorePassword | storepass |
- The sample configuration for authentication token generation, called gen_saml20token, contains the following configuration:
  - The token type of SAML 2.0, as follows:
    Contains http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 for the local part value.
  - The system.wss.consumer.saml JAAS login.
  - The SAML consumer callback handler with the following custom properties:

    Table 4. Custom properties for the SAML consumer callback handler

    | Custom property | Value |
    | --- | --- |
    | confirmationMethod | Bearer |
    | keyType | http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer |
    | trustStoreType | jceks |
    | trustStorePath | ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig_issuer.jceks |
    | trustStorePassword | storepass |
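
The provider sample bindings listed above point at keystores under ${USER_INSTALL_ROOT}/etc/ws-security/samples/ and use the passwords storepass, keypass and server. The following Python audit is an added example, not IBM code: it scans the text of an exported binding for those sample values so that a copied binding can be checked before it is used outside a test cell. The element and attribute names in the constructed input, the name/value shape of custom properties, and the presence of passwords in WebSphere's {xor} form are assumptions about the file being scanned.

```python
import base64
import re

# Sample values named in the sample bindings on this page.
SAMPLE_KEYSTORE_DIR = "etc/ws-security/samples/"
SAMPLE_PASSWORDS = ("storepass", "keypass", "server")

# attr="value" pairs; the file layout itself is treated as opaque text.
ATTR = re.compile(r'([\w.:-]+)\s*=\s*"([^"]*)"')


def xor_encode(secret):
    """Return the {xor} form of a password: XOR each byte with '_', then base64."""
    masked = bytes(b ^ 0x5F for b in secret.encode("utf-8"))
    return "{xor}" + base64.b64encode(masked).decode("ascii")


# Every spelling of a sample password, plain or {xor}, mapped to the plain form.
KNOWN_PASSWORDS = {p: p for p in SAMPLE_PASSWORDS}
KNOWN_PASSWORDS.update({xor_encode(p): p for p in SAMPLE_PASSWORDS})


def settings_on_line(line):
    """Yield (setting name, value) pairs found on one line of the binding."""
    attrs = ATTR.findall(line)
    by_name = dict(attrs)
    # Custom properties are assumed to appear as name="..." value="...".
    if "name" in by_name and "value" in by_name:
        yield by_name["name"], by_name["value"]
    for name, value in attrs:
        if name not in ("name", "value"):
            yield name, value


def audit_binding(text):
    """Return findings as (line number, kind, setting name, detail) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, value in settings_on_line(line):
            if SAMPLE_KEYSTORE_DIR in value:
                keystore = value.rsplit("/", 1)[-1]
                findings.append((lineno, "sample-keystore", name, keystore))
            elif "pass" in name.lower() and value in KNOWN_PASSWORDS:
                # Exact match only, so unrelated values are not flagged.
                findings.append(
                    (lineno, "sample-password", name, KNOWN_PASSWORDS[value]))
    return findings


# Constructed input for illustration; not copied from a product file.
CONSTRUCTED_BINDING = "\n".join([
    '<keyStore type="JCEKS" storepass="%s"' % xor_encode("storepass"),
    '  path="${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks"/>',
    '<key alias="bob" keypass="keypass"/>',
    '<properties name="trustStorePath"'
    ' value="${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig_issuer.jceks"/>',
    '<properties name="trustStorePassword" value="storepass"/>',
    '<keyStore type="PKCS12" storepass="%s" path="/opt/keys/orders.p12"/>'
    % xor_encode("constructed-non-sample-value"),
    '<properties name="passphraseHint" value="server-side only"/>',
])

if __name__ == "__main__":
    for lineno, kind, name, detail in audit_binding(CONSTRUCTED_BINDING):
        print("line %d: %s in %s (%s)" % (lineno, kind, name, detail))
```

An empty result only means that none of the sample values listed on this page were found; it does not assess the keys and passwords that replaced them.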
Provider sample bindings V2
Two new general sample bindings, Client sample V2 and Provider sample V2, have been added to the product. Many of the configurations are the same as in previous versions of the client sample and provider sample bindings, but there are several additional sample configurations. To use these new bindings, create a new profile after installing the product. For more information, read the topic Configuring Kerberos policy sets and V2 general sample bindings.
- The sample configuration for signing information generation, called symmetric-KrbsignInfoRequest, contains the following configuration:
  - References the con_respKRBsignkeyinfo signing key information.
  - The part reference configuration, which contains the transform configuration using the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  - The signing key information, con_respKRBsignkeyinfo, which contains this configuration:
    - The security token reference.
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The con_krb5token protection token consumer, as follows:
      - Contains the Kerberos V5 GSS AP_REQ binary security token type.
      - Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type as the local part value.
      - Contains wss.consume.KRB5BST JAAS login.
    - The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler.
  - The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  - The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for encryption information generation, called symmetric-KrbEncInfoRequest, contains the following configuration:
  - References the con_reqKRBenckeyinfo encryption key information.
  - The encryption key information, con_reqKRBenckeyinfo, which contains this configuration:
    - The security token reference.
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The con_krb5token protection token consumer, which contains the following configuration:
      - Contains the Kerberos V5 GSS AP_REQ binary security token type.
      - Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type for the local part value.
      - Contains wss.consume.KRB5BST JAAS login.
    - The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler.
  - The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
- The sample configuration for signing information consumption, called symmetric-KrbsignInfoResponse, contains the following configuration:
  - References the gen_respKRBsignkeyinfo signing key information.
  - The part reference configuration, which uses the transform configuration http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
  - The signing key information, named gen_respKRBsignkeyinfo, which contains the following configuration:
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The gen_krb5token protection token generator, as follows:
      - Contains the Kerberos V5 GSS AP_REQ binary security token type.
      - Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type for the local part value.
      - Contains the wss.generate.KRB5BST JAAS login.
    - The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler.
  - The signature method http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  - The canonicalization method http://www.w3.org/2001/10/xml-exc-c14n#.
- The sample configuration for encryption information consumption, called symmetric-KrbEncInfoResponse, contains the following configuration:
  - References the gen_respKRBenckeyinfo encryption key information.
  - The encryption key information, named gen_respKRBenckeyinfo, contains the following configuration:
    - The derived key, as follows:
      - Requires explicit derived key token.
      - WS-SecureConversation as the client label.
      - WS-SecureConversation as the service label.
      - Key length of 16 bytes.
      - Nonce length of 16 bytes.
    - The gen_krb5token protection token generator, as follows:
      - Contains the Kerberos V5 GSS AP_REQ binary security token type.
      - Contains the http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ value type for the local part value.
      - Contains the wss.generate.KRB5BST JAAS login.
    - The com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler.
  - The data encryption method http://www.w3.org/2001/04/xmlenc#aes128-cbc.
- The sample configuration for authentication token generation, called gen_krb5token, contains the following configuration:
  - The custom token type for the Kerberos V5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
  - The wss.generate.KRB5BST JAAS login.
  - The custom Kerberos token callback handler.
- The sample configuration for authentication token generation, called con_krb5token, contains the following configuration:
  - The custom token type for the Kerberos V5 token, which uses http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value.
  - The wss.consume.KRB5BST JAAS login.
  - The custom Kerberos token callback handler.