Configuring a policy set and bindings to consume an LTPA and/or UsernameToken (optional security tokens)

This procedure describes how to configure the message-level WS-Security policy set and bindings to consume an LTPA token, a UsernameToken or both. This procedure can be modified to apply to any pair of dissimilar token value types. You cannot create a configuration that will make one token required and the other optional.

Before you begin

This task assumes that the service provider and client that you are configuring are in the JaxWSServicesSamples application. Refer to Accessing the samples for more information on how to obtain and install this application. You should use the following trace specification on your server. These specifications enable you to debug any future configuration problems that might occur.

*=info:com.ibm.wsspi.wssecurity.*=all:com.ibm.ws.webservices.wssecurity.*=all:com.ibm.ws.wssecurity.*=all:com.ibm.xml.soapsec.*=all:com.ibm.ws.webservices.trace.*=all:com.ibm.ws.websvcs.trace.*=all:com.ibm.ws.wssecurity.platform.audit.*=off:

Since LTPA tokens will be used, application security must be enabled on the application servers used for both the client and the service.

About this task

This procedure explains the actions you need to complete to configure a WS-Security policy to consume an LTPA token, a UsernameToken or both. Ordinarily this configuration would be used on a provider application. For simplicity, this procedure removes timestamp, digital signature and encryption from the policy; you may want to include these in your final configuration. Refer to Configuring a policy set and bindings for Asymmetric XML Digital Signature or XML Encryption by using application-specific bindings for more information.

This procedure also includes the steps to configure a client application to send a UsernameToken or an LTPA token.

Procedure

  1. Create the custom policy set for the provider.
    1. In the administrative console, click Services > Policy sets > Application Policy sets.
    2. Click New.
    3. Specify Name = AtwoTokenPolicy.
    4. Click Apply.
    5. Under Policies, click Add > WS-Security.
  2. Edit the custom policy set.
    1. Remove digital signature, encryption and timestamp.
      1. In the administrative console, click WS-Security > Main Policy.
      2. Deselect Message level protection.
      3. Click Apply.
    2. Add the UsernameToken and LTPA token.
      1. Click Request token policies.
      2. Click Add Token Type > LTPA.
        • LTPA token name: myLTPA
      3. Click OK.
      4. Click Add Token Type > UserName.
        • Username token name: myUNT.
      5. Click OK.
    3. Save the configuration.
      1. Click Save.
  3. Configure the provider to use the AtwoTokenPolicy policy set.
    1. In the administrative console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service provider policy sets and bindings.
    2. Select the web services client resource.
    3. Select the web services provider resource.
    4. Click Attach Policy Set.
    5. Select AtwoTokenPolicy.
  4. Create a custom binding for the provider.
    1. Select the web services provider resource again.
    2. Click Assign Binding.
    3. Click New Application Specific Binding to create an application-specific binding.
    4. Specify Bindings configuration name: providerBinding.
    5. Click Add > WS-Security.
  5. Edit the custom bindings for the provider.
    1. To add a caller configuration for the LTPA token:
      1. Click Caller.
      2. Click New.
        • Name: ltpaCaller
        • Caller identity local part: LTPAv2
        • Caller identity namespace URI: https://www.ibm.com/websphere/appserver/tokentype
      3. Click OK.
    2. To add a caller configuration for the UsernameToken:
      1. Click New.
        • Name: untCaller
        • Caller identity local part: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
        • Caller identity namespace URI: [leave blank]
      2. Click OK.
    Note: Ensure that the tokens have the desired precedence. There can be only a single caller identity per thread. If more than one token for which a caller configuration exists occurs in the inbound SOAP message, the caller configuration with the lower Order number is used. If the order shown in the Order field of the table is not the order that you want, do the following:
    1. Select the token that you want to have highest priority.
    2. Click Move Up until its Order number is 1.
    3. Repeat this procedure using Move Up and Move Down to achieve the desired order.
    4. Click Save to save the configuration.
  6. Create a policy set that has only a UsernameToken in the request message for the client.
    1. In the administrative console, click Services > Policy sets > Application Policy sets.
    2. Click New.
    3. Specify Name = AUntPolicy.
    4. Click Apply.
    5. Under Policies, click Add > WS-Security.
    6. Remove digital signature, encryption and timestamp. In the administrative console:
      1. Click WS-Security > Main Policy.
      2. Deselect Message level protection.
      3. Click Apply.
    7. Add the UsernameToken.
      1. Click Request Token Policies.
      2. Click Add Token Type > UserName.
      3. Username token name: myUNT.
      4. Click OK.
    8. Save the configuration. Click Save.
  7. Create a policy set that has only an LTPA token in the request message for the client.
    1. In the administrative console, click Services > Policy sets > Application Policy sets.
    2. Click New.
    3. Specify Name = AnLTPAPolicy.
    4. Click Apply.
    5. Under Policies, click Add > WS-Security.
    6. Remove digital signature, encryption and timestamp. In the administrative console:
      1. Click WS-Security > Main Policy.
      2. Deselect Message level protection.
      3. Click Apply.
    7. Add the LTPA token.
      1. Click Request Token Policies.
      2. Click Add Token Type > LTPA.
      3. LTPA token name: myLTPA.
      4. Click OK.
    8. Save the configuration. Click Save.
  8. Perform the following steps to configure the client to use the UsernameToken policy and create bindings:
    1. Configure the client to use the AUntPolicy policy set.
      1. In the administrative console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service client policy sets and bindings.
      2. Select the web services client resource.
      3. Click Attach Policy Set.
      4. Select AUntPolicy.
    2. Create a custom binding for the client.
      1. Select the web services resource again.
      2. Click Assign Binding.
      3. Click New Application Specific Binding to create an application-specific binding.
      4. Specify Bindings configuration name: untClientBinding.
      5. Click Add > WS-Security.
    3. Configure the client's custom bindings.
      1. Select Authentication and protection.
      2. Under Authentication tokens, select myUNT.
      3. Click Apply.
      4. Click Callback handler.
      5. Enter your desired User name and Password.
      6. Add the custom properties for nonce and timestamp. Because the UsernameToken consumer was not configured in the provider's custom binding, the run time uses the default general bindings for the UsernameToken consumer. That default consumer requires that a timestamp and a nonce be sent in the UsernameToken, so enter the following properties to emit those elements:
        * com.ibm.wsspi.wssecurity.token.username.addTimestamp=true
        * com.ibm.wsspi.wssecurity.token.username.addNonce=true
      7. Click OK.
    4. Save the configuration.
      1. Click Save.
  9. Perform the following steps to configure the client to use the LTPA policy and create bindings:
    1. Configure the client to use the AnLTPAPolicy policy set.
      1. In the administrative console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service client policy sets and bindings.
      2. Select the web services client resource.
      3. Click Attach Policy Set.
      4. Select AnLTPAPolicy.
    2. Create a custom binding for the client.
      1. Select the web services resource again.
      2. Click Assign Binding.
      3. Click New Application Specific Binding to create an application-specific binding.
      4. Specify Bindings configuration name: ltpaClientBinding.
      5. Click Add > WS-Security.
    3. Configure the client's custom bindings.
      1. Select Authentication and protection.
      2. Under Authentication tokens, select myLTPA.
      3. Click Apply.
      4. Click Callback handler.
      5. Enter your desired User name and Password.
      6. Click OK.
    4. Save the configuration.
      1. Click Save.
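As an added illustration (not IBM's code) of the caller-precedence rule in step 5 and the nonce and timestamp requirement in step 8, the following Python model reads the wsse:Security header of a constructed SOAP request, lists the tokens it carries, and picks the caller configuration with the lowest Order number. It assumes that a token's identity is its namespace URI and local part joined by "#" (the LTPA ValueType shape), and the sample message and token values are constructed for this example.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UNT_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-username-token-profile-1.0#UsernameToken")
LTPA_NS = "https://www.ibm.com/websphere/appserver/tokentype"  # value from the procedure

# Caller configurations as entered in providerBinding; the lowest Order wins.
CALLERS = [
    {"name": "ltpaCaller", "local": "LTPAv2", "ns": LTPA_NS, "order": 1},
    {"name": "untCaller", "local": UNT_TYPE, "ns": "", "order": 2},
]

def caller_identity(caller):
    # Assumption: identity is "namespace#localpart", or just the local part when no namespace is set.
    return f"{caller['ns']}#{caller['local']}" if caller["ns"] else caller["local"]

def token_identities(soap_xml):
    """Return the identities of the security tokens present in the wsse:Security header."""
    root = ET.fromstring(soap_xml)
    security = root.find(f".//{{{WSSE}}}Security")
    found = []
    for el in ([] if security is None else list(security)):
        if el.tag == f"{{{WSSE}}}BinarySecurityToken":
            found.append(el.get("ValueType", ""))
        elif el.tag == f"{{{WSSE}}}UsernameToken":
            # The default general-binding consumer rejects a UsernameToken without nonce and timestamp.
            if el.find(f"{{{WSSE}}}Nonce") is None or el.find(f"{{{WSU}}}Created") is None:
                raise ValueError("UsernameToken is missing Nonce or wsu:Created")
            found.append(UNT_TYPE)
    return found

def select_caller(soap_xml, callers=CALLERS):
    """Name of the caller configuration that sets the thread identity, or None."""
    present = set(token_identities(soap_xml))
    matched = [c for c in callers if caller_identity(c) in present]
    return min(matched, key=lambda c: c["order"])["name"] if matched else None

# Constructed sample request carrying both an LTPA token and a UsernameToken.
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
<wsse:BinarySecurityToken ValueType="{LTPA_NS}#LTPAv2">QUJD</wsse:BinarySecurityToken>
<wsse:UsernameToken><wsse:Username>alice</wsse:Username><wsse:Password>pw</wsse:Password>
<wsse:Nonce>bm9uY2U=</wsse:Nonce><wsu:Created>2024-01-01T00:00:00Z</wsu:Created>
</wsse:UsernameToken></wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""

if __name__ == "__main__":
    print(select_caller(SAMPLE))  # ltpaCaller, because ltpaCaller has Order 1
```

Swapping the two Order values in CALLERS makes the same message resolve to untCaller, which is the effect of the Move Up and Move Down steps.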