Setting default policy set bindings

You can set provider and client default policy set bindings that are used as the global security default policy set bindings. The specified global security default bindings apply to all web services unless the bindings are overridden at the attachment point, at the server, or at a security domain.

Before you begin

You must first install and configure an application server. After the application server is installed, you must install a Java™ API for XML-Based Web Services (JAX-WS) application onto your server. Now, you are ready to attach a policy set to the web service application. You can define and manage general service provider and client policy set bindings for your web service resource by using the administrative console.

About this task

Policy set bindings for servers

After you understand policy set bindings, then it is easier to understand how the default bindings are used.

Policy set bindings contain platform-specific information, such as keystore, authentication information or persistent information that is required by a policy set attachment. A policy set attachment is a policy set that is attached to an application resource. Starting with WebSphere® Application Server Version 7.0 and later, there are two types of bindings, general bindings and application specific bindings.

There are two types of general bindings, general service provider bindings and general service client bindings. You can configure one or more general service provider bindings and one or more general service client bindings and then use them across a range of policy sets. Additionally, you can re-use these general bindings across applications and for trust service attachments. To define and manage general bindings, in the administrative console click Services > Policy sets > General provider policy set bindings or Services > Policy sets > General client policy set bindings. The general service provider and client bindings have independent settings that you can customize to meet the needs of your environment.

You can create application specific bindings when you attach a policy set to a web service application resource. These bindings are specific to and defined by to the characteristics of the defined policy. Application specific bindings are capable of providing configuration for advanced policy requirements, such as multiple signatures; however, these bindings are only reusable within an application. Furthermore, application specific bindings have limited reuse across policy sets. To assign application specific bindings to an application for service providers, in the administrative console click Applications > Applications Types > WebSphere enterprise applications > application_name > Service provider policy sets and bindings. Select a web service resource with an attached policy and click Assign Binding > New Application Specific Binding. To assign application specific bindings to an application for service clients, in the administrative console click Applications > Applications Types > WebSphere enterprise applications > application_name > Service client policy sets and bindings . Select a web services resource with an attached policy and click Assign Binding > New Application Specific Binding. You can additionally assign application specific bindings for service providers or service clients using the administrative console and click Services > Service providers > application_name or Services > Service clients > application_name and then select a web services resource with an attached policy and assign your bindings.

To learn more about general bindings or application specific bindings, read about defining and managing policy set bindings.

Default policy set bindings

For transitioning users: In WebSphere Application Server Version 7.0 and later, the security model was enhanced to a domain-centric security model instead of a server-based security model. The configuration of the default global security (cell) level and default server level bindings has also changed in this version of the product. In the WebSphere Application Server Version 6.1 Feature Pack for Web Services, you can configure one set of default bindings for the cell and optionally configure one set of default bindings for each server. In Version 7.0 and later, you can configure one or more general service provider bindings and one or more general service client bindings. After you have configured general bindings, you can specify which of these bindings is the global default binding. You can also optionally specify general binding that are used as the default for an application server or a security domain.

General service provider and client bindings are not linked to a particular policy set, and they provide configuration information that you can reuse across multiple applications. You can create and manage general provider and client policy set bindings and then select one of each binding type to use as the default for an application server. Setting the server default bindings is useful if you want the services that are deployed to a server to share binding configuration. You can also share binding configuration by either assigning the binding to each application that is deployed to the server or by setting default bindings for a security domain and assigning the security domain to one or more servers.

You can specify default bindings for your service provider or client that are used at the global security (cell) level, for a security domain, for a particular server. The default bindings are used in the absence of an overriding binding specified at a lower scope. The following list is the order of precedence from lowest to highest that the application server uses to determine which default bindings to use:
  1. Server level default
  2. Security domain level default
  3. Global security (cell) default

The sample general bindings that are provided with the product are initially set as the global security (cell) default bindings. The default service provider binding and the default service client bindings are used when no application specific bindings or trust service bindings are assigned to a policy set attachment. For trust service attachments, the default bindings are used when no trust specific bindings are assigned. If you do not want to use the provided Provider sample as the default service provider binding, you can select an existing general provider binding or create a new general provider binding to meet your business needs. Likewise, if you do not want to use the provided Client sample as the default service client binding, you can select an existing general client binding or create a new general client binding. To specify your global security (cell) default bindings, in the administrative console click Services > Policy sets > Default policy set bindings. For environments with multiple security domains, you can optionally choose the general provider and general client bindings that you want to use as the default bindings for a domain.

In addition to choosing default bindings for the global security (cell), you can also choose the general provider and general client bindings that you want to use as the default bindings for a server. This is only necessary if you want to use different default bindings for a particular server than those used by the other servers in the security domain or cell. To choose the default bindings for a server from the administrative console, click Servers > Server Types > WebSphere application servers > server_name and then from Security, click Default policy set bindings. If you do not choose a general binding as the default for a server, the default bindings for the domain in which the server resides is used. If you do not choose a binding as the default for a domain, the default bindings for the global security (cell) are used. You must choose a default service provider and default service client bindings for the cell. The general bindings that are included with the product are initially set as the global security (cell) default bindings. You cannot delete a binding that is used as part of any policy set attachment or specified as the default binding for the server, a domain, or the cell. To learn more about defining default bindings for a server, see the server default bindings documentation.

Depending on your assigned security role when security is enabled, you might not have access to text entry fields or buttons to create or edit configuration data. Review the administrative roles documentation to learn more about the valid roles for the application server.

Procedure

  1. Open the administrative console.
  2. To set global security default policy set bindings, select Services > Policy sets > Default policy set bindings.
  3. Select the default service provider binding.
    The default service provider binding is used as the default for policy set attachments unless the provider or client binding is overridden at the attachment point, at the server, or at a security domain. The default setting is Provider sample.
  4. Select the default service client binding.
    If you specify a default service client binding, the selected binding overrides the default bindings that are specified for the cell or the security domain to which the server is deployed. The default setting is Client sample.
  5. If multiple security domains are enabled, you can view the default provider bindings and the default client bindings for each security domain that is defined in the security domain default bindings collection.
    You can select the security domain name link if you want to access the domain and select different default bindings. Additionally, you can select the default provider binding links or the default client binding links to access the default bindings and select different default binding settings.
  6. Click Apply to apply selected bindings as the global default bindings.
  7. Click Save to save your changes to the master configuration.
  8. (optional) If you are using a Version 6.1 application, you can specify server V6.1 default policy set bindings. To set these bindings, select Services > Policy sets > Default policy set bindings > Version 6.1 default policy set bindings.
    Mixed-version environment:

    If you have an application that contains one or more application specific bindings that are configured at the WebSphere Application Server Version 6.1 level, this application is a V6.1 application. If you have applications that are deployed to V6.1 servers within the Version 7.0 or later application server environment, or you have V6.1 applications that are deployed to V7.0 or later versions of the application server, you can specify Version 6.1 default policy set bindings for the cell. These bindings are used for both client and provider policy set attachments within V6.1 applications and attachments to service applications that are deployed to a V6.1 server. Additionally, these default bindings are used for V6.1 attachments unless they are overridden at the attachment point by an application specific binding or a V6.1 server default binding. You can upgrade V6.1 bindings to the bindings that are used by WebSphere Application Server V7.0 and later versions. Use the upgradeBindings command using the wsadmin tool to upgrade the bindings level, if the V6.1 application is not installed on WebSphere Application Server V6.1.

Results

When you complete these steps, you have defined your global security (cell) default policy set bindings and domain default policy set bindings, if applicable.

Example

Suppose that you do not want to use the provided general provider binding, Provider sample, as your default service provider binding. To take advantage of existing bindings, you can copy and modify the Provider sample to meet your business needs. This example assumes that your server environment has SecurityDomain1 and SecurityDomain2 defined.

  1. Copy and modify the provided Provider sample general service provider binding. Click Services > Policy sets > General provider policy set bindings. Select Provider sample > copy. Name the new general provider binding, MyServiceProviderbinding, and provide a description for the new binding.
  2. Copy and modify the provided Client sample general service client binding. Click Services > Policy sets > General client policy set bindings. Select Client sample > copy. Name the new general client binding, MyServiceClientbinding, and provide a description for the new binding.
  3. To specify the default policy set bindings for your global security (cell) and for your domains, click Services > Policy sets > Default policy set bindings. From this page, select MyServiceProviderbinding as the default service provider binding, and select MyClientProviderbinding as the default service client binding.
  4. Click Apply and Save to save your changes to the master configuration.

Assigning a domain default binding is optional. Generally, you assign domain default policy set bindings only when you want the servers in the domain to use different default bindings than the rest of the cell. In this example, suppose you have defined another general provider binding, MyServiceProviderbinding2, and you want to specify this binding as the domain default binding for your SecurityDomain1 domain.

  1. From the security domain default bindings collection click SecurityDomain1 > Default policy set bindings. From this page, you can select MyServiceProviderbinding2 as the service provider domain default binding.
  2. Click Apply and Save to save your changes to the master configuration.