Configuring custom policies and bindings for security tokens using wsadmin scripting

Use the setPolicyType and setBinding commands for the AdminTask object to specify security tokens for custom policy and binding configurations.

Before you begin

Create a new custom policy set.

About this task

The following scenarios configure the custom policy and bindings to use a Kerberos token based on the OASIS Kerberos Token Profile V1.1 specification. You can also use the setPolicyType and setBinding commands to configure other binary security tokens, such as username tokens, Lightweight Third-Party Authentication (LTPA) and SecureConversation.

Procedure

  • Configure custom policies for security tokens.
    1. Launch the wsadmin scripting tool using the Jython scripting language.
      To learn more, see the information about starting the wsadmin scripting client.
    2. Display the properties of the policy of interest.
      Use the getPolicyType command to display detailed property information for the WS-Security policy type, as the following command demonstrates:
      AdminTask.getPolicyType('-policySet AuthenticationTokenService -policyType WSSecurity')
      The getPolicyType command returns a properties object that contains name and value pairs for each property, as the following sample output displays:
      '[ [SupportingTokens.request:krb_token.CustomToken.IncludeToken 
       http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient] [enabled true] [type WSSecurity] 
       [description [Policies for sending security tokens and providing message confidentiality and integrity, based on the OASIS Web 
       Service Security and Token Profiles specifications.]] [SupportingTokens.request:krb_token.CustomToken.WssCustomToken.uri ] 
       [provides ] [SupportingTokens.request:krb_token.CustomToken.WssCustomToken.localname 
       http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ] ]' 
    3. Specify the authentication token for the policy type.
      Use the setPolicyType command to specify the Uniform Resource Identifier (URI) of the authentication token for services as the value for the SupportingTokens.request:krb_token.CustomToken.WssCustomToken.uri property. Use the [ ] syntax to specify an empty string. The following example specifies an empty string as the value for the authentication token:
      AdminTask.setPolicyType('-policySet AuthenticationTokenService -policyType WSSecurity '
        '-attributes "[ [SupportingTokens.request:krb_token.CustomToken.IncludeToken '
        'http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient] '
        '[enabled true] [type WSSecurity] '
        '[description [Policies for sending security tokens and providing message confidentiality and integrity, '
        'based on the OASIS Web Services Security and Token Profiles specifications.]] '
        '[SupportingTokens.request:krb_token.CustomToken.WssCustomToken.uri []] [provides []] '
        '[SupportingTokens.request:krb_token.CustomToken.WssCustomToken.localname '
        'http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ] ]"')
  • Configure custom bindings for security tokens.
    1. Start the wsadmin scripting tool.
    2. Display the properties of the bindings of interest.
      Use the getBinding command to display detailed property information for the binding of interest, as the following command demonstrates:
      AdminTask.getBinding('-policyType WSSecurity -bindingLocation "" -bindingName AuthenticationTokenService')
      The getBinding command returns a properties object that contains name and value pairs for each property, as the following sample output displays:
      '[ [application.securityinboundbindingconfig.tokenconsumer_0.properties_0.name 
       com.ibm.wsspi.wssecurity.krbtoken.serviceSPN]  [application.securityinboundbindingconfig.tokenconsumer_0.valuetype.localname 
       http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ]  
       [application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri ]  
       [application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler.classname 
       com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler]  [application.name 
       application][application.securityinboundbindingconfig.tokenconsumer_0.properties_0.value HTTP/derekho1.firehorse.austin.ibm.com]  
       [application.securityinboundbindingconfig.tokenconsumer_0.jaasconfig.configname system.wss.consume.KRB5BST] 
       [application.securityinboundbindingconfig.tokenconsumer_0.name 
       con_krbtoken][application.securityinboundbindingconfig.tokenconsumer_0.classname 
       com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer]  
       [application.securityinboundbindingconfig.tokenconsumer_0.securitytokenreference.reference request:krb_token] ]' 
    3. Specify the authentication token for the binding.
      Use the setBinding command to specify the Uniform Resource Identifier (URI) of the authentication token for services as the value for the application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri property. Use the [ ] syntax to specify an empty string. The following example specifies an empty string as the value for the authentication token:
      AdminTask.setBinding('-policyType WSSecurity -bindingLocation "" '
        '-bindingName AuthenticationTokenService -attributes "[ '
        '[application.securityinboundbindingconfig.tokenconsumer_0.properties_0.name com.ibm.wsspi.wssecurity.krbtoken.serviceSPN] '
        '[application.securityinboundbindingconfig.tokenconsumer_0.valuetype.localname '
        'http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ] '
        '[application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri []] '
        '[application.securityinboundbindingconfig.tokenconsumer_0.callbackhandler.classname '
        'com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler] '
        '[application.name application] '
        '[application.securityinboundbindingconfig.tokenconsumer_0.properties_0.value HTTP/derekho1.firehorse.austin.ibm.com] '
        '[application.securityinboundbindingconfig.tokenconsumer_0.jaasconfig.configname system.wss.consume.KRB5BST] '
        '[application.securityinboundbindingconfig.tokenconsumer_0.name con_krbtoken] '
        '[application.securityinboundbindingconfig.tokenconsumer_0.classname com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer] '
        '[application.securityinboundbindingconfig.tokenconsumer_0.securitytokenreference.reference request:krb_token] '
        ']"')
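Both procedures above follow the same read-modify-write pattern: getPolicyType or getBinding returns a bracketed property list, you change one property (here the WssCustomToken uri), and you hand the whole list back through setPolicyType or setBinding, writing an empty value as []. The script below is an added example, not part of the IBM documentation, that parses that bracketed format (including nested brackets such as the description value and empty values such as provides), rebuilds the -attributes string, and checks that the command returned 'true'. The sample input is the getPolicyType output from the procedure joined onto one line; the apply_in_wsadmin function and the placeholder URI http://example.invalid/kerberos are assumptions, and the script is written for Jython 2.7 (wsadmin -lang jython on current WebSphere versions) or CPython 3.

```python
# Added example (not IBM's code): parse the property list returned by
# AdminTask.getPolicyType / AdminTask.getBinding, change one property and
# rebuild the -attributes argument for setPolicyType / setBinding.
# Assumes Jython 2.7 (wsadmin) or CPython 3; no f-strings are used.
import re
from collections import OrderedDict

# Constructed sample: the getPolicyType output shown in the procedure,
# joined onto one line the way wsadmin actually returns it.
SAMPLE_POLICY_OUTPUT = (
    "[ [SupportingTokens.request:krb_token.CustomToken.IncludeToken "
    "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient] "
    "[enabled true] [type WSSecurity] "
    "[description [Policies for sending security tokens and providing message "
    "confidentiality and integrity, based on the OASIS Web Service Security "
    "and Token Profiles specifications.]] "
    "[SupportingTokens.request:krb_token.CustomToken.WssCustomToken.uri ] "
    "[provides ] "
    "[SupportingTokens.request:krb_token.CustomToken.WssCustomToken.localname "
    "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ] ]"
)

URI_PROPERTY = "SupportingTokens.request:krb_token.CustomToken.WssCustomToken.uri"


def parse_properties(text):
    """Turn '[ [name value] [name [multi word value]] [name ] ]' into an
    OrderedDict. Values may be wrapped in their own brackets, so bracket
    depth is tracked instead of splitting on whitespace."""
    text = text.strip()
    if text.startswith("'") and text.endswith("'"):      # Jython repr quotes
        text = text[1:-1].strip()
    if not (text.startswith("[") and text.endswith("]")):
        raise ValueError("property list must be wrapped in [ ]")
    body = text[1:-1]
    props = OrderedDict()
    depth = 0
    start = 0
    for i, ch in enumerate(body):
        if ch == "[":
            depth += 1
            if depth == 1:
                start = i + 1
        elif ch == "]":
            depth -= 1
            if depth == 0:
                fields = body[start:i].strip().split(None, 1)
                name = fields[0]
                value = len(fields) > 1 and fields[1].strip() or ""
                # A bracketed value ([] for empty, [text with spaces]) loses
                # exactly one level of brackets.
                if value.startswith("[") and value.endswith("]"):
                    value = value[1:-1].strip()
                props[name] = value
            elif depth < 0:
                raise ValueError("unbalanced ] at offset %d" % i)
    if depth != 0:
        raise ValueError("unbalanced [ in property list")
    return props


def format_attributes(props):
    """Rebuild the -attributes string in the original order. Empty values
    become [] as the procedure requires; values containing whitespace are
    bracketed so wsadmin reads them as one value."""
    parts = []
    for name in props:
        value = props[name]
        if value == "":
            parts.append("[%s []]" % name)
        elif re.search(r"\s", value):
            parts.append("[%s [%s]]" % (name, value))
        else:
            parts.append("[%s %s]" % (name, value))
    return "[ " + " ".join(parts) + " ]"


def set_custom_token_uri(current_output, uri, set_fn, property_name=URI_PROPERTY):
    """Change one property and push the full list back through set_fn, a
    callable that takes the attributes string and returns wsadmin's result
    ('true' on success, as the Results section states). Raises if the
    property is absent or the update was not accepted."""
    props = parse_properties(current_output)
    if property_name not in props:
        raise KeyError("property %s not in current configuration" % property_name)
    props[property_name] = uri
    result = set_fn(format_attributes(props))
    if str(result).strip() != "true":
        raise RuntimeError("update rejected by wsadmin: %r" % (result,))
    return props


def apply_in_wsadmin(policy_set, uri):
    """Only usable inside wsadmin, where AdminTask exists (hypothetical
    wrapper; policy_set is e.g. AuthenticationTokenService)."""
    current = AdminTask.getPolicyType('-policySet %s -policyType WSSecurity' % policy_set)

    def push(attrs):
        return AdminTask.setPolicyType('-policySet %s -policyType WSSecurity -attributes "%s"'
                                       % (policy_set, attrs))
    return set_custom_token_uri(current, uri, push)
```

The same parse_properties and format_attributes functions apply unchanged to getBinding output, because setBinding takes the same bracketed -attributes syntax; only the property name (application.securityinboundbindingconfig.tokenconsumer_0.valuetype.uri) and the AdminTask command differ.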

Results

If the setPolicyType and setBinding commands return a 'true' value, the system successfully updated the policy and binding configurations.