Configuring general, cell-wide bindings for policies using wsadmin scripting

You can use the Jython or Jacl scripting language to customize your cell-wide default binding configuration. Create multiple cell-wide general bindings that you can attach to applications.

Before you begin

Before you use the commands in this topic, verify that you are using the most recent version of the wsadmin tool. The policy set management commands that accept a properties object as the value for the attributes or bindingLocation parameters are not supported on previous versions of the wsadmin tool. For example, the commands do not run on a Version 6.1.0.x node.

When administrative security is enabled, verify that you use the correct administrative role, as the following table describes:
Table 1. Administrative roles. The administrative role determines if you can configure or assign bindings.

| Administrative role | Authorization |
| --- | --- |
| Administrator | The Administrator role must have cell-wide access to configure bindings. If you have access to a specific resource only, you can configure bindings for the resource for which you have access. Only the Administrator role can edit binding attributes. |
| Configurator | The Configurator role with cell-wide or resource specific access can assign or unassign bindings, but cannot edit attributes. |
| Deployer | The Deployer role with cell-wide or resource specific access can assign or unassign bindings, but cannot edit attributes. |
| Operator | The Operator role can view, but cannot configure bindings. |
| Monitor | The Monitor role can view, but cannot configure bindings. |

About this task

Bindings are environment and platform-specific information such as key store information, keys used for signature and encryption, or authentication information.

For transitioning users: In WebSphere Application Server Version 7.0 and later, the security model was enhanced to a domain-centric security model instead of a server-based security model. The configuration of the default global security (cell) level and default server level bindings has also changed in this version of the product. In the WebSphere Application Server Version 6.1 Feature Pack for Web Services, you can configure one set of default bindings for the cell and optionally configure one set of default bindings for each server. In Version 7.0 and later, you can configure one or more general service provider bindings and one or more general service client bindings. After you have configured general bindings, you can specify which of these bindings is the global default binding. You can also optionally specify general bindings that are used as the default for an application server or a security domain.

To support a mixed-cell environment, WebSphere Application Server supports Version 7.0 and Version 6.1 bindings. General cell-level bindings are specific to Version 7.0 and later. Application-specific bindings remain at the version that the application requires. When the user creates an application-specific binding, the application server determines the required binding version to use for the application.

Use the following guidelines to manage bindings in your environment:
  • To display or modify default Version 6.1 bindings, Version 7.0 and trust service bindings, or to reference bindings by attachment for an application, specify the attachmentId and bindingLocation parameters with the getBinding or setBinding commands.
  • To use or modify general Version 7.0 and later bindings, specify the bindingName parameter with the getBinding or setBinding commands.
  • To display the version of a specific binding, specify the version attribute for the getBinding command.
Use a Version 6.1 binding for an application in a Version 7.0 and later environment if:
  • The module in the application is installed on at least one Web Services Feature Pack server.
  • The application contains at least one Version 6.1 application-specific binding. The application server does not assign general bindings to resource attachments for applications that are installed on a Web Services Feature Pack server. All application-specific bindings for an application must be at the same level.
General service provider and client bindings are not linked to a particular policy set and they provide configuration information that you can reuse across multiple applications. You can create and manage general provider and client policy set bindings and then select one of each binding type to use as the default for an application server. Setting the server default bindings is useful if you want the services that are deployed to a server to share binding configuration. You can also accomplish this sharing of binding configuration by assigning the binding to each application deployed to the server or by setting default bindings for a security domain and assigning the security domain to one or more servers. You can specify default bindings for your service provider or client that are used at the global security (cell) level, for a security domain, or for a particular server. The default bindings are used in the absence of an overriding binding specified at a reduced scope. The order of precedence from lowest to highest that the application server uses to determine which default bindings to use is as follows:
  1. Server level default
  2. Security domain level default
  3. Global security (cell) default

The sample general bindings that are provided with the product are initially set as the global security (cell) default bindings. The default service provider binding and the default service client bindings are used when no application specific bindings or trust service bindings are assigned to a policy set attachment. For trust service attachments, the default bindings are used when no trust specific bindings are assigned. If you do not want to use the provided Provider sample as the default service provider binding, you can select an existing general provider binding or create a new general provider binding to meet your business needs. Likewise, if you do not want to use the provided Client sample as the default service client binding, you can select an existing general client binding or create a new general client binding.

Procedure

  1. Start the wsadmin scripting tool.
  2. Determine the policy to update.
    To view a list of all available policies for a specific policy set, use the listPolicyTypes command. For example:
    AdminTask.listPolicyTypes('[-policySet PolicySet1]')
  3. Retrieve the current binding configuration for the policy to determine the attributes to update.
    Use the getBinding command to display a Properties object containing all configuration attributes for a specific policy binding. For a cell-wide binding, pass an empty Properties object as the value of the -bindingLocation parameter. For example:
    AdminTask.getBinding('-policyType WSAddressing -bindingLocation "" -bindingName cellWideBinding1')
    To return a specific configuration attribute for the policy, use the -attributes parameter. For example, enter this command to determine if the WSAddressing policy has workload management enabled:
    AdminTask.getBinding('-policyType WSAddressing -bindingLocation "" -bindingName cellWideBinding1 -attributes "[preventWLM]"')
    The command returns a properties object which contains the value of the requested attribute, preventWLM.
  4. Edit the binding configuration.
    Use the setBinding command to update your binding configuration for a policy. To specify that you are editing a cell-wide binding, set the -bindingLocation parameter by passing a null or empty Properties object and specify the name of the binding with the -bindingName parameter. You can further customize your binding with the following parameters:
    Table 2. Command parameters. Use the command to update the binding configuration.

    | Parameter | Description | Data type |
    | --- | --- | --- |
    | -policyType | Specifies the policy of interest. | String, optional |
    | -attributes | Specifies the attribute values to update. This parameter can include all binding attributes for the policy or a subset to update. | Properties, optional |
    | -replace | Specifies whether to replace all of the existing binding attributes with the attributes specified in the command. Use this parameter to remove optional parts of the configuration for policies with complex data. The default value is false. | Boolean, optional |
    | -remove | Use this parameter to remove a specific policy from the binding configuration. The default value for the remove parameter is false. If the policyType parameter is not specified, the command removes the custom binding from the attachment. To delete the binding configuration, provide a value for the bindingName parameter and an asterisk character (*) for the attachmentId. | Boolean, optional |
    | -domainName | Specifies the domain name for the binding. Use this parameter to scope a binding to a domain other than the global security domain. | String, optional |

    You must use the -attributes parameter when editing your binding configuration for cell-wide bindings. The following example disables workload management within the cell-wide default binding for the WSAddressing policy:

    AdminTask.setBinding('-policyType WSAddressing -bindingLocation "" -bindingName cellWideBinding1 -attributes "[preventWLM false]"')
  5. Save your configuration changes.
    AdminConfig.save()
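
The procedure above as one guarded Jython script, added here as an example and not IBM's code: it reads the attribute, changes it, re-reads it, and calls AdminConfig.save() only when the new value is confirmed, otherwise AdminConfig.reset(). The helper names (parse_props, binding_args, set_attribute, FakeTask, FakeConfig) are hypothetical, and the "[ [name value] ]" rendering of getBinding output is an assumption.

```python
# Added example (not IBM's code); outside wsadmin it uses the stand-ins below.
import re

def parse_props(text):
    # Assumption: getBinding output renders as "[ [name value] ... ]" with
    # flat values; nested attribute values are not handled here.
    props = {}
    for name, value in re.findall(r'\[(\S+) ([^\[\]]*)\]', str(text)):
        props[name] = value
    return props

def binding_args(policy, binding, attrs):
    # -bindingLocation "" selects a general cell-wide binding (steps 3 and 4)
    return ('-policyType %s -bindingLocation "" -bindingName %s -attributes "[%s]"'
            % (policy, binding, attrs))

def set_attribute(task, config, policy, binding, name, value):
    # Read, change, re-read; save only when the new value is confirmed.
    query = binding_args(policy, binding, name)
    before = parse_props(task.getBinding(query)).get(name)
    if before is None:
        raise ValueError('attribute %s not found in getBinding output' % name)
    if before == value:
        return 'unchanged'
    task.setBinding(binding_args(policy, binding, '%s %s' % (name, value)))
    after = parse_props(task.getBinding(query)).get(name)
    if after != value:
        config.reset()  # discard the unsaved workspace change
        return 'rolled back'
    config.save()
    return 'saved (%s -> %s)' % (before, after)

class FakeTask:  # constructed stand-in for AdminTask
    def __init__(self, value): self.value = value
    def getBinding(self, args):
        return '[ [preventWLM %s] ]' % self.value
    def setBinding(self, args):
        self.value = re.search(r'\[preventWLM (\w+)\]', args).group(1)

class FakeConfig:  # constructed stand-in for AdminConfig
    def __init__(self): self.calls = []
    def save(self): self.calls.append('save')
    def reset(self): self.calls.append('reset')

try:
    task, config = AdminTask, AdminConfig  # defined only inside wsadmin
except NameError:
    task, config = FakeTask('true'), FakeConfig()
print(set_attribute(task, config, 'WSAddressing', 'cellWideBinding1', 'preventWLM', 'false'))
```

Run it with wsadmin -lang jython -f under an account that holds the Administrator role, since only that role can edit binding attributes.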