Use the wsadmin tool, which supports the Jython and Jacl
scripting languages, to define the policy set configuration for your
web services applications.
Before you begin
When administrative security is enabled, verify that you
use the correct administrative role, as the following table describes:
Table 1. Administrative roles. The administrative role determines if you can create policy set attachments.

| Administrative role | Authorization |
| --- | --- |
| Administrator | The Administrator role must have cell-wide access to create policy set attachments. If you have access to a specific resource only, you can create policy set attachments for the resource for which you have access. |
| Configurator | The Configurator role must have cell-wide access to create policy set attachments. If you have access to a specific resource only, you can create policy set attachments for the resource for which you have access. |
| Deployer | The Deployer role with cell-wide or resource specific access can create policy set attachments for application resources only. |
| Operator | The Operator role cannot create policy set attachments. |
| Monitor | The Monitor role cannot create policy set attachments. |

Before you use the commands in this topic, verify
that you are using the most recent version of the wsadmin tool. The
policy set management commands that accept a properties object as
the value for the attributes or bindingLocation parameters
are not supported on previous versions of the wsadmin tool. For example,
the commands do not run on a Version 6.1.0.x node.
About this task
To use a new policy set to manage policies for your application,
you must attach the policy set to an application artifact or artifacts.
When the application restarts, the application uses the policies from
the newly attached policy set.
Mixed-version environment: In a mixed cell environment, the following
limitations apply to service reference attachments or resource attachments that are specified in
name-value pair format:
- You must not create these types of attachments for applications that are deployed on an
application server that is prior to WebSphere Application Server Version 8.0. Service reference
attachments are only supported on WebSphere Application Server V8.0 and later.
- An application that contains these types of attachments must not be deployed on an application
server that is prior to WebSphere Application Server Version 8.0.
- If an application that is deployed in a cluster environment contains these types of attachments,
you must not add a member application server that is prior to WebSphere Application Server Version
8.0 to the cluster.
Procedure
- Launch a scripting command.
To learn more, read about starting the wsadmin scripting client.
- Select an application with web services to update.
Use the listWebServices command to list all web services and
the associated applications. Enter the following command to list
all web services and attributes:
AdminTask.listWebServices()
For each web service, the command returns the associated application name, module name,
service name, and service type. For example, the following information is returned:
'[ [service {https://www.ibm.com}service1] [client false] [application application1]
[module webapp1.war] [type JAX-WS] ]'
- Create a policy set attachment for an application.
For the commands in the PolicySetManagement group, the term resource refers
to a web service artifact. For application and service client policy
sets, the artifacts use the application hierarchy. The application
hierarchy includes a web service, module name, endpoint, or operation.
Enter the value for the -resource parameter as a string, with a forward slash
( / ) character as a delimiter.
Avoid trouble: When
attempting to connect to a web service from a thin client, verify
that the resources you are specifying are valid before running the
updatePolicySetAttachment command. No configuration changes are made
if the requested resource does not match a resource in the attachment
file for the application.
Use the following format for application and client policy set attachments:
- WebService:/
Attaches all artifacts in the application to the policy set.
- WebService:/webapp1.war:{https://www.ibm.com}myService
Attaches all artifacts within the web service {https://www.ibm.com}myService to the policy set. You must provide a fully qualified name (QName) for the service.
- WebService:/webapp1.war:{https://www.ibm.com}myService/endpointA
Attaches all operations for the endpointA endpoint to the policy set.
- WebService:/webapp1.war:{https://www.ibm.com}myService/endpointA/operation1
Attaches only the operation1 operation to the policy set.
The format for the -resource string differs for service reference attachments. Use the following format for service reference attachments:
- type=WebService:/
Attaches all artifacts in the application to the policy set.
- type=WebService:/,module=myModule.war,service={https://www.mynamespace.com}myService
Attaches all artifacts within the web service {https://www.mynamespace.com}myService to the policy set. You must provide a fully qualified name (QName) for the service.
- type=WebService:/,module=myModule.war,service={https://www.mynamespace.com}myService,serviceRef=myServiceRef
Attaches all artifacts within the web service reference myServiceRef to the policy set.
- type=WebService:/,module=myModule.war,service={namespace}myService,serviceRef=myServiceRef,endpoint=endpointA
Attaches all operations for the service reference endpointA endpoint in the service reference myServiceRef to the policy set.
- type=WebService:/,module=myModule.war,service={namespace}myService,serviceRef=myServiceRef,endpoint=endpointA,operation=operation1
Attaches only the operation1 operation in the service reference myServiceRef to the policy set.
The format for the -resource string
differs for system policy set attachments for the trust service. Use
the following format for system policy set attachments:
- Trust.opName:/
The opName attribute can be
issue, renew, cancel, or validate.
- Trust.opName:/url
The opName attribute can
be issue, renew, cancel, or validate. You can specify any valid URL
for the url attribute.
- Enter the command to attach the policy set to the application.
This command attaches the policyset1 application policy set
to all artifacts in the WebService application.
For transitioning users: Even though you can specify the application value for the -attachmentType parameter, use the provider value in place of the application value because the attachments are used for more than just applications, such as system attachments for trust service.
For system policy set attachments, specify the provider value for the attachmentType parameter and the "[systemType trustService]" value for the -attachmentProperties parameter. For WSNClient attachments, specify the client value for the attachmentType parameter and the bus and WSNService properties with the -attachmentProperties parameter.
To attach a policy set to a web service application, specify the provider value for the -attachmentType parameter:
AdminTask.createPolicySetAttachment('[-policySet policyset1 -resources "WebService:/" -applicationName WebService -attachmentType provider]')
To attach a policy set to a service client application, specify the client value for the -attachmentType parameter, as the following example demonstrates:
AdminTask.createPolicySetAttachment('[-policySet policyset1 -resources "WebService:/" -applicationName WebService -attachmentType client]')
To create a trust service attachment for a system policy set, specify the provider value for the -attachmentType parameter and the [systemType trustService] value for the -attachmentProperties parameter, as the following example demonstrates:
AdminTask.createPolicySetAttachment('[-policySet policyset1 -resources "WebService:/" -attachmentType provider -attachmentProperties "[systemType trustService]"]')
To attach a policy set to a service reference, enter the following command:
AdminTask.createPolicySetAttachment('[-resources "type=WebService:/,module=webapp1.war,service={https://www.mynamespace.com}myService,serviceRef=myServiceRef" -applicationName application1 -attachmentType client -policySet PolicySet1 -inheritFromService false]')
This command returns an attachment
ID number that you must use to reference this attachment. In the
next step, use the attachment ID number to set the binding configuration.
For this example, the attachment ID number is 124.
- Run the command to set the binding.
To attach a policy set to a web services application, specify the provider value for the -attachmentType parameter.
The following example demonstrates how to set the timestamp expiration attribute on the SecureConversation123binding binding for the WSSecurity policy, on the WebService web service application.
AdminTask.setBinding('-policyType WSSecurity -bindingLocation "[[application WebService] [attachmentId 124] ]" -attachmentType provider -bindingName SecureConversation123binding -attributes "[application.securityoutboundbindingconfig.timestampexpires.expires 5]"')
To attach a policy set to a web services application client or to a service reference, specify the client value for the -attachmentType parameter.
- Save the configuration changes.
Enter the following command to save your changes:
AdminConfig.save()
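A pre-check for the -resources formats used in the procedure above, as an added example that is not part of the original documentation or IBM's code. It is plain Python run outside wsadmin; the helper names (parse_listing, build_resource, is_listed, attachment_args) are hypothetical, and the sample listing is constructed from the output shown on this page.

```python
import re

# Constructed sample, in the shape this page shows for AdminTask.listWebServices()
SAMPLE_LISTING = """[ [service {https://www.ibm.com}service1] [client false] [application application1]
[module webapp1.war] [type JAX-WS] ]"""

RECORD = re.compile(r"\[\s*((?:\[[^\[\]]*\]\s*)+)\]")
PAIR = re.compile(r"\[(\w+)\s+([^\[\]]*)\]")
QNAME = re.compile(r"^\{[^{}\s]+\}[^{}\s/,]+$")  # {namespace}localName

def parse_listing(text):
    """Turn each '[ [key value] ... ]' record into a dict."""
    return [dict(PAIR.findall(body)) for body in RECORD.findall(text)]

def build_resource(module=None, service=None, endpoint=None, operation=None,
                   service_ref=None, name_value=False):
    """Build a -resources string; accepts only the forms listed on this page."""
    name_value = name_value or service_ref is not None
    if (module is None) != (service is None):
        raise ValueError("module and service must be given together")
    if service is not None and not QNAME.match(service):
        raise ValueError("service must be a QName such as {namespace}name")
    if (endpoint or service_ref) and service is None:
        raise ValueError("endpoint and serviceRef need a module and service")
    if operation and not endpoint:
        raise ValueError("operation needs an endpoint")
    if name_value and endpoint and not service_ref:
        raise ValueError("name-value endpoint needs a serviceRef")
    if name_value:  # service reference format: comma-separated name=value pairs
        pairs = [("module", module), ("service", service), ("serviceRef", service_ref),
                 ("endpoint", endpoint), ("operation", operation)]
        return ",".join(["type=WebService:/"] + ["%s=%s" % p for p in pairs if p[1]])
    res = "WebService:/" + ("%s:%s" % (module, service) if service else "")
    return res + "".join("/" + level for level in (endpoint, operation) if level)

def is_listed(records, application, module, service):
    """True if listWebServices reported this service for the application."""
    want = {"application": application, "module": module, "service": service}
    return any(all(r.get(k) == v for k, v in want.items()) for r in records)

def attachment_args(policy_set, application, resource, attachment_type="provider"):
    """Argument string for AdminTask.createPolicySetAttachment, as on this page."""
    # The page recommends provider in place of the application value.
    if attachment_type not in ("provider", "client"):
        raise ValueError("use provider or client for -attachmentType")
    return '[-policySet %s -resources "%s" -applicationName %s -attachmentType %s]' % (
        policy_set, resource, application, attachment_type)
```

Inside wsadmin, the string returned by attachment_args is what gets passed to AdminTask.createPolicySetAttachment once is_listed confirms the target service exists.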
Results
You have attached the policy set to the application artifact
or artifacts specified. Restart your application to use the policies
from the newly attached policy set.
What to do next
Manage and update your attachments.