Use this topic and the commands in the SecureConversation
group of the AdminTask object to enable the secure conversation client
cache by creating a new policy set and bindings to attach to your
applications.
Before you begin
Verify that the SecureConversation policy set is available
in your configuration. By default, the SecureConversation policy set
is not available. Use the importPolicySet command to import the SecureConversation
policy to your configuration, as the following example demonstrates:
AdminTask.importPolicySet('-defaultPolicySet SecureConversation')
Before you use the commands in this topic, verify
that you are using the most recent version of the wsadmin tool. The
policy set management commands that accept a properties object as
the value for the attributes or bindingLocation parameters
are not supported on previous versions of the wsadmin tool. For example,
the commands do not run on a Version 6.1.0.x node.
About this task
This topic uses the default SecureConversation policy
set and default WS-Security and TrustServiceSecurityDefault bindings
to enable secure conversation.
The default SecureConversation
policy set contains an application policy with the symmetric binding,
and a bootstrap policy with the asymmetric binding. The application
policy secures application messages. The bootstrap policy secures
RequestSecurityToken (RST) messages. The trust service, which issues
security context token providers, uses the TrustServiceSecurityDefault
system policy and the TrustServiceSecurityDefault bindings. The trust
policy secures RequestSecurityTokenResponse (RSTR) messages. If you
modify the bootstrap policy, you must also modify the trust policy
so that both of the configurations match.
Avoid trouble: Use
the following steps in development and test environments only. The
WS-Security bindings in this procedure contain sample key files that
you must customize before using the bindings in a production environment.
Create custom bindings for your production environment.
Procedure
- Launch the wsadmin scripting tool using the Jython scripting
language.
To learn more, see the information about starting the wsadmin scripting
client.
- Copy the existing SecureConversation policy set.
Use
the following command example to create a new policy set by copying
the existing SecureConversation policy set:
AdminTask.copyPolicySet('[-sourcePolicySet SecureConversation -newPolicySet CopyOfSCPolicySet]')
- Change the binding for the global security domain. If you
chose the Create the server using the development template option
when you created your profile with the Profile Management Tool or
the manageprofiles command utility, you can optionally skip this step.
- List each WS-Security policy attribute.
To
modify the binding for the global security domain, use the getDefaultBindings
command to determine the binding that is set as the default for the
provider or client, as the following example demonstrates:
AdminTask.getDefaultBindings('-bindingType provider')
- Display the attributes for the binding.
Use
the getBinding command to display the current attributes for the binding,
as the following example demonstrates:
AdminTask.getBinding('-bindingLocation "" -bindingName myBinding')
- Modify the outbound configuration for the protection
token.
Use the following commands to modify the outbound
configuration for the protection token:
# Encryption token generator (tokengenerator_5): sample key file, development use only
cmd1_attributes_value = ("[ "
    "[application.securityoutboundbindingconfig.tokengenerator_5.callbackhandler.key.name [CN=Bob,O=IBM, C=US]] "
    "[application.securityoutboundbindingconfig.tokengenerator_5.callbackhandler.keystore.storepass storepass] "
    "[application.securityoutboundbindingconfig.tokengenerator_5.callbackhandler.keystore.type JCEKS] "
    "[application.securityoutboundbindingconfig.tokengenerator_5.callbackhandler.key.alias bob] "
    "[application.securityoutboundbindingconfig.tokengenerator_5.callbackhandler.keystore.path ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks] "
    "]")
# The attributes value must be concatenated into the command string, not quoted as a literal name
AdminTask.setBinding('[-policyType WSSecurity -bindingLocation "" -attributes ' + cmd1_attributes_value + ' -attachmentType application]')
# Signing token generator (tokengenerator_0): sample key file, development use only
cmd2_attributes_value = ("[ "
    "[application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.path ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks] "
    "[application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.storepass client] "
    "[application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.name [CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP]] "
    "[application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.keypass client] "
    "[application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.alias soaprequester] "
    "[application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.type JKS] "
    "]")
AdminTask.setBinding('[-policyType WSSecurity -bindingLocation "" -attributes ' + cmd2_attributes_value + ' -attachmentType application]')
cmd2_attributes_value = "[ [application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore
.path ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks] [application.securityoutboundbindingconfig
.tokengenerator_0.callbackhandler.keystore.storepass client] [application.securityoutboundbindingconfig
.tokengenerator_0.callbackhandler.key.name [CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP]] [application
.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.keypass client] [application
.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.alias soaprequester]
[application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.type JKS] ]"
AdminTask.setBinding('[-policyType WSSecurity -bindingLocation "" -attributes cmd2_attributes_value
-attachmentType application]')
- Optional: Modify the TrustDefaultBindings binding.
If you chose the Create the server using the development template option
when you created your profile with the Profile Management Tool or
the manageprofiles command utility, you can optionally skip this step.
If the TrustDefaultBindings are not yet customized, use the
following commands to modify the TrustDefaultBindings binding:
# Trust service encryption token generator (tokengenerator_1): sample key file, development use only
cmd3_attributes_value = ("[ "
    "[application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.keystore.storepass storepass] "
    "[application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.key.alias bob] "
    "[application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.keystore.type JCEKS] "
    "[application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.keystore.path ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks] "
    "[application.securityoutboundbindingconfig.tokengenerator_1.callbackhandler.key.name [CN=Bob, O=IBM, C=US]] "
    "]")
# The attributes value must be concatenated into the command string, not quoted as a literal name
AdminTask.setBinding('[-policyType WSSecurity -bindingLocation "[attachmentId 2]" -attributes ' + cmd3_attributes_value + ' -attachmentType system/trust]')
# Trust service signing token generator (tokengenerator_0): sample key file, development use only
cmd4_attributes_value = ("[ "
    "[application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.path ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks] "
    "[application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.storepass client] "
    "[application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.name [CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP]] "
    "[application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.keypass client] "
    "[application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.key.alias soaprequester] "
    "[application.securityoutboundbindingconfig.tokengenerator_0.callbackhandler.keystore.type JKS] "
    "]")
AdminTask.setBinding('[-policyType WSSecurity -bindingLocation "[attachmentId 2]" -attributes ' + cmd4_attributes_value + ' -attachmentType system/trust]')
- Attach the policy set and binding to the application.
Use the attachmentType parameter for the createPolicySetAttachment
command to specify whether your application is a service client or a service
provider. Use the following command to attach the CopyOfSCPolicySet policy
set to the myTestApp service client application:
AdminTask.createPolicySetAttachment('[-applicationName myTestApp -policySet CopyOfSCPolicySet -resources WebService:/ -attachmentType client]')
Use the following command to attach the CopyOfSCPolicySet policy set to the
myTestApp service provider application:
AdminTask.createPolicySetAttachment('[-applicationName myTestApp -policySet CopyOfSCPolicySet -resources WebService:/ -attachmentType application]')
This step automatically assigns the bindings.
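The following script is an added example, not part of this topic and not IBM's code. It renders the properties object that the -attributes parameter accepts from a plain dictionary, parses that string back (so an unbalanced bracket list, or a distinguished name that itself contains brackets, is caught before wsadmin sees it), flags any binding that still points at the product's sample key files under /etc/ws-security/samples/ (the "Avoid trouble" note above), and then runs the copy, setBinding and createPolicySetAttachment steps of the procedure in order. The attribute names, sample values and AdminTask commands are the ones shown in this topic; generator_props, props_to_string, parse_props, sample_key_findings, RecordingAdminTask and enable_secure_conversation are names assumed by this example. Outside wsadmin it runs against the recorder; under wsadmin, pass the real AdminTask object instead.

```python
"""Build, check and apply the wsadmin binding attributes used in the procedure above.

Added example, not IBM's code. Attribute names, sample values and AdminTask commands
come from the topic; RecordingAdminTask is a stand-in that only records calls. Under
wsadmin, call enable_secure_conversation(AdminTask, "myTestApp") instead.
"""

# Directory of the product's sample key files (from the topic); bindings that still
# reference it must be customized before production use.
SAMPLE_KEY_DIR = "/etc/ws-security/samples/"

def generator_props(index, key_name, alias, keystore_path, storepass, keystore_type, keypass=None):
    """Attributes for one outbound token generator's callback handler, keyed by full name."""
    prefix = "application.securityoutboundbindingconfig.tokengenerator_%d.callbackhandler." % index
    props = {
        prefix + "key.name": key_name,
        prefix + "key.alias": alias,
        prefix + "keystore.path": keystore_path,
        prefix + "keystore.storepass": storepass,
        prefix + "keystore.type": keystore_type,
    }
    if keypass is not None:
        props[prefix + "key.keypass"] = keypass
    return props

# The two outbound protection-token bindings from the topic (sample values, development only).
ENCRYPTION_GENERATOR = generator_props(
    5, "[CN=Bob,O=IBM, C=US]", "bob",
    "${USER_INSTALL_ROOT}" + SAMPLE_KEY_DIR + "enc-sender.jceks", "storepass", "JCEKS")
SIGNING_GENERATOR = generator_props(
    0, "[CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP]", "soaprequester",
    "${USER_INSTALL_ROOT}" + SAMPLE_KEY_DIR + "dsig-sender.ks", "client", "JKS", keypass="client")

def props_to_string(props):
    """Render a dict as the nested bracket list "[ [name value] ... ]" that -attributes accepts."""
    return "[ " + " ".join("[%s %s]" % item for item in sorted(props.items())) + " ]"

def parse_props(text):
    """Parse a properties string back into a dict; values may themselves contain brackets."""
    text = text.strip()
    if not (text.startswith("[") and text.endswith("]")):
        raise ValueError("properties object must be enclosed in [ ]")
    body, props, i = text[1:-1], {}, 0
    while i < len(body):
        if body[i].isspace():
            i += 1
            continue
        if body[i] != "[":
            raise ValueError("unexpected %r at offset %d" % (body[i], i))
        depth, j = 1, i + 1
        while j < len(body) and depth:          # find the ] that closes this entry
            if body[j] == "[":
                depth += 1
            elif body[j] == "]":
                depth -= 1
            j += 1
        if depth:
            raise ValueError("unbalanced brackets in entry at offset %d" % i)
        name, _, value = body[i + 1:j - 1].strip().partition(" ")
        props[name] = value.strip()
        i = j
    return props

def sample_key_findings(props):
    """Names of attributes whose value still points at the product's sample key files."""
    return sorted(name for name, value in props.items() if SAMPLE_KEY_DIR in value)

class RecordingAdminTask(object):
    """Stand-in for wsadmin's AdminTask: records (command, argument) pairs, changes nothing."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, command):
        def record(argument):
            self.calls.append((command, argument))
            return ""
        return record

def enable_secure_conversation(admin_task, app_name, new_policy_set="CopyOfSCPolicySet",
                               attachment_type="client",
                               generators=(ENCRYPTION_GENERATOR, SIGNING_GENERATOR)):
    """Run the topic's steps in order; return attribute names that still reference sample keys."""
    findings = []
    admin_task.copyPolicySet('[-sourcePolicySet SecureConversation -newPolicySet %s]' % new_policy_set)
    for props in generators:
        rendered = props_to_string(props)
        if parse_props(rendered) != props:  # catch a malformed list here, not inside wsadmin
            raise ValueError("properties string does not round-trip: " + rendered)
        findings.extend(sample_key_findings(props))
        admin_task.setBinding('[-policyType WSSecurity -bindingLocation "" -attributes '
                              + rendered + ' -attachmentType application]')
    admin_task.createPolicySetAttachment(
        '[-applicationName %s -policySet %s -resources WebService:/ -attachmentType %s]'
        % (app_name, new_policy_set, attachment_type))
    return findings

if __name__ == "__main__":
    recorder = RecordingAdminTask()
    for name in enable_secure_conversation(recorder, "myTestApp"):
        print("sample key file still referenced by " + name)
    for command, argument in recorder.calls:
        print("AdminTask.%s(%r)" % (command, argument))
```

Run as a plain Python script, it prints the two keystore.path attributes that still reference the sample key directory followed by the exact AdminTask calls it would have issued; that printout is a convenient way to review a binding change before applying it with wsadmin. The trust-binding step of the procedure differs only in its bindingLocation ("[attachmentId 2]") and attachmentType (system/trust) values, which the same helpers can render.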
Results
Your secure conversation configuration is updated in the
WSSCCache.xml file located in the cell level directory.
What to do next
Manage your secure conversation configurations with the
SecureConversation command group for the AdminTask object.