General JAX-WS default bindings for Web Services Security

General bindings are used as the default bindings at the cell level or server level, or for multiple domains, at the domain level. The general bindings that are included with WebSphere® Application Server are initially set as the default bindings. However, you can choose a different binding as the default, or change the level of binding that is used as the default, for example, from cell-level binding to server-level binding.

Policy set bindings defined

Policy set bindings contain platform-specific information, such as keystore, authentication information, or persistent information, required by a policy set attachment. In WebSphere Application Server Version 7.0 and later, there are two types of bindings: application-specific bindings, and general bindings. Both types of bindings are supported for WS-Security policy sets. General bindings can be used as default bindings, and can also be shared across multiple applications and for trust service attachments. There are two types of general bindings: one for service providers and one for service clients. You can define multiple general bindings for the provider and also for the client. However, only one general provider binding and one general client binding can be designated as the default.

Default bindings are used when no application-specific binding or trust service binding has been assigned to a policy set attachment. You can choose the general provider and general client bindings, which are used as the default bindings for the cell. These are the global security settings. Likewise, you can choose the general provider and general client bindings, which are used as the default bindings for a server. For specific information about selecting bindings, see the topic Defining and managing policy set bindings.

Setting the default bindings

To define and manage general bindings, in the administrative console click Services > Policy sets > General provider policy set bindings or Services > Policy sets > General client policy set bindings. To manage bindings for the cell or the domain, click Services > Policy sets > Default policy set bindings. The general service provider and client bindings have independent settings that you can customize to meet the needs of your environment. To learn more about general bindings, read the topic Defining and managing policy set bindings.

In addition to choosing default bindings for the cell (global security), you can also choose the general provider and general client bindings that you want to use as the default bindings for a server. When you are using the JAX-WS programming model and want to specify the server default bindings, log on to the administrative console and click Servers > Server Types > WebSphere application servers > server_name. In the Security section of the console page, click Default policy set bindings.

Application use of default, general, and application-specific bindings

Two kinds of bindings can be explicitly attached to an application: general bindings and application-specific bindings. The following rules govern how WS-Security uses the default bindings:
  • When there is no binding explicitly attached, only the default binding is used.
  • When a general binding is explicitly attached, the default binding is not used.
  • When an application-specific binding is attached, both the application-specific and the default binding are used.

When an application-specific binding is attached to an application, the application-specific binding is applied first, then the default binding is used to fill in the gaps. However, the portions of the configuration that reside in either the application-specific binding or the default binding must be encapsulated. For example, if a policy is defined to use XML Digital Signature and it picks up the sign part from the default binding, everything related to the sign part (X.509 token consumer, truststore, and so on) must reside in the default binding. The sign part in a default binding cannot pick up an X.509 token consumer that is configured in an application-specific binding. However, if a policy is defined to use XML Digital Signature and an LTPA token, the LTPA token generator can reside in the application-specific binding and the signing configuration can reside in the default binding.

The encapsulation rule does not apply to a caller configuration. Since the caller configuration refers to a token type and not a binding reference, a caller configuration can reside in an application-specific binding when the token consumer for the token it refers to resides in the default binding and vice versa.

When a general binding is explicitly attached, the default binding is not consulted, unlike when an application-specific binding is attached. Therefore, all binding configuration information that is required to satisfy the policy must be contained within the general binding.

For specific information about selecting bindings, see the topic Defining and managing policy set bindings.

Access of default bindings at the server and cell level

The general bindings that are included with WebSphere Application Server are initially set as the cell default bindings. You cannot delete a binding that is selected as the default binding for a server, a domain, or the cell. Before you delete a binding that is selected as the default, you must select a different default binding, or specify that the defaults for the cell (global security) should be used.

The following default bindings are shipped with the product:
  • Provider sample
  • Client sample
  • Version 6.1 default policy set bindings

    The Version 6.1 bindings are used only if a WebSphere Application Server Version 6.1 Feature Pack for Web Services application is installed within the WebSphere Application Server Version 7.0 and later environment. For more information, see the topic Version 6.1 default policy set bindings.

Avoid trouble: Do not use the provider and client sample bindings that are included with WebSphere Application Server in their current state in a production environment. You must modify these bindings to meet your security needs before using them in a production environment by making a copy of the bindings and then modifying the copy. For example, change the key and keystore settings to ensure security, and modify the binding settings to match your environment.

After you make a copy of the provider or client sample bindings, customize only the settings of your new copy to suit your purposes. Do not remove anything from your binding copy, such as token generators, token consumers, sign parts, or encrypt parts. You can add things to your binding copy if needed, but deleting information can cause unanticipated errors at run time.

For a detailed description of the general sample bindings, see the topic General sample bindings for JAX-WS applications.

Multiple security domains

In an environment with multiple security domains, you can also choose the general provider and general client bindings, which are used as the default bindings for a domain. If you do not choose a binding to be the default for a server, the default bindings for the domain in which the server resides are used. If you do not choose a binding to be the default for a domain, the default bindings for the cell (global security) are used. You must choose default provider and default client bindings for the cell.
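The following Python model, added here as an illustration and not part of WebSphere Application Server or its documentation, encodes the rules from this topic so they can be checked before a binding is deployed: the server > domain > cell lookup order for default bindings, the three attachment rules (no attachment, general binding, application-specific binding), the encapsulation rule for parts such as the sign part, and the caller exemption. The binding names, the part names (`signature`, `ltpa_token`, `caller`), and the element names are constructed assumptions for the example; they are not identifiers from the product.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Binding:
    name: str
    kind: str                                   # "general" or "application-specific"
    parts: Dict[str, Set[str]] = field(default_factory=dict)
    # parts maps a configured part (e.g. "signature") to the configuration
    # elements that part carries in this binding (element names are constructed).


# Elements a part must carry in the same binding it is taken from (encapsulation
# rule). The caller configuration is exempt: it refers to a token type, not to a
# binding element, so its token consumer may live in another binding of the chain.
REQUIRED_ELEMENTS = {
    "signature": {"x509_token_consumer", "truststore"},
    "ltpa_token": {"ltpa_token_generator"},
}


def default_binding(server: Optional[Binding] = None,
                    domain: Optional[Binding] = None,
                    cell: Optional[Binding] = None) -> Binding:
    """Server default if chosen, else the domain default, else the cell default."""
    for candidate in (server, domain):
        if candidate is not None:
            return candidate
    if cell is None:
        raise ValueError("default provider and client bindings must be chosen for the cell")
    return cell


def binding_chain(attached: Optional[Binding], default: Binding) -> List[Binding]:
    """Order in which bindings are consulted for one attachment."""
    if attached is None:                        # nothing attached: default only
        return [default]
    if attached.kind == "general":              # general binding: default is not used
        return [attached]
    return [attached, default]                  # application-specific first, default fills gaps


def resolve_policy(policy_parts: List[str], attached: Optional[Binding],
                   default: Binding) -> Dict[str, str]:
    """Map each policy part to the binding that supplies it, enforcing encapsulation."""
    chain = binding_chain(attached, default)
    resolved: Dict[str, str] = {}
    for part in policy_parts:
        provider = next((b for b in chain if part in b.parts), None)
        if provider is None:
            raise LookupError(f"{part!r} is not configured in {[b.name for b in chain]}")
        if part == "caller":
            # caller names a token type; its consumer may be anywhere in the chain
            token = next(iter(provider.parts[part]))
            consumer = f"{token}_token_consumer"
            if not any(consumer in elems for b in chain for elems in b.parts.values()):
                raise LookupError(f"caller refers to {token!r} but no {consumer} is configured")
        else:
            missing = REQUIRED_ELEMENTS.get(part, set()) - provider.parts[part]
            if missing:
                raise ValueError(f"{part!r} is taken from {provider.name} but {sorted(missing)} "
                                 "are not in that binding (encapsulation rule)")
        resolved[part] = provider.name
    return resolved


# Constructed sample bindings; the names are illustrative, not shipped bindings.
CELL_DEFAULT = Binding("cell-default", "general", {
    "signature": {"x509_token_consumer", "truststore"},
    "ltpa_token": {"ltpa_token_generator", "ltpa_token_consumer"},
})
# Application-specific binding that supplies the LTPA generator and the caller,
# and relies on the default binding for the complete signing configuration.
APP_BINDING = Binding("app-binding", "application-specific", {
    "ltpa_token": {"ltpa_token_generator"},
    "caller": {"ltpa"},
})
# Violates encapsulation: carries the sign part without its X.509 token consumer.
BAD_APP_BINDING = Binding("bad-app-binding", "application-specific", {
    "signature": {"truststore"},
})

if __name__ == "__main__":
    default = default_binding(cell=CELL_DEFAULT)
    print(resolve_policy(["signature", "ltpa_token", "caller"], APP_BINDING, default))
    try:
        resolve_policy(["signature"], BAD_APP_BINDING, default)
    except ValueError as err:
        print("rejected:", err)
```

The model deliberately stops at a general binding: if a general binding attached to an application lacks a part, `resolve_policy` raises instead of falling through to the default, which is the behaviour to expect when a copied sample binding has had a token consumer or sign part removed.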