WebSphere® Application Server provides message-level
protection for its security token service, known as the WebSphere Application
Server trust service. For the trust service, you must use a special
class of policy sets known as system policy sets.
Before you begin
You can secure requests to the trust service by using two
different configuration methods:
- Use the administrative console to define and attach a system policy
set and binding to a trust service operation that is associated with
an endpoint.
- Use the wsadmin tool, which supports the Jython and Jacl scripting
languages, to configure system policy sets for the trust service.
You can manage the policies for the Quality of Service (QoS) by creating
policy sets and managing associated policies.
About this task
For WebSphere Application Server trust service
security, you must configure the system policy sets, the bindings,
the trust service attachments, and the security cache. Perform
the following high-level steps. The order in which you perform them
is not important, but every required step must be completed to finish
the trust configuration.
Procedure
- Define a new system policy set or manage existing system
policy sets.
To manage system policy sets, you can perform
the following tasks:
- Define the system policy set and binding.
The system policy
set can be a new or existing policy set. If you create a new system
policy set, you must specify and configure the policy types. A default
binding configuration is associated with each policy type.
- Modify the system policy set, as needed.
Other optional policy set-related tasks that you can perform include:
- Add, edit, or remove policy set attachments.
- Edit, enable, disable, or remove policy types.
- Create a system policy set by selecting and copying an existing
system policy set. When copying an existing system policy set, you
also specify whether to move the existing attachments to this new
system policy set.
- Delete system policy sets. You cannot delete pre-configured system
policy sets that are provided by WebSphere Application
Server by default.
- Archive a system policy set by selecting and exporting an existing
system policy set. When exporting an existing system policy set, you
create a .zip archive file. The .zip file for exporting the policy
set is provided for downloading. For example, if you have a policy
set named ABC_ps and you want to export and move the archive file
from ServerA to ServerB, first use the export function to create the
.zip file. Then, manually transfer the archive file to ServerB.
- Create and manage explicit attachments.
You can perform the following trust service attachment tasks:
- Attach the system policy set and assign a binding to an
endpoint.
For an endpoint, you can create explicit
attachments for each of the four trust service operations to the respective
Trust Service Defaults policy sets and bindings. After you have created
these initial attachments, you can view and further modify existing
policy set and binding configurations.
- Modify existing policy set attachment and binding configurations, as needed.
The attached system policy set can be a new or existing policy set. If
you create a new system policy set, you must specify and configure
its policy types; a default binding configuration is associated with
each policy type.
The system policy set that is attached to the issue and renew operations
must correspond to the bootstrap policy set of the client and endpoint,
and the system policy set that is attached to the validate and cancel
operations must correspond to the application policy set of the client
and endpoint. The bootstrap policy set for the endpoint service is
required only if the endpoint service itself makes issue and renew
requests to the trust service.
Other optional attachment-related tasks that you can perform include:
- Change the system policy set and binding configurations.
- Create custom system policy sets and bindings.
- Attach each of the four default trust service operations to a
system policy set and binding.
- Attach each of the four trust service operations associated with
a specific endpoint to a system policy set and binding.
- Specify that the selected trust service operations for an endpoint
inherit the respective default trust service policy set and binding.
- Assign the Default binding or a custom binding configuration to
the selected policy set attachment.
- Update the trust service runtime configuration.
- Manage the security context token provider that the trust
service provides.
You can perform the following trust service
token provider tasks:
- Modify the configuration of the Security Context Token provider, as needed.
Other optional token provider-related tasks that you can
perform include:
- Update the trust service runtime configuration for any token provider
configuration changes.
- Manage the trust service default token provider and any
endpoints that have an explicitly assigned token (rather than inheriting
from the default).
Targets are endpoints
that are assigned a specific token provider. You can perform the following
trust service target tasks:
- Create a new trust service target by explicitly assigning
a service endpoint URL to the default token provider.
Performing this task creates an explicit assignment to the default
trust service token provider, the Security Context Token. All other
endpoints inherit the trust service default token provider.
- Configure a target.
WebSphere Application Server
defines one default supported token provider, the Security Context
Token. Other tasks that you can perform for existing targets include:
- Modifying one or more endpoints that have a security context token
provider explicitly assigned.
- Changing the token provider for an endpoint from inherited to
explicitly assigned, so that the token provider for the endpoint no
longer changes when the default trust service token provider changes.
- Changing the token provider for an endpoint from explicitly assigned
to inherited, so that the endpoint uses the default trust service token
provider and follows any change to that default.
- Updating the trust service runtime configuration.
- Configure the security cache.
You can change the behavior of client-side security caching.
- Update the trust service runtime configuration.
You must update the runtime configuration whenever any of the following
trust-related items are created or changed:
- Trust service attachments
- Token providers
- Targets
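The same procedure driven from the wsadmin tool in Jython, which the page names as the alternative to the administrative console, as an added example that is not part of the original page. The host names, the ABC_ps policy set name, the endpoint URL and the archive path are illustrative values. The resource string syntax and attachment type used in step 3, and the tuning parameter names used in step 5, are assumptions about the PolicySetManagement and STSManagement command groups; confirm them against the command reference for your release before running this on a real cell.

```jython
# Added example, not from the original page: secure trust service requests
# with system policy sets from wsadmin (Jython). Run with:
#   wsadmin.sh -lang jython -f secure_trust_service.py
# ServerA/ServerB, ABC_ps, the endpoint URL and /tmp paths are illustrative.

# 1. List the system policy sets, including the trust service defaults.
print AdminTask.listPolicySets('[-policySetType system]')

# 2. Create a custom system policy set by copying a default one. The copy
#    carries no attachments (-transferAttachments false), so endpoints keep
#    their current policy set until they are re-attached below.
AdminTask.copyPolicySet('[-sourcePolicySet TrustServiceSymmetricDefault '
                        '-newPolicySet ABC_ps '
                        '-newDescription "Custom trust service policy set" '
                        '-transferAttachments false]')

# 3. Attach ABC_ps to the issue and renew operations of one endpoint. Issue
#    and renew must match the client/endpoint bootstrap policy set; validate
#    and cancel must match the application policy set, so they are left on
#    their default attachment here.
#    ASSUMPTION: the "Trust.<Operation>:<resource>" syntax and the
#    system/trust attachment type are assumed; verify in the command reference.
endpoint_url = 'http://ServerA.example.com:9080/EchoService/services/Echo'
endpoint_res = 'WSA:' + endpoint_url
for op in ('Trust.Issue', 'Trust.Renew'):
    AdminTask.createPolicySetAttachment('[-policySet ABC_ps '
                                        '-resources "%s:%s" '
                                        '-attachmentType system/trust]'
                                        % (op, endpoint_res))

# 4. Make this endpoint an explicit target of the Security Context Token
#    provider, so a later change of the trust service default provider does
#    not silently change what this endpoint issues. The LocalName is the
#    WS-SecureConversation 1.3 SCT URI.
sct = 'http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct'
AdminTask.assignSTSEndpointTokenType('[-endpointURI %s -LocalName %s]'
                                     % (endpoint_url, sct))

# 5. Tune the SCT provider: token lifetime and the distributed token cache
#    that lets another cluster member validate a token this one issued.
#    ASSUMPTION: parameter names lifetimeMinutes and distributedCache.
AdminTask.updateSTSTokenTypeConfiguration('[-LocalName %s '
                                          '-lifetimeMinutes 120 '
                                          '-distributedCache true]' % sct)

# 6. Archive ABC_ps so it can be copied to ServerB and imported there
#    (on ServerB: AdminTask.importPolicySet('[-importFile /tmp/ABC_ps.zip]')).
AdminTask.exportPolicySet('[-policySet ABC_ps -pathName /tmp/ABC_ps.zip]')

# 7. Persist the configuration, then refresh the trust service runtime;
#    attachment, token provider and target changes take effect only then.
AdminConfig.save()
AdminTask.refreshSTS()

# 8. Verify the result: explicitly assigned endpoints and the default provider.
print AdminTask.listSTSAssignedEndpoints()
print AdminTask.querySTSDefaultTokenType()
```

The refresh in step 7 is the wsadmin counterpart of the "Update the trust service runtime configuration" step above; without it the saved changes are in the repository but the running trust service still uses its previous attachments, token provider and targets.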
Results
After the configurations are completed and the trust service
runtime configuration has been updated, you have used the administrative
console to secure requests to the trust service by using system policy
sets.