Managing policy set attachments for service references using the wsadmin tool

Use the wsadmin tool to manage your policy set attachment configurations for services and service references. You can use the Jython or Jacl scripting language to list all attachments and attachment properties, add or remove resources for an existing attachment, and transfer attachments across policy sets.

Before you begin

When administrative security is enabled, verify that you use the correct administrative role, as the following table describes:
Table 1. Administrative roles . The administrative role determines if you can manage policy set attachments.
Administrative role Authorization
Administrator The Administrator role must have cell-wide access to manage policy set attachments. If you have access to a specific resource only, you can manage policy set attachments for the resource for which you have access.
Configurator The Configurator role must have cell-wide access to manage policy set attachments. If you have access to a specific resource only, you can manage policy set attachments for the resource for which you have access.
Deployer The Deployer role with cell-wide or resource-specific access can manage policy set attachments for application resources only.
Operator The Operator role cannot manage policy set attachments.
Monitor The Monitor role cannot manage policy set attachments.

About this task

Policy set attachments define how a policy set is attached to resources and binding configurations.

Application components including application clients, web modules, and EJB modules, can define references to external web services by using logical names called web service references. Before Version 8.0, web service references always inherited the policy set attachment of the web service.

In Version 8.0 and later, you can specify a policy set and binding for a service reference that is different from the policy set attachment for the service. In addition, you can indicate to not attach a policy set to a service reference, even if a policy set is attached to the service. The default behavior is that a service reference, as well as its endpoints and operations, inherits the policy set attachment of the corresponding resources of the service. Service references are only valid for the client attachment type.

Mixed-version environment: In a mixed cell environment, the following limitations apply to service reference attachments or resource attachments that are specified in name-value pair format:
  • You must not create these types of attachments for applications that are deployed on an application server that is prior to WebSphere Application Server Version 8.0. Service reference attachments are only supported on WebSphere Application Server V8.0 and later.
  • An application that contains these types of attachments must not be deployed on an application server that is prior to WebSphere Application Server Version 8.0.
  • If an application that is deployed in a cluster environment contains these types of attachments, you must not add a member application server that is prior to WebSphere Application Server Version 8.0 to the cluster.

Procedure

  • Query the configuration for policy set attachments and attachment properties.

    Before making configuration changes to your policy set attachments, use the listAttachmentsForPolicySet and getPolicySetAttachments commands to view current configuration information about your policy set attachments.

    1. Start the wsadmin scripting tool.
    2. Use the listAttachmentsForPolicySet command to view all applications to which a specific policy set is attached; for example: 
      AdminTask.listAttachmentsForPolicySet('[-policySet PolicySet1 -attachmentType client]')
    3. Use the getPolicySetAttachments command to view the properties for all policy set attachments in a specified application; for example: 
      AdminTask.getPolicySetAttachments('[-applicationName application1 -attachmentType client]')
  • Determine the assets to which a specific policy set is attached.
    Use the listAssetsAttachedToPolicySet command to display the assets that are attached to the policy set of interest, as the following example demonstrates:
    AdminTask.listAssetsAttachedToPolicySet('[-policySet SecureConversation]')

    The command returns a list of properties that describe each asset. Each properties object contains the assetType property, which specifies the type of asset.

  • Use the createPolicySetAttachment command to create the policy set attachment.

    For the commands in the PolicySetManagement group, the term, resource, refers to a web service artifact. For service references, use name-value pairs to specify the resource name. You can also use this format instead of the application hierarchy format to specify service resources.

    The following format for application and client policy set attachments is required for service reference resources. For resources that are not service references, you can use either this format or the format specified in the managing policy set attachments using the wsadmin tool documentation. Use the following format for application and client policy set attachments:
    • type=WebService:/

      Attaches all artifacts in the application to the policy set.

    • type=WebService:/,module=myModule.war,service={ https://www.mynamespace.com}myService

      Attaches all artifacts within the web service, {https://www.mynamespace.com}myService, to the policy set. You must provide a fully qualified name (QName) for the service.

    • type=WebService:/,module=myModule.war,service={ https://www.mynamespace.com }myService,serviceRef=myServiceRef

      Attaches all artifacts within the web service reference, myServiceRef, to the policy set.

    • type=WebService:/,module=myModule.war,service={namespace}myService,serviceRef=myServiceRef,endpoint=endpointA

      Attaches all operations for the service reference, endpointA, endpoint in the service reference, myServiceRef, to the policy set.

    • type=WebService:/,module=myModule.war,service={namespace}myService,serviceRef=myServiceRef,endpoint=endpointA,operation=operation1

      Attaches only the operation1 operation in the service reference,

      myServiceRef, to the policy set.

    Use the inheritFromService parameter and specify either true or false to indicate whether you want to inherit the policy set attachment from the service.

    • If you specify a service reference resource with inheritFromService=false and no policySet parameter, all attachments for the service reference are removed and the service reference does not inherit the policy set attachments of the service.
    • If you specify a service reference resource with inheritFromService=false and policySet=<policySetName>, an attachment for the service reference resource to the policy set is created. If you create an attachment to attach a service reference to a policy set, the service reference does not inherit the policy set of the service.
    • If you specify a service reference resource with inheritFromService=true, the service reference inherits the attachments for the service. The inheritFromService parameter is only valid for service references. If no policySet parameter is specified, the inheritFromService parameter is only valid at the serviceRef level, not at the endpoint or operation level.
      For example, to attach policy set PolicySet1 to all operations and endpoints for the service reference, enter the following command:
      AdminTask.createPolicySetAttachment('[-resources "type=WebService:/,module=webapp1.war,service=
{https://www.mynamespace.com}myService,serviceRef=myServiceRef" -applicationName application1 -attachmentType 
client -policySet PolicySet1 -inheritFromService false]')
      To specify that the service reference does not have a policy set attachment and does not inherit the policy set from the service, enter the following command:
      AdminTask.createPolicySetAttachment('[-resources "type=WebService:/,module=webapp1.war,service=
{https://www.mynamespace.com}myService,serviceRef=myServiceRef" -applicationName application1 -attachmentType 
client -inheritFromService false]')
  • Modify resources that apply to a policy set attachment.
    1. Start the wsadmin scripting tool.
    2. Determine the resource of interest, and review the command syntax for the updatePolicySetAttachment command.
    3. Modify the attachment.
      For example, the policy set attachment is connected to the operation1 operation, which is a specific single operation. To attach the 124 attachment to all operations for the endpointA endpoint in the service reference, enter the following command:
      AdminTask.updatePolicySetAttachment('[-attachmentId 124 -resources 
"type=WebService:/,module=webapp1.war,service={https://www.mynamespace.com}myService,serviceRef=myServiceRef,
endpoint=endpointA" -applicationName application1 -attachmentType client]')

      The updatePolicySetAttachment command replaces all existing resources for an attachment with the resources that are specified in the command. If you update an attachment to attach a service reference to a policy set, the service reference does not inherit the policy set of the service. You can also update your policy set attachments using the addToPolicySetAttachment command to add resources to an existing attachment, or you can also use the createPolicySetAttachment command to create an attachment for a specific resource. For more information about these commands reference the commands for the PolicySetManagement group for the AdminTask object. A resource for a service reference cannot be included in the same attachment as a resource for a service.

    4. Save the configuration changes.
      Enter the following command to save your changes:
      AdminConfig.save()
  • Remove resources that apply to a policy set attachment.
    1. Start the wsadmin scripting tool.
    2. Determine which resources to remove with the command. You can remove a resource for each web service artifact, each endpoint operation, or for a specific operation.
      In the following example, the command removes the newAttach attachment from operation1 in the service reference myPlantServiceRef, which is associated with the plantShop application and myPlantService service:
      	AdminTask.removeFromPolicySetAttachment('[-attachmentId newAttach -resources 
"type=WebService:/,module=webapp1.war,service={https://www.mynamespace.com}myPlantService,
serviceRef=myPlantServiceRef,endpoint=endpointA,operation=operation1" -applicationName plantShop 
-attachmentType client]')
      The command returns a success or failure message.
    3. Save the configuration changes.
      Enter the following command to save your changes:
      AdminConfig.save()
  • Transfer attachments from one policy set to another policy set.
    This command detaches each web service from the source policy set and attaches those web services to the destination policy set. The destination policy set must have the same set of enabled policy types as the source policy set.
    1. Enter the following command to transfer all attachments: 
      AdminTask.transferAttachmentsForPolicySet('[-sourcePolicySet PolicySet1 
-destinationPolicySet PolicySet2]')
      The command returns a success or failure message.
    2. Save the configuration changes.
      Enter the following command to save your changes:
      AdminConfig.save()