Web services security generic security token login module custom properties

When you configure a generic security token login module, you can configure name-value pairs of data, where the name is a property key and the value is a string value that you can use to set internal system configuration properties. You can use these configuration properties, along with the options provided in the administrative console, to control how the token is generated or consumed.

To configure these custom properties for the callback handler in the administrative console, complete the following steps:

  1. Expand Services.
  2. Select Service provider or Service client.
  3. Click on the appropriate application in the Name column.
  4. Click on the appropriate binding in the Binding column.

    You must have previously attached a policy set and assigned a binding.

or

  1. Expand Applications > Application Types and click WebSphere enterprise applications.
  2. Select an application that contains Web services. The application must contain a service provider or a service client.
  3. Under the Web Services Properties heading, click Service provider policy sets and bindings or Service client policy sets and bindings.
  4. Select a binding. You must have previously attached a policy set and assigned an application-specific binding.

Then complete the following steps:

  1. Click WS-Security in the Policies table.
  2. Under the Main Message Security Policy Bindings heading, click Authentication and protection.
  3. Under the Authentication tokens heading, click the name of the authentication token.
    Supported configurations: You can use the token, which is processed by the generic security token login module, for authentication only. You cannot use the token as a protection token.
  4. Under the Additional Bindings heading, click Callback handler.
  5. Under the Custom Properties heading, enter the name and value pairs.

Callback handler custom properties for both token generator and token consumer bindings

The following table lists the callback handler custom properties that can be used to configure both token generator and token consumer bindings.

Table 1. Callback handler custom properties for both token generator and token consumer bindings. Each entry gives the custom property name, its values, and a short description.

clockSkew

This custom property does not have a default value.

Use this custom property to specify, in minutes, an adjustment to the times in the self-issued SAML token that the SAMLGenerateLoginModule creates.

The clockSkew custom property is set on the Callback handler of the SAML token generator that uses the SAMLGenerateLoginModule class. The value specified for this custom property must be numeric and is specified in minutes.

When a value is specified for this custom property, the following time adjustments are made in the self-issued SAML token that the SAMLGenerateLoginModule creates:
  • The new NotBefore time setting equals the initial NotBefore time setting, minus the amount of time specified for the clockSkew custom property.
  • The new NotAfter time setting equals the initial NotAfter time setting, plus the amount of time specified for the clockSkew custom property.
stsURI

This custom property does not have a default value.

Use this custom property to specify the Security Token Service (STS) address.

This custom property is required for the token consumer. However, this custom property is optional for the token generator if the requested token exists in the RunAs Subject and its verification is not required.

wstrustClientBinding

This custom property does not have a default value.

Use this custom property to specify the binding name for the WS-Trust client.

wstrustClientBindingScope

You can specify an application or domain value.

Use this custom property to specify the type of bindings that are used for the WS-Trust client.
The following conditions apply:
  • If you specify the domain value, general bindings are used.
  • If you specify the application value, custom bindings are used.
  • If you do not specify a value and application bindings exist, those application bindings are used.
  • If you do not specify a value and general bindings exist, those general bindings are used.
  • If neither application nor general bindings exist, the default bindings are used.

This custom property is optional.

wstrustClientPolicy

This custom property does not have a default value.

Use this custom property to specify the policy set name for the WS-Trust client.

wstrustClientSoapVersion

You can specify a 1.1 or 1.2 value.

Use this custom property to specify the SOAP message version that the trust client uses to generate the SOAP message. The SOAP message is sent to the Security Token Service (STS). If you do not define this custom property, the generic security token login module uses the SOAP version of the application when it generates the SOAP message for the trust client request.

The default value corresponds to the SOAP version that is used by the application client.

This custom property is optional.

wstrustClientWSTNamespace

Specify one of the following values:
  • 1.3: Trust Version 1.3 (default), namespace http://docs.oasis-open.org/ws-sx/ws-trust/200512
  • 1.2: Trust Version 1.2, namespace http://schemas.xmlsoap.org/ws/2005/02/trust

Use this custom property to specify which trust client namespace the generic security token login module uses when it makes the WS-Trust request.

wstrustValidateClientBinding

By default, the value for this custom property is the same value that is specified for the wstrustClientBinding custom property.

Use this custom property to specify the bindings that are used by the WS-Trust Validate request.

If you do not specify this custom property, the WS-Trust Validate request uses the same bindings that are used by WS-Trust Issue, which are defined by the wstrustClientBinding custom property.

wstrustValidateClientPolicy

By default, the value for this custom property is the same value that is specified for the wstrustClientPolicy custom property.

Use this custom property to specify the policy sets to use with the WS-Trust Validate request.

If you do not specify a value for this custom property, WS-Trust Validate uses the same policy set as WS-Trust Issue, which is defined by the required wstrustClientPolicy custom property.

wstrustIssuer

You can use any string value.

Use this custom property to specify the issuer for the request token.

This custom property is optional.

wstrustValidateTargetOption

You can specify a token value or a base value. The default value is base, which corresponds to the WS-Trust Base element extension.

Use this custom property to specify whether the WS-Trust client passes the validation token to the WS-Trust Security Token Service using the ValidateTarget or the Base element extension.

The following conditions apply:
  • If you do not specify a value for this custom property, the token is wrapped in the Base element extension within the RequestedSecurityToken element.
  • If you specify the token value, the token is wrapped in the ValidateTarget element within the RequestedSecurityToken element.

Callback handler custom properties for token generator bindings

The following table lists the callback handler custom properties that can only be used to configure token generator bindings.

Table 2. Callback handler custom properties for token generator bindings only. Each entry gives the custom property name, its values, and a short description.
passThroughToken

You can use a True or False value. The default value is False.

The value for this custom property is not case sensitive.

Use this custom property to specify whether the outbound token is obtained from the STS. The default behavior is to always obtain the token from the STS. When this property is set to True, the inbound token is obtained in this order:
  1. From the sharedState from a stacked JAAS login module
  2. From the com.ibm.wsspi.wssecurity.token.tokenHolder list on the message context
  3. From the inbound SecurityTokens
For more information, see the following constants in the com.ibm.wsspi.wssecurity.core.Constants Java™ API documentation. This documentation is available under Reference > Programming interfaces > APIs in the documentation navigation.
  • com.ibm.wsspi.wssecurity.token.tokenHolder
  • com.ibm.wsspi.wssecurity.token.enableCaptureTokenContext
  • com.ibm.wsspi.wssecurity.token.enableCaptureTokenInboundMsg
useRunAsSubject

You can use a True or False value. The default value is True.

The value for this custom property is not case sensitive.

Use this custom property to specify whether the generic security token login module uses the token from the RunAs Subject for the outgoing request. By default, the login module uses the validated tokens in the RunAs Subject first.

The following conditions apply:
  • If you set this custom property to a false value, the generic security token login module does not use WS-Trust Validate to exchange the token for the outbound request. Instead, it uses WS-Trust Issue to request a token.
  • If you do not specify this custom property, the generic security token login module attempts to use a token from the RunAs Subject and WS-Trust Validate to exchange the token.
  • If a token does not exist in the RunAs Subject, the generic security token login module uses WS-Trust Issue and is protected by the trust client policy sets.
useRunAsSubjectOnly

You can use a True or False value. The default value is False.

The value for this custom property is not case sensitive.

Use this custom property to disable or enable WS-Trust Issue in the generic security token login module. If you set this custom property to a true value, the generic security token login module uses the token from the RunAs Subject and WS-Trust Validate to exchange the tokens. The generic security token login module does not use WS-Trust Issue to request a token even if WS-Trust Validate fails or it does not find a matching token in the RunAs Subject.

useToken

You can use any string value of the ValueType value for the security token.

When you use a security token in a RunAs Subject to validate and exchange tokens for an outbound request, you can use this custom property to specify which token ValueType value in the RunAs Subject to validate and exchange for the requested token.

For example, you might have a token with a ValueType value of Token_1 in the RunAs Subject. However, the ValueType value of Token_2 is the required token. You can set this custom property to Token_1.

If you do not define this custom property, the validation token is the token from the RunAs Subject that has the same ValueType value as the required token.

This custom property is optional.

validateUseToken

You can use a True or False value. The default value is True.

The value for this custom property is not case sensitive.

Use this custom property to specify whether the token generator uses WS-Trust Validate to validate the token from the RunAs Subject.

By default, the generic security token login module validates a token from the RunAs Subject against the Security Token Service (STS) before sending the token in the SOAP message to the service provider.

If you set this custom property value to false and the generic security token login module finds a matching token from the RunAs Subject, the login module does not invoke WS-Trust Validate to validate the matching token. Instead, it sends the matching token to the downstream service provider without validation.
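The useRunAsSubject, useRunAsSubjectOnly, useToken and validateUseToken entries above together define a small decision procedure for the token generator: which token (if any) is taken from the RunAs Subject, and whether WS-Trust Validate, WS-Trust Issue, or no trust call at all is used. The following Python model of that procedure is an added example, not WebSphere code; the Token class, the property dictionary and the sample ValueType strings (Token_1 and Token_2 are the page's own illustration) are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Token:
    value_type: str   # WS-Security ValueType of the token (constructed sample values below)
    value: str        # placeholder for the token content

def _flag(props: dict, name: str, default: bool) -> bool:
    # The page states these True/False values are not case sensitive.
    return props.get(name, str(default)).strip().lower() == "true"

def choose_outbound_action(props: dict, runas_subject: list, required_type: str):
    """Model of the generator-side decision described on this page.

    Returns (action, token) where action is one of:
      "validate"          - matching RunAs Subject token is sent to WS-Trust Validate
      "send-unvalidated"  - validateUseToken=false: matching token is sent downstream as-is
      "issue"             - no usable RunAs Subject token: WS-Trust Issue requests a new one
    Raises ValueError when useRunAsSubjectOnly=true forbids falling back to Issue.
    """
    use_runas = _flag(props, "useRunAsSubject", True)
    runas_only = _flag(props, "useRunAsSubjectOnly", False)
    validate = _flag(props, "validateUseToken", True)
    # useToken overrides which ValueType is looked for in the RunAs Subject;
    # without it, the token must have the same ValueType as the required token.
    wanted_type = props.get("useToken", required_type)

    match = None
    if use_runas or runas_only:
        match = next((t for t in runas_subject if t.value_type == wanted_type), None)

    if match is not None:
        return ("validate" if validate else "send-unvalidated", match)
    if runas_only:
        # With useRunAsSubjectOnly=true the module never uses WS-Trust Issue,
        # even when no matching token exists (or Validate fails).
        raise ValueError("useRunAsSubjectOnly=true: no matching RunAs token and Issue is disabled")
    # useRunAsSubject=false, or no matching token: request a token with WS-Trust Issue.
    return ("issue", None)

# Constructed sample: the RunAs Subject holds a Token_1, the downstream service requires Token_2.
SAMPLE_SUBJECT = [Token("Token_1", "constructed-token-1")]
```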

wstrustIncludeTokenType

You can use a True or False value. The default value is True.

The value for this custom property is not case sensitive.

Use this custom property to specify whether the WS-Trust RequestedSecurityToken token includes the requested token ValueType value.

If you do not specify this custom property, the generic security token login module includes the requested token type in the WS-Trust RequestedSecurityToken token.

This custom property is optional.

Callback handler custom properties for token consumer bindings

The following table lists the callback handler custom properties that can only be used to configure token consumer bindings.

Table 3. Callback handler custom properties for token consumer bindings only. Each entry gives the custom property name, its values, and a short description.
alwaysGeneric

You can use a True or False value. The default value is False.

The value for this custom property is not case sensitive.

Use this custom property to specify whether the login module creates a GenericSecurityToken.

If passThroughToken and this property are both set to True, the login module always creates a GenericSecurityToken instead of a built-in token type that corresponds to the valueType that is configured for the token.

exchangedTokenType

The valid value for this custom property is the string ValueType value for the token that is supported by the system default login modules.

Use this custom property to specify the new token with the defined ValueType value, which the trust service must return after successful validation.

If you do not specify a value for the custom property, the generic security token login module accepts whichever token the trust service returns.

This custom property is optional.

passThroughToken

You can use a True or False value. The default value is False.

The value for this custom property is not case sensitive.

Use this custom property to specify whether the inbound token is sent to the STS.

The default behavior is to always send the inbound token to the STS for validation, exchange, or both.

When this property is set to True, the inbound token is not sent to the STS, and it passes through the consumer. When this property is set to True and a built-in token is used, the token is parsed and made available on the WS-Security context for later processing by a caller configuration JAAS login module.