You can configure a generic security token login module used for an authentication token on the token generator side of the Web Services Security process.
About this task
When you invoke the generic security token login module on the generator side, the login module delegates token generation to a Security Token Service (STS) by sending a WS-Trust Issue or WS-Trust Validate request. The STS processes the request and returns a RequestSecurityTokenResponse message to the login module, which then inserts the token from the STS response into the security header of the web service request message.
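The exchange just described, as an added illustration that is not WebSphere's own code and does not use the product's internal APIs: it builds the WS-Trust Issue request, pulls the issued token out of a RequestSecurityTokenResponse, and places it in the wsse:Security header of the outbound SOAP request. It assumes WS-Trust 1.3, WSS 1.0 and SAML 1.1 namespaces, and the STS response and SOAP request it runs on are constructed samples.

```python
# Added illustration, not WebSphere's own code: the WS-Trust round trip that the
# wss.generate.issuedToken login module performs, run on constructed messages.
import xml.etree.ElementTree as ET
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"   # WS-Trust 1.3
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML11_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
for prefix, uri in (("wst", WST), ("wsse", WSSE), ("soapenv", SOAP), ("saml", SAML1)):
    ET.register_namespace(prefix, uri)

def build_issue_request(token_type=SAML11_TOKEN):
    """RequestSecurityToken body of the WS-Trust Issue call sent to the stsURI."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Issue"
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = token_type
    ET.SubElement(rst, f"{{{WST}}}KeyType").text = WST + "/Bearer"  # bearer token: no proof key
    return ET.tostring(rst, encoding="unicode")

def extract_issued_token(rstr_xml):
    """Return the token element from the STS response, rejecting a response with no
    single RequestedSecurityToken so that nothing unexpected reaches the header."""
    root = ET.fromstring(rstr_xml)
    rstr = next(root.iter(f"{{{WST}}}RequestSecurityTokenResponse"), None)  # bare or in a ...Collection
    if rstr is None:
        raise ValueError("not a RequestSecurityTokenResponse")
    requested = rstr.find(f"{{{WST}}}RequestedSecurityToken")
    if requested is None or len(requested) != 1:
        raise ValueError("STS response carries no single RequestedSecurityToken")
    return requested[0]

def apply_issued_token(soap_request_xml, rstr_xml):
    """Insert the issued token into the wsse:Security header of the outbound request."""
    env = ET.fromstring(soap_request_xml)
    header = env.find(f"{{{SOAP}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP}}}Header")
        env.insert(0, header)  # a Header must precede the Body
    security = header.find(f"{{{WSSE}}}Security")
    if security is None:
        security = ET.SubElement(header, f"{{{WSSE}}}Security")
    security.append(extract_issued_token(rstr_xml))
    return ET.tostring(env, encoding="unicode")

# Constructed sample STS response and outbound request, not captured traffic.
SAMPLE_RSTR = (f'<wst:RequestSecurityTokenResponseCollection xmlns:wst="{WST}"><wst:RequestSecurityTokenResponse>'
               f'<wst:RequestedSecurityToken><saml:Assertion xmlns:saml="{SAML1}" AssertionID="_constructed-1"/>'
               '</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse></wst:RequestSecurityTokenResponseCollection>')
SAMPLE_REQUEST = (f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Header/><soapenv:Body>'
                  '<echo xmlns="urn:constructed:example">hi</echo></soapenv:Body></soapenv:Envelope>')
```

Refusing a response that does not carry exactly one RequestedSecurityToken keeps a malformed or empty STS reply from producing a request whose security header holds nothing usable.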
For illustration purposes, it is assumed that policy sets and bindings are configured and attached to an application. For example, you can use the SAML11 Bearer WSSecurity default policy set and the SAML Bearer Client sample binding. For more information, see the topic about configuring client and provider bindings for the SAML bearer token.
Complete the following steps to configure the generic security token login module on the token generator side using the administrative console:
Procedure
- Configure the wss.generate.issuedToken Java™ Authentication and Authorization Service (JAAS) login module for your application.
  - Expand and click WebSphere enterprise applications.
  - Click the application that contains the policy sets and bindings that you want to modify.
  - Under Web Services Properties, click Service client policy sets and bindings.
  - In the Binding column on the Service client policy sets and bindings panel, click the name of the binding.
  - In the Policy column on the Bindings configuration panel, click WS-Security.
  - Under the Main Message Security Policy Bindings heading, click Authentication and protection.
  - In the Authentication tokens section of the Authentication and protection panel, select the token that you want to configure. For example, select request:SAMLToken11Bearer.
  - On the Token generator panel, select the wss.generate.issuedToken option for the JAAS login.
  - Click Apply.
- Configure the callback handler.
  - Under the Additional Bindings heading, click Callback handler.
  - Under the Class Name heading on the Callback handler panel, select Use custom and specify com.ibm.websphere.wssecurity.callbackhandler.GenericIssuedTokenGenerateCallbackHandler for the class name.
  - Click Apply.
    After you click Apply, a list of existing custom properties is displayed in the Custom Properties section of the panel. You can add, edit, or delete entries in the custom properties list. For more information about the custom properties for the callback handler, see the information about the com.ibm.wsspi.wssecurity.core.config.IssuedTokenConfigConstants application programming interface (API). This information is accessible within the section of the product documentation.
  - Click Add to add the stsURI custom property and its value.
    This custom property value is the URL address of the target Security Token Service. The property is required unless you want to use a security token from the RunAs subject without calling out to a security token service for validation. For more information, read the information about the validateUseToken and useRunAsSubjectOnly custom properties in subsequent steps.
  - Click Add to add the wstrustClientPolicy custom property and its value.
    This custom property value is the name of the trust client policy set that applies to the WS-Trust client call.
  - Click Add to add the wstrustClientBinding custom property and its value.
    This custom property value is the name of the trust client binding that applies to the WS-Trust client call. For more information about creating trust client bindings, see the documentation on configuring client and provider bindings for the SAML bearer token.
  - Optional: Specify other custom properties.
  - Click OK and click Save to save the bindings.
- Stop and restart the applications.
Results
When you complete this task, you have configured a generic login module for the token generator.
What to do next
Configure a generic security token login module for the token consumer.