Configuring a policy set and bindings for a stand-alone security token (UsernameToken or LTPA Token)

You can secure web services by configuring the message-level WS-Security policy set and bindings for a stand-alone security token that is either a Lightweight Third Party Authentication (LTPA) token or a Username token.

Before you begin

This task assumes that the service provider and client that you are configuring are in the JaxWSServicesSamples application. For more information about obtaining this application, see Obtaining the JAX-WS Web Services samples.

Specify the following trace specification on your server to enable you to debug any future configuration problems that might occur.

*=info:com.ibm.wsspi.wssecurity.*=all:com.ibm.ws.webservices.wssecurity.*=all: 
com.ibm.ws.wssecurity.*=all: com.ibm.xml.soapsec.*=all: com.ibm.ws.webservices.trace.*=all: 
com.ibm.ws.websvcs.trace.*=all:com.ibm.ws.wssecurity.platform.audit.*=off:

If LTPA tokens are used, you must enable the application security on the application servers that are used for both the client and the service.

About this task

This topic describes how to configure a WS-Security policy set and provider bindings for a Username token or an LTPA token. For simplicity, this procedure demonstrates how to remove the timestamp, digital signature, and encryption attributes from the policy; however, you might want to include these attributes in your final configuration. To learn more, see the documentation on configuring a policy set and bindings for Asymmetric XML digital signature or XML encryption with client and provider application specific bindings.

In this task, default provider general bindings are used for the provider application to consume the tokens. If a caller configuration is required, an application-specific binding will be added for the provider.

Procedure

  1. Create the custom policy set.
    1. In the administrative console, click Services > Policy sets > Application Policy sets.
    2. Click New.
    3. Specify Name = OneTokenPolicy.
    4. Click Apply.
    5. Under Policies, click Add > WS-Security.
  2. Edit the custom policy set
    1. Remove digital signature, encryption, and timestamp.
      1. In the administrative console, clickWS-Security > Main Policy.
      2. Deselect Message level protection.
      3. Click Apply.
    2. Add the UsernameToken or LTPA token.
      1. Under Policy details, click Request token policies.
      2. Select Add Token Type.
      3. If you want to use a UsernameToken, select UserName. If you want to use an LTPA token, select LTPA.

        Token name=myToken.

      4. Click OK.
  3. Configure the client to use the OneTokenPolicy policy set.
    1. In the administrative console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service client policy sets and bindings.
    2. Select the web services client resource.
    3. Click Attach Policy Set.
    4. Select OneTokenPolicy .
  4. Create a custom binding for the client.
    1. Select the web services resource again.
    2. Click Assign Binding.
    3. Click New Application Specific Binding to create an application-specific binding
    4. Specify the bindings configuration name. name: oneTokenClientBinding
    5. Click Add > WS-Security
    6. If the Main Message Security Policy Bindings' panel does not display, select WS-Security.
  5. Edit the custom binding for the client.
    1. Click Authentication and Protection
    2. Edit the identity token generator to send the identity username.
      1. Click request:myToken.
      2. Click Apply.
      3. Click Callback handler. User name=(yourUserid) Password=(yourPassword)
      Avoid trouble: This is a userid/password that is valid on the user registry on the provider's system. If you are using LTPA tokens, the userid/password must be valid on both the consumer and provider registries.
    3. (Optional) If configuring a UsernameToken, add the following WS-Security custom properties: 
      com.ibm.wsspi.wssecurity.token.username.addNonce=true
com.ibm.wsspi.wssecurity.token.username.addTimestamp=true

      These custom properties are added because they are specified on the UsernameToken consumer default general bindings. If we do not specify those properties here, you will either need to remove those properties from the default provider general bindings or create application-specific bindings for the provider that does not include those properties.

    4. Click OK.
    5. Click Save
  6. Configure the provider to use the OneTokenPolicy policy set.
    1. In the administrative console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service provider policy sets and bindings
    2. Select the web services provider resource (OneTokenPolicy)
    3. Click Attach Policy Set.
    4. Select OneTokenPolicy
      Note: Since no bindings are attached to the provider application, it will use the default provider general bindings for the token consumers.
  7. (Optional) If you want to create a Caller configuration for the provider, create custom bindings for the provider.
    1. Select the web services provider resource again.
    2. Click Assign Binding
    3. Click New Application Specific Binding to create an application-specific binding
    4. Specify Bindings configuration name:oneTokenProvBinding
    5. Click Add > WS-Security
    6. If the Main Message Security Policy Bindings' Panel does not display, select WS-Security
  8. (Optional) If a Caller configuration will be created, edit the custom bindings for the provider.
    1. Click Caller > New. Name: myCaller.
      • If using a UsernameToken, enter the following:
        • Caller identity local name: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
      • If using an LTPA token, enter the following:
        • Caller identity local name: LTPAv2
        • Caller identity local URI: http://www.ibm.com/websphere/appserver/tokentype
    2. Click OK.
  9. Click Save to save your configuration changes.
  10. Restart the client provider.
    1. Stop the client and the provider
    2. Restart the client and the provider
  11. Test the Service.
    1. Point your web browser at the JaxWSServicesSamples:
      http://localhost:9080/wssamplesei/demo
      Avoid trouble: Make sure you provide the correct hostname and port if your profile is not on the same machine or the port is not 9080.
    2. Select Message Type Synchronous Echo
    3. Make sure Use SOAP 1.2 is not selected
    4. Enter a message and click Send Message. The sample application should reply with JAXWS==>Message.

Results

The JaxWSServicesSamples web services application is configured to generate and consume a UsernameToken or LTPA token in the request message.