4 Configuring Business Services Server Security for JAX-WS Based Business Services (Release 9.1 Update 2)

This chapter contains the following topics:

4.1 Understanding Business Services Server Security for JAX-WS Based Business Services on WAS

JAX-WS based EnterpriseOne business services deployed to the WebSphere Application Server (WAS) are secure by default. They can be invoked only by supplying valid EnterpriseOne credentials in the WS-Security part of the SOAP header. The Business Services Server uses the JD Edwards EnterpriseOne Login Module to authenticate the credentials in the SOAP header against the EnterpriseOne Security Server.

Prerequisite

Before you deploy a JAX-WS based business service application to a business services server on WAS, ensure that the WAS version, Fix Pack Level, and IFIX (required) match the EnterpriseOne 9.1.2 Tools Release MTRs for the business services server on WAS.

Note:

JAX-WS based business services deployed to Oracle WebLogic Server are secure by default, and they use the same security model as JAX-RPC business services, as discussed in Chapter 3.

4.2 Securing JAX-WS Based Business Services on WAS

When the business services application is deployed to the business services server on WAS, Server Manager automatically installs and configures the following modules for all published services to ensure they are secure:

  • The wss.generate.issuedToken and wss.consume.issuedToken system Java Authentication and Authorization Service (JAAS) login configurations.

  • The custom E1JAXWSBSSV_UNT JAX-WS policy set with WS-Security as the main policy to handle the UsernameToken element with user name and password elements in the SOAP Header.

  • The custom E1JAXWSBSSVBinding JAX-WS binding to configure the generic issued token consumer for the inbound UsernameToken and to configure the caller.

  • The custom Java Authentication and Authorization Service (JAAS) Application Login Module, application.e1JAXWSBssvLogin, to validate the JD Edwards EnterpriseOne users against the JD Edwards EnterpriseOne Security Server.

The system JAAS login module, the custom JAAS application login module, and the custom JAX-WS policy set are all installed once for a particular WAS profile. After a business service application is deployed to a business service instance, the custom JAX-WS policy set and binding are attached to the entire business service application, which makes them applicable to all of the published services.

4.3 Configuring WebSphere to Use Anonymous Login

In WebSphere, you can disable security for the entire business services server application by detaching the custom JAX-WS policy set and binding. When you disable security, the system uses anonymous login credentials for authentication for all of the published services instead of the user credentials supplied in the WS-Security part of the SOAP Header. The anonymous login credentials are stored in the jdbj.ini file on the business services server.

To set up anonymous login for JAX-WS business services on WAS:

  1. Log in to the WAS Admin Console.

  2. From the left-hand menu, click Applications > Application Types > WebSphere enterprise applications.

  3. On the right-hand Enterprise Applications page, select the business services server application/instance for which you want to set up anonymous login.

  4. On the Business Services Server Applications page, with the Configuration tab selected, click the Service provider policy sets and bindings link under the Web Services Properties heading.

    Figure 4-1 Service Provider Policy Sets and Bindings


  5. On the Service provider policy sets and bindings page, select the business services server application and click the Detach Policy Set button.

    This action detaches both the policy set and the binding for all of the published services in the business service application.

    Figure 4-2 Detach Service Provider Policy Sets and Bindings


  6. Save the changes.

  7. Restart the business services server for changes to take effect.

After anonymous login is set up, you can invoke all of the published services in the business services application anonymously without passing user credentials in the WS-Security part of the SOAP Header.