The Web Service Client agent profile describes the configuration that is used for securing outbound web service requests from a web service client. The name of the web service client must be unique across all agents.
The following General attributes define basic web service client properties:
The Group mechanism allows you to define a collection of similar types of agents. The group must be defined before including the particular agent into a collection.
Defines the password for the web service client agent.
Confirm the password.
Defines whether the web service client agent will be active or inactive in the system. By default, this attribute is set to active, meaning that the agent will participate in securing outbound web service requests from web service clients and will validate web service responses from a web service provider.
Lists the basic LDAP properties, that uniquely defines the web service client agent.
The following attributes define web service client security attributes:
Defines the type of security credential that is used to secure the web service client request. You can choose one of the following security credential types:
Anonymous — The anonymous security mechanism contains no security credentials.
KerberosToken — Uses Kerberos security tokens.
LibertyDiscoverySecurity — Uses Liberty-based security tokens.
SAML-HolderOfKey — Uses the SAML 1.1 assertion type Holder-Of-Key.
SAML-SenderVouches — Uses the SAML 1.1 assertion type Sender Vouches.
SAML2–HolderOfKey — Uses the SAML 2.0 assertion token type Holder-Of-Key.
SAML2–SenderVouches — Uses the SAML 2.0 assertion token type Sender Vouches.
STSSecurity — Uses the security token generated from the Security Token service for a given web service provider.
UserNameToken — Uses User Name Token with digest password.
UserNameToken-Plain — Uses a user name token with a clear text password for securing web service requests.
X509Token — Uses the X509 certificate.
This attribute is enabled when the web service client uses Security Token service (STS) as the Security Mechanism. This configuration describes a list of STS agent profiles that are used to communicate with and secure the web service requests to the STS service.
This attribute is enabled when the web service client is enabled for Discovery Service security. This configuration describes a list of Discovery Agent profiles that are used to secure requests made to the Discovery service.
When enabled, this attribute defines that the services client's protected page requires a user to be authenticated in order to gain access.
When enabled, this attribute defines that the SOAP security headers are preserved by the web service client for further processing.
When enabled, this attribute indicates that the web service client will pass through the received Security token from the Subject. It will not try to create the token locally or from STS communication.
The URN (Universal Resource Name) describes a Liberty service type that the web service client will use for service lookups.
The attribute represents the username/password shared secrets that are used by the web service client to generate a Username security token.
The following attributes define signing and encryption configuration for web service security:
When enabled, the web services client signs the request using a given token type.
When enabled, the web services client security header will be encrypted.
When enabled, the web services client request will be encrypted.
When enabled, the web services response signature is verified.
When enabled, the web services response will be decrypted.
Defines the reference types used when the Security Token service signs the WSC response. The possible reference types are DircectReference, KeyIdentifier, and X509.
Defines the encryption algorithm used to encrypt the web service response.
Sets the encryption strength used by he Security Token service to encrypt the web service response. Select a greater value for greater encryption strength.
The following attributes configure the keystore to be used for certificate storage and retrieval:
This attribute defines the public certificate key alias that is used to encrypt the web service request or verify the signature of the web service response.
This attribute defines the private certificate key alias that is used to sign the web service request or decrypt the web service response.
This configuration defines whether to use the default keystore, or a custom keystore. The following values must be defined for a custom key store:
Location of Key Store
Password of Key Store
Password of Key
The following attributes define web service endpoints:
This attribute defines a web service end point to which the web service client is making a request. This end point is optional unless it is configured as a web security proxy.
This attribute defines a web service end point to which the web service client is making a request.
Kerberos is a security profile supported by the web services security to secure web services communications between a web service client and a web service provider. In a typical scenario, a user authenticates to the desktop and invokes a web service and the web service client. This requires a Kerberos ticket to secure the request to web service provider by identifying his principal as Kerberos token. Typically, Kerberos-based web services security is used in same the context of Kerberos domain (realm) as opposed to across boundaries, for example SAML-based web services security. However, Kerberos is one of the strongest authentication mechanisms, especially in the Windows Domain Controller environment.
This attribute specifies the Kerberos Distribution Center (the domain controller) hostname. You must enter the fully qualified domain name (FQDN) of the domain controller.
This attribute specifies the Kerberos Distribution Center (KDC) domain name. Depending up on your configuration, the domain name of the domain controller may be different than the OpenSSO Enterprise domain name.
Specifies the web service principal registered with the KDC.
Use the following format:
hostname and domainame represent the hostname and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows Kerberos server (domain controller) resides. It is possible that the Kerberos server is different from the domain name of the OpenSSO Enterprise instance.
Specifies the Kerberos TGT (Ticket Granting Ticket) cache directory. When the user authenticates to the desktop or initializes using kinit (the command used to obtain the TGT from KDC), the TGT is stored in the local cache, as defined in this attribute.