[ https://issues.apache.org/jira/browse/CMIS-806?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14208479#comment-14208479 ]
Vincent Tang commented on CMIS-806:
-----------------------------------

Having a WS-Security LTPA token header inserted in the SOAP envelope can be done simply using a WebSphere Application Server policy set and bindings. By doing so you don't have to change your web application code, and the same policy set and bindings can be applied to other WebSphere applications. The steps to do it are not so complicated.

Create policy set

1. Deploy IBM CMIS for FileNet with WS-Security with the web services authentication method. If you have experience of the IBM CMIS for FileNet configuration tools either in 1.0.0.2 or newer versions (IBM CMIS for FileNet became a component of IBM Content Navigator V2.0.2 in 2013)
2. Create another new WebSphere Application Server profile, and configure the same LDAP server as the IBM CMIS for FileNet server. Export the LTPA key from the IBM CMIS for FileNet server and import the key into the new WebSphere application server. Enable WebSphere administrative and application security. Basically, the same security configuration as the IBM CMIS for FileNet server.
3. Log on to the administrative console of the WebSphere application server. Go down the road to Services -> Policy sets -> Application sets. Click the New button to create a new policy set.
4. Give a name to the policy set, for example cmis_ltpa_policyset, click the Add button and select WS-Security, and save it. Then open cmis_ltpa_policyset -> WS-Security -> Main policy. Click Request token policies. Then click the Add Token Type button, choose LTPA, and give a name to the token, for example LTPAv2Token. Click the Apply or OK button to save it.
5. Change a few things on the Main policy page. First, open Request message part protection and Response message part protection and remove all encrypted_parts and signed_parts, because IBM CMIS for FileNet doesn't support them. Change key symmetric tokens to Use symmetric tokens. Change Security header layout to Layout (lax). Save the changes.
6. Now you have a policy set.
The next step is creating a new policy set client binding.

Create policy binding

1. Log on to the administrative console of the WebSphere application server. Go down the road to Services -> Policy sets -> General client policy set bindings. Click the New button to create a new policy set binding.
2. Give a name to the policy set binding, for example cmis_ltpa_binding, click the Add button and select WS-Security. Click Authentication and protection. Click the New Token button under Authentication tokens and select Token Generator.
3. Input a name for the Token Generator, for example LTPAv2Token, and select LTPA Token v2.0 in Token Type. Click the OK button to save it.
4. Open the client policy set binding cmis_ltpa_binding. Open WS-Security, then Message expiration. Select Enable message expiration and enter 1440 minutes. Click the OK button to save it.

Now you have your policy set and client policy set binding created. The next step is to assign them to your application.

1. Open the enterprise application in the WebSphere administrative console and click Service client policy sets and bindings under Web services properties (forgot to mention, your application must be a JAX-WS web services client).
2. Select your application, click the Attach Client Policy Set button and choose the policy set you just created, cmis_ltpa_policyset. Save it.
3. Select your application, click the Assign Binding button and choose cmis_ltpa_binding. Save it.
4. Restart the WebSphere application server.

Note that the instructions above are tested in WebSphere Application Server V8.5 only. For other versions of WebSphere please consult the WebSphere documents. These are all the necessary steps to configure your WebSphere JAX-WS application to work with LTPA with IBM CMIS for FileNet. The good news is that it is totally a container managed solution. Your application doesn't need to take care of WS-Security between it and the CMIS provider (in this case, IBM CMIS for FileNet).
Another good thing is that the policy sets and policy set bindings can be exported and imported for other applications. One time effort can be kept.

> LTPA authentication provider
> ----------------------------
>
>                 Key: CMIS-806
>                 URL: https://issues.apache.org/jira/browse/CMIS-806
>             Project: Chemistry
>          Issue Type: Test
>          Components: opencmis-client-bindings
>    Affects Versions: OpenCMIS 0.10.0
>         Environment: Websphere 7 with IBM filenet cmis implem
>            Reporter: Leonardo
>
> Hello, I'd like to know how to set up an LTPA auth provider test bench with
> websphere. I guess that a sample web application (with LTPA auth provider
> bindings) should be implemented and deployed on websphere for the LTPA auth
> to take place. Can you please confirm this? The sample app calls the LTPA
> auth provider, which will in turn fetch the LTPA subject from the websphere context
> and create the SOAP header. I also guess that the IBM filenet cmis should be
> configured to do ws-security auth (not http basic auth) for the LTPA auth to
> work properly. Can you confirm please? Should you have an LTPA test bench of
> your own, can you tell me how to implement it? Many Thanks, regards. L. Modeo

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
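The container-managed setup described in the comment above means the application never sees the WS-Security header that the binding adds: a wsse:BinarySecurityToken carrying the LTPA token plus a wsu:Timestamp governed by the Message expiration setting (1440 minutes in step 4 of the binding). The following added example is not part of the JIRA thread, of OpenCMIS, or of IBM's products; it shows, from the receiving side, what a minimal acceptance check of that header looks like. It builds a constructed envelope with placeholder token bytes (not a real LTPA token) and then validates the token type and the timestamp window. The OASIS WS-Security namespaces are standard; the LTPA v2 ValueType URI is an assumption to be verified against your own WebSphere server, and a production receiver should parse XML with a hardened parser such as defusedxml rather than xml.etree.

```python
import base64
import xml.etree.ElementTree as ET  # for production use defusedxml to block XXE/entity expansion
from datetime import datetime, timedelta, timezone

# Standard namespaces of the SOAP 1.1 envelope and the OASIS WS-Security 1.0 header.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# ASSUMPTION: ValueType WebSphere puts on an LTPA v2 BinarySecurityToken; verify against your server.
LTPA_V2_VALUE_TYPE = "http://www.ibm.com/websphere/appserver/tokentype"

# Message expiration window from the client binding in the thread (1440 minutes).
MAX_MESSAGE_AGE = timedelta(minutes=1440)

# Constructed "current time" used by the demo and the checks below.
SAMPLE_NOW = datetime(2014, 11, 12, 12, 0, 0, tzinfo=timezone.utc)


def build_sample_envelope(created, expires, value_type=LTPA_V2_VALUE_TYPE, token="Q09OU1RSVUNURUQ="):
    """Constructed envelope shaped like the header a WS-Security binding emits.
    The default token is base64("CONSTRUCTED"), a placeholder rather than a real LTPA token."""
    return (
        '<soapenv:Envelope xmlns:soapenv="%s">'
        '<soapenv:Header>'
        '<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s" soapenv:mustUnderstand="1">'
        '<wsu:Timestamp wsu:Id="Timestamp-1">'
        '<wsu:Created>%s</wsu:Created><wsu:Expires>%s</wsu:Expires>'
        '</wsu:Timestamp>'
        '<wsse:BinarySecurityToken ValueType="%s" '
        'EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" '
        'wsu:Id="ltpa_20">%s</wsse:BinarySecurityToken>'
        '</wsse:Security>'
        '</soapenv:Header>'
        '<soapenv:Body><getRepositories xmlns="http://docs.oasis-open.org/ns/cmis/messaging/200908/"/></soapenv:Body>'
        '</soapenv:Envelope>'
    ) % (SOAP, WSSE, WSU, created, expires, value_type, token)


def _parse_wsu_time(text):
    """Parse a wsu:Created / wsu:Expires value, with or without fractional seconds, as UTC."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unparseable wsu timestamp: %r" % text)


def check_ltpa_security_header(envelope_xml, now):
    """Return (ok, reason). ok is True only when the header carries an LTPA v2 token
    and a Timestamp that is valid at `now` and no wider than the configured expiration window."""
    root = ET.fromstring(envelope_xml)
    security = root.find("{%s}Header/{%s}Security" % (SOAP, WSSE))
    if security is None:
        return False, "no wsse:Security header"

    token = security.find("{%s}BinarySecurityToken" % WSSE)
    if token is None or token.get("ValueType") != LTPA_V2_VALUE_TYPE:
        return False, "no LTPA v2 BinarySecurityToken"
    token_text = (token.text or "").strip()
    if not token_text:
        return False, "empty token"
    try:
        base64.b64decode(token_text, validate=True)  # binascii.Error is a ValueError subclass
    except ValueError:
        return False, "token is not valid base64"

    ts = security.find("{%s}Timestamp" % WSU)
    if ts is None:
        return False, "no wsu:Timestamp"
    created, expires = ts.findtext("{%s}Created" % WSU), ts.findtext("{%s}Expires" % WSU)
    if created is None or expires is None:
        return False, "Timestamp lacks Created or Expires"
    created_dt, expires_dt = _parse_wsu_time(created), _parse_wsu_time(expires)

    if created_dt > now + timedelta(minutes=5):  # small clock-skew allowance
        return False, "Created is in the future"
    if expires_dt <= now:
        return False, "message expired"
    if expires_dt - created_dt > MAX_MESSAGE_AGE:
        return False, "Expires exceeds the configured expiration window"
    return True, "ok"


if __name__ == "__main__":
    fresh = build_sample_envelope("2014-11-12T11:59:00Z", "2014-11-12T12:04:00Z")
    stale = build_sample_envelope("2014-11-11T11:59:00Z", "2014-11-11T12:04:00Z")
    print(check_ltpa_security_header(fresh, SAMPLE_NOW))
    print(check_ltpa_security_header(stale, SAMPLE_NOW))
```

The check deliberately stops at structure and freshness: verifying the LTPA token itself (decrypting it with the exported LTPA key and checking its signature) is done by the WebSphere runtime that shares that key, which is why the comment stresses importing the same key into both servers.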