WS-Security Consumer Policies
You can configure WS-Security Consumer policies by copying a template into an external policy set, and modifying the parameters. You can find sample templates in an archive file under TIBCO_HOME/amx/version/samples/policy/samples.zip.
Several template samples are available.
You can configure this policy to retrieve user credentials from an Identity Provider resource instance. When using an Identity Provider resource instance to retrieve user credentials for a policy, in the Identity Provider resource template, check the Enable Access to Credential Store Containing Identity checkbox. The JCEKS keystore used in the Identity Provider resource template should be able to store symmetric keys.
UsernameToken - Nonce and Created Elements
When a Basic Credential Mapping or WSS Credential Mapping policy is used to insert a UsernameToken in the SOAP security header, the Nonce and Created elements can be optionally added.
You can configure a Basic Credential Mapping or WS-Security Consumer Credential Mapping policy to have the UsernameToken without the Nonce and Created elements by copying the template below and modifying the parameters appropriately. See the Policy Sets, Policy Templates Reference section in the Composite Development guide for more information about configuring policy sets.
The sample Basic Credential Mapping policy below generates the UsernameToken without the Nonce and Created elements.
<?xml version="1.0" encoding="UTF-8"?>
<ep:policySetContainer xmlns:ep="http://xsd.tns.tibco.com/amf/models/externalpolicy"
xmlns:sca="http://www.osoa.org/xmlns/sca/1.0"
xmlns:scaext="http://xsd.tns.tibco.com/amf/models/sca/extensions"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wssp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0
.xsd"
xmlns:tpa="http://xsd.tns.tibco.com/governance/policy/action/2009"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:tpc="http://xsd.tns.tibco.com/governance/policy/common/2009"
xmlns:jmsbt="http://xsd.tns.tibco.com/amf/models/sca/bindingtype/jms"
xmlns:soapbt="http://xsd.tns.tibco.com/amf/models/sca/binding/soap"
xmlns:webapp="http://xsd.tns.tibco.com/amf/models/sca/implementationtype/webapp"
targetNamespace="http://www.example.org">
<!-- add the policy sets here -->
<sca:policySet name="CredentialMappingUsernameToken"
provides="scaext:clientAuthentication.usernameToken"
appliesTo="soapbt:binding.soap.service">
<wsp:Policy template="tpt:WssConsumer" xmlns:tpt="
http://xsd.tns.tibco.com/governance/policy/template/2009">
<wsp:All>
<wsp:Policy>
<wsp:All>
<tpa:CredentialMapping>
<tpa:Fixed>
<wssp:UsernameToken>
<wsse:Username>schalla</wsse:Username>
<wsse:Password>password</wsse:Password>
</wssp:UsernameToken>
<tpa:IdentityProvider
ResourceInstance="IdPasswordProvider" />
</tpa:Fixed>
<wssp:SupportingTokens>
<wssp:UsernameToken>
<tpa:NoNonce/>
</wssp:UsernameToken>
</wssp:SupportingTokens>
</tpa:CredentialMapping>
</wsp:All>
</wsp:Policy>
</wsp:All>
</wsp:Policy>
</sca:policySet>
</ep:policySetContainer>