WS-Security Consumer Policies

You can configure WS-Security Consumer policies by copying a template into an external policy set, and modifying the parameters. You can find sample templates in an archive file under TIBCO_HOME/amx/version/samples/policy/samples.zip.

Several template samples are available.

You can configure this policy to retrieve user credentials from an Identity Provider resource instance. When using an Identity Provider resource instance to retrieve user credentials for a policy, in the Identity Provider resource template, check the Enable Access to Credential Store Containing Identity checkbox. The JCEKS keystore used in the Identity Provider resource template should be able to store symmetric keys.

Template File:
- WssConsumerAddUsernameTokenTimestampSignAndEncrypt.policysets
- WssConsumerCredentailMappingSAMLSigned.policysets
- WssConsumerCredentailMappingSAMLUnsigned.policysets
- WssConsumerCredentailMappingUsernameTokenFixed.policysets
- WssConsumerCredentailMappingUsernameTokenRoleBased.policysets

Can Provide these Intents:
- scaext:credentialMapping.wssSAML
- scaext:credentialMapping.usernameToken
- scaext:consumerIntegrity.wss
- scaext:consumerConfidentiality.wss

UsernameToken - Nonce and Created Elements

When a Basic Credential Mapping or WSS Credential Mapping policy is used to insert a UsernameToken in the SOAP security header, the Nonce and Created elements can be optionally added.

You can configure a Basic Credential Mapping or WS-Security Consumer Credential Mapping policy to have the UsernameToken without the Nonce and Created elements by copying the template below and modifying the parameters appropriately. See the Policy Sets, Policy Templates Reference section in the Composite Development guide for more information about configuring policy sets.

The sample Basic Credential Mapping policy below generates the UsernameToken without the Nonce and Created elements.

<?xml version="1.0" encoding="UTF-8"?>
<ep:policySetContainer xmlns:ep="http://xsd.tns.tibco.com/amf/models/externalpolicy"
   xmlns:sca="http://www.osoa.org/xmlns/sca/1.0"
   xmlns:scaext="http://xsd.tns.tibco.com/amf/models/sca/extensions"
   xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
   xmlns:wssp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
   xmlns:tpa="http://xsd.tns.tibco.com/governance/policy/action/2009"
   xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
   xmlns:tpc="http://xsd.tns.tibco.com/governance/policy/common/2009"
   xmlns:jmsbt="http://xsd.tns.tibco.com/amf/models/sca/bindingtype/jms"
   xmlns:soapbt="http://xsd.tns.tibco.com/amf/models/sca/binding/soap"
   xmlns:webapp="http://xsd.tns.tibco.com/amf/models/sca/implementationtype/webapp"
   targetNamespace="http://www.example.org">

  <!-- add the policy sets here -->
  <sca:policySet name="CredentialMappingUsernameToken"
      provides="scaext:clientAuthentication.usernameToken"
      appliesTo="soapbt:binding.soap.service">
    <wsp:Policy template="tpt:WssConsumer"
        xmlns:tpt="http://xsd.tns.tibco.com/governance/policy/template/2009">
      <wsp:All>
        <wsp:Policy>
          <wsp:All>
            <tpa:CredentialMapping>
              <tpa:Fixed>
                <!-- sample credentials; replace with your own values -->
                <wssp:UsernameToken>
                  <wsse:Username>schalla</wsse:Username>
                  <wsse:Password>password</wsse:Password>
                </wssp:UsernameToken>
                <tpa:IdentityProvider ResourceInstance="IdPasswordProvider"/>
              </tpa:Fixed>
              <!-- generate the UsernameToken without the Nonce and Created elements -->
              <wssp:SupportingTokens>
                <wssp:UsernameToken>
                  <tpa:NoNonce/>
                </wssp:UsernameToken>
              </wssp:SupportingTokens>
            </tpa:CredentialMapping>
          </wsp:All>
        </wsp:Policy>
      </wsp:All>
    </wsp:Policy>
  </sca:policySet>
</ep:policySetContainer>
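
The WSS UsernameToken Profile describes the Nonce and Created elements as a countermeasure against replay, so it is worth knowing which policy sets switch them off. The following check is an added example, not TIBCO code or part of the original page: it parses a policy set container and reports policy sets that use tpa:NoNonce or carry a literal wsse:Password under tpa:Fixed. The sample input is constructed from the template above; the second policy set, the finding labels and the function name audit are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {  # namespace URIs as declared in the template on this page
    "sca": "http://www.osoa.org/xmlns/sca/1.0",
    "tpa": "http://xsd.tns.tibco.com/governance/policy/action/2009",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}

# Constructed sample input: two policy sets reduced from the page's template.
SAMPLE = f"""<ep:policySetContainer
    xmlns:ep="http://xsd.tns.tibco.com/amf/models/externalpolicy"
    xmlns:wssp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:sca="{NS['sca']}" xmlns:tpa="{NS['tpa']}"
    xmlns:wsse="{NS['wsse']}">
  <sca:policySet name="NoNonceFixedPassword">
    <tpa:CredentialMapping>
      <tpa:Fixed><wssp:UsernameToken>
        <wsse:Username>user1</wsse:Username>
        <wsse:Password>password</wsse:Password>
      </wssp:UsernameToken></tpa:Fixed>
      <wssp:SupportingTokens><wssp:UsernameToken><tpa:NoNonce/>
      </wssp:UsernameToken></wssp:SupportingTokens>
    </tpa:CredentialMapping>
  </sca:policySet>
  <sca:policySet name="IdentityProviderOnly">
    <tpa:CredentialMapping><tpa:Fixed>
      <tpa:IdentityProvider ResourceInstance="IdPasswordProvider"/>
    </tpa:Fixed></tpa:CredentialMapping>
  </sca:policySet>
</ep:policySetContainer>"""

def audit(xml_text):
    """Map each sca:policySet name to a list of findings (hypothetical labels)."""
    report = {}
    for ps in ET.fromstring(xml_text).iterfind(".//sca:policySet", NS):
        findings = []
        # Per this page, tpa:NoNonce yields a token without Nonce and Created.
        if ps.find(".//tpa:NoNonce", NS) is not None:
            findings.append("no-nonce")
        # A non-empty wsse:Password under tpa:Fixed is a literal secret in the file.
        for fixed in ps.iterfind(".//tpa:Fixed", NS):
            pw = fixed.find(".//wsse:Password", NS)
            if pw is not None and (pw.text or "").strip():
                findings.append("literal-password")
        report[ps.get("name")] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To check a real file, pass its contents to audit() in place of SAMPLE.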