Skip to main content
Skip table of contents


Endpoint URL

An endpoint is uniquely identified by an endpoint URL:

Request Type

Endpoint URL











The parallel requests are limited to 100 requests. All requests above this limit will drop and a 503 Server busy will be returned.

Endpoint Configuration

Normally the defaults are fine and you don't need this file, except if you want to tune a specific endpoint eg. ocsp or allow big attachments.




Size in MB of request allowed to be sent through the servlet
0 for no restriction.

requestTypeParameterName / requestTypeDefault

parameter acting as the requestType, and default that should be taken if it wasn't found.


true or false
Do we want to parse the http headers sent to the TrustBuilder servlet.
if set to true these headers will we placed into the RequestHeaders of the incomming resquest.


Specific ocsp endpoint setting.
Defines the type of keystore used.


Specific OCSP endpoint setting.
Absolute path to the store


Specific OCSP endpoint setting.
Password of the store [Base64].


Specific OCSP endpoint setting.
Alias of the private key in the keystore used to sign the response.
Only used when type is set to 'JKS'


Specific OCSP endpoint setting.
Password of the private key in the keystore.


Whenever a request comes into the workflow as an entry in your workItem it request will have a couple of attributes. These attributes are depending on the endpoint on which the request comes in. Note, the attributes are always there, but not necessarily filled in. The request object available as a real javascript object contains the following properties/function .

  • headers: containing all headers

  • cookies: containing all cookies

  • parameters: containing all passed parameters (empty for every endpoint except html-endpoint), value is an array !!

  • parameter('myparam'): function!! returning the value if there is only one value for a certain parameter, array in every other case

  • body: string containing the body

  • bodyAsXml(): function returning the body as an xml object (if it actually is one)


When sending something out via the FinalState property the engine requires a response the endpoint can understand.

This is where the tb.generateResponse comes in. This is a helper function requires the following parameters:

  • body: whatever you want to have in the body of your endpoint, html/xml/soap

  • headers: object key/value pairs rendered as headers in the endpoint

  • cookies: object key/value pairs rendered as cookies in the endpoint (only applies to http protocol, not to cdas)

  • status: number to be used as http statuscode


var cookies = {
    "TbSession": {
        value: 'someIdentifier',
        maxage: '300',
        path: "/"
    "RememberMe": {
        value: '1',
        maxage: '300',
        path: "/"
var header = { "Content-type": "text/html", 'X-Application': 'Trustbuilder' };
tb.generateResponse('\<html\>my doc\</html\>', headers, cookies, 200);

Endpoint Authorisation

These pages describe the authorisation mechanism applied to the TrustBuilder Endpoints. There are currently five HTTP endpoints within TrustBuilder (TB) being XML, SOAP, HTML, GENERIC and OCSP.Each endpoint consumes a different kind of request with its own authorisation structure.

The mechanism for authentication and authorization is the standard J2EE implementation where roles are defined in the deployment descriptor of the application and then mapped on the application server.

Not only can the endpoints be secured, but are some of the parameters of the request taken into account in the decision: config, workflow and RequestType. If none of these parameters are present (via HTTP headers, URL or Form values) the authorisation is applied on the default requestType on the condition that this is configured naturally.

Through services in the configuration of TrustBuilder it is possible to add an Radius and LDAP endpoint.

Many applications and network access management solutions use these interfaces for such requests. Now they can take advantage of the power of TrustBuilder's Policy and Workflow Engine to handle the requests independently from the actual repository containing the user and validation data.

The deployment descriptor (DD) is where the roles are defined. These roles are read by the application server upon installation of the application and can then be mapped to users and groups. These can be from ITIM or LDAP or any other mechanism that your application server provides. The destinations for authorisation and the authentication method are also defined in the deployment descriptor.

Security Roles

Roles are defined in the DD that are used by the following definitions to map the application to the container: WebSphere. Ultimately the security; users, credentials, groups, roles, are defined by the container these roles provide hooks to the container and need to be mapped on installation of TB.

Security Constraints

The constraints map the endpoint servlets to roles and transport restrictions securing SOAP, XML, HTML or Genric types of requests. The constraints are mapped to URLs so one constraint can be set for each request type or the trustbuilder/* root could be constrained covering all the instances. The role-name elements map to security-role elements.

      <description>SSL or MSSL not required</description>
Authentication Configuration

For authorisation to function authentication needs to be performed. This is also specified in the web.xml file. Initially this is set to BASIC authentication but can be set to DIGEST or FORM.


The roles defined in the deployment descriptor of TrustBuilder (TB) must be mapped to users that are defined within WebSphere (WAS). This is performed at the application level within WAS and for it all to function application security needs to be enabled.

Application Security Settings

For the authentication that is setup within the web.xml file to function application authentication must be enabled in WebSphere.

For WAS 7 and WAS 8 this is set here:

> Security > Global Security > Application Security > Enable application security 

Creating Internal Users

NB. This is only one way to create users in WAS for more information view WAS documentation.

Once TrustBuilder has been installed within WAS then the roles defined in the deployment descriptor(web.xml) need to be assigned to users within the organisation, however they are managed. WebSphere can use a number of resources for users and groups.

If using the internal federated repository then users can be seen here (in WAS 7 or 8):

> Users and Groups > Manage Users 

Mapping Application Roles

To map the TrustBuilder roles created in the deployment descriptor (web.xml) enter the WAS administrative console and go here for WAS 7 and WAS 8:

> Applications > Application Types > Websphere enterprise applications > trustbuilder > Security role to user/group mapping 

Within this page all the roles defined in the deployment descriptor with be visible. To map a role to users within WAS select the roles you wish to work with then click the Map Users or Map Groups buttons. On the following page search for the users or groups that are to be assigned to the selected roles. These users or groups define the credentials that are used when authenticating to the TrustBuilder endpoints and authorising to specific resources.

XSD Validation

This section describes how to configure XSD validation of requests for TrustBuilder. This can be used to validate transactions or portions of a request to TrustBuilder against a pre-written XSD file.


In order to use the xsd validation the config file should contain the 'ValidationResource' element referencing an absolute path to a validation properties file.

This properties file contains the element to be validated against which XSD. For each type of request that must be validated the request type name and the name and location of the XSD file to perform the validation must be specified within the property file (

An example property set for one element that is to be validated







Defines which element in the payload defines against which xsd this payload should be validated


Optional namespace of the element


Optional absolute path containing xsd's defined for every type



The relative path from xsd.home to validate against


Data (TransactionDataSet)

The name of the element that contatins the data that is to be validated



The optional namespace of the Data if needed


Within each request that is sent to TrustBuilder the body will be searched for the validation.element, for instance a transactionType. The value of this element will be looked up with a relevant namespace if appropriate. Which will determine:

  • If this type of request should be validated (ie. is there a key found in the properties file)

  • The location of the XSD file to validate this request (dependent upon 1)

  • The part of the request that should be validated (dependent upon 1)

Kerberos authentication

In order to enable kerberos authentication on an http endpoint the following steps is required. In TBHOME a should be created with the following parameters: (note: all paths are relative from TBHOME) After modifying this file, a restart of trustbuilder is required.

// krb5 config, eg. /etc/krb5.conf
// login config, jaas configuration file containing the configuration for the kerberos modules
// module to use in the jaas configuration file (referrably using keytab)
// if basic auth is permitted, not recommended

Now trustbuilder will 'negotiate' with clients asking for a kerberos ticket.

An example krb5.conf could look like:

        default_realm = TRUSTBUILDER

        TRUSTBUILDER = {
                kdc = kdc01.trustbuilder
                admin_server = kdc01.trustbuilder

Example jaas.config

{ required debug = true
            tryFirstPass = true doNotPrompt = true
            principal = "HTTP/trustbuilder"
            storeKey = true useKeyTab = true keyTab = "/Users/koen/tb.keytab"
            debug = true;

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.