IBM Tivoli Enablement Tools
to participate
619 replies
Latest Post
Answered question
This question has been answered.
This thread is for questions and comments on Web Services Wrappers for ITIM API.
http://www-/software/brandcatalog/portal/opal/details?catalog.label=1TW10IM12
I am currently trying to get the provided clients to work with the ITIM API WebService.
I've installed the Web Service using the extracted option and deploying the .ear file manually as it is a clustered ITIM environment.
the ITIMWebService.ear deploys and starts fine with no errors.
When calling the WebService I get the following error:
&& java.lang.InstantiationException: com.ibm.itim.ws.services.WSSessionService
The error seems to occur when the client attempts to instantiate the WSSessionService from the factory, the code i'm using to call this is:
&& WSSession session = sessionService.login(admin_userid, admin_password);
I am also experiencing the same problem whether I'm using a custom axis webservice client, or the ITIM Rich Client, which leads me to believe there is something wrong with the web service itself.
Full error trace:
AxisFault faultCode: http:
//schemas.xmlsoap.org/soap/envelope/}Server.userException faultSubcode: faultString: java.lang.InstantiationException: com.ibm.itim.ws.services.WSSessionService faultActor: faultNode: faultDetail: http:
//xml.apache.org/axis/}hostname:ITIM5DC
java.lang.InstantiationException: com.ibm.itim.ws.services.WSSessionService at org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:222) at org.apache.axis.message.SOAPFaultBuilder.endElement(SOAPFaultBuilder.java:129) at org.apache.axis.encoding.DeserializationContext.endElement(DeserializationContext.java:1087) at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(Unknown Source) at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.scanEndElement(Unknown Source) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source) at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source) at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source) at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source) at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(Unknown Source) at javax.xml.parsers.SAXParser.parse(Unknown Source) at org.apache.axis.encoding.DeserializationContext.parse(DeserializationContext.java:227) at org.apache.axis.SOAPPart.getAsSOAPEnvelope(SOAPPart.java:696) at org.apache.axis.Message.getSOAPEnvelope(Message.java:435) at org.apache.axis.handlers.soap.MustUnderstandChecker.invoke(MustUnderstandChecker.java:62) at org.apache.axis.client.AxisClient.invoke(AxisClient.java:206) at org.apache.axis.client.Call.invokeEngine(Call.java:2784) at org.apache.axis.client.Call.invoke(Call.java:2767) at org.apache.axis.client.Call.invoke(Call.java:2443) at org.apache.axis.client.Call.invoke(Call.java:2366) at org.apache.axis.client.Call.invoke(Call.java:1812) at com.ibm.itim.ws.services.WSSessionServiceSoapBindingStub.login(WSSessionServiceSoapBindingStub.java:359) at com.decipherworks.itim.ws.password.PasswordClient.main(PasswordClient.java:40)
I would like to correct my previous post. It is not exactly the same error that Dave has posted but looks like related. Both are Axis exceptions. Any help is appreciated.
SenKan and DaveHong,
Could you post what version of ITIM are you deploying the Web Services Wrappers on? Please post the Websphere version as well. DaveHong mentioned he was deploying in a clustered WAS. What about SenKan's deployment?
SenKan and DaveHong,
Could you post what version of ITIM are you deploying the Web Services Wrappers on? Please post the Websphere version as well. DaveHong mentioned he was deploying in a clustered WAS. What about SenKan's deployment?
For those having connection issues when connecting to ITIM web services from a client, here is a simple self contained test jar. This test jar is for ITIM Web Services 1.2, please ensure that you have v1.2 before attempting to run this test jar. You can verify your version of ITIM Web Services as follows by navigating to webservice.properties and looking at webServices.version property. The webservice.properties file is located at
Navigate to WAS_ROOT/installedApps/NODENAME/ITIMWebServicesEAR.ear/ITIMWebServices.war/WEB-INF/classes/resourceBundle
WAS_ROOT/profiles/PROFILENAME/installedApps/CELLNAME/ITIMWebServicesEAR.ear/ITIMWebServices.war/WEB-INF/classes/resourceBundle
If you are running an older version of ITIM Web Services, this test jar will not work. You will need to upgrade to ITIM Web Services v1.2. The ITIM Web Services upgrade does not affect or upgrade the underlying ITIM product other than running on the same Websphere server.
After ascertaining you have ITIM Web Services v1.2 installed, copy the attached testClient1.2.jar to your client system, make sure you have a JVM in your path (at least v 1.4.x for 4.6, v 1.5 for ITIM 5.x), change directory to the folder where you placed the jar file, and type
java -jar testClient1.2.jar ServerAddress UserName Password
where ServerAddress is the serverAddress URL of ITIM Web Services written as http://YOURHOST:YOURPORT. The UserName and Password values should be valid on ITIM. If the username or password values have spaces, enclose in double quotes.
Please note that testClient1.2.jar is not a part of the delivery of Web Services Wrapper for ITIM, and is only provided here for testing purposes.
Here is sample output from the testClient1.2.jar
java -jar testClient1.2.jar http://greenserver:9080 gverma xxxxxx
Trying connection to ITIMWebServices
Communication successful, the ITIM Web Services Wrapper version is 1.2
The ITIM version is 5.0
Trying authentication for user gverma
User id gverma logged in succesfully to http://greenserver:9080
User name from ITIM is Girish Verma
Trying to get list of accounts owned by Girish Verma
Found 5 accounts for Girish Verma
9b0123896 on service LDAP base service
gverma on service Windows Local
gverma on service ITIM Service
user1 on service LDAP base service
user2 on service LDAP base service
End of test
Attachments
For those having connection issues when connecting to ITIM web services from a client, here is a simple self contained test jar. This test jar is for ITIM Web Services 1.2, please ensure that you have v1.2 before attempting to run this test jar. You can verify your version of ITIM Web Services as follows by navigating to webservice.properties and looking at webServices.version property. The webservice.properties file is located at
Navigate to WAS_ROOT/installedApps/NODENAME/ITIMWebServicesEAR.ear/ITIMWebServices.war/WEB-INF/classes/resourceBundle
WAS_ROOT/profiles/PROFILENAME/installedApps/CELLNAME/ITIMWebServicesEAR.ear/ITIMWebServices.war/WEB-INF/classes/resourceBundle
If you are running an older version of ITIM Web Services, this test jar will not work. You will need to upgrade to ITIM Web Services v1.2. The ITIM Web Services upgrade does not affect or upgrade the underlying ITIM product other than running on the same Websphere server.
After ascertaining you have ITIM Web Services v1.2 installed, copy the attached testClient1.2.jar to your client system, make sure you have a JVM in your path (at least v 1.4.x for 4.6, v 1.5 for ITIM 5.x), change directory to the folder where you placed the jar file, and type
java -jar testClient1.2.jar ServerAddress UserName Password
where ServerAddress is the serverAddress URL of ITIM Web Services written as http://YOURHOST:YOURPORT. The UserName and Password values should be valid on ITIM. If the username or password values have spaces, enclose in double quotes.
Please note that testClient1.2.jar is not a part of the delivery of Web Services Wrapper for ITIM, and is only provided here for testing purposes.
Here is sample output from the testClient1.2.jar
java -jar testClient1.2.jar http://greenserver:9080 gverma xxxxxx
Trying connection to ITIMWebServices
Communication successful, the ITIM Web Services Wrapper version is 1.2
The ITIM version is 5.0
Trying authentication for user gverma
User id gverma logged in succesfully to http://greenserver:9080
User name from ITIM is Girish Verma
Trying to get list of accounts owned by Girish Verma
Found 5 accounts for Girish Verma
9b0123896 on service LDAP base service
gverma on service Windows Local
gverma on service ITIM Service
user1 on service LDAP base service
user2 on service LDAP base service
End of test
For those having connection issues when connecting to ITIM web services from a client, here is a simple self contained test jar. This test jar is for ITIM Web Services 1.2.1 only, please ensure that you have v1.2.1 before attempting to run this test jar. You can verify your version of ITIM Web Services as follows by navigating to webservice.properties and looking at webServices.version property. The webservice.properties file is located at
Navigate to WAS_ROOT/installedApps/NODENAME/ITIMWebServicesEAR.ear/ITIMWebServices.war/WEB-INF/classes/resourceBundle
WAS_ROOT/profiles/PROFILENAME/installedApps/CELLNAME/ITIMWebServicesEAR.ear/ITIMWebServices.war/WEB-INF/classes/resourceBundle
IMPORTANT: If the webServices.version property value is 1.2.1, please change the value to 1.21 and restart Websphere.
If you are running an older version of ITIM Web Services, this test jar will not work. You will need to upgrade to ITIM Web Services v1.2.1. The ITIM Web Services upgrade does not upgrade the underlying ITIM product or affect it other than running on the same Websphere server.
After ascertaining you have ITIM Web Services v1.2.1 installed, copy the attached testClient1.2.jar to your client system, make sure you have a JVM in your path (at least v 1.4.x for 4.6, v 1.5 for ITIM 5.x), change directory to the folder where you placed the jar file, and type
java -jar testClient1.2.1.jar ServerAddress UserName Password
where ServerAddress is the serverAddress URL of ITIM Web Services e.g. http://YOURHOST:YOURPORT. The UserName and Password values should be valid on ITIM. If the username or password values have spaces, enclose in double quotes.
Please note that testClient1.2.1.jar is not a part of the delivery of Web Services Wrapper for ITIM API, and is only provided here for testing purposes.
Attachments
For those having connection issues when connecting to ITIM web services from a client, here is a simple self contained test jar. This test jar is for ITIM Web Services 1.2.1 only, please ensure that you have v1.2.1 before attempting to run this test jar. You can verify your version of ITIM Web Services as follows by navigating to webservice.properties and looking at webServices.version property. The webservice.properties file is located at
Navigate to WAS_ROOT/installedApps/NODENAME/ITIMWebServicesEAR.ear/ITIMWebServices.war/WEB-INF/classes/resourceBundle
WAS_ROOT/profiles/PROFILENAME/installedApps/CELLNAME/ITIMWebServicesEAR.ear/ITIMWebServices.war/WEB-INF/classes/resourceBundle
IMPORTANT: If the webServices.version property value is 1.2.1, please change the value to 1.21 and restart Websphere.
If you are running an older version of ITIM Web Services, this test jar will not work. You will need to upgrade to ITIM Web Services v1.2.1. The ITIM Web Services upgrade does not upgrade the underlying ITIM product or affect it other than running on the same Websphere server.
After ascertaining you have ITIM Web Services v1.2.1 installed, copy the attached testClient1.2.jar to your client system, make sure you have a JVM in your path (at least v 1.4.x for 4.6, v 1.5 for ITIM 5.x), change directory to the folder where you placed the jar file, and type
java -jar testClient1.2.1.jar ServerAddress UserName Password
where ServerAddress is the serverAddress URL of ITIM Web Services e.g. http://YOURHOST:YOURPORT. The UserName and Password values should be valid on ITIM. If the username or password values have spaces, enclose in double quotes.
Please note that testClient1.2.1.jar is not a part of the delivery of Web Services Wrapper for ITIM API, and is only provided here for testing purposes.
Thanks Girish, the test jar is very helpful for my test on ITIM 4.6 FP40. Is it possible that you upload the source for the test jar?
Thanks Girish, the test jar is very helpful for my test on ITIM 4.6 FP40. Is it possible that you upload the source for the test jar?
Jin (and anyone else who wants the source of the test client),
The source for TestClient.java is attached. You should have all the jars from the client folder of the ITIM Web Services installation directory in your classpath when you compile / run this class. These jars are:
commons-discovery-0.2.jar
commons-logging-1.0.4.jar
ITIMWebServicesClient.jar
ITIMWebServicesClientUtils.jar
jaxrpc.jar
wsdl4j-1.5.1.jar
The source code of TestClient.java is provided on an AS-IS basis for reference purposes to those users who can follow it. It is not part of the delivery of Web Services Wrapper for ITIM API.
Attachments
Do you have any additional sample code that I could look at? The connectivity test is great. Currently I need to assign a uid to a TIM identity (and probably erAliases as well), then add a role to the identity (which with your prior was successful), and lastly submit a password change that synchronizes all of the accounts assigned to the TIM identity. Thanks - Matt.
I also received your email with your code sample and replied to it regarding uid assignment and role / access provisioning. There was an issue in your code sample for uid modification - your code was inserting extraneous values into the DN. Removing that will fix the issue.
If you are using Web Services Wrapper on ITIM 5.0, the download has a reference UI application called the ITIM Web Services Rich Client with complete source code. You can use this as a reference on how to use the Web Services Wrapper API. See the Design and Deployment doc for v 1.2.1, page 64 for details. You do not need to run the Rich Client application, only install it to access its source code.
I'm attempting to utilize the ITIM web services wrapper via a Netbeans project. I have no problem executing an operation such as getChallengeQuestions(), but I'm having a bit of trouble dealing with the WSSession object that is returned from login() and lostPasswordLoginDirectEntry().
Basically, when I execute login(), passing it a valid user and password, the sessionID returned is always 0 and the clientSession is always null. What is interesting is that I can change my test user id to something non-existent and I will get a login exception, which tells me that the user is being authenticated, but something is wrong with my returned WSSession.
I can execute a login() request with the same credentials using soapUI and I will receive a proper sessionID and clientSession, so I know that the ITIM API is properly setup.
I know this isn't a Netbeans forum, but I will include a bit of code in case I'm doing something wrong.
WSSessionServiceService service = WSSessionServiceService();
WSSessionService port = service.getWSSessionService();
String principal = "sad4039";
String credential = "xxxxx";
WSSession result = port.login(principal, credential);
System.out.println("clientSession: " + result.getClientSession()); // returns 'null'
System.out.println("sessionID: " + result.getSessionID()); // returns 0
System.out.println("enforceChallengeResponse: " + result.isEnforceChallengeResponse()); // returns false
} catch (Exception ex) {
System.out.println("ERROR: " + ex.toString());
Any help would be greatly appreciated.
The sample code you posted is not clear, e.g.
WSSessionServiceService service = WSSessionServiceService();
WSSessionService port = service.getWSSessionService();
The first line you posted under the try clause is invalid, WSSessionServiceService is an interface.
A few questions will help in getting information:
1. Did you generate your own client stubs from the WSDL or are you using the pre-generated client supplied with the download?
2. When you say you "I can execute a login() request with the same credentials using soapUI and I will receive a proper sessionID and clientSession", can you elaborate what API did you use?
If you are using the pre generated Java client supplied with the web services donwload, you can leverage the web service factory class to get a web service. Add all the client jars to your application's classpath (the client jars are under the client folder where you installed/extracted the web services download). You should now be able to leverage the web services factory class to get a reference to a web service:
Sample code
ITIMWebServiceFactory webServiceFactory = new ITIMWebServiceFactory("http://YourHost:YourPort");
WSSessionService sessionService = webServiceFactory.getWSSessionService();
WSSession session = sessionService.login("username","password");
-end sample code
See the ITIM_WS_DOC.pdf chapter 6 for more code examples on web services. Depending on the state saving method you are using, the clientSession property of session may be null. Reference the state saving method section in the document.
The sample code you posted is not clear, e.g.
WSSessionServiceService service = WSSessionServiceService();
WSSessionService port = service.getWSSessionService();
The first line you posted under the try clause is invalid, WSSessionServiceService is an interface.
A few questions will help in getting information:
1. Did you generate your own client stubs from the WSDL or are you using the pre-generated client supplied with the download?
2. When you say you "I can execute a login() request with the same credentials using soapUI and I will receive a proper sessionID and clientSession", can you elaborate what API did you use?
If you are using the pre generated Java client supplied with the web services donwload, you can leverage the web service factory class to get a web service. Add all the client jars to your application's classpath (the client jars are under the client folder where you installed/extracted the web services download). You should now be able to leverage the web services factory class to get a reference to a web service:
Sample code
ITIMWebServiceFactory webServiceFactory = new ITIMWebServiceFactory("http://YourHost:YourPort");
WSSessionService sessionService = webServiceFactory.getWSSessionService();
WSSession session = sessionService.login("username","password");
-end sample code
See the ITIM_WS_DOC.pdf chapter 6 for more code examples on web services. Depending on the state saving method you are using, the clientSession property of session may be null. Reference the state saving method section in the document.
Thank you for your reply. First things first, let me try to answer your questions. Please bear with me though, as I'm just picking this stuff up as I go along...
1) Yes, I generated my own artifacts using the wizards provided by Netbeans, which utilize JAX_WS 2.1 (wsimport). The code I posted earlier was auto-generated by Netbeans when I dragged the login method to my code. It appears that JAX-WS generates the WSSessionServiceService as a class rather than an interface. I tested this by generating artifacts with JAX-WS from a command line (outside of Netbeans) and have posted that file to this message.
2) soapUI (www.soapui.org) is a web service testing utility that we use extensively here. We have found that it can handle just about anything we throw at it. I just created a project pointed at the ITIM SessionService WSDL and executed the login() operation. With a valid user/pass I am able to get a sessionID and clientSession returned, something I haven't been able to do with my Netbeans stubs. I'm not sure what soapUI uses to create its artifacts, because from the user side all you provide is a WSDL location.
I took your suggestion of trying the client jars and login worked as expected: I was able to get a session and clientSession returned to me. With that as my backup plan, I'll be doing more research and testing to try and get Netbeans/JAX-WS to work. I will post back with my results.
Attachments
Hi really nice work on this. It was much needed and is much appreciated!
My question is in regard to setting a user defined challenge response question and answer using the ITIM webservices. I understand that WSChallengeResponseInfo()can bring back the CR information that has already been set. And that a defined answer can be pulled back and evaluated against user input. What is not immediately apparent is if I actually set challenge question and answer. Is there method for this using the webservice wrappers? I'm sure there must be, I'm perhaps not looking in the right place? If not, knowing that would be great so as I don't waste a bunch of time trying to force something that won't work :)
Again, really nice job and thanks for the effort!
Yes, you can set a user's challenge questions and answers using the ITIM Web Services. This is System User (ITIM account) information, and you can use the WSSystemUserService's setChallengeResponseInfo method. It inputs an array of WSChallengeResponseInfo objects that contain the new question answer pairs. See the Javadoc for WSSystemUserService for method signatures.
Yes, you can set a user's challenge questions and answers using the ITIM Web Services. This is System User (ITIM account) information, and you can use the WSSystemUserService's setChallengeResponseInfo method. It inputs an array of WSChallengeResponseInfo objects that contain the new question answer pairs. See the Javadoc for WSSystemUserService for method signatures.
Thank you for the response. I didn't make myself clear in the first message (my apologies). At issue is the capability to set a challenge response question and answer on behalf of the user as the itim admin principal. The webservices call will be made outside the user web session context, even though we are using TAM in a SSO configuration to ITIM, we have no means of offering the principal name AND credential in the subsequent WSSystemUserService constructor, nor withing the SetChallengeResponseQuestion method specifically. If we had a mechanism like string personDN = "something" such as is offered within getSystemUserforPerson this could probably be done, but it doesn't look as though SetChallengeResponseQuestion can work that way.
To boil all this down, we are looking for a way to set the user Challenge Response question and answer on behalf of the user using the ITIM administrator prinicpal using the webservices. If you could let me know if this is possible I would be grateful. Thank you again for the hard work on this and taking the time to answer my questions...
Thank you for the response. I didn't make myself clear in the first message (my apologies). At issue is the capability to set a challenge response question and answer on behalf of the user as the itim admin principal. The webservices call will be made outside the user web session context, even though we are using TAM in a SSO configuration to ITIM, we have no means of offering the principal name AND credential in the subsequent WSSystemUserService constructor, nor withing the SetChallengeResponseQuestion method specifically. If we had a mechanism like string personDN = "something" such as is offered within getSystemUserforPerson this could probably be done, but it doesn't look as though SetChallengeResponseQuestion can work that way.
To boil all this down, we are looking for a way to set the user Challenge Response question and answer on behalf of the user using the ITIM administrator prinicpal using the webservices. If you could let me know if this is possible I would be grateful. Thank you again for the hard work on this and taking the time to answer my questions...
If ITIM is SSO enabled and protected behind TAM, and the real user is available in the HTTP headers (inserted by TAM), your client app can extract the real userid from the HTTP headers and use it create a web services session by supplying the real userid as the principal with a null credential. Use this WS session to create the password challenge questions. This behavior is similar what you would see using the ITIM Java API in an SSO enabled ITIM. BTW, if you have ITIM in an SSO configuration protected behind TAM, then protect ITIM Web Services URLs also behind TAM to complete your security model.
The newer version of ITIM Web Services (v1.3) which will be released on OPAL in about two months can be configured to automatically extract TAM header variables to retrieve the userid and establish a web services session. Backward compatibility will be maintained with v1.21.
If ITIM is SSO enabled and protected behind TAM, and the real user is available in the HTTP headers (inserted by TAM), your client app can extract the real userid from the HTTP headers and use it create a web services session by supplying the real userid as the principal with a null credential. Use this WS session to create the password challenge questions. This behavior is similar what you would see using the ITIM Java API in an SSO enabled ITIM. BTW, if you have ITIM in an SSO configuration protected behind TAM, then protect ITIM Web Services URLs also behind TAM to complete your security model.
The newer version of ITIM Web Services (v1.3) which will be released on OPAL in about two months can be configured to automatically extract TAM header variables to retrieve the userid and establish a web services session. Backward compatibility will be maintained with v1.21.
Thank you again for the reply! We are proceeding as you have suggested and will be trying again presently. I look forward to the next version of the ITIM webservices as this implementation has proven invaluable to both my team and the customer we are working at!
Thank you again for the reply! We are proceeding as you have suggested and will be trying again presently. I look forward to the next version of the ITIM webservices as this implementation has proven invaluable to both my team and the customer we are working at!
Can you email me at gverma@?
Is it possible to setup security for ITIM Web Service ?
Please let me know if anyone modified ITIM webservice to configure security.
Thanks in advance.
Point # 3 below has a link that shows how to setup security using Tivoli Access Manager without requiring any change in the web services server side code. Points 1 and 2 have additional info on the ITIM Web Services security setup.
1. ITIM Web Service uses a threaded conversation model which requires the client to first establish a session by authenticating to ITIM via the session service, and to subsequently use the session handle in all subsequent web services calls. Calls without a valid session will throw an exception. The only exceptions to this are calls to methods that return the version info, or password challenge related calls which are an alternate authentication mechanism.
2. You can secure ITIM Web Services behind Tivoli Access Manager so that unauthenticated users will cause an ITAM challenge that is not expected by the client, resulting in an exception and access denial.
3. You can secure ITIM Web Services using Tivoli Access Manager so that the WS client can supply TAM credentials to gain access to the web services. There is a developerWorks article at
that describes this. Note that you will need to install and configure TAM and SSL which is beyond the scope of this forum.
I deployed ITIM WebService wrapper in WAS along with ITIM API.I am invoking the ITIM WebServices Wrapper using plain java code and in the same code I am getting the pricipal by calling ITIM API. I secured the ITIM WebService so that only authenticated users have access to invoke it. I modified the itimconnection.properties and WebService.properties files so that it will overwrite enRole.properties file. When I use blank id as ejbuser.principal value in itimconnection.properties file, getting an exception saying user guest not found. I wonder from where guest user is coming from?Is there a way so that I can use thread Id which is coming from the java client to pass it to ITIM API?
Thanks in advance.
Your post is not very clear on your setup whether you are using the ITIM API or Web Services or both. When you say "When I use blank id as ejbuser.principal value in itimconnection.properties file, getting an exception saying user guest not found", what are you using when the error occurs?
Is there a specific reason why you decided to use your own itimConnection.properties instead of enRole.properties - do you need different values for the properties that are not specified by enRole.properties? If your WAS is security enabled, you need to specify enrole.appServer.ejbuser.principal and credential property values. In most cases your enRole.properties and itimConnection.properties should have the same property values.
Your last point "Is there a way so that I can use thread Id which is coming from the java client to pass it to ITIM API?" - the web services client is running in your local JVM, not the ITIM websphere JVM, so each has its own threads. You can reuse the authenticated Subject object between your web services session and ITIM API calls by reusing the clientSession property of the WSSession object. You will also need to modify webservice.properties to set the webServices.encryptClientState to false and webServices.stateSavingMethod to client. I would not recommend this since it passes unencrypted authenticated objects over your network, unless you have established HTTPS as your web service protocol. Send me an email at gverma@ to describe your scenario.
You should consider sending a request on this forum to include whatever you are using via the ITIM API into the Web Services Wrapper, this may eliminate your need to use both.}