WebSphere Application Server Version 6.1 Feature Pack for Web Services
             Operating Systems: AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS

             New or updated topic for this feature pack

What is new for securing Web services

In WebSphere Application Server, there are many security enhancements for Web services. The enhancements include supporting sections of the Web Services Security (WS-Security) specifications and providing architectural support for plugging in and extending the capabilities of security tokens.

Enhancements from the supported Web Services Security specifications

Since September 2002, the Organization for the Advancement of Structured Information Standards (OASIS) has been developing the Web Services Security (WS-Security): SOAP Message Security standard.

In April 2004, OASIS released the Web Services Security Version 1.0 specification, a major milestone for securing Web services. This specification is the foundation for the other Web services security specifications and is also the basis for the WS-I Basic Security Profile (BSP) Version 1.0, which is a working draft. See Basic Security Profile for more information.

Web Services Security Version 1.0 is a strategic move towards Web services security interoperability, and it is the first step in the Web services security roadmap. For more information on the Web services security roadmap, see Security in a Web Services World: A Proposed Architecture and Roadmap.

WebSphere Application Server Version 6.0.x and later supports the following OASIS specifications and WS-I profiles:

For details on what parts of the previous specifications are supported in WebSphere Application Server, see Supported functionality from OASIS specifications.

High level features overview in WebSphere Application Server Version 6.0.x and later

The Web Services Security: SOAP Message Security Version 1.0 specification, which WebSphere Application Server Version 6.0.x and later implements, is designed to be flexible enough to accommodate the varied requirements of Web services. For example, the specification does not mandate any particular security token format. Instead, it defines a generic mechanism for associating a security token with a SOAP message, and the use of each kind of token is defined in a separate Version 1.0 security token profile, such as:

For more information on security token profile development at OASIS, see Organization for the Advancement of Structured Information Standards.

New or updated for this feature pack Web Services Security: SOAP Message Security Version 1.1 updates the core specification, the security token profiles, and the schemas.

For this release, WebSphere Application Server implements the Username Token Profile 1.1 and the X.509 Token Profile 1.1, which includes support for the Thumbprint type of security token reference. In addition, it supports the signature confirmation and encrypted header portions of the Web Services Security Version 1.1 standard.
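The signature confirmation mechanism mentioned above works like this: the responder echoes every ds:SignatureValue from the request back in its response as a wsse11:SignatureConfirmation element, and the requester checks that the set of confirmations matches the signatures it actually sent, so that a response cannot be swapped for one that answers a different (or unsigned) request. The following is an added example written for this page, not WebSphere code; the signature values are constructed base64 strings standing in for real XML signatures, and only the Security header elements relevant to the check are modelled.

```python
from __future__ import annotations

import base64
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-ins for ds:SignatureValue contents; these are not real signatures.
SIG_A = base64.b64encode(b"constructed signature value A").decode()
SIG_B = base64.b64encode(b"constructed signature value B").decode()


def make_request(sig_values: list[str]) -> str:
    """Constructed request: one ds:Signature per value in the Security header.
    Only SignatureValue is modelled; SignedInfo and KeyInfo are omitted."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    for value in sig_values:
        sig = ET.SubElement(sec, f"{{{DS}}}Signature")
        ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = value
    ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), "{urn:example:bank}GetBalance")
    return ET.tostring(env, encoding="unicode")


def signature_values(envelope_xml: str) -> list[str]:
    """Requester side: record every SignatureValue that went out in the request."""
    root = ET.fromstring(envelope_xml)
    return [el.text.strip() for el in root.iter(f"{{{DS}}}SignatureValue")]


def build_response(request_xml: str, body_xml: str) -> str:
    """Responder side: echo each request SignatureValue in a
    wsse11:SignatureConfirmation. An unsigned request gets exactly one
    SignatureConfirmation with no Value attribute, as WS-Security 1.1 requires."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    values = signature_values(request_xml)
    if not values:
        ET.SubElement(sec, f"{{{WSSE11}}}SignatureConfirmation")
    for value in values:
        ET.SubElement(sec, f"{{{WSSE11}}}SignatureConfirmation", Value=value)
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def check_confirmations(sent_values: list[str], response_xml: str) -> bool:
    """Requester side: every signature we sent must be confirmed, nothing we did
    not send may be confirmed, and an unsigned request must be answered with a
    single valueless confirmation. Anything else means the response is rejected."""
    root = ET.fromstring(response_xml)
    got = [c.get("Value") for c in root.iter(f"{{{WSSE11}}}SignatureConfirmation")]
    if not sent_values:
        return got == [None]
    if any(v is None for v in got):
        return False
    return sorted(got) == sorted(sent_values)
```

In a real deployment the SignatureConfirmation elements must themselves be covered by the responder's signature; otherwise an intermediary could strip or rewrite them. The example above does not model that outer signature, only the matching logic the requester applies.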

Important: The wire format defined in the Web services security Version 1.0 specification differs from, and is not compatible with, the earlier drafts of the specification. An implementation that emits the wire format of an earlier draft cannot interoperate with an implementation of Web Services Security Version 1.0.

Support for pluggable security tokens has been available since WebSphere Application Server Version 5.0.2. In WebSphere Application Server Version 6.0.x and later, however, the pluggable architecture is enhanced to support the OASIS Web services security specifications and the security token profiles. WebSphere Application Server Version 6 and later include the following key enhancements:
  • Support for the client (sender or generator) to send multiple security tokens in a SOAP message.
  • Ability to derive keys from a security token for digital signature (verification) and encryption (decryption).
  • Support to sign or encrypt any element in a SOAP message, with some limitations. Encrypting certain parts of a message breaks the SOAP message format: for example, encrypting the SOAP Body element itself (rather than its content) leaves the envelope without a Body element, which is not a valid SOAP message. Encrypt the content of the Body instead.
  • Support for signing the SOAP envelope, the SOAP header, and the Web services security header.
  • Ability to configure the order of the digital signature and encryption.
  • Support for various mechanisms to reference the security tokens such as direct references, key identifiers, key names, and embedded references.
  • Support for the PKCS#7 format certificate revocation list (CRL) encoding for an X.509 security token.
  • Support for CRL verification.
  • Ability to insert nonce and time stamps into elements within the Web services security header, into signed elements, or into encrypted elements.
  • Support for identity assertion using the Run As (invocation) identity in the current security context for WebSphere Application Server.
  • Support for a default binding, which is a set of default Web services security bindings for applications.
  • Ability to use pluggable digital signature (verification) and encryption (decryption) algorithms.
  • Support for hardware cryptographic acceleration devices.
  • Support for secure keys.
  • Support for the Basic Security Profile (WS-I BSP).
  • Supports Web services security SOAP messages with an attachments profile (SwA).
  • New or updated for this feature pack Support for a new Web Services Security API programming model, which is based on an early JSR-183 draft.
  • New or updated for this feature pack Ability to provide attachments with Web services security SOAP messages by using the new MTOM and XOP standards.
  • New or updated for this feature pack Ability to use policy sets, which are assertions about how services are defined, to simplify your Web services Quality of Service configuration.
  • New or updated for this feature pack Support for a filter-based architecture for performance improvement.
  • New or updated for this feature pack Supports signature confirmation, in which the responder echoes the signature values of the request in its response so that the requester can verify that the response answers the request it actually sent; this strengthens XML digital signature protection at the message level.
  • New or updated for this feature pack Supports an encrypted header, which provides a standard way to encrypt a SOAP header block while remaining compliant with SOAP mustUnderstand processing and preventing disclosure of the information in the attributes of that header block.
  • New or updated for this feature pack Supports creating and authenticating a security token and using a security token reference (STR) with a key identifier and thumbprint in the <KeyInfo> element.
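The list item about encrypting the SOAP Body deserves a concrete illustration. The following added example (written for this page, not WebSphere code) shows the structural difference between encrypting the content of the Body (Type ...#Content, which keeps the Body element and replaces its children with xenc:EncryptedData) and encrypting the Body element itself (Type ...#Element, which removes the Body from the envelope). The EncryptedData is a placeholder whose CipherValue is merely the base64 of the plaintext, because the point is the shape of the resulting envelope rather than the cipher; the sample request is constructed.

```python
import base64
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"

# Constructed sample request; nothing in it comes from the original page.
REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}">
  <soapenv:Header/>
  <soapenv:Body>
    <GetBalance xmlns="urn:example:bank"><account>12345</account></GetBalance>
  </soapenv:Body>
</soapenv:Envelope>"""


def _placeholder_encrypted_data(plaintext: bytes, data_type: str) -> ET.Element:
    """Stand-in for xenc:EncryptedData. The CipherValue is only base64 of the
    plaintext, NOT encryption; the envelope structure is what is being shown."""
    enc = ET.Element(f"{{{XENC}}}EncryptedData", Type=data_type)
    cipher_data = ET.SubElement(enc, f"{{{XENC}}}CipherData")
    ET.SubElement(cipher_data, f"{{{XENC}}}CipherValue").text = base64.b64encode(plaintext).decode()
    return enc


def encrypt_body_content(envelope_xml: str) -> str:
    """Type=...#Content: the Body element stays; only its children are replaced."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP}}}Body")
    plaintext = b"".join(ET.tostring(child) for child in list(body))
    for child in list(body):
        body.remove(child)
    body.append(_placeholder_encrypted_data(plaintext, f"{XENC}Content"))
    return ET.tostring(root, encoding="unicode")


def encrypt_body_element(envelope_xml: str) -> str:
    """Type=...#Element: the Body element itself is replaced, which is exactly
    what the list item above warns against."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP}}}Body")
    position = list(root).index(body)
    root.remove(body)
    root.insert(position, _placeholder_encrypted_data(ET.tostring(body), f"{XENC}Element"))
    return ET.tostring(root, encoding="unicode")


def is_well_formed_soap11(envelope_xml: str) -> bool:
    """SOAP 1.1 envelope structure: an Envelope with a mandatory Body, optionally
    preceded by a Header. Anything else is rejected by a SOAP stack."""
    root = ET.fromstring(envelope_xml)
    if root.tag != f"{{{SOAP}}}Envelope":
        return False
    children = [child.tag for child in root]
    return children in ([f"{{{SOAP}}}Body"], [f"{{{SOAP}}}Header", f"{{{SOAP}}}Body"])
```

Running is_well_formed_soap11 over the two outputs shows that content encryption preserves a valid envelope while element encryption of the Body does not; the same check applies to the Envelope and Header elements, which must likewise never be encrypted as whole elements.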

For more information on some of these enhancements, see Web services security enhancements.

Configuration New or updated for this feature pack

In the Feature Pack for Web Services, WebSphere Application Server uses the policy set model for implementing the Web Services Security Version 1.1 specification, the Username token Version 1.1 profile, and the X.509 token Version 1.1 profile. Policy sets combine configuration settings, including those for transport and message level configuration, such as WS-Addressing, WS-ReliableMessaging, WS-SecureConversation, and WS-Security.

You can use the administrative console to configure the Web services security binding of a deployed application with Web services security constraints that are defined in the policy set.

For the X.509 Certificate Token Profile, one new type of security token reference is the Thumbprint reference, which you specify in the binding. WebSphere Application Server now supports creating and authenticating a security token by using a security token reference (STR) with a key identifier and a Thumbprint in the <KeyInfo> element. The Thumbprint key information type requires a keystore that holds the public and private key pair, rather than a shared key. To reference a certificate by its Thumbprint, specify the keyInfo type THUMBPRINT in the bindings.

For example, a decryption key can be referenced by means of the thumbprint of the associated certificate. The certificate itself is not included in the message. Instead, the <ds:KeyInfo> element contains a <wsse:SecurityTokenReference> element whose <wsse:KeyIdentifier> child carries the thumbprint, with its ValueType attribute set to http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1. The thumbprint is the SHA-1 digest of the DER-encoded certificate, base64-encoded, so the receiver can resolve the reference only if its keystore holds the matching certificate and private key.
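The following added example (written for this page, not WebSphere code) shows both sides of a Thumbprint reference: the sender builds the <ds:KeyInfo> with a ThumbprintSHA1 KeyIdentifier, and the receiver validates the reference and resolves it against a keystore indexed by thumbprint, returning no key for an unknown certificate or a KeyIdentifier of a different ValueType. The "certificates" are constructed byte strings standing in for DER-encoded certificates, and the Keystore class is a stand-in for the server keystore; the thumbprint computation itself (SHA-1 over the DER octets, base64-encoded) is the one the X.509 Token Profile 1.1 defines.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
THUMBPRINT_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def sha1_thumbprint(cert_der: bytes) -> str:
    """ThumbprintSHA1 value: SHA-1 over the raw DER octets of the certificate, base64-encoded."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode()


def build_key_info(cert_der: bytes) -> str:
    """Sender side: reference the certificate by thumbprint instead of embedding it."""
    key_info = ET.Element(f"{{{DS}}}KeyInfo")
    str_el = ET.SubElement(key_info, f"{{{WSSE}}}SecurityTokenReference")
    kid = ET.SubElement(str_el, f"{{{WSSE}}}KeyIdentifier",
                        ValueType=THUMBPRINT_SHA1, EncodingType=BASE64_BINARY)
    kid.text = sha1_thumbprint(cert_der)
    return ET.tostring(key_info, encoding="unicode")


class Keystore:
    """Stand-in for the server keystore: private keys indexed by certificate thumbprint."""

    def __init__(self, entries):
        # entries: iterable of (cert_der, private_key); private keys are opaque here
        self._by_thumbprint = {sha1_thumbprint(cert): key for cert, key in entries}

    def lookup(self, thumbprint: str):
        return self._by_thumbprint.get(thumbprint)


def resolve_decryption_key(key_info_xml: str, keystore: Keystore):
    """Receiver side: accept only a ThumbprintSHA1 KeyIdentifier, validate the
    encoding and digest length, then resolve it against the local keystore.
    Returns None for a malformed reference or for a certificate we do not hold."""
    key_info = ET.fromstring(key_info_xml)
    kid = key_info.find(f"{{{WSSE}}}SecurityTokenReference/{{{WSSE}}}KeyIdentifier")
    if kid is None or kid.get("ValueType") != THUMBPRINT_SHA1:
        return None
    if kid.get("EncodingType", BASE64_BINARY) != BASE64_BINARY:
        return None
    try:
        digest = base64.b64decode((kid.text or "").strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    if len(digest) != hashlib.sha1().digest_size:
        return None
    return keystore.lookup(base64.b64encode(digest).decode())


# Constructed stand-ins for DER-encoded certificates and their private keys.
CERT_A = b"constructed DER bytes standing in for certificate A"
CERT_B = b"constructed DER bytes standing in for certificate B"
KEYSTORE = Keystore([(CERT_A, "private-key-A"), (CERT_B, "private-key-B")])
```

Because the thumbprint identifies the certificate but carries no key material, the receiver must already hold the certificate and its private key; that is why the Thumbprint key information type requires a keystore with the key pair rather than a shared key, as stated above.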

To take advantage of implementations associated with the Web services security Version 1.1 specification, you must:
  • Ensure that your applications use the Java API for XML Web Services (JAX-WS) programming model.
  • Re-configure the Web services security constraints in the new policy set and binding format.
WebSphere Application Server provides the following tools that you can use to edit the policy set file and the binding file:
Rational Application Developer
You can use Rational Application Developer to develop Web services and to configure the policy set and the binding file for Web services security. Rational Application Developer also enables you to assemble both Web and Enterprise JavaBeans (EJB) modules.
Application Server Toolkit
You can use the Application Server Toolkit, the assembly tool for WebSphere Application Server, to specify the policy set and the binding file for Web services security.
WebSphere Application Server administrative console
You can use the administrative console to configure the Web services security binding of a deployed application with the Web services security constraints that are defined in the policy set.

Configuration

WebSphere Application Server uses the deployment model for implementing the Web services security Version 1.0 specification, the Username token Version 1.0 profile, and the X.509 token Version 1.0 profile. The deployment model is an extension of the Web services deployment model for Java 2 Platform, Enterprise Edition (J2EE). The Web services security constraints are defined in the IBM extension deployment descriptor and the binding file that is based on the Web service port.

The format of the deployment descriptor and the binding file is IBM proprietary and is not published. However, WebSphere Application Server provides the following tools that you can use to edit the deployment descriptor and the binding file:
Rational Application Developer
You can use Rational Application Developer to develop Web services and to configure the deployment descriptor and the binding file for Web services security. Rational Application Developer also enables you to assemble both Web and Enterprise JavaBeans (EJB) modules.
Application Server Toolkit
You can use the Application Server Toolkit, the assembly tool for WebSphere Application Server, to specify the deployment descriptor and the binding file for Web services security.
WebSphere Application Server administrative console
You can use the administrative console to configure the Web services security binding of a deployed application with the Web services security constraints that are defined in the deployment descriptor.

Important: The format of the deployment descriptor and the binding file for Web services security in WebSphere Application Server Version 6.0.x and later differs from that of Versions 5.0.2, 5.1, and 5.1.1. Web services security support in Versions 5.0.2, 5.1, and 5.1.1 is based on the Web services security draft 13 specification and the Username token draft 2 profile, and that draft-based support is deprecated. Applications that you configured using the Version 5.0.2, 5.1, and 5.1.1 deployment descriptor and binding file still work with WebSphere Application Server Version 6 and later, but they continue to emit SOAP message security in the draft 13 format. The Web services security deployment descriptor and binding file for Version 6.0.x and later are available only for J2EE Version 1.4 applications; therefore, the Web services security Version 1.0 specification is supported only for J2EE Version 1.4 applications.

To take advantage of implementations associated with the Web services security Version 1.0 specification, you must:
  • Migrate existing applications to J2EE Version 1.4
  • Re-configure the Web services security constraints in the new deployment descriptor and binding format

Important: Neither Rational Application Developer nor the Application Server Toolkit provides an automatic process for migrating the deployment descriptor and the binding file for Web services security from the Version 5.0.2, 5.1, and 5.1.1 format to the Version 6.0.x and later format. You must migrate the configuration manually.

The Web services security support in WebSphere Application Server Version 6.0 is based in part on the OASIS specification titled Web Services Security: X.509 Token Profile 1.0 plus the first errata (Errata 1.0).

In the first errata, the URIs for the X.509 token type and the X.509 Subject Key Identifier value type were modified. WebSphere Application Server Version 6.0 was based on these modified URIs. After WebSphere Application Server Version 6.0 shipped, the OASIS Technical Committee reversed those changes, reverting back to the original 1.0 profile URIs.

Interoperability problems can therefore occur between WebSphere Application Server Version 6.0 and other vendors' Web services products that are based on the current version of the profile. WebSphere Application Server Versions 6.0.2 and 6.0.1.2 were fixed to comply with the current version of the profile. If WebSphere Application Server Version 6.0 is used in a heterogeneous environment with other vendors' Web services products, upgrade the server to Version 6.0.1.2, 6.0.2, or later, or install a service fix that includes APAR PK03507.

What is not supported

Web service security is still fairly new and some of the standards are still being defined or standardized. The following functionality is not supported in WebSphere Application Server:

For information on what is supported for Web services security in WebSphere Application Server Version 6.0.x and later, see Supported functionality from OASIS specifications.




Subtopics
Web services security specification for Version 6 and later- a chronology
Supported functionality from OASIS specifications
Web services security enhancements
Related concepts
Basic Security Profile compliance tips
XML token
Related tasks
Managing policy sets using the administrative console
Securing Web services applications using JAX-RPC at the message level


Last updated: Nov 25, 2008 2:35:59 AM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.wsfep.multiplatform.doc/info/ae/ae/cwbs_welcwebsvcsec.html