WebSphere Application Server Version 6.1 Feature Pack for Web Services
             Operating Systems: AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS

             Personalize the table of contents and search results
             New or updated topic for this feature pack

Web Services Secure Conversation

Web Services Secure Conversation (WS-SecureConversation) provides a secured session for long running message exchanges and leveraging of the symmetric cryptographic algorithm.

WS-SecureConversation provides session-based security. Session-based security optimizes long message exchanges, as symmetric cryptography can be used to sign and encrypt the message. Typically, symmetric cryptographic algorithm is less CPU intensive than the asymmetric cryptography. Symmetric cryptographic algorithms should provide better performance and throughput when compared to the asymmetric cryptographic algorithms.

The symmetric cryptographic algorithm also provides a means to secure other session-based protocol and exchange patterns, such as Web Services Reliable Messaging (WS-ReliableMessaging).

Security context token for secure conversation

The Web Services Security specification defines the basic mechanisms for providing secure messaging. The Web Services Trust (WS-Trust) specification defines extensions to Web Services Security that provide ways to establish and broker trust relationships between two parties. The WS-Trust protocol defines the syntax of the request that can be sent to a security token service and the corresponding or subsequent response of the security token service. The security token service provided with WebSphere Application Server is called the trust service.

Using the WS-Trust protocol, a party can request the trust service issue a security context token (SCT). Then, this token can be used to establish a secure conversation (WS-SecureConversation). The request for a security token is sent to an application endpoint. The request is intercepted by the Websphere Application Server and routed to the trust service.

A policy can be defined as the default for all trust issue operations, renew operations, validate operations, or cancel operations. Additionally, a policy can be attached to a specific URL and operation pair.

WS-SecureConversation defines extensions to allow security context establishment and sharing, and session key derivation, which allows contexts to be established and potentially more efficient keys or new key material to be exchanged. The WebSphere Application Server support for WS-Trust and WS-SecureConversation focuses on the issuing, renewing, validating, and cancelling of the security context token for secure conversation.

Policy set and bootstrap policy

In addition to describing the functions, the OASIS WS-SecureConversation draft submission describes the multiple ways of establishing a secure session between the initiator and the recipient of the SOAP messages.

The bootstrap security policy is the security policy for the initiating party to acquire the security token for secure conversation from the trust service by using a token-issuing WS-Trust or WS-SecureConversation protocol message. The policy set configuration consists of the security policy for communication with the application service and the bootstrap policy for communication with the trust service.

What is supported for Web Services Secure Conversation

The following list highlights some of the key functions that are supported in WebSphere Application Server. The list is not exhaustive.
  • A security context token (SCT) established between the initiating party and the recipient party.
  • The WS-SecureConversation operations that are supported on the security context token (SCT), such as Issue token, Renew token, and Cancel token. Validate token is supported using WS-Trust protocol.
  • A derived key (explicit and implied)

What is not supported for Web Services Secure Conversation

The following list highlights some of the key functions that are not supported in WebSphere Application Server. The list is not exhaustive.

Secure conversation scenarios

The following scenarios describe the WS-SecureConversation functions that WebSphere Application Server supports:
  • WS-SecureConversation

    This scenario is based on establishing a security context token with the recipient and using the derived key to sign and encrypt the message. It describes how to establish a security context by using session-based security. Session-based security is where the flow of the initiator establishes the security context token by using the WS-SecureConversation protocol with the recipient.

  • WS-SecureConversation with WS-ReliableMessaging

    This scenario is a composite scenario that includes functions that are required for the composition scenario of Web Services Reliable Messaging (WS-ReliableMessaging), WS-SecureConversation, and WS-Trust. This scenario describes how to use WS-SecureConversation with WS-ReliableMessaging where the flow is similar to the previous scenario, but which is from the secure conversation prospective. However, the main difference is that the WS-ReliableMessaging sequence is secured with the security context token and scopes the WS-ReliableMessaging sequence to the security context token. This description focuses on the message exchanges that are using the security context token in the overall flow.




Related concepts
Trust service
Interoperation with other WS-ReliableMessaging providers: use pattern
Related tasks
Enabling secure conversation
Related reference
Example: Establishing a security context token to secure a secure conversation
Example: Establishing a security context token to secure reliable messaging
Related information
Web Services Secure Conversation Language specification
Concept topic    

Terms of Use | Feedback

Last updated: Nov 25, 2008 2:35:59 AM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.wsfep.multiplatform.doc/info/ae/ae/cwbs_wssecureconv.html