Security header
- @S11:actor (for an intermediary)
- @S11:mustUnderstand
Security tokens
- Username token (user name and password)
- Binary security token (X.509 and Lightweight Third Party Authentication (LTPA))
- Custom token
Token references
- Direct reference
- Key identifier
- Key name
- Embedded reference
Signature algorithms
- Digest
  - SHA1: http://www.w3.org/2000/09/xmldsig#sha1
  - SHA256: http://www.w3.org/2001/04/xmlenc#sha256
  - SHA512: http://www.w3.org/2001/04/xmlenc#sha512
- MAC
  - HMAC-SHA1: http://www.w3.org/2000/09/xmldsig#hmac-sha1
- Signature
  - DSA with SHA1: http://www.w3.org/2000/09/xmldsig#dsa-sha1
    Do not use this algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP).
  - RSA with SHA1: http://www.w3.org/2000/09/xmldsig#rsa-sha1
- Canonicalization
  - Canonical XML (with comments): http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
  - Canonical XML (without comments): http://www.w3.org/TR/2001/REC-xml-c14n-20010315
  - Exclusive XML canonicalization (with comments): http://www.w3.org/2001/10/xml-exc-c14n#WithComments
  - Exclusive XML canonicalization (without comments): http://www.w3.org/2001/10/xml-exc-c14n#
- Transform
  - STR transform: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
  - XPath: http://www.w3.org/TR/1999/REC-xpath-19991116
    Do not use the original XPath transform if you want your configured application to be in compliance with the Basic Security Profile (BSP). Note: When referring to an element in a SECURE_ENVELOPE that does not carry an attribute of type ID from a ds:Reference in a SIGNATURE, you must use the XPath Filter 2.0 transform, http://www.w3.org/2002/06/xmldsig-filter2.
  - Enveloped signature: http://www.w3.org/2000/09/xmldsig#enveloped-signature
  - XPath Filter 2: http://www.w3.org/2002/06/xmldsig-filter2
    Note: When referring to an element in a SECURE_ENVELOPE that does not carry an attribute of type ID from a ds:Reference in a SIGNATURE, you must use the XPath Filter 2.0 transform, http://www.w3.org/2002/06/xmldsig-filter2.
  - Decryption transform: http://www.w3.org/2002/07/decrypt#XML
Signature signed parts
Encryption algorithms
Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, you must check the laws of your country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.
- Data encryption
  - Triple DES in CBC: http://www.w3.org/2001/04/xmlenc#tripledes-cbc
  - AES128 in CBC: http://www.w3.org/2001/04/xmlenc#aes128-cbc
  - AES192 in CBC: http://www.w3.org/2001/04/xmlenc#aes192-cbc
    This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts. Do not use the 192-bit data encryption algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP).
  - AES256 in CBC: http://www.w3.org/2001/04/xmlenc#aes256-cbc
    This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.
- Key encryption
  - Key transport (public key cryptography)
    - http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
      Note:
      - When running with Software Development Kit (SDK) Version 1.4, the list of supported key transport algorithms does not include this one. This algorithm appears in the list of supported key transport algorithms when running with SDK Version 1.5.
      - The Federal Information Processing Standard (FIPS)-compliant Java cryptography engine does not support this transport algorithm.
    - RSA Version 1.5: http://www.w3.org/2001/04/xmlenc#rsa-1_5
  - Symmetric key wrap (private key cryptography)
    - Triple DES key wrap: http://www.w3.org/2001/04/xmlenc#kw-tripledes
    - AES key wrap (aes128): http://www.w3.org/2001/04/xmlenc#kw-aes128
    - AES key wrap (aes192): http://www.w3.org/2001/04/xmlenc#kw-aes192
      This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts. Do not use this 192-bit algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP).
    - AES key wrap (aes256): http://www.w3.org/2001/04/xmlenc#kw-aes256
      This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.
- Manifests (xenc is the namespace prefix of http://www.w3.org/TR/xmlenc-core)
  - xenc:ReferenceList
  - xenc:EncryptedKey
Advanced Encryption Standard (AES) is designed to provide stronger encryption and better performance for symmetric key encryption than Triple DES (Data Encryption Standard). Therefore, it is recommended that you use AES, if possible, for symmetric key encryption.
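The notes in the signature and encryption lists above amount to a small policy: every Algorithm URI in a Web services security header should be one the table lists, the DSA-SHA1, original XPath and 192-bit AES entries should be absent when BSP compliance is wanted, and a ds:Reference to an element that has no ID attribute should select it with the XPath Filter 2.0 transform. The following Python audit applies that policy to a SOAP envelope. It is an added example written for this page, not WebSphere Application Server code: the envelope is constructed (digest, signature and cipher values are placeholders), the canonicalization URIs are also accepted as transforms because XML Signature permits that use, and treating any non-fragment Reference URI as a reference to an element without an ID attribute is this example's reading of the table's note.

```python
# Audit the Algorithm URIs in a WS-Security header against the algorithm table above.
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#", "xenc": "http://www.w3.org/2001/04/xmlenc#"}
DSIG, XENC = NS["ds"], NS["xenc"]
XPATH1 = "http://www.w3.org/TR/1999/REC-xpath-19991116"
XPATH_FILTER2 = "http://www.w3.org/2002/06/xmldsig-filter2"

# Algorithm URIs exactly as listed in the table, grouped by the element that carries them.
DIGEST = {DSIG + "sha1", XENC + "sha256", XENC + "sha512"}
SIGNATURE = {DSIG + "hmac-sha1", DSIG + "dsa-sha1", DSIG + "rsa-sha1"}
C14N = {"http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
        "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
        "http://www.w3.org/2001/10/xml-exc-c14n#", "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"}
# XML Signature also allows canonicalization algorithms as transforms, so C14N is folded in here.
TRANSFORM = {"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform",
             XPATH1, XPATH_FILTER2, DSIG + "enveloped-signature", "http://www.w3.org/2002/07/decrypt#XML"} | C14N
DATA_ENC = {XENC + a for a in ("tripledes-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc")}
KEY_ENC = {XENC + a for a in ("rsa-oaep-mgf1p", "rsa-1_5", "kw-tripledes", "kw-aes128", "kw-aes192", "kw-aes256")}
# Entries the table says not to use when Basic Security Profile (BSP) compliance is wanted.
NOT_BSP = {DSIG + "dsa-sha1": "DSA with SHA1", XPATH1: "original XPath transform",
           XENC + "aes192-cbc": "AES192 data encryption", XENC + "kw-aes192": "AES192 key wrap"}


def _check(findings, where, uri, allowed):
    """Record a URI that is absent from the table, or present but flagged as non-BSP."""
    if uri not in allowed:
        findings.append(("not-in-table", where, uri))
    elif uri in NOT_BSP:
        findings.append(("not-bsp", where, NOT_BSP[uri]))


def audit_security_header(envelope_xml):
    """Return a list of (kind, location, detail) findings for one SOAP envelope; [] means clean."""
    root = ET.fromstring(envelope_xml)
    findings = []
    for signed_info in root.iterfind(".//ds:Signature/ds:SignedInfo", NS):
        _check(findings, "CanonicalizationMethod",
               signed_info.find("ds:CanonicalizationMethod", NS).get("Algorithm"), C14N)
        _check(findings, "SignatureMethod",
               signed_info.find("ds:SignatureMethod", NS).get("Algorithm"), SIGNATURE)
        for ref in signed_info.iterfind("ds:Reference", NS):
            uri = ref.get("URI", "")
            transforms = [t.get("Algorithm") for t in ref.iterfind("ds:Transforms/ds:Transform", NS)]
            for algorithm in transforms:
                _check(findings, f"Transform in Reference URI={uri!r}", algorithm, TRANSFORM)
            _check(findings, "DigestMethod", ref.find("ds:DigestMethod", NS).get("Algorithm"), DIGEST)
            # Table note: a Reference to an element without an ID attribute must use XPath Filter 2.0.
            # Assumed reading: a Reference whose URI is not a "#id" fragment is such a reference.
            if not uri.startswith("#") and XPATH_FILTER2 not in transforms:
                findings.append(("filter2-required", f"Reference URI={uri!r}",
                                 "must use the XPath Filter 2.0 transform"))
    for method in root.iterfind(".//xenc:EncryptedKey/xenc:EncryptionMethod", NS):
        _check(findings, "EncryptedKey/EncryptionMethod", method.get("Algorithm"), KEY_ENC)
    for method in root.iterfind(".//xenc:EncryptedData/xenc:EncryptionMethod", NS):
        _check(findings, "EncryptedData/EncryptionMethod", method.get("Algorithm"), DATA_ENC)
    return findings


# Constructed sample message for this example; digest, signature and cipher values are placeholders.
SAMPLE_ENVELOPE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
 <soapenv:Header><wsse:Security soapenv:mustUnderstand="1">
  <xenc:EncryptedKey>
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
   <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
   <xenc:ReferenceList><xenc:DataReference URI="#enc-body"/></xenc:ReferenceList>
  </xenc:EncryptedKey>
  <ds:Signature><ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
   <ds:Reference URI="#body">
    <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>AAAA</ds:DigestValue>
   </ds:Reference>
   <ds:Reference URI="">
    <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"/></ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>AAAA</ds:DigestValue>
   </ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
 </wsse:Security></soapenv:Header>
 <soapenv:Body wsu:Id="body">
  <xenc:EncryptedData Id="enc-body" Type="http://www.w3.org/2001/04/xmlenc#Content">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
   <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    for kind, where, detail in audit_security_header(SAMPLE_ENVELOPE):
        print(f"{kind:17} {where}: {detail}")
```

Run against the sample, the audit reports five findings: the DSA-SHA1 signature method, the original XPath transform and the AES192 data encryption are the three entries the table marks as non-BSP, the fragment-less Reference is missing the XPath Filter 2.0 transform, and the XML Encryption 1.1 RSA-OAEP URI on the EncryptedKey is not in the table at all. Swapping each of those for its listed counterpart brings the finding list to empty.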
Encryption message parts
- WebSphere Application Server keywords
  - bodycontent, which is used to encrypt the SOAP body content
  - usernametoken, which is used to encrypt the username token
  - digestvalue, which is used to encrypt the digest value of the digital signature
  - signature, which is used to encrypt the entire digital signature
  - wscontextcontent, which encrypts the content in the WS-Context header for the SOAP header. See the additional information about how to propagate the work area context over Web services.
- XPath expression to select the XML element in the SOAP message
- XML elements
- XML element contents
Time stamp
- Within the Web services security header
- WebSphere Application Server is extended to allow you to insert time stamps into other elements so that the age of those elements can be determined.
Error handling
- SOAP faults