Web services security for WebSphere Application Server is based on standards included in the Web services security (WS-Security) specification. These standards address how to provide protection for messages exchanged in a Web service environment.
The specification defines the core facilities for protecting the integrity and confidentiality of a message and provides mechanisms for associating security-related claims with the message. Web services security is a message-level standard based on securing SOAP messages through XML digital signature, confidentiality through XML encryption, and credential propagation through security tokens.
Use the deprecated "Securing Apache SOAP Web services" topics in the WebSphere Application Server, Version 5 documentation if you are still using Apache SOAP Version 2.3.
To secure Web services, you must consider a broad set of security requirements, including authentication, authorization, privacy, trust, integrity, confidentiality, secure communications channels, federation, delegation, and auditing across a spectrum of application and business topologies. One of the key requirements for the security model in today's business environment is the ability to inter-operate between formerly incompatible security technologies, such as public key infrastructure and Kerberos in heterogeneous environments like Microsoft .NET and environments that are based on the Java 2 Platform, Enterprise Edition (J2EE) standards. The complete Web services security protocol stack and technology roadmap is described in Security in a Web Services World: A Proposed Architecture and Roadmap.
Specification: Web Services Security (WS-Security) proposes a standard set of SOAP extensions that you can use to build secure Web services. These standards confirm integrity and confidentiality, which are generally provided with digital signature and encryption technologies. In addition, Web services security provides a general purpose mechanism for associating security tokens with messages. A typical example of the security token is a user name and password token, in which a user name and password are included as text. Web services security defines how to encode binary security tokens using methods such as X.509 certificates and Kerberos tickets.
To establish a secured environment and to enforce constraints for Web services security, you must perform a Java Naming and Directory Interface (JNDI) lookup on the client to resolve the service reference.
An administrator can use any of the following methods to integrate message-level security into a WebSphere Application Server environment:
Default binding (server level)
A sample configuration
The following examples demonstrate what IBM deployment descriptor extensions and bindings can do. The unnecessary information was removed from the examples to improve clarity. Do not copy and paste these examples into your application deployment descriptors or bindings. These examples serve as reference only and are not representative of the recommended configuration.
For the response, the SOAP body and time stamp are signed, the body content is encrypted, and the SOAP message freshness is checked using the time stamp. The freshness of the message indicates whether the message complies with predefined time constraints.
The request sender and the request receiver are a pair. Similarly, the response sender and the response receiver are a pair.Client-side IBM deployment descriptor extension
The client-side IBM deployment descriptor extension describes the following constraints:
Example 1: Sample client IBM deployment descriptor extension
<?xml version="1.0" encoding="UTF-8"?> <com.ibm.etools.webservice.wscext:WsClientExtension xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:com.ibm.etools.webservice.wscext= http://www.ibm.com/websphere/appserver/schemas/5.0.2/wscext.xmi"> <serviceRefs serviceRefLink="service/myServ"> <portQnameBindings portQnameLocalNameLink="Port1"> <clientServiceConfig actorURI="myActorURI"> <securityRequestSenderServiceConfig actor="myActorURI"> <integrity> <references part="body"/> <references part="timestamp"/> <references part="securitytoken"/> </integrity> <confidentiality> <confidentialParts part="bodycontent"/> <confidentialParts part="usernametoken"/> </confidentiality> <loginConfig authMethod="BasicAuth"/> <addCreatedTimeStamp flag="true" expires="PT3M"/> </securityRequestSenderServiceConfig> <securityResponseReceiverServiceConfig> <requiredIntegrity> <references part="body"/> <references part="timestamp"/> </requiredIntegrity> <requiredConfidentiality> <confidentialParts part="bodycontent"/> </requiredConfidentiality> <addReceivedTimeStamp flag="true"/> </securityResponseReceiverServiceConfig> </clientServiceConfig> </portQnameBindings> </serviceRefs> </com.ibm.etools.webservice.wscext:WsClientExtension>
Client-side IBM extension bindings
Example 2 shows the client-side IBM extension binding for the security constraints described previously in the discussion on client-side IBM deployment descriptor extensions.
The signer key and encryption (decryption) key for the message can be obtained from the keystore key locator implementation (com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator). The signer key is used for encrypting the response. The sample is configured to use the Java Certification Path API to validate the certificate path of the signer of the digital signature. The user name token (basic authentication) data is collected from the standard in (stdin) prompts using one of the default JAAS implementations :javax.security.auth.callback.CallbackHandler implementation (com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler).
Example 2: Sample client IBM extension binding
<?xml version="1.0" encoding="UTF-8"?> <com.ibm.etools.webservice.wscbnd:ClientBinding xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:com.ibm.etools.webservice.wscbnd= "http://www.ibm.com/websphere/appserver/schemas/5.0.2/wscbnd.xmi"> <serviceRefs serviceRefLink="service/MyServ"> <portQnameBindings portQnameLocalNameLink="Port1"> <securityRequestSenderBindingConfig> <signingInfo> <signatureMethod algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <signingKey name="clientsignerkey" locatorRef="SampleClientSignerKey"/> <canonicalizationMethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <digestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> </signingInfo> <keyLocators name="SampleClientSignerKey" classname= "com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator"> <keyStore storepass="{xor}PDM2OjEr" path= "$${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks" type="JKS"/> <keys alias="soaprequester" keypass="{xor}PDM2OjEr" name="clientsignerkey"/> </keyLocators> <encryptionInfo name="EncInfo1"> <encryptionKey name="CN=Bob, O=IBM, C=US" locatorRef= "SampleSenderEncryptionKeyLocator"/> <encryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/> <keyEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/> </encryptionInfo> <keyLocators name="SampleSenderEncryptionKeyLocator" classname= "com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator"> <keyStore storepass="{xor}LCswLTovPiws" path= "$${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks" type="JCEKS"/> <keys alias="Group1" keypass="{xor}NDomLz4sLA==" name="CN=Group1"/> </keyLocators> <loginBinding authMethod="BasicAuth" callbackHandler= "com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler"/> </securityRequestSenderBindingConfig> <securityResponseReceiverBindingConfig> <signingInfos> <signatureMethod algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <certPathSettings> <trustAnchorRef ref="SampleClientTrustAnchor"/> <certStoreRef ref="SampleCollectionCertStore"/> </certPathSettings> <canonicalizationMethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <digestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> </signingInfos> <trustAnchors name="SampleClientTrustAnchor"> <keyStore storepass="{xor}PDM2OjEr" path= "$${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks" type="JKS"/> </trustAnchors> <certStoreList> <collectionCertStores provider="IBMCertPath" name="SampleCollectionCertStore"> <x509Certificates path="$${USER_INSTALL_ROOT}/etc/ws-security/samples/intca2.cer"/> </collectionCertStores> </certStoreList> <encryptionInfos name="EncInfo2"> <encryptionKey locatorRef="SampleReceiverEncryptionKeyLocator"/> <encryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/> <keyEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/> </encryptionInfos> <keyLocators name="SampleReceiverEncryptionKeyLocator" classname= "com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator"> <keyStore storepass="{xor}PDM2OjEr" path= "$${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks" type="JKS"/> <keys alias="soaprequester" keypass="{xor}PDM2OjEr" name="clientsignerkey"/> </keyLocators> </securityResponseReceiverBindingConfig> </portQnameBindings> </serviceRefs> </com.ibm.etools.webservice.wscbnd:ClientBinding>
Server-side IBM deployment descriptor extension
The client-side IBM deployment descriptor extension describes the following constraints:
Example 3: Sample server IBM deployment descriptor extension
<?xml version="1.0" encoding="UTF-8"?> <com.ibm.etools.webservice.wsext:WsExtension xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:com.ibm.etools.webservice.wsext= http://www.ibm.com/websphere/appserver/schemas/5.0.2/wsext.xmi"> <wsDescExt wsDescNameLink="MyServ"> <pcBinding pcNameLink="Port1"> <serverServiceConfig actorURI="myActorURI"> <securityRequestReceiverServiceConfig> <requiredIntegrity> <references part="body"/> <references part="timestamp"/> <references part="securitytoken"/> </requiredIntegrity> <requiredConfidentiality"> <confidentialParts part="bodycontent"/> <confidentialParts part="usernametoken"/> </requiredConfidentiality> <loginConfig> <authMethods text="BasicAuth"/> </loginConfig> <addReceivedTimestamp flag="true"/> </securityRequestReceiverServiceConfig> <securityResponseSenderServiceConfig actor="myActorURI"> <integrity> <references part="body"/> <references part="timestamp"/> </integrity> <confidentiality> <confidentialParts part="bodycontent"/> </confidentiality> <addCreatedTimestamp flag="true" expires="PT3M"/> </securityResponseSenderServiceConfig> </serverServiceConfig> </pcBinding> </wsDescExt> </com.ibm.etools.webservice.wsext:WsExtension>
Server-side IBM extension bindings
For example, request receiver is referencing the SampleCollectionCertStore certification store and the SampleServerTrustAnchor trust store is defined in the default binding. However, the encryption information in the request receiver is referencing a SampleReceiverEncryptionKeyLocator key locator defined in the application-level binding (the same ibm-webservices-bnd.xmi file). The response sender is configured to use the signer key of the digital signature of the request to encrypt the response using one of the default key locator (com.ibm.wsspi.wssecurity.config.CertInRequestKeyLocator) implementations.
Example 4: Sample server IBM extension binding
<?xml version="1.0" encoding="UTF-8"?> <com.ibm.etools.webservice.wsbnd:WSBinding xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:com.ibm.etools.webservice.wsbnd= http://www.ibm.com/websphere/appserver/schemas/5.0.2/wsbnd.xmi"> <wsdescBindings wsDescNameLink="MyServ"> <pcBindings pcNameLink="Port1" scope="Session"> <securityRequestReceiverBindingConfig> <signingInfos> <signatureMethod algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <certPathSettings> <trustAnchorRef ref="SampleServerTrustAnchor"/> <certStoreRef ref="SampleCollectionCertStore"/> </certPathSettings> <canonicalizationMethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <digestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> </signingInfos> <encryptionInfos name="EncInfo1"> <encryptionKey locatorRef="SampleReceiverEncryptionKeyLocator"/> <encryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/> <keyEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/> </encryptionInfos> <keyLocators name="SampleReceiverEncryptionKeyLocator" classname= "com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator"> <keyStore storepass="{xor}LCswLTovPiws" path="$${USER_INSTALL_ROOT}/ etc/ws-security/samples/enc-receiver.jceks" type="JCEKS"/> <keys alias="Group1" keypass="{xor}NDomLz4sLA==" name="CN=Group1"/> <keys alias="bob" keypass="{xor}NDomLz4sLA==" name="CN=Bob, O=IBM, C=US"/> </keyLocators> </securityRequestReceiverBindingConfig> <securityResponseSenderBindingConfig> <signingInfo> <signatureMethod algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <signingKey name="serversignerkey" locatorRef="SampleServerSignerKey"/> <canonicalizationMethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <digestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> </signingInfo> <encryptionInfo name="EncInfo2"> <encryptionKey locatorRef="SignerKeyLocator"/> <encryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/> <keyEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/> </encryptionInfo> <keyLocators name="SignerKeyLocator" classname= "com.ibm.wsspi.wssecurity.config.CertInRequestKeyLocator"/> </securityResponseSenderBindingConfig> </pcBindings> </wsdescBindings> <routerModules transport="http" name="StockQuote.war"/> </com.ibm.etools.webservice.wsbnd:WSBinding>
In this information ...Subtopics
Related tasks
Related reference
| IBM Redbooks, demos, education, and more(Index) |