Supported functionality from OASIS specifications

WebSphere Application Server supports the Organization for the Advancement of Structured Information (OASIS) Web Services Security (WS-Security) specifications.

WebSphere Application Server supports the following OASIS Web Services Security Version 1.0 specifications.

New or updated for this feature pack: in IBM WebSphere Application Server Version 6.1 Feature Pack for Web Services, support for these OASIS standards has been updated to the latest versions of the Web Services Security (WS-Security) specifications and token profiles. Web Services Security Version 1.1 adds signature confirmation (a responder can prove to the requester that it processed the requester's signature), a standard way of encrypting SOAP headers, and the features required by interoperability scenarios that depend on Web Services Security Version 1.1.

OASIS: Web Services Security SOAP Message Security 1.0

The following list shows the aspects of the OASIS: Web Services Security: SOAP Message Security 1.0 specification that are supported in WebSphere Application Server Versions 6 and later.

Supported topic: specific aspect that is supported
Security header
  • @S11:actor (for an intermediary)
  • @S11:mustUnderstand

    S11 is the namespace prefix of http://schemas.xmlsoap.org/soap/envelope/ (SOAP 1.1)
Security tokens
  • Username token (user name and password)
  • Binary security token (X.509 and Lightweight Third Party Authentication (LTPA))
  • Custom token
    • Other binary security token
    • XML token
      Note: WebSphere Application Server does not provide an XML token implementation, but you can supply one through the plug-in point.
Token references
  • Direct reference
  • Key identifier
  • Key name
  • Embedded reference
Signature algorithms
  • Digest
    SHA1
    http://www.w3.org/2000/09/xmldsig#sha1
    SHA256
    http://www.w3.org/2001/04/xmlenc#sha256
    SHA512
    http://www.w3.org/2001/04/xmlenc#sha512
  • MAC
    HMAC-SHA1
    http://www.w3.org/2000/09/xmldsig#hmac-sha1
  • Signature
    DSA with SHA1
    http://www.w3.org/2000/09/xmldsig#dsa-sha1

    Do not use this algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP).

    RSA with SHA1
    http://www.w3.org/2000/09/xmldsig#rsa-sha1
  • Canonicalization
    Canonical XML (with comments)
    http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
    Canonical XML (without comments)
    http://www.w3.org/TR/2001/REC-xml-c14n-20010315
    Exclusive XML canonicalization (with comments)
    http://www.w3.org/2001/10/xml-exc-c14n#WithComments
    Exclusive XML canonicalization (without comments)
    http://www.w3.org/2001/10/xml-exc-c14n#
  • Transform
    STR transform
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
    XPath
    http://www.w3.org/TR/1999/REC-xpath-19991116
    Do not use the original XPath transform if you want your configured application to be in compliance with the Basic Security Profile (BSP).
    Note: When a ds:Reference in a SIGNATURE refers to an element in a SECURE_ENVELOPE that does not carry an attribute of type ID, you must use the XPath Filter 2.0 transform, http://www.w3.org/2002/06/xmldsig-filter2, rather than the original XPath transform.
    Enveloped signature
    http://www.w3.org/2000/09/xmldsig#enveloped-signature
    XPath Filter2
    http://www.w3.org/2002/06/xmldsig-filter2
    Note: Required when a ds:Reference in a SIGNATURE refers to an element in a SECURE_ENVELOPE that does not carry an attribute of type ID.
    Decryption transform
    http://www.w3.org/2002/07/decrypt#XML
Signature signed parts
  • WebSphere Application Server key words:
    • body, which signs the SOAP message body
    • timestamp, which signs all of the time stamps
    • securitytoken, which signs all of the security tokens
    • dsigkey, which signs the signing key
    • enckey, which signs the encryption key
    • messageid, which signs the wsa:MessageID element in WS-Addressing
    • to, which signs the wsa:To element in WS-Addressing
    • action, which signs the wsa:Action element in WS-Addressing
    • relatesto, which signs the wsa:RelatesTo element in WS-Addressing

      wsa is the namespace prefix of http://schemas.xmlsoap.org/ws/2004/08/addressing

    • wscontext, which signs the WS-Context header in the SOAP header. See the information about how to propagate the work area context over Web services.
    • wsafrom, which signs the wsa:From WS-Addressing element in the SOAP header
    • wsareplyto, which signs the wsa:ReplyTo WS-Addressing element in the SOAP header
    • wsafaultto, which signs the wsa:FaultTo WS-Addressing element in the SOAP header
    • wsaall, which signs all of the WS-Addressing elements in the SOAP header
  • XPath expression to select an XML element in a SOAP message. For more information, see http://www.w3.org/TR/1999/REC-xpath-19991116.
Encryption algorithms
Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, you must check the laws of your country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.
  • Data encryption
    • Triple DES in CBC: http://www.w3.org/2001/04/xmlenc#tripledes-cbc
    • AES128 in CBC: http://www.w3.org/2001/04/xmlenc#aes128-cbc
    • AES192 in CBC: http://www.w3.org/2001/04/xmlenc#aes192-cbc

      This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.

      Do not use the 192-bit data encryption algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP).

    • AES256 in CBC: http://www.w3.org/2001/04/xmlenc#aes256-cbc

      This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.

  • Key encryption
    • Key transport (public key cryptography)
      • RSA-OAEP: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
        Note:
        • When running with Software Development Kit (SDK) Version 1.4, this algorithm is not in the list of supported key transport algorithms. It appears in the list when running with SDK Version 1.5.
        • The Federal Information Processing Standard (FIPS)-compliant Java cryptography engine does not support this key transport algorithm.
      • RSA Version 1.5: http://www.w3.org/2001/04/xmlenc#rsa-1_5
    • Symmetric key wrap (secret key cryptography)
      • Triple DES key wrap: http://www.w3.org/2001/04/xmlenc#kw-tripledes
      • AES key wrap (aes128): http://www.w3.org/2001/04/xmlenc#kw-aes128
      • AES key wrap (aes192): http://www.w3.org/2001/04/xmlenc#kw-aes192

        This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.

        Do not use the 192-bit key wrap algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP).

      • AES key wrap (aes256): http://www.w3.org/2001/04/xmlenc#kw-aes256

        This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.

  • Manifests (xenc is the namespace prefix of http://www.w3.org/2001/04/xmlenc#, defined by XML Encryption Syntax and Processing, http://www.w3.org/TR/xmlenc-core)
    • xenc:ReferenceList
    • xenc:EncryptedKey

Advanced Encryption Standard (AES) was designed to give stronger security and better performance for symmetric key encryption than Triple DES (Data Encryption Standard). Therefore, use AES for symmetric key encryption whenever possible.

Encryption message parts
  • WebSphere Application Server keywords
    • bodycontent, which is used to encrypt the SOAP body content
    • usernametoken, which is used to encrypt the username token
    • digestvalue, which is used to encrypt the digest value of the digital signature
    • signature, which is used to encrypt the entire digital signature
    • wscontextcontent, which encrypts the content of the WS-Context header in the SOAP header. See the information about how to propagate the work area context over Web services.
  • XPath expression to select the XML element in the SOAP message
    • XML elements
    • XML element contents
Time stamp
  • Within Web services security header
  • WebSphere Application Server is extended to allow you to insert time stamps into other elements so that the age of those elements can be determined.
Error handling
  • SOAP faults
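
Checking a message against these lists, as an added example that is not part of the original page or of WebSphere's own code: the Python script below audits the algorithm URIs in a SOAP message's ds:Signature, xenc:EncryptedKey and xenc:EncryptedData elements against the signature algorithms and encryption algorithms listed above, flags the ones the page says to avoid for Basic Security Profile compliance (DSA with SHA1, the original XPath transform, 192-bit AES), and applies the note that a ds:Reference to an element without an ID attribute must use XPath Filter 2.0. The sample envelope with its digest, cipher and signature values is constructed for the example, and accepting the canonicalization URIs as ds:Transform algorithms (which XML Signature permits) is an assumption beyond the page's own transform list.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"ds": DS, "xenc": XENC, "wsse": WSSE, "wsu": WSU}
XPATH1 = "http://www.w3.org/TR/1999/REC-xpath-19991116"
XPATH2 = "http://www.w3.org/2002/06/xmldsig-filter2"
STR_TRANSFORM = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"
C14N = {"http://www.w3.org/TR/2001/REC-xml-c14n-20010315", "http://www.w3.org/2001/10/xml-exc-c14n#",
        "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
        "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"}

# Algorithm URIs taken from the supported-functionality lists above.
SUPPORTED = {
    "digest": {DS + "sha1", XENC + "sha256", XENC + "sha512"},
    "signature": {DS + "hmac-sha1", DS + "dsa-sha1", DS + "rsa-sha1"},
    "c14n": C14N,
    # Assumption: canonicalization URIs are also accepted as ds:Transform algorithms
    # (XML Signature allows this); the page's own transform list does not name them.
    "transform": C14N | {STR_TRANSFORM, XPATH1, XPATH2, DS + "enveloped-signature",
                         "http://www.w3.org/2002/07/decrypt#XML"},
    "data_enc": {XENC + a for a in ("tripledes-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc")},
    "key_enc": {XENC + a for a in ("rsa-oaep-mgf1p", "rsa-1_5", "kw-tripledes",
                                   "kw-aes128", "kw-aes192", "kw-aes256")},
}
# Supported, but the page says not to use them when BSP compliance is required.
BSP_AVOID = {DS + "dsa-sha1", XPATH1, XENC + "aes192-cbc", XENC + "kw-aes192"}


def _ids(root):
    """Values a ds:Reference URI="#..." can resolve to (wsu:Id, Id, ID, id attributes)."""
    return {v for el in root.iter() for a, v in el.attrib.items()
            if a.rsplit("}", 1)[-1] in ("Id", "ID", "id")}


def _check(findings, kind, alg, where):
    if alg not in SUPPORTED[kind]:
        findings.append(("unsupported-" + kind, where, alg))
    elif alg in BSP_AVOID:
        findings.append(("bsp-" + kind, where, alg))


def audit_security_header(xml_text):
    """Return (code, location, uri) findings for every Signature, EncryptedKey and EncryptedData."""
    root = ET.fromstring(xml_text)
    ids, findings = _ids(root), []
    for sig in root.iter("{%s}Signature" % DS):
        si = sig.find("ds:SignedInfo", NS)
        _check(findings, "c14n", si.find("ds:CanonicalizationMethod", NS).get("Algorithm"), "SignedInfo")
        _check(findings, "signature", si.find("ds:SignatureMethod", NS).get("Algorithm"), "SignedInfo")
        for ref in si.findall("ds:Reference", NS):
            uri, where = ref.get("URI", ""), "Reference %r" % ref.get("URI", "")
            transforms = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
            for t in transforms:
                _check(findings, "transform", t, where)
            _check(findings, "digest", ref.find("ds:DigestMethod", NS).get("Algorithm"), where)
            if uri.startswith("#"):
                if uri[1:] not in ids:        # resolves to nothing, so it protects nothing
                    findings.append(("dangling-reference", where, uri))
            elif XPATH2 not in transforms:    # page note: no ID attribute means XPath Filter 2.0
                findings.append(("missing-xpath-filter2", where, uri))
    for ek in root.iter("{%s}EncryptedKey" % XENC):
        _check(findings, "key_enc", ek.find("xenc:EncryptionMethod", NS).get("Algorithm"), "EncryptedKey")
    for ed in root.iter("{%s}EncryptedData" % XENC):
        _check(findings, "data_enc", ed.find("xenc:EncryptionMethod", NS).get("Algorithm"), "EncryptedData")
    return findings


def is_bsp_compliant(xml_text):
    return not audit_security_header(xml_text)


# Constructed sample: exclusive c14n, DSA-SHA1, an XPath-selected Timestamp, a dangling
# Reference and AES-192 body encryption. Digest, cipher and signature values are dummies.
SAMPLE = f"""<S11:Envelope xmlns:S11="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="{DS}"
 xmlns:xenc="{XENC}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><S11:Header>
<wsse:Security S11:mustUnderstand="1">
 <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2013-08-31T06:23:07Z</wsu:Created></wsu:Timestamp>
 <xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="{XENC}rsa-1_5"/>
  <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList></xenc:EncryptedKey>
 <ds:Signature><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="{DS}dsa-sha1"/>
  <ds:Reference URI="#Body-1"><ds:Transforms>
   <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
   <ds:DigestMethod Algorithm="{DS}sha1"/><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
  <ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="{XPATH1}">
   <ds:XPath>/S11:Envelope/S11:Header/wsse:Security/wsu:Timestamp</ds:XPath></ds:Transform>
   </ds:Transforms><ds:DigestMethod Algorithm="{XENC}sha256"/><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
  <ds:Reference URI="#TS-9"><ds:DigestMethod Algorithm="{DS}sha1"/><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
</wsse:Security></S11:Header>
<S11:Body wsu:Id="Body-1"><xenc:EncryptedData Id="ED-1" Type="{XENC}Content">
 <xenc:EncryptionMethod Algorithm="{XENC}aes192-cbc"/>
 <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData></S11:Body></S11:Envelope>"""
```

Calling audit_security_header(SAMPLE) reports the DSA signature method, the original XPath transform and the AES-192 data encryption as BSP findings, the Reference to #TS-9 as dangling, and the Reference with an empty URI as needing XPath Filter 2.0; the audit only inspects algorithm choice and reference resolution, it does not verify any digest or signature value.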

OASIS: Web Services Security SOAP Message Security 1.1

New or updated for this feature pack (IBM WebSphere Application Server Version 6.1 Feature Pack for Web Services): the following list shows the aspects of the OASIS: Web Services Security SOAP Message Security 1.1 specification that are supported in WebSphere Application Server. Items that were previously supported for Web Services Security: SOAP Message Security 1.0 are not listed but are still supported, unless noted otherwise.

Supported topic: specific aspect that is supported
Security header
  • @S12:role
  • @S12:mustUnderstand

    S12 is the namespace prefix of http://www.w3.org/2003/05/soap-envelope (SOAP 1.2)

Signature
  • Signature confirmation
Signed parts
  • Header: specify the QName of the header elements in the SOAP header that are to be integrity protected
    • Name
    • Namespace
Encryption
  • EncryptedHeader element
Encrypted parts
  • Header: specify the QName of the header elements in the SOAP header that are to be confidentiality protected
    • Name
    • Namespace

This results in an EncryptedHeader element that contains the EncryptedData element. For Web Services Security Version 1.0 behavior, specify the com.ibm.ws.wssecurity.encryptedHeader.generate.WSS1.0 property with a value of true in the EncryptionInfo in the bindings. With this property set, the encrypted header is written as a bare EncryptedData element instead of an EncryptedHeader element.

Error handling
  • SOAP faults
    • A new failure SOAP fault with its own fault code has been added
    • The fault text "The message has expired" has been added
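
Timestamp handling end to end, as an added example rather than code from the page or from WebSphere: the Python below validates the wsu:Timestamp in a wsse:Security header (exactly one timestamp, Created not further in the future than a clock-skew allowance, Expires after Created, and not yet expired) and raises the SOAP fault a Web Services Security 1.1 receiver returns when the message has expired. The fault text "The message has expired" is the one listed above; its fault code, wsse:MessageExpired, and the wsse:InvalidSecurity code used for the other failures come from the OASIS specification rather than from this page. The sample envelope and the skew and age limits are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"wsse": WSSE, "wsu": WSU}


class SoapFault(Exception):
    """A WS-Security fault: `code` is the wsse: fault code, `text` the fault string."""
    def __init__(self, code, text):
        super().__init__(text)
        self.code, self.text = code, text

    def envelope(self):
        """SOAP 1.1 Fault carrying the fault code in the wsse namespace."""
        return (f'<S11:Envelope xmlns:S11="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="{WSSE}">'
                f"<S11:Body><S11:Fault><faultcode>{self.code}</faultcode>"
                f"<faultstring>{self.text}</faultstring></S11:Fault></S11:Body></S11:Envelope>")


def parse_utc(value):
    """xsd:dateTime as WS-Security writes it: UTC with a trailing Z, optional fraction."""
    value = value.strip()
    if not value.endswith("Z"):
        raise SoapFault("wsse:InvalidSecurity", "Timestamp values must be in UTC")
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_timestamp(security, now, max_skew=timedelta(minutes=5), max_age=timedelta(minutes=5)):
    """Validate the single wsu:Timestamp under `security` against the receiver's clock `now`.

    `max_skew` tolerates clock drift between sender and receiver; `max_age` is the
    validity window applied when the sender omitted wsu:Expires.  Returns
    (created, expires) or raises SoapFault.
    """
    stamps = security.findall("wsu:Timestamp", NS)
    if len(stamps) != 1:
        raise SoapFault("wsse:InvalidSecurity", "Exactly one wsu:Timestamp is required")
    created_el = stamps[0].find("wsu:Created", NS)
    expires_el = stamps[0].find("wsu:Expires", NS)
    if created_el is None:
        raise SoapFault("wsse:InvalidSecurity", "wsu:Timestamp has no wsu:Created")
    created = parse_utc(created_el.text)
    if created > now + max_skew:
        raise SoapFault("wsse:InvalidSecurity", "wsu:Created is in the future")
    expires = parse_utc(expires_el.text) if expires_el is not None else created + max_age
    if expires <= created:
        raise SoapFault("wsse:InvalidSecurity", "wsu:Expires is not after wsu:Created")
    if now - max_skew >= expires:
        raise SoapFault("wsse:MessageExpired", "The message has expired")
    return created, expires


def check_message(xml_text, now, **limits):
    """Locate the wsse:Security header of a SOAP envelope and check its timestamp."""
    security = ET.fromstring(xml_text).find(".//wsse:Security", NS)
    if security is None:
        raise SoapFault("wsse:InvalidSecurity", "No wsse:Security header")
    return check_timestamp(security, now, **limits)


def verdict(xml_text, now):
    """Fault code the receiver would return for clock time `now`, or "ok"."""
    try:
        check_message(xml_text, now)
        return "ok"
    except SoapFault as fault:
        return fault.code


# Constructed sample: a five-minute validity window in the wsu:Timestamp.
SAMPLE = f"""<S11:Envelope xmlns:S11="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><S11:Header><wsse:Security S11:mustUnderstand="1">
 <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2013-08-31T06:23:07.000Z</wsu:Created>
 <wsu:Expires>2013-08-31T06:28:07Z</wsu:Expires></wsu:Timestamp>
</wsse:Security></S11:Header><S11:Body/></S11:Envelope>"""
```

The skew allowance is applied on both sides: a Created a few minutes ahead of the receiver's clock is tolerated, and a message is only rejected as expired once Expires is more than max_skew in the past. The timestamp must also be covered by the signature (the timestamp keyword in the signed parts list above) for this check to be meaningful, since an unsigned timestamp can be rewritten by whoever replays the message.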

OASIS: Web Services Security UsernameToken Profile 1.0

The following list shows the aspects of the OASIS: Web Services Security Username Token Profile 1.0 specification that are supported in WebSphere Application Server.

Supported topic: specific aspect that is supported
Password types
  • Text
Token references
  • Direct reference

OASIS: Web Services Security UsernameToken Profile 1.1

New or updated for this feature pack: the following list shows the aspects of the OASIS: Web Services Security Username Token Profile 1.1 specification that are supported in WebSphere Application Server. Items that were previously supported for Web Services Security UsernameToken Profile 1.0 are not listed but are still supported, unless noted otherwise.

Supported topic: specific aspect that is supported
Password types
  • Text
Token references
  • Direct reference

OASIS: Web Services Security X.509 Certificate Token Profile 1.0

The following list shows the aspects of the OASIS: Web Services Security X.509 Certificate Token Profile specification that is supported in WebSphere Application Server Versions 6 and later.

Supported topic: specific aspect that is supported
Token types
  • X.509 Version 3: Single certificate

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3

  • X.509 Version 3: X509PKIPathv1 without certificate revocation lists (CRL)

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1

  • X.509 Version 3: PKCS7 with or without CRLs. The IBM software development kit (SDK) supports both. The Sun Java Development Kit (JDK) supports PKCS7 without CRL only.
Token references
  • Key identifier – subject key identifier
  • Direct reference
  • Custom reference – issuer name and serial number

OASIS: Web Services Security X.509 Certificate Token Profile 1.1

New or updated for this feature pack: the following list shows the aspects of the OASIS: Web Services Security X.509 Certificate Token Profile 1.1 specification that are supported in WebSphere Application Server. Items that were previously supported for Web Services Security X.509 Certificate Token Profile 1.0 are not listed but are still supported, unless noted otherwise.

Supported topic: specific aspect that is supported
Token types
  • X.509 Version 1: Single certificate
Token references
  • Key identifier (subject key identifier)
    • Can only reference an X.509v3 certificate
    • Can instead carry the SHA-1 thumbprint of the certificate: set the ValueType attribute of the wsse:KeyIdentifier element to http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
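
Resolving the token references listed above, as an added example that is neither the page's nor WebSphere's code: the Python below resolves a wsse:SecurityTokenReference to a certificate by direct reference to a BinarySecurityToken in the same header, by subject key identifier, or by the Web Services Security 1.1 SHA-1 thumbprint, which is Base64(SHA-1(DER certificate)) carried in a wsse:KeyIdentifier whose ValueType is the ThumbprintSHA1 URI. The certificate bytes, subject key identifiers and trust store are constructed placeholders, not real certificates, and pinning an in-message token to the trust store instead of validating its chain is a simplification made for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"wsse": WSSE, "wsu": WSU}
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
X509V3 = X509_PROFILE + "#X509v3"
SKI = X509_PROFILE + "#X509SubjectKeyIdentifier"
THUMBPRINT = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def thumbprint_sha1(der):
    """ThumbprintSHA1 KeyIdentifier value: base64 of SHA-1 over the DER-encoded certificate."""
    return base64.b64encode(hashlib.sha1(der).digest()).decode()


class CertStore:
    """Trusted X.509v3 certificates, indexed the two ways a KeyIdentifier can name them."""
    def __init__(self, certs):  # certs: iterable of (der_bytes, subject_key_identifier_bytes)
        self.by_thumbprint = {thumbprint_sha1(der): der for der, _ in certs}
        self.by_ski = {base64.b64encode(ski).decode(): der for der, ski in certs}


def resolve(str_el, security_el, store):
    """Return the DER certificate a wsse:SecurityTokenReference names, or raise ValueError."""
    ref = str_el.find("wsse:Reference", NS)
    if ref is not None:                                   # direct reference
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError("direct reference must point into this message: %r" % uri)
        for bst in security_el.findall("wsse:BinarySecurityToken", NS):
            if bst.get("{%s}Id" % WSU) != uri[1:]:
                continue
            if bst.get("ValueType") != X509V3 or bst.get("EncodingType") != BASE64:
                raise ValueError("BinarySecurityToken is not a base64-encoded X509v3 token")
            der = base64.b64decode(bst.text.strip())
            # A token carried in the message proves nothing by itself; this example pins it
            # to the trust store (a deployment would build and validate its chain instead).
            if thumbprint_sha1(der) not in store.by_thumbprint:
                raise ValueError("certificate carried in the message is not trusted")
            return der
        raise ValueError("dangling direct reference %r" % uri)
    kid = str_el.find("wsse:KeyIdentifier", NS)
    if kid is not None:                                   # subject key identifier or thumbprint
        value_type, value = kid.get("ValueType"), (kid.text or "").strip()
        table = {THUMBPRINT: store.by_thumbprint, SKI: store.by_ski}.get(value_type)
        if table is None:
            raise ValueError("unsupported KeyIdentifier ValueType %r" % value_type)
        if value not in table:
            raise ValueError("no trusted certificate matches key identifier %s" % value)
        return table[value]
    raise ValueError("unsupported SecurityTokenReference form")


def resolve_by_id(xml_text, str_id, store):
    """Resolve the wsse:SecurityTokenReference with the given wsu:Id inside a wsse:Security element."""
    security = ET.fromstring(xml_text)
    for str_el in security.findall("wsse:SecurityTokenReference", NS):
        if str_el.get("{%s}Id" % WSU) == str_id:
            return resolve(str_el, security, store)
    raise KeyError(str_id)


def can_resolve(xml_text, str_id, store):
    try:
        resolve_by_id(xml_text, str_id, store)
        return True
    except ValueError:
        return False


# Constructed placeholders standing in for DER certificates and their subject key
# identifier extensions; they are not real certificates, only bytes for the lookups.
CERT_A, SKI_A = b"\x30\x82\x01\x00placeholder-DER-certificate-A", b"\x01\x02\x03\x04"
CERT_B, SKI_B = b"\x30\x82\x01\x00placeholder-DER-certificate-B", b"\x05\x06\x07\x08"
STORE = CertStore([(CERT_A, SKI_A), (CERT_B, SKI_B)])
CERT_A_B64 = base64.b64encode(CERT_A).decode()
SKI_B_B64 = base64.b64encode(SKI_B).decode()
UNKNOWN_THUMBPRINT = thumbprint_sha1(b"certificate that is not in the store")

SAMPLE = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
 <wsse:BinarySecurityToken wsu:Id="X509-A" ValueType="{X509V3}" EncodingType="{BASE64}">{CERT_A_B64}</wsse:BinarySecurityToken>
 <wsse:SecurityTokenReference wsu:Id="str-direct"><wsse:Reference URI="#X509-A" ValueType="{X509V3}"/></wsse:SecurityTokenReference>
 <wsse:SecurityTokenReference wsu:Id="str-thumb"><wsse:KeyIdentifier ValueType="{THUMBPRINT}" EncodingType="{BASE64}">{thumbprint_sha1(CERT_B)}</wsse:KeyIdentifier></wsse:SecurityTokenReference>
 <wsse:SecurityTokenReference wsu:Id="str-ski"><wsse:KeyIdentifier ValueType="{SKI}" EncodingType="{BASE64}">{SKI_B_B64}</wsse:KeyIdentifier></wsse:SecurityTokenReference>
 <wsse:SecurityTokenReference wsu:Id="str-unknown"><wsse:KeyIdentifier ValueType="{THUMBPRINT}" EncodingType="{BASE64}">{UNKNOWN_THUMBPRINT}</wsse:KeyIdentifier></wsse:SecurityTokenReference>
</wsse:Security>"""
```

A thumbprint identifies exactly one certificate, whereas a subject key identifier identifies a key that may appear in several certificates (for example across renewals), which is why the thumbprint form was added in Web Services Security 1.1 and why the resolver keeps the two indexes separate.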

Functionality that is not supported by WebSphere Application Server

The following list shows functionality that is defined in the OASIS specifications, OASIS drafts, and other recommendations but is not supported by WebSphere Application Server Version 6 and later:
  • The Web services security binding is not collected during the application installation process. It can be configured after the application is deployed.
  • Security header
    • @S12:role (supported only with the Feature Pack for Web Services, as listed under SOAP Message Security 1.1 above)

      S12 is the namespace prefix of http://www.w3.org/2003/05/soap-envelope

  • Nonmanaged client with Web services security. For example, a Java 2 Platform, Standard Edition (J2SE) client or a Dynamic Invocation Interface (DII) client
  • Web services security for SOAP attachment
  • Security Assertion Markup Language (SAML) token profile, WS-Security Kerberos token profile, and XrML token profile
  • XML enveloping digital signature
  • XML enveloping digital encryption
  • The following transform algorithms for digital signatures are not supported:
    • XSLT: http://www.w3.org/TR/1999/REC-xslt-19991116
    • SOAP Message Normalization

      See SOAP Version 1.2 Message Normalization for what this transform does, for example removing an empty header or a header entry with mustUnderstand="false".

    • New or updated for this feature pack: Decryption transform (this entry applies to the feature pack; the transform appears in the SOAP Message Security 1.0 list above)
  • Key agreement algorithms for encryption are not supported.
  • The following canonicalization algorithm for encryption, which is optional in the XML encryption specification, is not supported:
    • Canonical XML with or without comments
    • Exclusive XML Canonicalization with or without comments
  • DSA digital signature is not supported.
  • Pre-agreed symmetric key data encryption is not supported.
  • Auditing for nonrepudiation for digital signatures is not supported.
  • In both versions of the Username Token Profile specification, the digest password type is not supported.
  • New or updated for this feature pack: in the Username Token Profile Version 1.1 specification, key derivation based on a password is not supported.



Related concepts
Basic Security Profile compliance tips
Encrypted SOAP headers
Signature confirmation
What is new for securing Web services
Related reference
Encryption information configuration settings: Message parts


Last updated: Aug 31, 2013 1:23:07 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist&topic=cwbs_supportfunction
File name: cwbs_supportfunction.html