Web services policy sets that are included with the product

You can use the policy sets in this product to simplify configuring the qualities of service for your web services. Using these policy sets, you can combine configurations for different policies.

Important: Applicable to WebSphere® Application Server traditional

WebSphere Application Server V7.0.0.7 and later policy sets

Starting in WebSphere Application Server V7 Fix Pack 7, you can secure web services with Security Assertion Markup Language (SAML). Use SAML assertions to represent user identity and user security attributes, and optionally, to sign and to encrypt SOAP message elements. WebSphere Application Server supports SAML assertions using the bearer subject confirmation method and the holder-of-key subject confirmation method as defined in the OASIS WSS SAML Token Profile Version 1.1 specification. Policy sets and general bindings that support SAML are included with the product SAML function. To use SAML assertions, you must modify the provided sample general binding.

Tip: Read the WebSphere Application Server documentation on SAML policy sets before you apply them to your web service. This documentation describes how SAML is supported within WebSphere Application Server and what limitations exist. See Securing Web services using Security Assertion Markup Language (SAML).

WebSphere Application Server V7.0 and V8.0 policy sets

The following WebSphere Application Server V7.0 and V8.0 policy sets are included with the product:
Kerberos V5 HTTPS default
This policy set provides message authentication with a Kerberos Version 5 token. Message integrity and confidentiality are provided by Secure Sockets Layer (SSL) transport security. This policy set follows the OASIS Kerberos Token Profile V1.1 and WS-Security specifications.

When you use this policy set, configure the basic authentication data and custom properties such as the com.ibm.wsspi.wssecurity.krbtoken.targetServiceName and com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost custom properties in the client bindings. For more information, see the Authentication generator or consumer token settings and Protection token settings (generator or consumer) topics.

LTPA WSSecurity default
This policy set provides the following features:
  • Message integrity through digital signature (using RSA public-key cryptography) to sign the body, time stamp, and WS-Addressing headers using WS-Security specifications.
  • Message confidentiality through encryption (using RSA public-key cryptography) to encrypt the body, signature, and signature elements using WS-Security specifications.
  • A Lightweight Third Party Authentication (LTPA) token included in the request message to authenticate the client to the service.
SSL WSTransaction
Use this policy set to coordinate distributed transactional work atomically, interoperably and securely, by using the WS-AtomicTransaction specification and SSL Transport security. Also, use this policy set to coordinate loosely coupled business processes, with the ability to compensate actions if a failure occurs in the business activity using the WS-BusinessActivity specification and SSL Transport security.
Username SecureConversation
This policy set provides the following features:
  • Message integrity through digital signature that includes signing the body, time stamp, and WS-Addressing headers using WS-SecureConversation and WS-Security specifications
  • Message confidentiality through encryption that includes encrypting the body, signature and signature confirmation elements, using WS-SecureConversation and WS-Security specifications
  • A user name token included in the request message to authenticate the client to the service. The user name token is encrypted in the request
Username WSSecurity default
This policy set provides the following features:
  • Message integrity by digital signature (using RSA public-key cryptography) to sign the body, time stamp, and WS-Addressing headers using WS-Security specifications
  • Message confidentiality by encryption (using RSA public-key cryptography) to encrypt the body, signature, and signature confirmation elements using WS-Security specifications
  • A user name token included in the request message to authenticate the client to the service. The user name token is encrypted in the request
WS-I RSP
This policy set enables unmanaged non-persistent WS-ReliableMessaging, which provides the ability to deliver a message reliably to its intended receiver. This policy set works only in a single-server environment and does not work in a clustered environment. Message integrity is provided by digitally signing the body, the time stamp, and the WS-Addressing headers. Message confidentiality is provided by encrypting the body and the signature. This policy set follows the WS-SecureConversation and WS-Security specifications.

Web Services Reliable Messaging policy sets must be applied at the service level for the Reliable Messaging quality of service to be respected by the runtime environment. Policy sets that are applied at the endpoint level or the operation level are ignored by the runtime environment.

WSAddressing default
The WSAddressing default policy set provides a transport-neutral way to uniformly address web services and messages. The WSAddressing default policy set is based on the WS-Addressing specification. The WS-Addressing standard uses endpoint references and message-addressing properties to facilitate the addressing of web services in a standard and interoperable way. Use the WSAddressing default policy set as provided with the application server. To customize the policy set, you must first copy the policy set, and then configure custom policy settings and bindings to meet your needs.
WSHTTPS default
This policy set provides SSL transport security for the HTTP protocol with web services applications.
WSReliableMessaging persistent
This policy set enables both WS-ReliableMessaging and WS-Addressing and uses the maximum quality of service, managed persistent. This quality of service supports asynchronous web service invocations and uses a service integration messaging engine and message store to manage the sequence state. Messages are processed within transactions and persisted at the web service requester server and at the web service provider server, and they are recoverable if the server fails. In-order delivery is set to "false", so messages are not necessarily delivered in the order in which they were sent.

Because this policy set specifies the managed persistent quality of service, you must define bindings to the service integration bus and messaging engine that you want to use to manage the WS-ReliableMessaging state. You can attach and bind a WS-ReliableMessaging policy set to a web service application by using the administrative console or the wsadmin tool.

Web Services Reliable Messaging policy sets must be applied at the service level for the Reliable Messaging quality of service to be respected by the runtime environment. Policy sets that are applied at the endpoint level or the operation level are ignored by the runtime environment.

WebSphere Application Server V6.1 policy sets

The following WebSphere Application Server V6.1 policy sets are included with the product:
RAMP default policy sets
RAMP default
Default Reliable Asynchronous Messaging Profile (RAMP) 1.0. This policy set provides the following features:
  • Reliable message delivery to the intended receiver by enabling WS-ReliableMessaging
  • Message integrity by digital signature that includes signing the body, time stamp, WS-Addressing headers, and WS-ReliableMessaging headers using the WS-SecureConversation and WS-Security specifications
  • Confidentiality by encryption that includes encrypting the body, signature and signature confirmation elements, using the WS-SecureConversation and WS-Security specifications
LTPA RAMP default
This policy set provides the following features:
  • Reliable message delivery to the intended receiver by enabling WS-ReliableMessaging
  • Message integrity by digital signature that includes signing the body, time stamp, WS-Addressing headers, and WS-ReliableMessaging headers using the WS-SecureConversation and WS-Security specifications
  • Confidentiality by encryption that includes encrypting the body, signature and signature confirmation elements, using the WS-SecureConversation and WS-Security specifications
  • A Lightweight Third Party Authentication (LTPA) token included in the request message to authenticate the client to the service
Username RAMP default
This policy set provides the following features:
  • Reliable message delivery to the intended receiver by enabling WS-ReliableMessaging
  • Message integrity by digital signature that includes signing the body, time stamp, WS-Addressing headers, and WS-ReliableMessaging headers using the WS-SecureConversation and WS-Security specifications
  • Confidentiality by encryption that includes encrypting the body, signature and signature confirmation elements, using the WS-SecureConversation and WS-Security specifications
  • A user name token included in the request message to authenticate the client to the service. The user name token is encrypted in the request
SecureConversation policy sets
SecureConversation
This policy set provides the following features:
  • Message integrity by digital signature that includes signing the body, time stamp, and WS-Addressing headers using WS-SecureConversation and WS-Security specifications
  • Message confidentiality by encryption that includes encrypting the body, signature and signature confirmation elements, using WS-SecureConversation and WS-Security specifications
LTPA SecureConversation
This policy set provides the following features:
  • Message integrity by digital signature that includes signing the body, time stamp, and WS-Addressing headers using WS-SecureConversation and WS-Security specifications
  • Message confidentiality by encryption that includes encrypting the body, signature and signature confirmation elements, using WS-SecureConversation and WS-Security specifications
  • A Lightweight Third Party Authentication (LTPA) token included in the request message to authenticate the client to the service
Username SecureConversation
This policy set provides the following features:
  • Message integrity by digital signature that includes signing the body, time stamp, and WS-Addressing headers using WS-SecureConversation and WS-Security specifications
  • Message confidentiality by encryption that includes encrypting the body, signature and signature confirmation elements, using WS-SecureConversation and WS-Security specifications
  • A user name token included in the request message to authenticate the client to the service. The user name token is encrypted in the request
WSReliableMessaging policy sets
WSReliableMessaging default
This policy set enables both WS-ReliableMessaging and WS-Addressing, and the policy set uses the minimum quality of service, unmanaged non-persistent. This quality of service requires minimal configuration. However, it is non-transactional and, although it allows for the resending of messages that are lost in the network, failure of a server results in lost messages. This quality of service is for single-server use only; it does not work in a cluster.
WSReliableMessaging 1_0
This policy set enables both WS-ReliableMessaging Version 1.0 and WS-Addressing, and it uses the minimum quality of service, unmanaged non-persistent. This quality of service requires minimal configuration. This quality of service is non-transactional, however. Although it allows for the resending of messages that are lost in the network, failure of a server results in lost messages. This quality of service is for single-server use only; it does not work in a cluster. You can use this policy set with .NET-based web services.
WSReliableMessaging persistent
This policy set enables both WS-ReliableMessaging and WS-Addressing, and the policy set uses the maximum quality of service, managed persistent. This quality of service supports asynchronous web service invocations, and uses a service integration messaging engine and message store to manage the sequence state. Messages are processed within transactions and are persisted at the web service requester server and at the web service provider server. The messages are recoverable if the server fails.

Web Services Reliable Messaging policy sets must be applied at the service level for the Reliable Messaging quality of service to be respected by the runtime environment. Policy sets that are applied at the endpoint level or the operation level are ignored by the runtime environment.

WSSecurity default policy sets
WSSecurity default
This policy set provides the following features:
  • Message integrity by digital signature (using RSA public-key cryptography) to sign the body, time stamp, and WS-Addressing headers using WS-Security specifications
  • Message confidentiality by encryption (using RSA public-key cryptography) to encrypt the body, signature and signature confirmation elements using WS-Security specifications
LTPA WSSecurity default
This policy set provides the following features:
  • Message integrity by digital signature (using RSA public-key cryptography) to sign the body, time stamp, and WS-Addressing headers using WS-Security specifications
  • Message confidentiality by encryption (using RSA public-key cryptography) to encrypt the body, signature, and signature confirmation elements using WS-Security specifications
  • A Lightweight Third Party Authentication (LTPA) token included in the request message to authenticate the client to the service
Username WSSecurity default
This policy set provides the following features:
  • Message integrity by digital signature (using RSA public-key cryptography) to sign the body, time stamp, and WS-Addressing headers using WS-Security specifications
  • Message confidentiality by encryption (using RSA public-key cryptography) to encrypt the body, signature, and signature confirmation elements using WS-Security specifications
  • A user name token included in the request message to authenticate the client to the service. The user name token is encrypted in the request
WSTransaction policy sets
WSTransaction
This policy set enables WS-Transaction, which provides the ability to coordinate distributed transactional work atomically and interoperably using the WS-AtomicTransaction specification.
SSL WSTransaction
This policy set enables WS-Transaction, which provides the ability to coordinate distributed transactional work atomically, interoperably and securely using the WS-AtomicTransaction specification and SSL Transport security.
Other default policy sets
WSAddressing default
This policy set enables WS-Addressing support, which uses endpoint references and message-addressing properties to facilitate the addressing of web services in a standard and interoperable way.
WSHTTPS default
This policy set provides SSL transport security for the HTTP protocol with web services applications.

WebSphere Application Server V7.0 and V8.0 system policy sets

The following WebSphere Application Server V7.0 and V8.0 system policy sets are included with the product:
SystemWSSecurityDefault
This system policy set specifies the asymmetric algorithm and both the public and private keys to provide message security. Message integrity is provided by digitally signing the body, time stamp, and WS-Addressing headers using RSA encryption. Message confidentiality is provided by encrypting the body and signature using RSA encryption. This policy set follows the WS-Security specifications for the issue and renew trust operation requests.
Concept topic
Last updated: July 17, 2017 21:58

File name: cpsui002.html