Configuring an application for Web services security
To secure your Web service application, you need to secure the SOAP messages sent and received by the Web service using an assembly tool such as the WebSphere® Application Server Toolkit or the Rational® Developer products. In either product, the Web service editor can be used for this purpose.
There are eight parts of Web services security that you configure to secure your Simple Object Access Protocol (SOAP) messages using either digital signature or encryption. Four of these parts involve the deployment descriptor extensions and four parts involve the bindings that correspond to the deployment descriptors. The following table illustrates these eight parts, which involve both the client and the server, or a server acting as a client. It is recommended that you configure each of these parts in order from left to right in the table. For example, configure the request generator extensions and then the request consumer extensions, because the two configurations must match. After you configure the request generator and request consumer extensions, configure the request generator and the request consumer bindings, and so on.
Table 1. Client and server extensions and bindings relationship

| Client                          | Server                           |
|---------------------------------|----------------------------------|
| 1. Request generator extensions | 2. Request consumer extensions   |
| 3. Request generator bindings   | 4. Request consumer bindings     |
| 5. Response consumer extensions | 6. Response generator extensions |
| 7. Response consumer bindings   | 8. Response generator bindings   |

In Web services security for WebSphere Application Server (WAS) Version 6, integrity refers to digital signature and confidentiality refers to encryption. Integrity reduces the risk of data being modified while it is transmitted across a network. Confidentiality reduces the risk of someone who intercepts the message as it moves across a network being able to read it: the message is encrypted before it is sent and decrypted when it is received by its target server. This article provides the steps needed to secure your Web services using either integrity or confidentiality.
In the generator bindings, you specify which message parts to sign (integrity) or encrypt (confidentiality) and which method is used. In the consumer bindings, you specify which message parts must be signed or encrypted. After the consumer verifies the digital signature or decrypts the message, it checks that the specified message parts are actually signed or encrypted. If a digital signature or encryption is required and the message is not signed or encrypted, the consumer rejects the message.
There are two different methods to specify what needs to be signed (integrity) or encrypted (confidentiality). You can use either keywords or an XPath expression to configure message parts, a nonce, or a time stamp. When you use keywords, you can specify only certain elements within a message. With an XPath expression, you can specify any part of the message.
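As an added example (not part of this IBM documentation), the consumer-side coverage check described above: after the signature itself has been validated, confirm that every required part, named either by keyword or by an XPath expression, is actually among the signed references, and reject the message otherwise. The namespaces are the standard WS-Security ones; the keyword table and the sample envelope are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Keyword shorthands (constructed) map to the element they denote, as an ElementTree path.
KEYWORDS = {
    "body": "soap:Body",
    "timestamp": "soap:Header/wsse:Security/wsu:Timestamp",
    "securitytoken": "soap:Header/wsse:Security/wsse:BinarySecurityToken",
}

def signed_ids(envelope):
    """Collect the wsu:Id values that the ds:Signature references (URI="#id")."""
    refs = envelope.findall("soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return {r.get("URI")[1:] for r in refs if r.get("URI", "").startswith("#")}

def missing_integrity_parts(soap_xml, required):
    """Return the required parts (keywords or XPath expressions) not covered by the signature.
    An empty list means the consumer may accept the message; a non-empty list means reject."""
    env = ET.fromstring(soap_xml)
    ids = signed_ids(env)
    missing = []
    for part in required:
        path = KEYWORDS.get(part.lower(), part)  # anything not a keyword is treated as a path
        elem = env.find(path, NS)
        # The part must exist, carry a wsu:Id, and that Id must be among the signed references.
        if elem is None or elem.get(WSU_ID) not in ids:
            missing.append(part)
    return missing

# Constructed sample: Body and Timestamp are signed, no BinarySecurityToken is present.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><soap:Header><wsse:Security>
 <wsu:Timestamp wsu:Id="ts"><wsu:Created>2024-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/><ds:Reference URI="#ts"/>
 </ds:SignedInfo></ds:Signature></wsse:Security></soap:Header>
 <soap:Body wsu:Id="body"><getQuote>IBM</getQuote></soap:Body></soap:Envelope>"""

if __name__ == "__main__":
    print(missing_integrity_parts(SAMPLE, ["body", "timestamp", "securitytoken"]))
```

This check does not replace cryptographic validation of the signature; it is the second step, ensuring that a valid signature also covers everything the consumer constraints demand.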
- Configure the client and the server for integrity.
To properly configure Web services security for integrity, complete the following steps for the request generator and the request consumer and then repeat the steps for the response generator and the response consumer.
- Specify which message elements to sign in the generator security constraints using either keywords or an XPath expression. For more information, see either Signing message elements in generator security constraints with keywords or Signing message elements in generator security constraints with an XPath expression. When you sign the message elements, you can also add a nonce or a time stamp configuration. For more information on these configurations, see:
- Adding time stamps for integrity to generator security constraints with keywords
- Adding time stamps for integrity to generator security constraints with an XPath expression
- Adding a nonce for integrity in generator security constraints with keywords
- Adding a nonce for integrity to generator security constraints with an XPath expression
- Configure a collection certificate store for the generator security constraints. For more information, see Configuring the collection certificate store for the generator binding.
- Configure the token generator. For more information, see Configuring token generators with an assembly tool.
- Configure the key locators in the generator binding. For more information, see Configuring key locators for the generator binding.
- Configure the key information in the generator binding. For more information, see Configuring key information for the generator binding.
- Configure the signing information in the generator binding. For more information, see Configuring signing information for the generator binding with an assembly tool.
- Specify which message elements to sign in the consumer security constraints using either keywords or an XPath expression. For more information, see either Signing message elements in consumer security constraints with keywords or Signing message elements in consumer security constraints with an XPath expression. When you sign the message elements, you can also add a nonce or a time stamp configuration. For more information on these configurations, see:
- Adding time stamps for integrity in consumer security constraints with keywords
- Adding a nonce for integrity in consumer security constraints with keywords
- Adding time stamps for integrity in consumer security constraints with an XPath expression
- Adding a nonce for integrity in consumer security constraints with an XPath expression
- Configure a collection certificate store for the consumer security constraints. For more information, see Configuring the collection certificate store for the consumer binding.
- Configure a token consumer. For more information, see Configuring token consumers with an assembly tool.
- Configure the key locators in the consumer binding. For more information, see Configuring the key locator for the consumer binding with an assembly tool.
- Configure the key information in the consumer bindings. For more information, see Configuring key information for the consumer binding.
- Configure the signing information in the consumer binding. For more information, see Configuring signing information for the consumer binding.
- Configure the client and the server for confidentiality.
To properly configure Web services security for confidentiality, complete the following steps for the request generator and the request consumer, and then repeat the steps for the response generator and the response consumer.
- Specify which message elements to encrypt in the generator security constraints using either keywords or an XPath expression. For more information, see either Encrypting the message elements in generator security constraints with keywords or Encrypting the message elements in generator security constraints with an XPath expression. When you encrypt the message elements, you can also add a nonce or a time stamp configuration. For more information on these configurations, see:
- Adding time stamps for confidentiality to generator security constraints with keywords
- Adding the nonce for confidentiality to generator security constraints with keywords
- Adding time stamps for confidentiality to generator security constraints with an XPath expression
- Adding the nonce for confidentiality to generator security constraints with an XPath expression
- Configure the token generator. For more information, see Configuring token generators with an assembly tool.
- Configure the key locators in the generator binding. For more information, see Configuring key locators for the generator binding.
- Configure the key information in the generator binding. For more information, see Configuring key information for the generator binding.
- Configure the encryption information in the generator binding. For more information, see Configuring encryption information for the consumer binding.
- Specify which message elements to encrypt in the consumer security constraints using either keywords or an XPath expression. For more information, see either Encrypting message elements in consumer security constraints with keywords or Encrypting message elements in consumer security constraints with an XPath expression. When you encrypt the message elements, you can also add a nonce or a time stamp configuration. For more information on these configurations, see:
- Adding time stamps for confidentiality in consumer security constraints with keywords
- Adding a nonce for confidentiality in consumer security constraints with keywords
- Adding time stamps for confidentiality in consumer security constraints with an XPath expression
- Adding the nonce for confidentiality in consumer security constraints with an XPath expression
- Configure a token consumer. For more information, see Configuring token consumers with an assembly tool. The token consumer article also provides the steps needed to optionally configure a trust anchor.
- Configure the key locators in the consumer binding. For more information, see Configuring the key locator for the consumer binding with an assembly tool.
- Configure the key information in the consumer bindings. For more information, see Configuring key information for the consumer binding.
- Configure the encryption information in the consumer binding. For more information, see Configuring encryption information for the generator binding.
By completing the previous steps, you have configured your application for either digital signature (integrity) or encryption (confidentiality).
In addition to securing Web services for integrity and confidentiality, the assembly tools enable you to complete the following tasks:
- Configure a stand-alone time stamp for the generator and the consumer extensions. For more information, see Adding a stand-alone time stamp to generator security constraints and Adding a stand-alone time stamp in consumer security constraints.
- Configure the security token in the generator and consumer constraints. For more information, see Configuring the security token in generator security constraints and Configuring the security token requirement in consumer security constraints.
- Configure a caller part for the consumer security constraints. For more information, see Configuring the caller in consumer security constraints.
- Configure identity assertion. For more information, see Configuring identity assertion.
- XML digital signature
XML-Signature Syntax and Processing (XML digital signature) is a specification that defines XML syntax and processing rules to sign and verify digital signatures for digital content. The specification was developed jointly by the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF).
- Signing message elements in generator security constraints with keywords
- Signing message elements in generator security constraints with an XPath expression
- Collection certificate store
A collection certificate store is a collection of non-root certificate authority (CA) certificates and certificate revocation lists (CRLs). This collection of CA certificates and CRLs is used to check the signature of a digitally signed Simple Object Access Protocol (SOAP) message.
- Configuring the collection certificate store for the generator binding
- Trust anchor
A trust anchor specifies the key stores that contain trusted root certificates. These certificates are used to validate the X.509 certificate that is embedded in the Simple Object Access Protocol (SOAP) message.
- Configuring token generators with an assembly tool
- Key locator
A key locator, or the com.ibm.wsspi.wssecurity.keyinfo.KeyLocator class, is an abstraction of the mechanism that retrieves the key for digital signature and encryption.
- Configuring key locators for the generator binding
- Configuring key information for the generator binding
- Configuring signing information for the generator binding with an assembly tool
- Signing message elements in consumer security constraints with keywords
- Signing message elements in consumer security constraints with an XPath expression
- Configuring the collection certificate store for the consumer binding
- Trusted ID evaluator
A trusted ID evaluator (com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl) is an abstraction of the mechanism that evaluates whether the given ID name is trusted.
- Configuring token consumers with an assembly tool
- Configuring the key locator for the consumer binding with an assembly tool
- Configuring key information for the consumer binding
- Configuring signing information for the consumer binding
- Encrypting the message elements in generator security constraints with keywords
- Encrypting the message elements in generator security constraints with an XPath expression
- XML encryption
XML encryption is a specification developed by the World Wide Web Consortium (W3C) in 2002 that contains the steps to encrypt data, the steps to decrypt encrypted data, the XML syntax to represent encrypted data, the information used to decrypt the data, and a list of encryption algorithms such as triple DES, AES, and RSA.
- Configuring encryption information for the consumer binding
- Encrypting message elements in consumer security constraints with keywords
- Encrypting message elements in consumer security constraints with an XPath expression
- Configuring encryption information for the generator binding
- Adding a stand-alone time stamp to generator security constraints
- Adding a stand-alone time stamp in consumer security constraints
- Security token
A security token represents a set of claims made by a client that might include a name, password, identity, key, certificate, group, privilege, and so on.
- Configuring the security token in generator security constraints
- Configuring the security token requirement in consumer security constraints
- Configuring the caller in consumer security constraints
- Configuring identity assertion
Related concepts
Nonce, a randomly generated token