Securing JAX-RPC Web services manually based on WS-Security
If the Web services security wizards do not meet your needs, you have the option of manually securing your Web services. Standards and profiles address how to provide protection for messages that are exchanged in a JAX-RPC Web service environment.
Web service security is supported in the managed Web service container. To establish a managed environment and to enforce constraints for Web services security, perform a Java™ Naming and Directory Interface (JNDI) lookup on the client to resolve the service reference. For more information on the recommended client programming model, see "Service lookup" in the Java Specification Request (JSR) 109 specification available at: ftp://www-126.ibm.com/pub/jsr109/spec/1.0/websvcs-1_0-fr.pdf.
WebSphere® Application Server Version 6 and Version 5.x compatibility
In WAS Version 6, you can run a version 5.x Web services-secured application on a v6 application server. However, when you use a Web services-secured application, the client and the server must use the same version of the application server. For example, a Web services-secured application does not work properly when the client uses WAS Version 6 and the server uses version 5.x. Conversely, a Web services-secured application does not work properly when the client uses WAS Version 5.x and the server uses v6. This issue occurs because the SOAP message format is different between a version 5.x application and a v6 application.
Configurations
To secure Web services with WAS, you specify several different configurations. Although there is no fixed sequence in which to specify them, some configurations reference others. The following table shows an example of the relationship between the configurations. The requirements for the bindings depend upon the deployment descriptor, and some binding information depends upon other information in the binding or in the server- and cell-level configuration. For instance, the signing information references the key information.
Table 1. The relationship between the configurations (configuration level, configuration name, and the configurations it references).

Application-level request generator
- Token generator: collection certificate store, nonce, timestamp, callback handler
- Key information: key locator, key name, token
- Signing information: key information
- Encryption information: key information

Application-level request consumer
- Token consumer: trust anchor, collection certificate store, trusted ID evaluators, Java Authentication and Authorization Service (JAAS) configuration
- Key information: key locator, token
- Signing information: key information
- Encryption information: key information

Application-level response generator
- Token generator: collection certificate store, callback handler
- Key information: key locator, token
- Signing information: key information
- Encryption information: key information

Application-level response consumer
- Token consumer: trust anchor, collection certificate store, JAAS configuration
- Key information: key locator, key name, token
- Signing information: key information
- Encryption information: key information

Server-level default generator bindings
- Token generator: collection certificate store, callback handler
- Key information: key locator, token
- Signing information: key information
- Encryption information: key information

Server-level default consumer bindings
- Token consumer: trust anchor, collection certificate store, trusted ID evaluator, JAAS configuration
- Key information: key locator, token
- Signing information: key information
- Encryption information: key information

Cell-level default generator bindings
- Token generator: collection certificate store, callback handler
- Key information: key locator, token
If multiple applications will use the same binding information, consider configuring the binding information on the server level. For example, you might have a global key locator configuration that is used by multiple applications.
Because of the relationships between the different Web services security configurations, it is recommended that you specify the configurations in the following order:
- Assemble your Web services security-enabled application using an assembly tool such as the Rational® Developer products or the WAS Toolkit. Before modifying a Web services security-enabled application in the WAS administrative console, assemble the application using an assembly tool. Although you can modify some of the application settings using the administrative console, configure the generator and the consumer security constraints using an assembly tool such as the Application Server Toolkit or Rational Application Developer. For information on how to add Web services security to an application using an assembly tool, see Configuring an application for Web services security. Return to this article after you have assembled your application and imported it into the administrative console.
- Optional: Modify the application-level configurations in the administrative console.
- Configure the trust anchors for the generator binding. For more information, see Configuring trust anchors for the generator binding on the application level.
- Configure the collection certificate store for the generator binding. For more information, see Configuring the collection certificate store for the generator binding on the application level.
- Configure the token for the generator binding. For more information, see Configuring the token generator on the application level.
- Configure the key locators for the generator binding. For more information, see Configuring the key locator for the generator binding on the application level.
- Configure the key information for the generator binding. For more information, see Configuring the key information for the generator binding on the application level.
- Configure the signing information for the generator binding. For more information, see Configuring the signing information for the generator binding on the application level.
- Configure the encryption information for the generator binding. For more information, see Configuring the encryption information for the generator binding on the application level.
- Configure the trust anchors for the consumer binding. For more information, see Configuring trust anchors for the consumer binding on the application level.
- Configure the collection certificate store for the consumer binding. For more information, see Configuring the collection certificate store for the consumer binding on the application level.
- Configure the token for the consumer binding. For more information, see Configuring token consumer on the application level.
- Configure the key locators for the consumer binding. For more information, see Configuring the key locator for the consumer binding on the application level.
- Configure the key information for the consumer binding. For more information, see Configuring the key information for the consumer binding on the application level.
- Configure the signing information for the consumer binding. For more information, see Configuring the signing information for the consumer binding on the application level.
- Configure the encryption information for the consumer binding. For more information, see Configuring the encryption information for the consumer binding on the application level.
- Specify the server-level configurations.
- Configure the trust anchors for the server level. For more information, see Configuring trust anchors on the server or cell level.
- Configure the collection certificate store for the server level. For more information, see Configuring the collection certificate store on the server or cell-level bindings.
- Configure a token generator. For more information, see Configuring token generators on the server or cell level.
- Configure a nonce for the server level. For more information, see Configuring a nonce on the server or cell level.
- Configure the key locators for the generator binding. For more information, see Configuring the key locator on the server or cell level.
- Configure the key information for the generator binding. For more information, see Configuring the key information for the generator binding on the server or cell level.
- Configure the signing information for the generator binding. For more information, see Configuring the signing information for the generator binding on the server or cell level.
- Configure the encryption information for the generator binding. For more information, see Configuring the encryption information for the generator binding on the server or cell level.
- Configure the trusted ID evaluators for the server level. For more information, see Configuring trusted ID evaluators on the server or cell level.
- Configure a token consumer. For more information, see Configuring token consumers on the server or cell level.
- Configure the key information for the consumer binding. For more information, see Configuring the key information for the consumer binding on the server or cell level.
- Configure the signing information for the consumer binding. For more information, see Configuring the signing information for the consumer binding on the server or cell level.
- Configure the encryption information for the consumer binding. For more information, see Configuring the encryption information for the consumer binding on the server or cell level.
After completing these steps on the appropriate level of WAS, your Web services are secured.
Note: Application-level configuration information takes precedence over similar configuration information on the server level.
- What is new for securing Web services
In WAS Version 6.0.x and later there are many security enhancements for Web services. The enhancements include supporting sections of the Web services security specifications and providing architectural support for plugging in and extending the capabilities of security tokens.
- Web services security enhancements
- High-level architecture for Web services security
- Configuration overview
- Security model mixture
- Security considerations for Web services
- Migrating Version 5.x applications with Web services security to Version 6 applications
- Default implementations of the Web services security service provider programming interfaces
- Default Web services security configuration
- Nonce, a randomly generated token
A nonce is a randomly generated cryptographic token used to prevent replay attacks. Although a nonce can be inserted anywhere in the SOAP message, it is typically inserted in the <UsernameToken> element.
- Configuring an application for Web services security
To secure your Web service application, you need to secure the SOAP messages sent and received by the Web service using an assembly tool such as the WAS Toolkit or the Rational Developer products. In either product, the Web service editor can be used for this purpose.
- Configuring trust anchors for the generator binding on the application level
- Configuring the collection certificate store for the generator binding on the application level
- Username token element
You can use the UsernameToken element to propagate a user name and, optionally, password information. You can also use this token type to carry basic authentication information. When both a user name and a password are present, they are used to authenticate the message. A UsernameToken that carries only the user name is used in identity assertion, which establishes the identity of the user based on a trust relationship with the sender.
- Configuring the token generator on the application level
- Configuring the key locator for the generator binding on the application level
- Configuring the key information for the generator binding on the application level
- Configuring the signing information for the generator binding on the application level
- Configuring the encryption information for the generator binding on the application level
- Configuring trust anchors for the consumer binding on the application level
- Configuring the collection certificate store for the consumer binding on the application level
- Binary security token
The BinarySecurityToken element defines a security token that is binary encoded. The EncodingType attribute specifies how the security token is encoded, for example, Base64Binary. The ValueType attribute identifies the type and value space of the security token, for example, a Lightweight Third Party Authentication (LTPA) token. The Web services security implementation for WAS Version 6.x supports both LTPA and X.509 certificate binary security tokens.
- Configuring token consumer on the application level
- Configuring the key locator for the consumer binding on the application level
- Configuring the key information for the consumer binding on the application level
- Configuring the signing information for the consumer binding on the application level
- Configuring the encryption information for the consumer binding on the application level
- Retrieving tokens from the JAAS Subject in a server application
- Retrieving tokens from the JAAS Subject in a client application
- Configuring trust anchors on the server or cell level
- Configuring the collection certificate store on the server or cell-level bindings
- Distributed nonce caching
The distributed nonce caching feature enables you to distribute the cache for a nonce to different servers in a cluster.
- Configuring a nonce on the server or cell level
- Configuring token generators on the server or cell level
- Configuring the key locator on the server or cell level
- Configuring the key information for the generator binding on the server or cell level
- Configuring the signing information for the generator binding on the server or cell level
- Configuring the encryption information for the generator binding on the server or cell level
- Configuring trusted ID evaluators on the server or cell level
- Configuring token consumers on the server or cell level
- Configuring the key information for the consumer binding on the server or cell level
- Configuring the signing information for the consumer binding on the server or cell level
- Configuring the encryption information for the consumer binding on the server or cell level
- Tuning Web services security
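The nonce, timestamp and UsernameToken descriptions above explain what the token generator emits and what the token consumer must check; the following added example (not WebSphere code and not part of this page) shows that exchange end to end in Python. The generator side builds a UsernameToken carrying a random Nonce and a Created timestamp, and the consumer side rejects stale timestamps, replayed nonces and bad credentials. It assumes the PasswordDigest form defined by the WS-Security UsernameToken Profile 1.0, Base64(SHA-1(nonce + created + password)), which this page does not itself describe, and it uses an in-process dictionary as a stand-in for the product's nonce cache; the user "alice", the password and the fixed timestamps are constructed test data.

```python
"""Constructed example: WS-Security UsernameToken with Nonce/Created on the
generator side, and replay/freshness/digest checks on the consumer side."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken Profile 1.0 (assumption, not from the page): Base64(SHA-1(nonce + created + password))
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def generate_username_token(username: str, password: str, now=None, nonce=None) -> str:
    """Generator side: a UsernameToken with a fresh random nonce and Created time."""
    now = now or datetime.now(timezone.utc)
    nonce = nonce or os.urandom(16)
    created = now.strftime(TIME_FMT)
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{B64_ENCODING}">{base64.b64encode(nonce).decode()}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


class UsernameTokenConsumer:
    """Consumer side: freshness window plus a nonce cache (a dict stands in for the product's cache)."""

    def __init__(self, credentials: dict, freshness: timedelta = timedelta(minutes=5)):
        self.credentials = credentials      # username -> password (constructed user store)
        self.freshness = freshness          # allowed clock skew / token lifetime
        self.seen = {}                      # nonce (base64) -> expiry time

    def consume(self, token_xml: str, now=None):
        now = now or datetime.now(timezone.utc)
        ns = {"wsse": WSSE, "wsu": WSU}
        el = ET.fromstring(token_xml)
        username = el.findtext("wsse:Username", namespaces=ns)
        pw = el.find("wsse:Password", ns)
        nonce_b64 = el.findtext("wsse:Nonce", namespaces=ns)
        created = el.findtext("wsu:Created", namespaces=ns)
        if None in (username, pw, nonce_b64, created):
            return False, "missing element"
        if pw.get("Type") != DIGEST_TYPE:
            return False, "plaintext password not accepted"
        created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created_dt) > self.freshness:
            return False, "stale timestamp"          # outside the window: replay or bad clock
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}  # purge expired entries
        if nonce_b64 in self.seen:
            return False, "replayed nonce"
        password = self.credentials.get(username)
        if password is None:
            return False, "unknown user"
        expected = password_digest(base64.b64decode(nonce_b64), created, password)
        if not hmac.compare_digest(expected, pw.text or ""):
            return False, "bad digest"
        self.seen[nonce_b64] = now + self.freshness  # cache only after the token verified
        return True, "ok"


def replay_demo():
    """Run the normal, replayed, stale and wrong-password cases; returns the consumer's verdicts."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    consumer = UsernameTokenConsumer({"alice": "s3cret"})
    token = generate_username_token("alice", "s3cret", now=t0)
    first = consumer.consume(token, now=t0)
    replayed = consumer.consume(token, now=t0 + timedelta(seconds=30))
    stale = consumer.consume(generate_username_token("alice", "s3cret", now=t0), now=t0 + timedelta(minutes=10))
    wrong = consumer.consume(generate_username_token("alice", "wrong", now=t0), now=t0)
    return [first[1], replayed[1], stale[1], wrong[1]]


if __name__ == "__main__":
    print(replay_demo())
```

The nonce is recorded only after the digest verifies, so an attacker cannot fill the cache with garbage nonces to deny service to a legitimate client; the freshness window bounds how long the cache must remember a nonce, which is why the timestamp check and the nonce cache are configured together. In a cluster, the same check only holds if every server consults the shared cache, which is the point of the distributed nonce caching feature.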
Related tasks
Configuring an application for Web services security