Supported functionality from OASIS specifications
WAS V6.0.x supports the following OASIS Web services security specifications and profiles.
- SOAP Message Security 1.0 (WS-Security 2004)
- UsernameToken Profile 1.0
- Web Services Security X.509 Certificate Token Profile 1.0
SOAP Message Security 1.0 (WS-Security 2004)
The following list shows the aspects of the SOAP Message Security 1.0 (WS-Security 2004) specification that are supported in WAS V6.0.x.
Security header
- @S11:actor (for an intermediary)
- @S11:mustUnderstand
Security tokens
- Username token (user name and password)
- Binary security token (X.509 and LTPA)
- Custom token
Token references
- Direct reference
- Key identifier
- Key name
- Embedded reference
Signature algorithms
- Digest - SHA1
- MAC - HMAC-SHA1
- Signature
  - DSA with SHA1
  - RSA with SHA1
- Canonicalization
  - Canonical XML (with comments)
  - Canonical XML (without comments)
  - Exclusive XML canonicalization (with comments)
  - Exclusive XML canonicalization (without comments)
- Transform
  - STR transform
  - XPath
  - Enveloped signature
  - XPath Filter2
  - Decryption transform
Signature signed parts
- WAS key words (key word: what it signs)
  - body: the SOAP message body
  - timestamp: all of the time stamps
  - securitytoken: all of the security tokens
  - dsigkey: the signing key
  - enckey: the encryption key
  - messageid: the wsa:MessageID element in WS-Addressing
  - to: the wsa:To element in WS-Addressing
  - action: the wsa:Action element in WS-Addressing
  - relatesto: the wsa:RelatesTo element in WS-Addressing
  wsa is the namespace prefix of http://schemas.xmlsoap.org/ws/2004/08/addressing
- XPath expression to select an XML element in a Simple Object Access Protocol (SOAP) message. For more information, see http://www.w3.org/TR/1999/REC-xpath-19991116.
Encryption algorithms
- Block encryption
  - Triple DES in CBC
  - AES128 in CBC
  - AES192 in CBC. This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings.
  - AES256 in CBC. This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings.
- Key transport
- Symmetric key wrap
  - Triple DES key wrap
  - AES key wrap (aes128)
  - AES key wrap (aes192). This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings.
  - AES key wrap (aes256). This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings.
- Manifests (xenc is the namespace prefix of http://www.w3.org/TR/xmlenc-core)
  - xenc:ReferenceList
  - xenc:EncryptedKey
Advanced Encryption Standard (AES) is designed to provide stronger security and better performance for symmetric key encryption than Triple DES. Therefore, it is recommended that you use AES, if possible, for symmetric key encryption.
Encryption message parts
- WAS keywords (keyword: what it encrypts)
  - bodycontent: the SOAP body content
  - usernametoken: the username token
  - digestvalue: the digest value of the digital signature
- XPath expression to select the XML element in the SOAP message
- XML elements
- XML element contents
Time stamp
- Within Web services security header
- WAS is extended to allow you to insert time stamps into other elements so that the age of those elements can be determined.
Error handling
- SOAP faults
UsernameToken Profile 1.0
The following list shows the aspects of the UsernameToken Profile 1.0 specification that are supported in WAS V6.0.x.
Password types
- Text
Token references
- Direct reference
X.509 Certificate Token Profile
The following list shows the aspects of the X.509 Certificate Token Profile specification that are supported in WAS V6.0.x.
Token types
- X.509 V3: Single certificate
- X.509 V3: X509PKIPathv1 without certificate revocation lists (CRL)
- X.509 V3: PKCS7 with or without CRLs. The IBM SDK supports both. The Sun JDK supports PKCS7 without CRL only.
Token references
- Key identifier – subject key identifier
- Direct reference
- Custom reference – issuer name and serial number
Functionality that is not supported
The following list shows functionality that is defined in the OASIS specifications, OASIS drafts, and other recommendations, but is not supported by WAS V6.0.x:
- Non-managed client with Web services security. For example, a J2SE client or a Dynamic Invocation Interface (DII) client
- The Web services security binding is not collected during the application installation process. It can be configured after the application is deployed.
- Web services security for SOAP attachment
- SAML token profile, WS-SecurityKerberos token profile, and XrML token profile
- Web Services Interoperability Organization (WS-I) basic security profile
- XML enveloping digital signature
- XML enveloping digital encryption
- Security header
  - @S12:role (S12 is the namespace prefix of http://www.w3.org/2003/05/soap-envelope)
- The following transform algorithms for digital signatures are not supported:
  - XSLT: http://www.w3.org/TR/1999/REC-xslt-19991116
  - SOAP Message Normalization. For more information, see SOAP V1.2 Message Normalization.
- The following key transport algorithm for encryption is not supported:
- The following key agreement algorithm for encryption is not supported:
- The following canonicalization algorithms for encryption, which are optional in the XML encryption specification, are not supported:
  - Canonical XML with or without comments
  - Exclusive XML canonicalization with or without comments
- In the Username Token V1.0 Profile specification, the digest password type is not supported.
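An added example, not part of the IBM documentation and not WebSphere's own code: a Python check that reads the wsse:Security header of a SOAP 1.1 envelope and reports the signature, canonicalization, transform and password-type URIs that fall outside the support lists above (for instance the digest password type or the XSLT transform), so a deployer can tell in advance which inbound messages the runtime would not handle. The namespace and algorithm URIs are the standard OASIS and W3C ones; the sample envelope is constructed for the example.

```python
import xml.etree.ElementTree as ET

S11 = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
EXC = "http://www.w3.org/2001/10/xml-exc-c14n#"
# Algorithm URIs that correspond to the support lists above (SHA1-era suites only).
SUPPORTED = {
    "SignatureMethod": {DSIG + "rsa-sha1", DSIG + "dsa-sha1", DSIG + "hmac-sha1"},
    "DigestMethod": {DSIG + "sha1"},
    "CanonicalizationMethod": {C14N, C14N + "#WithComments", EXC, EXC + "WithComments"},
    "Transform": {DSIG + "enveloped-signature", "http://www.w3.org/TR/1999/REC-xpath-19991116",
                  "http://www.w3.org/2002/06/xmldsig-filter2", "http://www.w3.org/2002/07/decrypt#XML",
                  "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"},
    "PasswordType": {UTP + "PasswordText"},  # the digest password type is listed as not supported
}

def check_wss_support(envelope_xml):
    """Return (element, URI) pairs found in wsse:Security that are outside the support lists."""
    root = ET.fromstring(envelope_xml)
    header = root.find("{%s}Header/{%s}Security" % (S11, WSSE))
    if header is None:
        return [("Security", "no wsse:Security header")]
    findings = []
    for tag in ("SignatureMethod", "DigestMethod", "CanonicalizationMethod", "Transform"):
        for el in header.iter("{%s}%s" % (DSIG, tag)):
            if el.get("Algorithm") not in SUPPORTED[tag]:
                findings.append((tag, el.get("Algorithm")))
    for pw in header.iter("{%s}Password" % WSSE):
        pw_type = pw.get("Type", UTP + "PasswordText")  # the profile's default type is text
        if pw_type not in SUPPORTED["PasswordType"]:
            findings.append(("PasswordType", pw_type))
    return findings

# Constructed sample envelope: a digest password type plus an XSLT transform, both unsupported.
SAMPLE = """<S11:Envelope xmlns:S11="%s"><S11:Header><wsse:Security xmlns:wsse="%s" S11:mustUnderstand="1">
<wsse:UsernameToken><wsse:Username>alice</wsse:Username>
<wsse:Password Type="%sPasswordDigest">c2VjcmV0</wsse:Password></wsse:UsernameToken>
<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="%s"/>
<ds:SignatureMethod Algorithm="%srsa-sha1"/><ds:Reference URI="#body"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116"/></ds:Transforms>
<ds:DigestMethod Algorithm="%ssha1"/><ds:DigestValue>AA==</ds:DigestValue></ds:Reference>
</ds:SignedInfo><ds:SignatureValue>AA==</ds:SignatureValue></ds:Signature>
</wsse:Security></S11:Header><S11:Body/></S11:Envelope>""" % (S11, WSSE, UTP, DSIG, EXC, DSIG, DSIG)

if __name__ == "__main__":
    for tag, uri in check_wss_support(SAMPLE):
        print("not supported:", tag, uri)
```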
See Also
Encryption information configuration settings