
Supported functionality from OASIS specifications

 

WebSphere Application Server (WAS) V6 and later supports the Organization for the Advancement of Structured Information Standards (OASIS) Web Services Security (WS-Security) specifications. WAS supports the OASIS Web Services Security V1.0 specifications that are listed in this topic.

These OASIS standards have been updated to support the latest versions of the Web Services Security (WS-Security) specifications and tokens. V1.1 provides better security verification for signatures, a standard way of encrypting SOAP headers, and meets the requirements of the interoperability scenarios that use features from Web Services Security V1.1.

 

OASIS: Web Services Security SOAP Message Security 1.0

The following list shows the aspects of the OASIS: Web Services Security: SOAP Message Security 1.0 specification that are supported in WebSphere Application Server Versions 6 and later.

Supported topic, with the specific aspects that are supported:
Security header

  • @S11:actor (for an intermediary)

  • @S11:mustUnderstand

Security tokens

Token references

  • Direct reference

  • Key identifier

  • Key name

  • Embedded reference

Signature algorithms

  • Digest

    • SHA1: http://www.w3.org/2000/09/xmldsig#sha1

    • SHA256: http://www.w3.org/2001/04/xmlenc#sha256

    • SHA512: http://www.w3.org/2001/04/xmlenc#sha512

  • MAC

    • HMAC-SHA1: http://www.w3.org/2000/09/xmldsig#hmac-sha1

  • Signature

    • DSA with SHA1: http://www.w3.org/2000/09/xmldsig#dsa-sha1

      Do not use this algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP).

    • RSA with SHA1: http://www.w3.org/2000/09/xmldsig#rsa-sha1

  • Canonicalization

    • Canonical XML (with comments): http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

    • Canonical XML (without comments): http://www.w3.org/TR/2001/REC-xml-c14n-20010315

    • Exclusive XML canonicalization (with comments): http://www.w3.org/2001/10/xml-exc-c14n#WithComments

    • Exclusive XML canonicalization (without comments): http://www.w3.org/2001/10/xml-exc-c14n#

  • Transform

    • STR transform: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform

    • XPath: http://www.w3.org/TR/1999/REC-xpath-19991116

      Do not use the original XPath transform if you want your configured application to be in compliance with the Basic Security Profile (BSP). When referring to an element in a SECURE_ENVELOPE that does not carry an attribute of type ID from a ds:Reference in a SIGNATURE, use the XPath Filter 2.0 transform, http://www.w3.org/2002/06/xmldsig-filter2.

    • Enveloped signature: http://www.w3.org/2000/09/xmldsig#enveloped-signature

    • XPath Filter 2: http://www.w3.org/2002/06/xmldsig-filter2

      Use this transform when referring to an element in a SECURE_ENVELOPE that does not carry an attribute of type ID from a ds:Reference in a SIGNATURE.

    • Decryption transform: http://www.w3.org/2002/07/decrypt#XML

Signature signed parts

  • WAS key words:

    • body, which signs the SOAP message body

    • timestamp, which signs all of the time stamps

    • securitytoken, which signs all of the security tokens

    • dsigkey, which signs the signing key

    • enckey, which signs the encryption key

    • messageid, which signs the wsa:MessageID element in WS-Addressing

    • to, which signs the wsa:To element in WS-Addressing

    • action, which signs the wsa:Action element in WS-Addressing

    • relatesto, which signs the wsa:RelatesTo element in WS-Addressing

      wsa is the namespace prefix of http://schemas.xmlsoap.org/ws/2004/08/addressing

    • wscontext, which specifies the WS-Context header for the SOAP header. For more information, see Propagating work area context over Web services.

    • wsafrom, which specifies the <wsa:From> WS-Addressing From element in the SOAP header.

    • wsareplyto, which specifies the <wsa:ReplyTo> WS-Addressing ReplyTo element in the SOAP header.

    • wsafaultto, which specifies the <wsa:FaultTo> WS-Addressing FaultTo element in the SOAP header.

    • wsaall, which specifies all of the WS-Addressing elements in the SOAP header.

  • XPath expression to select an XML element in a SOAP message. For more information, see http://www.w3.org/TR/1999/REC-xpath-19991116.

Encryption algorithms

  • Data encryption

    • Triple DES in CBC: http://www.w3.org/2001/04/xmlenc#tripledes-cbc

    • AES128 in CBC: http://www.w3.org/2001/04/xmlenc#aes128-cbc

    • AES192 in CBC: http://www.w3.org/2001/04/xmlenc#aes192-cbc

      This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.

      Do not use the 192-bit data encryption algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP).

    • AES256 in CBC: http://www.w3.org/2001/04/xmlenc#aes256-cbc

      This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.

  • Key encryption

  • Manifests (xenc is the namespace prefix of http://www.w3.org/TR/xmlenc-core)

    • xenc:ReferenceList

    • xenc:EncryptedKey

The Advanced Encryption Standard (AES) is designed to provide stronger security and better performance for symmetric key encryption than Triple DES (Data Encryption Standard). Therefore, it is recommended that you use AES, if possible, for symmetric key encryption.
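The following Python script is an added example, not code from this page or from WebSphere Application Server. It audits the Algorithm URIs that appear in a WS-Security SOAP message against the signature, canonicalization, transform and data encryption URIs listed in the two tables above, and flags the three the page says to avoid under the Basic Security Profile (DSA with SHA1, the original XPath transform, and AES192 in CBC). The sample message, the function names audit_algorithms and bsp_violations, and the wsse and wsu namespace URIs (the WSS 1.0 secext and utility namespaces, which this page does not list) are assumptions of the example. Because the page gives no key encryption algorithms, the script skips xenc:EncryptedKey subtrees rather than reporting them.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"

# Algorithm URIs this page lists as supported for signing, canonicalization,
# transforms and data encryption (key-encryption URIs are not listed on the page).
SUPPORTED = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmlenc#sha512",
    "http://www.w3.org/2000/09/xmldsig#hmac-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform",
    "http://www.w3.org/TR/1999/REC-xpath-19991116",
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2002/06/xmldsig-filter2",
    "http://www.w3.org/2002/07/decrypt#XML",
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
}

# URIs the page says not to use when the application must comply with the BSP.
NOT_BSP = {
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/TR/1999/REC-xpath-19991116",
    "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
}


def audit_algorithms(soap_xml):
    """Return (element local name, Algorithm URI, status) in document order.

    status is "ok", "not-bsp" (listed, but flagged against the BSP) or
    "not-listed" (absent from this page's list).  xenc:EncryptedKey subtrees
    are skipped because the page lists no key-encryption algorithms.
    """
    findings = []

    def walk(elem):
        if elem.tag == "{%s}EncryptedKey" % XENC:
            return
        uri = elem.get("Algorithm")
        if uri is not None:
            if uri not in SUPPORTED:
                status = "not-listed"
            elif uri in NOT_BSP:
                status = "not-bsp"
            else:
                status = "ok"
            findings.append((elem.tag.rsplit("}", 1)[-1], uri, status))
        for child in elem:
            walk(child)

    walk(ET.fromstring(soap_xml))
    return findings


def bsp_violations(soap_xml):
    """Only the findings a BSP-compliant deployment would have to fix."""
    return [f for f in audit_algorithms(soap_xml) if f[2] != "ok"]


# Constructed sample: a signed, body-encrypted message that uses all three
# URIs the page warns about.  The wsse/wsu namespaces are the WSS 1.0
# secext and utility namespaces (assumed here; not listed on the page).
SAMPLE = """<S11:Envelope xmlns:S11="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
 <S11:Header><wsse:Security S11:mustUnderstand="1"><ds:Signature><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
  <ds:Reference URI="#body"><ds:Transforms>
   <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"/>
  </ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
 </wsse:Security></S11:Header>
 <S11:Body wsu:Id="body"><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Content">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
  <xenc:CipherData><xenc:CipherValue>placeholder</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData></S11:Body></S11:Envelope>"""

if __name__ == "__main__":
    for name, uri, status in audit_algorithms(SAMPLE):
        print("%-22s %-10s %s" % (name, status, uri))
```

Run against the sample, the script reports five Algorithm attributes and marks the SignatureMethod, Transform and EncryptionMethod as BSP findings; the "not-listed" status catches any URI outside the page's tables, which is the usual sign of a client or intermediary negotiating an algorithm the server was never configured for.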

Encryption message parts

  • WAS keywords

    • bodycontent, which is used to encrypt the SOAP body content

    • usernametoken, which is used to encrypt the username token

    • digestvalue, which is used to encrypt the digest value of the digital signature

    • signature, which is used to encrypt the entire digital signature

    • wscontextcontent, which encrypts the content in the WS-Context header for the SOAP header. For more information, see Propagating work area context over Web services.

  • XPath expression to select the XML element in the SOAP message

    • XML elements

    • XML element contents

Time stamp

  • Within Web services security header

  • WAS is extended to allow you to insert time stamps into other elements so that the age of those elements can be determined.

Error handling

  • SOAP faults

 

OASIS: Web Services Security UsernameToken Profile 1.0

The following list shows the aspects of the OASIS: Web Services Security Username Token Profile 1.0 specification that are supported in WebSphere Application Server.

Supported topic, with the specific aspects that are supported:

Password types

  • Text

Token references

  • Direct reference

 

OASIS: Web Services Security X.509 Certificate Token Profile 1.0

The following list shows the aspects of the OASIS: Web Services Security X.509 Certificate Token Profile specification that are supported in WAS Versions 6 and later.

Supported topic, with the specific aspects that are supported:
Token types

  • X.509 V3: Single certificate

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3

  • X.509 V3: X509PKIPathv1 without certificate revocation lists (CRL)

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1

  • X.509 V3: PKCS7 with or without CRLs. The IBM software development kit (SDK) supports both. The Sun Java Development Kit (JDK) supports PKCS7 without CRL only.

Token references

  • Key identifier – subject key identifier

  • Direct reference

  • Custom reference – issuer name and serial number

 

Functionality that is not supported by WebSphere Application Server Versions 6 and later

The following list shows the functionality that is supported in the OASIS specifications, OASIS drafts, and other recommendations but is not supported by WAS V6 and later:




 

Related concepts


Basic Security Profile compliance tips
What is new for securing Web services

 

Related Reference


Encryption information configuration settings: Message parts