Supported functionality from OASIS specifications

Supported functionality from OASIS specifications

WAS V6 and later support Organization for the Advancement of Structured Information (OASIS) Web Services Security (WS-Security) specifications. WAS supports these OASIS Web Services Security V1.0 specifications.

OASIS: Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)

OASIS: Web Services Security: UsernameToken Profile 1.0

OASIS: Web Services Security X.509 Certificate Token Profile 1.0

These OASIS standards have been updated to support the latest versions of Web Service Security (WS-Security) specifications and tokens. V1.1 provides better security verification for signature, a standard way of encrypting SOAP headers, and meets the requirement from some of the interoperability scenarios that use features from Web Service Security V1.1.

OASIS: Web Services Security SOAP Message Security 1.0

The following list shows the aspects of the OASIS: Web Services Security: SOAP Message Security 1.0 specification that are supported in WebSphere Application Server Versions 6 and later.

Supported topic Specific aspect that is supported

Security header

@S11:actor (for an intermediary)

@S11:mustUnderstand

Security tokens

Username token (user name and password)

Binary security token (X.509 and LTPA)

Custom token

Other binary security token

XML token
WAS does not provide an implementation, but you can use an XML token with plug-in point.

Token references

Direct reference

Key identifier

Key name

Embedded reference

Signature algorithms

Digest

SHA1

http://www.w3.org/2000/09/xmldsig#sha1

SHA256

http://www.w3.org/2001/04/xmlenc#sha256

SHA512

http://www.w3.org/2001/04/xmlenc#sha512

MAC

HMAC-SHA1

http://www.w3.org/2000/09/xmldsig#hmac-sha1

Signature

DSA with SHA1

http://www.w3.org/2000/09/xmldsig#dsa-sha1
Do not use this algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP)

RSA with SHA1

http://www.w3.org/2000/09/xmldsig#rsa-sha1

Canonicalization

Canonical XML (with comments)

http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

Canonical XML (without comments)

http://www.w3.org/TR/2001/REC-xml-c14n-20010315

Exclusive XML canonicalization (with comments)

http://www.w3.org/2001/10/xml-exc-c14n#WithComments

Exclusive XML canonicalization (without comments)

http://www.w3.org/2001/10/xml-exc-c14n#

Transform

STR transform

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage- security-1.0#STR-Transform
XPath

http://www.w3.org/TR/1999/REC-xpath-19991116Do not use the original XPATH transform if you want your configured application to be in compliance with the Basic Security Profile (BSP).
When referring to an element in a SECURE_ENVELOPE that does not carry an attribute of type ID from a ds:Reference in a SIGNATURE, use the XPATH Filter 2.0 Transform, http://www.w3.org/2002/06/xmldsig-filter2

Enveloped signature

http://www.w3.org/2000/09/xmldsig#enveloped-signature

XPath Filter2

http://www.w3.org/2002/06/xmldsig-filter2
When referring to an element in a SECURE_ENVELOPE that does not carry an ID attribute type from a ds:Reference in a SIGNATURE, use the XPATH Filter 2.0 Transform,

Decryption transform

http://www.w3.org/2002/07/decrypt#XML

Signature signed parts

WAS key words:

body, which signs the SOAP message body

timestamp, which signs all of the time stamps

securitytoken, which signs all of the security tokens

dsigkey, which signs the signing key

enckey, which signs the encryption key

messageid, which signs the wsa :MessageID element in WS-Addressing.

to, which signs the wsa:To element in WS-Addressing

action, which signs the wsa:Action element in WS-Addressing

relatesto, which signs the wsa:RelatesTo element in WS-Addressing
wsa is the namespace prefix of http://schemas.xmlsoap.org/ws/2004/08/addressing

wscontext, which specifies the WS-Context header for the SOAP header. For more information, see Propagating work area context over Web services.

wsafrom, which specifies the <wsa:From> WS-Addressing From element in the SOAP header.

wsareplyto, which specifies the <wsa:ReplyTo> WS-Addressing ReplyTo element in the SOAP header.

wsafaultto, which specifies the <wsa:FaultTo> WS-Addressing FaultTo element in the SOAP header.

wsaall, which specifies all of the WS-Addressing elements in the SOAP header.

XPath expression to select an XML element in a SOAP message. For more information, see http://www.w3.org/TR/1999/REC-xpath-19991116.

Encryption algorithms

Data encryption

Triple DES in CBC: http://www.w3.org/2001/04/xmlenc#tripledes-cbc

AES128 in CBC: http://www.w3.org/2001/04/xmlenc#aes128-cbc

AES192 in CBC: http://www.w3.org/2001/04/xmlenc#aes192-cbc
This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.
Do not use the 192-bit data encryption algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP).

AES256 in CBC: http://www.w3.org/2001/04/xmlenc#aes256-cbc
This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.

Key encryption

Key transport (public key cryptography)

http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.

When running with Software Development Kit (SDK) V1.4, the list of supported key transport algorithms does not include this one. This algorithm appears in the list of supported key transport algorithms when running with SDK V1.5.

Use of the Federal Information Processing Standard (FIPS)-compliant Java cryptography engine does not support this transport algorithm.

RSA V1.5: http://www.w3.org/2001/04/xmlenc#rsa-1_5

Symmetric key wrap (private key cryptography)

Triple DES key wrap: http://www.w3.org/2001/04/xmlenc#kw-tripledes

AES key wrap (aes128): http://www.w3.org/2001/04/xmlenc#kw-aes128

AES key wrap (aes192): http://www.w3.org/2001/04/xmlenc#kw-aes192
This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.
Do not use the 192-bit data encryption algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP).

AES key wrap (aes256): http://www.w3.org/2001/04/xmlenc#kw-aes256
This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.

Manifests-xenc is the namespace prefix of http://www.w3.org/TR/xmlenc-core

xenc:ReferenceList

xenc:EncryptedKey

Advanced Encryption Standard (AES) is designed to provide stronger and better performance for symmetric key encryption over Triple-DES (data encryption standard). Therefore, it is recommended that you use AES, if possible, for symmetric key encryption.
Encryption message parts

WAS keywords

bodycontent, which is used to encrypt the SOAP body content

usernametoken, which is used to encrypt the username token

digestvalue, which is used to encrypt the digest value of the digital signature

signature, which is used to encrypt the entire digital signature

wscontextcontent, which encrypts the content in the WS-Context header for the SOAP header. For more information, see Propagating work area context over Web services.

XPath expression to select the XML element in the SOAP message

XML elements

XML element contents

Time stamp

Within Web services security header

WAS is extended to allow you to insert time stamps into other elements so that the age of those elements can be determined.

Error handling SOAP faults

OASIS: Web Services Security UsernameToken Profile 1.0

The following list shows the aspects of the OASIS: Web Services Security Username Token Profile 1.0 specification that is supported in WebSphere Application Server.

Supported topic Specific aspect that is supported

Password types Text
Token references Direct reference

OASIS: Web Services Security X.509 Certificate Token Profile 1.0

The following list shows the aspects of the OASIS: Web Services Security X.509 Certificate Token Profile specification that is supported in WAS Versions 6 and later.

Supported topic Specific aspect that is supported

Token types

X.509 V3: Single certificate
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509- token-profile-1.0#X509v3

X.509 V3: X509PKIPathv1 without certificate revocation lists (CRL)
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509- token-profile-1.0#X509PKIPathv1

X.509 V3: PKCS7 with or without CRLs. The IBM software development kit (SDK) supports both. The Sun Java Development Kit (JDK) supports PKCS7 without CRL only.

Token references

Key identifier – subject key identifier

Direct reference

Custom reference – issuer name and serial number

Functionality that is not supported by WebSphere Application Server Versions 6 and later
The following list shows the functionality that is supported in the OASIS specifications, OASIS drafts, and other recommendations but is not supported by WAS V6 and later:

The Web services security binding is not collected during the application installation process. It can be configured after the application is deployed.

Security header

@S12:role
S12 is the namespace prefix of http://www.w3.org/2003/05/soap-envelope

Nonmanaged client with Web services security. For example, a Java 2 Platform, Standard Edition (J2SE) client or a Dynamic Invocation Interface (DII) client

Web services security for SOAP attachment

Security Assertion Markup Language (SAML) token profile, WS-SecurityKerberos token profile, and XrML token profile

XML enveloping digital signature

XML enveloping digital encryption

The following transform algorithms for digital signatures are not supported:

XSLT: http://www.w3.org/TR/1999/REC-xslt-19991116

SOAP Message Normalization
See SOAP V1.2 Message Normalization for information, such as an empty header or header entry with mustUnderstand=false is removed, and so forth.

The following key agreement algorithm for encryption is not supported:

Diffie-Hellman: http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#sec-DHKeyValue

The following canonicalization algorithm for encryption, which is optional in the XML encryption specification, is not supported:

Canonical XML with or without comments

Exclusive XML Canonicalization with or without comments

DSA digital signature is not supported.

Pre-agreed symmetric key data encryption is not supported.

Auditing for nonrepudiation for digital signatures is not supported.

In both versions of the Username Token Profile specification, the digest password type is not supported.

Related concepts

Basic Security Profile compliance tips
What is new for securing Web services

Related Reference

Encryption information configuration settings: Message parts

Supported topic	Specific aspect that is supported
Security header	@S11:actor (for an intermediary) @S11:mustUnderstand
Security tokens	Username token (user name and password) Binary security token (X.509 and LTPA) Custom token Other binary security token XML token WAS does not provide an implementation, but you can use an XML token with plug-in point.
Token references	Direct reference Key identifier Key name Embedded reference
Signature algorithms	Digest SHA1 http://www.w3.org/2000/09/xmldsig#sha1 SHA256 http://www.w3.org/2001/04/xmlenc#sha256 SHA512 http://www.w3.org/2001/04/xmlenc#sha512 MAC HMAC-SHA1 http://www.w3.org/2000/09/xmldsig#hmac-sha1 Signature DSA with SHA1 http://www.w3.org/2000/09/xmldsig#dsa-sha1 Do not use this algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP) RSA with SHA1 http://www.w3.org/2000/09/xmldsig#rsa-sha1 Canonicalization Canonical XML (with comments) http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments Canonical XML (without comments) http://www.w3.org/TR/2001/REC-xml-c14n-20010315 Exclusive XML canonicalization (with comments) http://www.w3.org/2001/10/xml-exc-c14n#WithComments Exclusive XML canonicalization (without comments) http://www.w3.org/2001/10/xml-exc-c14n# Transform STR transform http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage- security-1.0#STR-Transform XPath http://www.w3.org/TR/1999/REC-xpath-19991116Do not use the original XPATH transform if you want your configured application to be in compliance with the Basic Security Profile (BSP). When referring to an element in a SECURE_ENVELOPE that does not carry an attribute of type ID from a ds:Reference in a SIGNATURE, use the XPATH Filter 2.0 Transform, http://www.w3.org/2002/06/xmldsig-filter2 Enveloped signature http://www.w3.org/2000/09/xmldsig#enveloped-signature XPath Filter2 http://www.w3.org/2002/06/xmldsig-filter2 When referring to an element in a SECURE_ENVELOPE that does not carry an ID attribute type from a ds:Reference in a SIGNATURE, use the XPATH Filter 2.0 Transform, Decryption transform http://www.w3.org/2002/07/decrypt#XML
Signature signed parts	WAS key words: body, which signs the SOAP message body timestamp, which signs all of the time stamps securitytoken, which signs all of the security tokens dsigkey, which signs the signing key enckey, which signs the encryption key messageid, which signs the wsa :MessageID element in WS-Addressing. to, which signs the wsa:To element in WS-Addressing action, which signs the wsa:Action element in WS-Addressing relatesto, which signs the wsa:RelatesTo element in WS-Addressing wsa is the namespace prefix of http://schemas.xmlsoap.org/ws/2004/08/addressing wscontext, which specifies the WS-Context header for the SOAP header. For more information, see Propagating work area context over Web services. wsafrom, which specifies the <wsa:From> WS-Addressing From element in the SOAP header. wsareplyto, which specifies the <wsa:ReplyTo> WS-Addressing ReplyTo element in the SOAP header. wsafaultto, which specifies the <wsa:FaultTo> WS-Addressing FaultTo element in the SOAP header. wsaall, which specifies all of the WS-Addressing elements in the SOAP header. XPath expression to select an XML element in a SOAP message. For more information, see http://www.w3.org/TR/1999/REC-xpath-19991116.
Encryption algorithms	Data encryption Triple DES in CBC: http://www.w3.org/2001/04/xmlenc#tripledes-cbc AES128 in CBC: http://www.w3.org/2001/04/xmlenc#aes128-cbc AES192 in CBC: http://www.w3.org/2001/04/xmlenc#aes192-cbc This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts. Do not use the 192-bit data encryption algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP). AES256 in CBC: http://www.w3.org/2001/04/xmlenc#aes256-cbc This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts. Key encryption Key transport (public key cryptography) http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p. When running with Software Development Kit (SDK) V1.4, the list of supported key transport algorithms does not include this one. This algorithm appears in the list of supported key transport algorithms when running with SDK V1.5. Use of the Federal Information Processing Standard (FIPS)-compliant Java cryptography engine does not support this transport algorithm. RSA V1.5: http://www.w3.org/2001/04/xmlenc#rsa-1_5 Symmetric key wrap (private key cryptography) Triple DES key wrap: http://www.w3.org/2001/04/xmlenc#kw-tripledes AES key wrap (aes128): http://www.w3.org/2001/04/xmlenc#kw-aes128 AES key wrap (aes192): http://www.w3.org/2001/04/xmlenc#kw-aes192 This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts. Do not use the 192-bit data encryption algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP). AES key wrap (aes256): http://www.w3.org/2001/04/xmlenc#kw-aes256 This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts. Manifests-xenc is the namespace prefix of http://www.w3.org/TR/xmlenc-core xenc:ReferenceList xenc:EncryptedKey Advanced Encryption Standard (AES) is designed to provide stronger and better performance for symmetric key encryption over Triple-DES (data encryption standard). Therefore, it is recommended that you use AES, if possible, for symmetric key encryption.
Encryption message parts	WAS keywords bodycontent, which is used to encrypt the SOAP body content usernametoken, which is used to encrypt the username token digestvalue, which is used to encrypt the digest value of the digital signature signature, which is used to encrypt the entire digital signature wscontextcontent, which encrypts the content in the WS-Context header for the SOAP header. For more information, see Propagating work area context over Web services. XPath expression to select the XML element in the SOAP message XML elements XML element contents
Time stamp	Within Web services security header WAS is extended to allow you to insert time stamps into other elements so that the age of those elements can be determined.
Error handling	SOAP faults