
What is new for securing Web services

 

In WAS Versions 6 and later, there are many security enhancements for Web services. The enhancements include supporting sections of the Web services security specifications and providing architectural support for plugging in and extending the capabilities of security tokens.

 

Enhancements from the supported Web services security specifications

Since September 2002, the Organization for the Advancement of Structured Information Standards (OASIS) has been developing the Web Services Security (WS-Security) standard for SOAP messages.

In April 2004, OASIS released the Web Services security V1.0 specification, which is a major milestone for securing Web services. This specification is the foundation for other Web services security specifications and is also the basis for the Basic Security Profile (WS-I BSP) V1.0 work, which is a working draft. See Basic Security Profile for more information.

Web services security V1.0 is a strategic move towards Web services security interoperability, and it is the first step in the Web services security roadmap. For more information on the Web services security roadmap, see Security in a Web Services World: A Proposed Architecture and Roadmap. WebSphere Application Server V6.0.x and later support the following OASIS specifications and WS-I profiles:

For details on what parts of the previous specifications are supported in WAS V6.0.x and later, see Supported functionality from OASIS specifications.

 

High level features overview in WAS V6.0.x and later

The Web Services Security for SOAP Message V1.0 specification is designed to be flexible and to accommodate the requirements of Web services. For example, the V1.0 specification does not mandate any particular security token definition. Rather, it defines a generic mechanism for associating a security token with a SOAP message. The use of specific security tokens is defined in the various V1.0 security token profiles, such as:

For more information on security token profile development at OASIS, see Organization for the Advancement of Structured Information Standards.

The wire format in the Web services security V1.0 specification changed and is not compatible with the earlier drafts of the Web services security specification. An implementation of the wire format from an earlier draft cannot interoperate with an implementation of the Web Services Security V1.0 specification. Support for pluggable security tokens has been available since WebSphere Application Server V5.0.2. However, in WAS V6.0.x and later, the pluggable architecture is enhanced to support the Web services security V1.0 specification, its security token profiles, and other Web services security specifications. WAS V6 and later include the following key enhancements:

For more information on some of these enhancements, see Web services security enhancements.

 

Configuration

WebSphere Application Server uses the deployment model for implementing the Web services security V1.0 specification, the Username token V1.0 profile, and the X.509 token V1.0 profile. The deployment model is an extension of the Web services deployment model for J2EE. The Web services security constraints are defined in the IBM extension deployment descriptor and in the binding file, which is based on the Web service port. The format of the deployment descriptor and the binding file is IBM proprietary material and is not available. However, WAS provides the following tools for editing the deployment descriptor and the binding file:

Rational Application Developer

You can use Rational Application Developer to develop Web services and to configure the deployment descriptor and the binding file for Web services security. Rational Application Developer enables you to assemble both Web and EJB modules.

Application Server Toolkit

You can use the Application Server Toolkit (AST), which is an assembly tool designed for WAS, to specify the deployment descriptor and the binding file for Web services security.

console

You can use the console to configure the Web services security binding of a deployed application with Web services security constraints that are defined in the deployment descriptor.

The format of the deployment descriptor and the binding file for Web services security in WAS V6.0.x and later is different from that in WAS Versions 5.0.2, 5.1, and 5.1.1. Web services security support in WebSphere Application Server Versions 5.0.2, 5.1, and 5.1.1 is based on the Web services security draft 13 specification and the Username token draft 2 profile. Thus, this support is deprecated. However, applications that you configured using the Web services security Versions 5.0.2, 5.1, and 5.1.1 deployment descriptor and binding file can still work with WAS V6 and later. These applications use a deployment descriptor and binding file that emit SOAP message security in the draft 13 specification format. The Web services security deployment descriptor and binding file for WebSphere Application Server V6.0.x and later are available for a J2EE V1.4 application only. Therefore, the Web services security V1.0 specification is supported for a J2EE V1.4 application only. To take advantage of implementations associated with the Web services security Version 1.0 specification:

An automatic process does not exist for migrating the deployment descriptor and the binding file for Web services security from the V5.0.2, 5.1, and 5.1.1 format to the new V6.0.x and later format using the Rational Application Developer and Application Server Toolkit. You must migrate the configuration manually.

The Web services security support in WAS V6.0 is based in part on the OASIS specification titled Web Services Security: X.509 Token Profile 1.0 plus the first errata (Errata 1.0).

In the first errata, the URIs for the X.509 token type and the X.509 Subject Key Identifier value type were modified. WAS Version 6.0 was based on these modified URIs. After WAS Version 6.0 shipped, the OASIS Technical Committee reversed those changes, reverting back to the original 1.0 profile URIs.

There could be interoperability problems between WAS V6.0 and other vendors' Web services products that are based on the current version of the profile. WAS was fixed in Versions 6.0.2 and 6.0.1.2 to comply with the latest version of the profile. If WAS Version 6.0 is used in a heterogeneous environment with other vendors' Web services products, it is recommended that you upgrade the server to V6.0.1.2, 6.0.2, or later, or install a service fix that includes APAR PK03507.

 

FIPS support in WAS

In WAS, Federal Information Processing Standard (FIPS) compliant algorithms for key encryption, data encryption, signature, and digest are supported. To enable this mode in the WebSphere console, click Security > SSL certificate and key management. Then select Use the United States Federal Information Processing Standard (FIPS) algorithms.

After you select this option and restart WAS, the lists of available algorithms displayed in the Web services security binding configuration panels of the console contain only FIPS-compliant algorithms.

If a previously deployed application was configured to use a noncompliant algorithm, that application no longer starts after FIPS mode is enabled in WAS. The error message Unauthorized data encryption method appears in the case of a noncompliant data encryption algorithm. Similar errors are displayed for unauthorized key encryption, digest, and signature methods.
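The token-association mechanism described above (a wsse:Security header carrying the token, the signature, and the encrypted key) and the FIPS start-up failure are both things an operator can check on the wire before enabling FIPS mode. The following script is an added example and is not IBM's code: it parses a WS-Security SOAP envelope with the standard library, lists the tokens it carries, reports an X.509 BinarySecurityToken whose ValueType is not the 1.0 profile URI the checker expects (the exact URI pair swapped by the errata is not stated on the page and is not reproduced here), and flags every XML Signature and XML Encryption algorithm URI that is not on an allow-list. The allow-list, the expected ValueType, and the two sample envelopes (with placeholder certificate, digest, signature, and cipher values) are constructed assumptions for this example, not WAS's own FIPS list or a captured WAS message; the binding file itself is proprietary and is not parsed here.

```python
"""Pre-flight check of a WS-Security SOAP message against a FIPS algorithm allow-list.

Added example, not IBM's code. It inspects the standard WS-Security wire format
(wsse:Security, ds:Signature, xenc:EncryptedKey / xenc:EncryptedData), not the
proprietary WAS binding file. The allow-list, expected token ValueType and the
sample envelopes are constructed assumptions for this example."""
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": WSS + "wssecurity-secext-1.0.xsd",
    "wsu": WSS + "wssecurity-utility-1.0.xsd",
    "ds": DSIG,
    "xenc": XENC,
}
# Assumed expected ValueType for a raw X.509v3 certificate token (X.509 Token
# Profile 1.0). A peer that emits a different URI is reported, not rejected,
# so an interoperability mismatch can be diagnosed.
X509V3 = WSS + "x509-token-profile-1.0#X509v3"
B64 = WSS + "soap-message-security-1.0#Base64Binary"

# Assumed allow-list for this example (not WAS's own FIPS list), per category.
FIPS_ALLOWED = {
    "signature": {DSIG + "rsa-sha1", DSIG + "hmac-sha1"},
    "digest": {DSIG + "sha1", XENC + "sha256"},
    "data encryption": {XENC + a for a in ("tripledes-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc")},
    "key encryption": {XENC + a for a in ("rsa-1_5", "rsa-oaep-mgf1p", "kw-tripledes", "kw-aes128", "kw-aes256")},
}


def _algorithm_uris(root, security):
    """Yield (category, uri) for each algorithm declared in the message."""
    for el in security.findall(".//ds:SignatureMethod", NS):
        yield "signature", el.get("Algorithm")
    for el in security.findall(".//ds:DigestMethod", NS):
        yield "digest", el.get("Algorithm")
    for ek in security.findall(".//xenc:EncryptedKey", NS):
        yield "key encryption", ek.find("xenc:EncryptionMethod", NS).get("Algorithm")
    # EncryptedData normally sits in the Body and is referenced from the header.
    for ed in root.findall(".//xenc:EncryptedData", NS):
        yield "data encryption", ed.find("xenc:EncryptionMethod", NS).get("Algorithm")


def check_message(soap_xml):
    """Return a report: tokens seen, unexpected X.509 ValueTypes, FIPS violations."""
    root = ET.fromstring(soap_xml)
    security = root.find("soapenv:Header/wsse:Security", NS)
    if security is None:
        raise ValueError("no wsse:Security header in message")
    report = {"tokens": [], "unexpected_token_types": [], "violations": []}
    for bst in security.findall("wsse:BinarySecurityToken", NS):
        value_type = bst.get("ValueType")
        report["tokens"].append(("BinarySecurityToken", value_type))
        if value_type != X509V3:
            report["unexpected_token_types"].append(value_type)
    for ut in security.findall("wsse:UsernameToken", NS):
        report["tokens"].append(("UsernameToken", ut.findtext("wsse:Username", namespaces=NS)))
    for category, uri in _algorithm_uris(root, security):
        if uri not in FIPS_ALLOWED[category]:
            report["violations"].append((category, uri))
    report["fips_compliant"] = not report["violations"]
    return report


def sample_envelope(digest_alg, data_alg):
    """Constructed sample (not a WAS capture): X.509 token, signed and encrypted Body.
    Certificate, digest, signature and cipher values are placeholders."""
    return f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}"
                   xmlns:ds="{DSIG}" xmlns:xenc="{XENC}">
      <wsse:BinarySecurityToken wsu:Id="x509cert" ValueType="{X509V3}"
                                EncodingType="{B64}">PLACEHOLDER</wsse:BinarySecurityToken>
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="{XENC}rsa-1_5"/>
        <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#enc1"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="{DSIG}rsa-sha1"/>
          <ds:Reference URI="#body">
            <ds:DigestMethod Algorithm="{digest_alg}"/>
            <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="{NS['wsu']}" wsu:Id="body">
    <xenc:EncryptedData xmlns:xenc="{XENC}" Id="enc1" Type="{XENC}Content">
      <xenc:EncryptionMethod Algorithm="{data_alg}"/>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>"""


if __name__ == "__main__":
    # Same message twice: once with a SHA-1 digest, once with an MD5 digest (RFC 4051 URI).
    for label, digest in (("compliant", DSIG + "sha1"), ("noncompliant", "http://www.w3.org/2001/04/xmldsig-more#md5")):
        print(label, check_message(sample_envelope(digest, XENC + "aes128-cbc")))
```

Run against messages captured from each application before turning FIPS mode on: an entry in `violations` corresponds to the category WAS will name in its start-up error (data encryption, key encryption, digest, or signature), and `unexpected_token_types` surfaces a partner that still emits a different X.509 ValueType URI.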

 

What is not supported

Web service security is still fairly new and some of the standards are still being defined or standardized. The following functionality is not supported in WAS:

For information on what is supported for Web services security in WAS V6.0.x and later, see Supported functionality from OASIS specifications.


Sub-topics


Web services security specification for V6 and later - a chronology

Supported functionality from OASIS specifications

Web services security enhancements

 

Related concepts


Basic Security Profile compliance tips
XML token

 

Related tasks


Securing Web services applications using JAX-RPC at the message level