
Web services security



Contents

  1. Overview
  2. High-level architecture
  3. Web Services security review tasks
  4. Web services security with WebSphere appserver V6


Overview

WS-Security...

For WAS V6 and later, WS-Security can be applied as transport-level security and as message-level security.

HTTPS and SSL transport-level technology may be used for securing Web services. Web services security includes transport-level SSL.

Applications that require that the document data be secured beyond the HTTPS connection or beyond the transport layer should use message-level security.

Message-level security requirements include:

Traditional Web and message-level security share many of the same mechanisms for handling security, including...

Message-level security applies to XML documents that are sent as SOAP messages, embedding required security information in the SOAP header of a message. Encryption and digital signature apply to the data in the message itself.

With message-level security, the SOAP message itself either...

Message-level security is not tied to any particular transport mechanism. Because the security information is part of the message, it is independent of a transport protocol, such as HTTPS.

Web service clients add to the SOAP message header security information. When the message is received the Web service endpoint uses the security information in the header to...

For example, the service endpoint might verify the message signature and check that the message has not been tampered with. It is possible to add signature and encryption information to the SOAP message headers, as well as other information such as security tokens for identity (for example, an X.509 certificate) that are bound to the SOAP message content.

The authentication mechanism, integrity, and confidentiality can be applied at the message level and at the transport level. When message-level security is applied, we can protect the SOAP message with a security token, digital signature, and encryption.

Without WS-Security, the SOAP message is sent in clear text, and personal information such as a user ID or an account number is not protected. Without applying WS-Security, there is only a SOAP body under the SOAP envelope in the SOAP message. By applying features from the WS-Security specification, the SOAP security header is inserted under the SOAP envelope in the SOAP message when the SOAP body is signed and encrypted.

To maintain the integrity or confidentiality of the message, digital signatures and encryption are typically applied.

Confidentiality specifies the confidentiality constraints that are applied to generated messages. This includes specifying...

Integrity is provided by applying a digital signature to a SOAP message. Confidentiality is applied by SOAP message encryption. Multiple signatures and encryptions are supported. In addition, both signing and encryption can be applied to the same parts, such as the SOAP body.

We can add an authentication mechanism by inserting various types of security tokens, such as the Username token (<UsernameToken>). When the Username token is received by the Web service server, the user name and password are extracted and verified. The message is accepted and processed at the server only when the user name and password combination is valid. Using the Username token is just one of the ways of implementing authentication. This mechanism is also known as basic authentication.
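As an added example (not code from the original page or from WebSphere), the Username token exchange described above in Python: the client inserts a wsse:Security header under the SOAP envelope, and the consumer verifies the PasswordDigest, bounds the Created timestamp and keeps a nonce cache so a captured message cannot be replayed. The credential store, the in-memory nonce set and the sample body are constructed stand-ins; a real deployment uses the application server's registry and distributed nonce cache.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NS = {"soap": SOAP_NS, "wsse": WSSE_NS, "wsu": WSU_NS}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce_b64, created, password):
    """UsernameToken Profile 1.0: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_envelope(username, password, body_xml, created=None, nonce=None):
    """Client side: wrap the body and insert a wsse:Security header carrying a UsernameToken."""
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    nonce = nonce or base64.b64encode(secrets.token_bytes(16)).decode()  # fresh per message
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
        "<soap:Header><wsse:Security><wsse:UsernameToken>"
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>'
        f"<wsse:Nonce>{nonce}</wsse:Nonce><wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security></soap:Header>"
        f"<soap:Body>{body_xml}</soap:Body></soap:Envelope>"
    )

class UsernameTokenConsumer:
    """Server side: verify the digest, enforce Created freshness and reject replayed nonces."""
    def __init__(self, credentials, max_skew=timedelta(minutes=5)):
        self.credentials = credentials  # username -> password; a constructed store
        self.max_skew = max_skew
        self.seen_nonces = set()        # stands in for the (distributed) nonce cache

    def consume(self, envelope_xml):
        now = datetime.now(timezone.utc)
        tok = ET.fromstring(envelope_xml).find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
        if tok is None:
            return False, "no UsernameToken in wsse:Security header"
        pw = tok.find("wsse:Password", NS)
        user, nonce, created = [tok.findtext(p, namespaces=NS)
                                for p in ("wsse:Username", "wsse:Nonce", "wsu:Created")]
        if pw is None or pw.get("Type") != DIGEST_TYPE or not nonce or not created:
            return False, "PasswordDigest, Nonce and Created are all required"
        try:
            ts = datetime.strptime(created, TS_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed Created"
        if abs(now - ts) > self.max_skew:
            return False, "Created outside freshness window"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = password_digest(nonce, created, self.credentials.get(user, ""))
        if user not in self.credentials or not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
            return False, "digest mismatch"
        self.seen_nonces.add(nonce)
        return True, user
```

The consumer checks freshness before the nonce cache so that stale nonces can be expired from the cache without opening a replay window.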

Other forms of authentication include...

With updates to WS-Security v1.1, we can layer additional functionality on top of these basic mechanisms, including signature confirmation and encrypted headers.

The security token profiles supported by WAS include...

When messages are received, the Web service endpoint uses the security information in the header to apply the appropriate security mechanism.

The service endpoint can add signature and encryption information to the SOAP message headers, as well as other information, such as security tokens bound to the SOAP message content.

We can implement these new mechanisms by using a policy set.

WS-SecureConversation was introduced in WAS V6.1 with the Feature Pack for Web Services. Secure Conversation uses a session key to protect SOAP messages more efficiently, particularly when multiple SOAP messages are transmitted in a session.

Other enhancements, added in WAS V7.0, include:

The WS-Security policy is specified...


High-level architecture

Here is the standard high-level Web services security architecture ...



Web Services security review tasks


Task Status
Inventory existing JAX-RPC Web services applications
Review to-be JAX-RPC Web services applications
Inventory existing JAX-WS Web services applications
Review to-be JAX-WS Web services applications
Review WS-Security default bindings and runtime properties
Review WAS v7 new Web service security features
Review Web services security enhancements
Review supported functionality from OASIS specifications
Review Web services security configuration considerations
Web services security provides message integrity, confidentiality, and authentication
Review high-level Web services security architecture
Review security model mixture


Review TLS Web services security
Review outbound HTTP TLS security for applications
Review HTTP transport custom properties

  • Connection pool for HTTP outbound connections
  • Content encoding of the HTTP message
  • HTTP persistent connections
  • Resend the HTTP request when a timeout occurs

Review HTTP SSL configurations
Review any additional HTTP transport properties
Review all Web services clients that use HTTP basic authentication
Review HTTP basic authentication configuration for JAX-RPC Web services
Review HTTP basic authentication settings for JAX-RPC
Review message level security settings
Review Web services custom properties
Web services security custom properties
Review WS-Security policy bindings
Review keys
Review key locators
Review trust anchors
Review trusted ID evaluator
Review hardware cryptographic device options
Review collection certificate store bindings
Default configuration
General sample bindings for JAX-WS applications
Default sample configurations for JAX-RPC
XML digital signature
Certificate revocation list
XML encryption
Security token
LTPA and LTPA V2 tokens
Username token
XML token
Binary security token
Kerberos token
Review Web services Kerberos message protection
Review Web services Kerberos usage overview
Review Web services Kerberos configuration models
Review Web services Kerberos clustering
Kerberos authentication in a single or cross realm environment [Fix Pack 3 or later]
Review Web service security considerations
Nonce, a randomly generated token
Basic Security Profile compliance tips
Distributed nonce cache
Web services security token propagation
Review security for JAX-WS Web services using message-level security
Migration of JAX-WS Web services security bindings from V6.1 to V7.0
Audit the Web services security runtime [Fix Pack 3 or later]
Review security for Web services using policy sets
Example: Set the message-level WS-Security policy set and bindings
Review username and password for WS-Security Username or LTPA token authentication
Review default Web services security bindings
Review general JAX-WS default bindings
Web services security API model
Service Programming Interfaces (SPI)
Review security for Web services applications using the WSS APIs at the message level
Review security for messages at the request generator using WSS APIs
Review encryption to protect message confidentiality using the WSS APIs
Encrypting the SOAP message using the WSSEncryption API
Choose the encryption methods for the generator binding
Encryption methods
Add encrypted parts using the WSSEncryptPart API
Review generator signing information to protect message integrity using the WSS APIs
Review signing information using the WSS APIs
Review signature information using the WSSSignature API
Add signed parts using the WSSSignPart API
Review client for request signing methods
Digital signing methods using the WSSSignature API
Signed parts methods using the WSSSignPart API
Attach the generator token using WSS APIs to protect message authenticity
Review generator security tokens using the WSS API
Review security for messages at the response consumer using WSS APIs
Review decryption to protect message confidentiality using the WSS APIs
Decrypting the SOAP message using the WSSDecryption API
Choose the decryption methods for the consumer binding
Add decrypted parts using the WSSDecryptPart API
Decryption methods
Verifying consumer signing information to protect message integrity using WSS APIs
Verifying the signature information for the consumer binding using the WSS APIs
Verifying the signature using the WSSVerification API
Verifying the signed parts using the WSSVerifyPart API
Review client for response signature verification methods
Signature verification methods using the WSSVerification API
Choose the verify parts methods using the WSSVerifyPart API
Validating the consumer token to protect message authenticity
Review consumer security tokens using the WSS API
Review Web services security using the WSS APIs
Web services security APIs
Web services security configuration considerations when using the WSS API
Encrypted SOAP headers
Signature confirmation
Review security for requests to the trust service using system policy sets
Enable secure conversation
Web Services Secure Conversation
Scoping of Web Services Secure Conversation
Review security for conversation client cache and trust service configuration
Derived key token
Enable secure conversation in a mixed cluster environment
Enable distributed cache and session affinity when using Secure Conversation
Example: Establishing a security context token to secure a secure conversation
Example: Establishing a security context token to secure reliable messaging
Enable the distributed cache using synchronous update and token recovery
Web Services Secure Conversation standard
Review token generator and token consumer to use a specific level of WS-SecureConversation
Trust service
Security context token
System policy sets
Web Services Trust standard
Review system policy sets
Define a new system policy set
System policy set
System policy set settings
Review attachments for the trust service
Create a service endpoint attachment
Trust service attachments
Trust service attachments settings
New general binding settings
Review security context token provider for the trust service
Modify the security context token provider configuration for the trust service
Trust service token custom properties
Disable the submission draft level for the security context token provider
Trust service token provider settings
Trust service token providers
Review trust service endpoint targets
Assigning a new target for the trust service
Trust service targets
Trust service targets settings
Update the Web services security runtime configuration
Web services update runtime settings
Review Web services security distributed cache
Security cache settings
Review Kerberos token for Web services security
Review Kerberos token policy set for JAX-WS applications
Review bindings for message protection for Kerberos
Update the system JAAS login with the Kerberos login module [Fix Pack 1 or later]
Review Kerberos policy sets and V2 general sample bindings [Fix Pack 1 or later]
Develop JAX-WS based Web services server applications that retrieve security tokens
Develop JAX-WS based Web services client applications that retrieve security tokens
Review security for JAX-RPC Web services using message level security
Migrate JAX-RPC Web services security applications to V7.0 applications
Migrate the JAX-RPC server-side extensions configuration
Migrate the client-side extensions configuration
Migrate the server-side bindings file
Migrate the client-side bindings file
View Web services client deployment descriptor
View Web services server deployment descriptor
Review security for messages using JAX-RPC at the request and response generators
Review generator signing using JAX-RPC to protect message integrity
Review signing information using JAX-RPC for the generator binding on the server or cell level
Review signing information using JAX-RPC for the generator binding on the application level
Signing information
Signing information settings
Part reference
Part reference settings
Transforms collection
Transforms settings
Review key information for the generator binding using JAX-RPC on the server or cell level
Review key information using JAX-RPC for the generator binding on the application level
Key information collection
Key information settings
Review encryption using JAX-RPC to protect message confidentiality at the application level
Encryption information collection
Encryption information settings: Message parts
Encryption information settings: Methods
Review encryption using JAX-RPC to protect message confidentiality at the server or cell level
Review token generators using JAX-RPC to protect message authenticity at the application level
Request generator (sender) binding settings
Response generator (sender) binding settings
Callback handler settings
Key collection
Key settings
Web services: Client security bindings collection
Web services: WAS security bindings collection
Review token generators using JAX-RPC to protect message authenticity at the server or cell level
Token generator collection
Token generator settings
Algorithm URI collection
Algorithm URI settings
Algorithm mapping collection
Algorithm mapping settings
Default bindings and security runtime properties
Enable or disable single sign-on interoperability mode for the LTPA token
Review security for messages using JAX-RPC at the request and response consumers
Review consumer signing using JAX-RPC to protect message integrity
Review signing information using JAX-RPC for the consumer binding on the application level
Key information references collection
Key information reference settings
Review signing information using JAX-RPC for the consumer binding on the server or cell level
Review key information for the consumer binding on the application level
Review key information for the consumer binding using JAX-RPC on the server or cell level
Review encryption to protect message confidentiality at the application level
Review encryption to protect message confidentiality at the server or cell level
Review token consumers using JAX-RPC to protect message authenticity at the application level
Request consumer (receiver) binding settings
Response consumer (receiver) binding settings
JAAS settings
Review token consumers using JAX-RPC to protect message authenticity at the server or cell level
Token consumer collection
Token consumer settings
Review Web services security using JAX-RPC at the platform level
Review a nonce on the server or cell level
Distributing nonce caching to servers in a cluster
Review key locator using JAX-RPC for the generator binding on the application level
Key locator collection
Key locator settings
Web services security property collection
Web services security property settings
Review key locator using JAX-RPC for the consumer binding on the application level
Review key locator using JAX-RPC on the server or cell level
Review trust anchors for the generator binding on the application level
Trust anchor collection
Trust anchor settings
Review trust anchors for the consumer binding on the application level
Review trust anchors on the server or cell level
Review collection certificate store for the generator binding on the application level
Collection certificate store collection
Collection certificate store settings
X.509 certificates collection
X.509 certificate settings
Certificate revocation list collection
Certificate revocation list settings
Review collection certificate store for the consumer binding on the application level
Review collection certificate on the server or cell level
Review trusted ID evaluators on the server or cell level
Trusted ID evaluator collection
Trusted ID evaluator settings
rrdSecurity.props file
Develop Web services clients that retrieve tokens from the JAAS Subject in an application
Develop Web services applications that retrieve tokens from the JAAS Subject in a server application
Enable hardware cryptographic devices for Web Services Security
Review hardware cryptographic devices for Web Services Security
Enable cryptographic keys stored in hardware devices in Web Services Security
Review security for Web services for V5.x applications based on WS-Security
Web services security specification: a chronology
Web services security support
Web services security and Java EE security relationship
Web services security model in WAS
Propagating security tokens
Web services security constraints
Example: Sample configuration for Web services security for a version 5.x application
Overview of authentication methods
Overview of token types
Username token
Nonce, a randomly generated token
Binary security token
XML token
XML digital signature
Signing parameter settings
Review security for Web services for V5.x applications using XML digital signature
Review nonce using Web services security tokens
Review nonce for the server level
Review nonce for the application level
Review nonce for the cell level
Default binding
ws-security.xml file - Default configuration for WAS ND
Trust anchors
Review trust anchors
Collection certificate store
Review client-side collection certificate store
Review server-side collection certificate store
Review default collection certificate stores at the server level in the WAS admin console
Review default collection certificate stores at the cell level in the WAS admin console
Key locator
Keys
Review key locators
Review server and cell level key locators
Trusted ID evaluator
Review client for request signing: digitally signing message parts
Review client for request signing: choosing the digital signature method
Review servers for request digital signature verification: Verifying the message parts
Review servers for request digital signature verification: choosing the verification method
Review servers for response signing: digitally signing message parts
Review servers for response signing: choosing the digital signature method
Review client for response digital signature verification: verifying the message parts
Review client for response digital signature verification: choosing the verification method
Review security bindings on a server acting as a client
Review servers security bindings
XML encryption
Review security for Web services for V5.x applications using XML encryption
Login bindings settings
Request sender
Request sender binding collection
Review client for request encryption: Encrypting the message parts
Review client for request encryption: choosing the encryption method
Request receiver
Request receiver binding collection
Review servers for request decryption: decrypting the message parts
Review servers for request decryption: choosing the decryption method
Response sender
Response sender binding collection
Review servers for response encryption: encrypting the message parts
Review servers for response encryption: choosing the encryption method
Response receiver
Response receiver binding collection
Review client for response decryption: decrypting the message parts
Review client for response decryption: choosing a decryption method
Review security for Web services for V5.x applications using basic authentication
Review client for basic authentication: specifying the method
BasicAuth authentication method
Review client for basic authentication: collecting the authentication information
Identity assertion authentication method
Review servers to handle basic authentication information
Review servers to validate basic authentication information
Identity assertion in a SOAP message
Review security for Web services for V5.x applications using identity assertion authentication
Review client for identity assertion: specifying the method
Review client for identity assertion: collecting the authentication method
Review servers to handle identity assertion authentication
Review servers to validate identity assertion authentication information
Review security for Web services for version 5.x applications using signature authentication
Review client for signature authentication: specifying the method
Signature authentication method
Review client for signature authentication: collecting the authentication information
Review servers to support signature authentication
Review servers to validate signature authentication information
Security token
Review security for Web services for version 5.x applications using a pluggable token
Review pluggable tokens
Pluggable token support
Review client for LTPA token authentication: specifying LTPA token authentication
Review client for LTPA token authentication: collecting the authentication method information
Review servers to handle LTPA token authentication information
Review servers to validate LTPA token authentication information
Lightweight Third Party Authentication
Tune Web services security for V7.0 applications
Tune Web services security for V5.x applications