
Tuning WS-Security for V7.0 applications


The Java Cryptography Extension (JCE) is integrated into the software development kit (SDK) Version 1.4.x and later; it is no longer an optional package. However, the default JCE jurisdiction policy file shipped with the SDK permits only strong, but limited, cryptography, and WAS enforces this default policy. In addition, we can modify the Web services security configuration options to achieve the best performance for Web services security protected applications.

Use the unrestricted JCE policy files

Due to export and import regulations, the default JCE jurisdiction policy file shipped with the SDK enables you to use strong, but limited, cryptography only. To enforce this default policy, WAS uses a JCE jurisdiction policy file that might introduce a performance impact on the cryptographic functions that are supported by Web services security. If we have Web services applications that use TLS for XML encryption or digital signatures, we might encounter performance degradation over previous releases of WAS. However, IBM and Sun Microsystems provide versions of these jurisdiction policy files that do not have restrictions on cryptographic strengths. If permitted by the governmental import and export regulations, download one of these jurisdiction policy files. After installing one of these files, the performance of JCE and WS-Security might improve.

Fix packs that include updates to the SDK might overwrite unrestricted policy files. Back up unrestricted policy files before you apply a fix pack and reapply these files after the fix pack is applied. For WAS platforms using IBM Developer Kit, Java Technology Edition Version 6, we can obtain unlimited jurisdiction policy files by completing the following steps:

  1. Go to the following Web site: http://www.ibm.com/developerworks/java/jdk/security/IBM_HTTP_Server_v735.html

  2. Click Java SE 6

  3. Scroll down and click IBM SDK Policy files.

    The Unrestricted JCE Policy files for the SDK Web page is displayed.

  4. Click Sign in and provide the IBM intranet ID and password or register with IBM to download the files.

  5. Select the appropriate Unrestricted JCE Policy files and then click Continue.

  6. View the license agreement and then click I Agree.

  7. Click Download Now.


Results

After following these steps, two JAR files are placed in the JVM jre/lib/security/ directory.
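The following Java program is an added check, not part of the original page or of WAS: run it with the SDK's own java command to confirm that the two policy JARs are present and that the unrestricted policy is actually in effect (useful again after a fix pack, which the text warns can overwrite the files). It assumes the standard policy file names local_policy.jar and US_export_policy.jar and that java.home resolves to the SDK's jre/ directory.

```java
import javax.crypto.Cipher;
import java.io.File;
import java.security.NoSuchAlgorithmException;

/** Reports whether the unrestricted JCE jurisdiction policy is in effect for the running JVM. */
public class JcePolicyCheck {

    /** File names of the two policy JARs in jre/lib/security (assumed to be the standard names). */
    static final String[] POLICY_JARS = {"local_policy.jar", "US_export_policy.jar"};

    /** Directory holding the jurisdiction policy files; java.home is the jre/ directory on a Java 6 SDK. */
    static File policyDir() {
        return new File(System.getProperty("java.home"), "lib" + File.separator + "security");
    }

    /** The restricted policy caps AES at 128 bits; the unrestricted files lift that cap entirely. */
    static boolean unrestrictedPolicyActive() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    public static void main(String[] args) throws Exception {
        File dir = policyDir();
        for (String jar : POLICY_JARS) {
            File f = new File(dir, jar);
            System.out.println(f + ": " + (f.isFile() ? "present" : "MISSING"));
        }
        int max = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Maximum AES key length: "
            + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        if (unrestrictedPolicyActive()) {
            System.out.println("Unrestricted JCE policy is active.");
        } else {
            // Typical after an SDK fix pack overwrote the unrestricted files: restore the backed-up JARs.
            System.out.println("Restricted JCE policy is active; WS-Security will use the slower default policy.");
        }
    }
}
```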


Example

Use configuration options to tune WAS

When using WS-Security for message-level protection of SOAP messages in WAS, the choice of configuration options can affect the performance of the application.

The following guidelines will help you achieve the best performance for the WS-Security protected applications.

  1. Use WS-SecureConversation when appropriate for JAX-WS applications. The use of symmetric keys with a Secure Conversation typically performs better than asymmetric keys used with X.509.

    The use of WS-SecureConversation is supported for JAX-WS applications only, not JAX-RPC applications.

  2. Use the standard token types provided by WAS. Use of custom tokens is supported, but higher performance is achieved with the use of the provided token types.

  3. For signatures, use only the exclusive canonicalization transform algorithm. See the W3 Recommendation Web page (http://www.w3.org/2001/10/xml-exc-c14n#) for more information.

  4. Whenever possible, avoid the use of the XPath expression to select which SOAP message parts to protect. The WS-Security policies shipped with WAS for JAX-WS applications use XPath expressions to specify the protection of some elements in the security header, such as Timestamp, SignatureConfirmation, and UsernameToken. The use of these XPath expressions is optimized, but other uses are not.

  5. WebSphere Application Server provides extensions to WS-Security that can insert nonce and timestamp elements into SOAP message parts before those parts are signed or encrypted. For improved performance, avoid using these extensions.

  6. There is an option to send the base-64 encoded CipherValue of WS-Security encrypted elements as MTOM attachments. For small encrypted elements, the best performance is achieved by avoiding this option. For larger encrypted elements, the best performance is achieved by using this option.

  7. When signing and encrypting elements in the SOAP message, specify the order as sign first, then encrypt.

  8. When adding a timestamp element to a message, the timestamp should be added to the security header before the signature element. This is accomplished by using the Strict or LaxTimestampFirst security header layout option in the WS-Security policy configuration.

  9. For JAX-WS applications, use the policy-based configuration rather than WSS API-based configuration.
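Several of these guidelines can be checked mechanically against a WS-SecurityPolicy document before it is attached to an application. The following Java program is an added example, not part of the original page or of WAS: it parses a constructed policy fragment and reports the settings that guidelines 3, 4, 7 and 8 advise against. It assumes the WS-SecurityPolicy 1.2 assertion names (sp:InclusiveC14N, sp:XPath, sp:EncryptBeforeSigning, sp:Strict, sp:LaxTsFirst), with sp:LaxTsFirst taken to correspond to the LaxTimestampFirst layout named above.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

/** Flags WS-SecurityPolicy choices that the tuning guidelines above say cost performance. */
public class WsPolicyLint {
    static final String SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";
    /** Constructed sample: a SecureConversation binding that makes two of the costly choices. */
    static final String SAMPLE =
        "<wsp:Policy xmlns:wsp='http://schemas.xmlsoap.org/ws/2004/09/policy' xmlns:sp='" + SP + "'>"
      + " <sp:SymmetricBinding><wsp:Policy>"
      + "  <sp:ProtectionToken><wsp:Policy><sp:SecureConversationToken/></wsp:Policy></sp:ProtectionToken>"
      + "  <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/><sp:InclusiveC14N/></wsp:Policy></sp:AlgorithmSuite>"
      + "  <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>"
      + "  <sp:IncludeTimestamp/>"
      + " </wsp:Policy></sp:SymmetricBinding>"
      + " <sp:SignedParts><sp:Body/></sp:SignedParts>"
      + " <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>"
      + "</wsp:Policy>";

    /** True when an assertion with this local name appears anywhere in the policy. */
    static boolean has(Document doc, String local) {
        return doc.getElementsByTagNameNS(SP, local).getLength() > 0;
    }
    /** Returns one finding per violated guideline; an empty list means the policy follows them all. */
    static List<String> lint(String policyXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(policyXml)));
        List<String> findings = new ArrayList<String>();
        if (has(doc, "InclusiveC14N"))
            findings.add("InclusiveC14N set: use the exclusive canonicalization transform (guideline 3)");
        if (has(doc, "XPath"))
            findings.add("XPath selector used: prefer SignedParts/EncryptedParts (guideline 4)");
        if (has(doc, "EncryptBeforeSigning"))
            findings.add("EncryptBeforeSigning set: sign first, then encrypt (guideline 7)");
        if (has(doc, "IncludeTimestamp") && !has(doc, "Strict") && !has(doc, "LaxTsFirst"))
            findings.add("Timestamp not placed before Signature: use Strict or LaxTsFirst layout (guideline 8)");
        return findings;
    }

    public static void main(String[] args) throws Exception {
        for (String finding : lint(SAMPLE)) System.out.println("WARN " + finding);
    }
}
```

The constructed sample trips the InclusiveC14N and layout checks; a policy that follows the guidelines produces no output.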


Next steps

In IBM WAS Version 6.1 and later, WS-Security supports the use of cryptographic hardware devices. There are two ways in which to use hardware cryptographic devices with WS-Security. See Hardware cryptographic device support for WS-Security for more information.


Related concepts

Hardware cryptographic device support for WS-Security

Related tasks

Secure Web services applications using message level security