WS-Security configuration considerations when using the WSS API
To secure Web services for WAS, we can specify several different configurations using the WS-Security APIs (WSS API). The WS-Security specification provides a flexible way to secure Web services messages using XML digital signature, XML encryption, and attached security tokens. We can enable WS-Security either by configuring a policy set or by using the WSS API. The WSS API implementation has default values for which message parts are signed or encrypted; these defaults help end users enable WS-Security quickly.
Different message parts can be specified in the message protection for request or response, and different standalone tokens can be sent in request or response. However, there is only one symmetric or one asymmetric binding assertion to describe the token type and the algorithm used for message protection.
Using the WSS API, we can override any default value. However, when you alter the protection parts, note that all the default protection parts are cleared. For example, if we specify that the Username token is to be encrypted instead of the default X.509 token, all the default values of the encryption protection parts are cleared.
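The following client-side snippet is an added example, not code from this page or from IBM; it shows the consequence of the rule above for signing: once addSignPart() is called, the default signed parts are gone, so every part you still want signed must be listed again. The keystore values are placeholders, and the X509GenerateCallbackHandler constructor order, setTokenReference() and gencont.process() on the request context are assumed from the IBM WSS API rather than taken from this page.

```java
import java.util.Map;
import javax.xml.ws.BindingProvider;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext;
import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignature;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;
import com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler;

public class SignAllDefaultParts {

    // Attach a WSSSignature to the outgoing request of a JAX-WS port.
    public static void attachSignature(BindingProvider port) throws Exception {
        WSSFactory factory = WSSFactory.getInstance();
        WSSGenerationContext gencont = factory.newWSSGenerationContext();

        // Keystore details are PLACEHOLDERS; argument order is assumed from the IBM API.
        X509GenerateCallbackHandler cbh = new X509GenerateCallbackHandler(
            "",                        // key store reference (none: use the path below)
            "client-keystore.jks",     // PLACEHOLDER key store path
            "JKS",                     // key store type
            "changeit".toCharArray(),  // PLACEHOLDER key store password
            "soaprequester",           // PLACEHOLDER signing key alias
            "changeit".toCharArray(),  // PLACEHOLDER key password
            null,                      // no certificate store
            null);                     // no identifier type
        SecurityToken token = factory.newSecurityToken(X509Token.class, cbh);

        WSSSignature sig = factory.newWSSSignature(token);
        // These three match the page's defaults; restated here so the intent is explicit.
        sig.setSignatureMethod(WSSSignature.RSA_SHA1);
        sig.setCanonicalizationMethod(WSSSignature.EXC_C14N);
        sig.setTokenReference(SecurityToken.REF_STR);   // assumed setter name

        // The first addSignPart() call clears ALL default signed parts. Adding only
        // TIMESTAMP would silently leave the Body and Addressing headers unsigned,
        // so re-add every default part that must remain protected.
        sig.addSignPart(WSSSignature.BODY);
        sig.addSignPart(WSSSignature.ADDRESSING_HEADERS);
        sig.addSignPart(WSSSignature.TIMESTAMP);

        gencont.add(sig);
        Map<String, Object> reqContext = port.getRequestContext();
        gencont.process(reqContext);   // stores the generation context for this request
    }
}
```

The same rule applies to WSSEncryption.addEncryptPart(): encrypting the Username token means BODY_CONTENT must be added again if the body should stay encrypted.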
The following table shows an example of the relationships between each of the configurations:
Table 1. Request generator and response consumer configurations

Type of configuration: Request generator
Configuration name: Signing information
Configurations and default values:
- Canonicalization method: WSSSignature.EXC_C14N
- Signature method: WSSSignature.RSA_SHA1
- Digest method: WSSSignPart.SHA1
- Transform method: WSSSignPart.TRANSFORM_EXC_C14N
- Signed part - Body: WSSSignature.BODY
- Signed part - Addressing: WSSSignature.ADDRESSING_HEADERS
- Signed part - Timestamp: WSSSignature.TIMESTAMP
- Token reference: SecurityToken.REF_STR
- Token - Value type: X509Token.ValueType
- Token - JAAS login configuration name: system.wss.generate.x509

Type of configuration: Response consumer
Configuration name: Signature verification information
Configurations and default values:
- Canonicalization method: WSSVerification.EXC_C14N
- Signature method: WSSVerification.RSA_SHA1
- Transform method: WSSVerifyPart.TRANSFORM_EXC_C14N
- Signed part - Body: WSSVerification.BODY
- Signed part - Addressing: WSSVerification.ADDRESSING_HEADERS
- Signed part - Timestamp: WSSVerification.TIMESTAMP
- Token - Value type: X509Token.ValueType
- Token - JAAS login configuration name: system.wss.consume.x509

Type of configuration: Request generator
Configuration name: Encryption information
Configurations and default values:
- Encrypted key: true
- Key encryption method: WSSEncryption.KW_RSA_OAEP
- Data encryption method: WSSEncryption.AES128
- Encryption part: WSSEncryption.BODY_CONTENT
- Token reference: SecurityToken.REF_KEYID
- Token - Value type: X509Token.ValueType
- Token - JAAS login configuration name: system.wss.generate.x509

Type of configuration: Response consumer
Configuration name: Decryption information
Configurations and default values:
- Encrypted key: true
- Key decryption method: WSSDecryption.KW_RSA_OAEP
- Data decryption method: WSSDecryption.AES128
- Decryption part: WSSDecryption.BODY_CONTENT
- Token - Value type: X509Token.ValueType
- Token - JAAS login configuration name: system.wss.consume.x509
Related tasks
Set the signature information using the WSSSignature API
Verifying the signature using the WSSVerification API
Encrypting the SOAP message using the WSSEncryption API
Decrypting the SOAP message using the WSSDecryption API
Manage policy sets
Set WS-Security using the WSS APIs