Basic Security Profile compliance tips
The WS-I Basic Security Profile (BSP) 1.0 provides clarifications and amplifications to a set of nonproprietary web services specifications. Support for the Basic Security Profile (BSP) is new in WAS v8.0. To comply with the BSP we can use either...
- predefined list of keywords
- XPath expressions
Both are configured in the deployment descriptor file using an assembly tool.
To ensure applications are BSP compliant
- When referring to an element in a SECURE_ENVELOPE that does not carry an ID attribute type from a ds:Reference in a SIGNATURE element, do not use the original XPath transform, use the XPath Filter 2.0 transform...
ds:Transform/@Algorithm attributes in a SIGNATURE element must have one of these values:
- http://www.w3.org/2001/10/xml-exc-c14n#
- http://www.w3.org/2002/06/xmldsig-filter2
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
- http://www.w3.org/2000/09/xmldsig#enveloped-signature
- http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Content-Only-Transform
- http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Complete-Transform
- Do not use the signature algorithm.
Any ds:SignatureMethod/@Algorithm element in a SIGNATURE that is based on a symmetric key must have one of the following values:
- Do not specify the digestvalue keyword for the message part to encrypt. Instead, use the signature keyword.
If the value of a ds:DigestValue element in a SIGNATURE element requires encryption, the entire parent ds:Signature element must be encrypted. A SIGNATURE must not have any xenc:EncryptedData elements among its descendants.
- Do not use the KEYNAME key information type, which can be ambiguous. Compliance with the BSP disallows the use of KEYNAME.
A SECURITY_TOKEN_REFERENCE must not use a key name to reference a SECURITY_TOKEN. The child element of a ds:KeyInfo element in an ENCRYPTED_KEY must be either element...
- SECURITY_TOKEN_REFERENCE
- ds:MgmtData
Using a KEYNAME key information type for an encryption key results in a KeyName child element of a ds:KeyInfo element and is disallowed for BSP compliance.
- Do not use the 192-bit AES (aes192-cbc) data encryption algorithm: http://www.w3.org/2001/04/xmlenc#aes192-cbc
Any xenc:EncryptionMethod/@Algorithm attribute in an ENCRYPTED_DATA element must have one of these values:
- http://www.w3.org/2001/04/xmlenc#tripledes-cbc
- http://www.w3.org/2001/04/xmlenc#aes128-cbc
- http://www.w3.org/2001/04/xmlenc#aes256-cbc
- Do not use the Advanced Encryption Standard (AES) 192-bit key wrap (kw-aes192) key encryption algorithm: http://www.w3.org/2001/04/xmlenc#kw-aes192
When used for key wrap, any xenc:EncryptionMethod/@Algorithm attribute in an ENCRYPTED_KEY element must have one of these values:
- http://www.w3.org/2001/04/xmlenc#kw-tripledes
- http://www.w3.org/2001/04/xmlenc#kw-aes128
- http://www.w3.org/2001/04/xmlenc#kw-aes256
Configuration Options for BSP Compliance
You achieve BSP compliance when certain configuration choices are made. The assembly tool helps you make appropriate choices when configuring the application by issuing warning messages. The following configuration descriptions correspond to those warnings:
- When configuring the ds:Transforms element in a signature, the list of transforms must include as its last child element either...
- http://www.w3.org/2001/10/xml-exc-c14n#
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
- Add either element...
- wsse:Nonce
- wsse:Created
...to a Username token to prevent replay. After the element is added, sign the Username token to prevent undetected alteration of these fields; otherwise, replay can occur.
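As an added, self-contained illustration of the rules above (this is example code, not code from the WebSphere documentation or product), the following Python checker parses the wsse:Security header of a SOAP envelope and reports which of the listed BSP rules it breaks: ds:Transform algorithm URIs and the required final transform, xenc:EncryptedData appearing under a ds:Signature, data-encryption and key-wrap algorithm URIs, a ds:KeyName child of ds:KeyInfo in an ENCRYPTED_KEY, and Username tokens that carry neither wsse:Nonce nor wsu:Created or that no signature reference covers. SAMPLE_ENVELOPE is constructed for this example and deliberately violates each rule; the rule labels (such as "key-wrap-algorithm") and the helper names are the example's own. The symmetric-key ds:SignatureMethod rule, whose value list is not reproduced on this page, is not checked.

```python
import xml.etree.ElementTree as ET

# Standard namespace URIs for SOAP 1.1, WS-Security 1.0, XML DSig and XML Enc.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

def q(prefix, local):
    # Clark-notation tag name, e.g. q("ds", "Signature") -> "{http://www.w3.org/2000/09/xmldsig#}Signature"
    return "{%s}%s" % (NS[prefix], local)

# Algorithm URIs that the BSP compliance tips permit.
XENC = "http://www.w3.org/2001/04/xmlenc#"
SWA = "http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
STR_TRANSFORM = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"
ALLOWED_TRANSFORMS = {
    EXC_C14N, STR_TRANSFORM,
    "http://www.w3.org/2002/06/xmldsig-filter2",             # XPath Filter 2.0, not the original XPath transform
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    SWA + "Attachment-Content-Only-Transform", SWA + "Attachment-Complete-Transform",
}
LAST_TRANSFORM = {EXC_C14N, STR_TRANSFORM}   # one of these must be the last child of ds:Transforms
ALLOWED_DATA_ENC = {XENC + "tripledes-cbc", XENC + "aes128-cbc", XENC + "aes256-cbc"}
ALLOWED_KEY_WRAP = {XENC + "kw-tripledes", XENC + "kw-aes128", XENC + "kw-aes256"}

def _algorithm(elem):
    # Algorithm URI of the element's xenc:EncryptionMethod child, or None if absent.
    method = elem.find("xenc:EncryptionMethod", NS)
    return None if method is None else method.get("Algorithm")

def check_bsp(envelope_xml):
    """Return a list of (rule, detail) tuples, one per BSP rule the envelope violates."""
    root = ET.fromstring(envelope_xml)
    findings = []
    signed_ids = set()   # wsu:Id values covered by some ds:Reference, for the Username token check
    for sig in root.iter(q("ds", "Signature")):
        for ref in sig.iter(q("ds", "Reference")):
            uri = ref.get("URI", "")
            if uri.startswith("#"):
                signed_ids.add(uri[1:])
            transforms = [t.get("Algorithm") for t in ref.iter(q("ds", "Transform"))]
            for alg in transforms:
                if alg not in ALLOWED_TRANSFORMS:
                    findings.append(("transform-algorithm", alg))
            if transforms and transforms[-1] not in LAST_TRANSFORM:
                findings.append(("last-transform", transforms[-1]))
        # A SIGNATURE must not have xenc:EncryptedData among its descendants.
        if sig.find(".//xenc:EncryptedData", NS) is not None:
            findings.append(("encrypted-data-inside-signature", sig.get(q("wsu", "Id"))))
    for enc in root.iter(q("xenc", "EncryptedData")):
        alg = _algorithm(enc)
        if alg not in ALLOWED_DATA_ENC:
            findings.append(("data-encryption-algorithm", alg))
    for key in root.iter(q("xenc", "EncryptedKey")):
        alg = _algorithm(key)
        if alg not in ALLOWED_KEY_WRAP:
            findings.append(("key-wrap-algorithm", alg))
        # ds:KeyInfo in an ENCRYPTED_KEY may only hold a SecurityTokenReference or ds:MgmtData (never ds:KeyName).
        keyinfo = key.find("ds:KeyInfo", NS)
        for child in (keyinfo if keyinfo is not None else []):
            if child.tag not in (q("wsse", "SecurityTokenReference"), q("ds", "MgmtData")):
                findings.append(("keyinfo-child", child.tag))
    for tok in root.iter(q("wsse", "UsernameToken")):
        tok_id = tok.get(q("wsu", "Id"))
        # Replay protection needs wsse:Nonce or wsu:Created, and the token itself must be signed.
        if tok.find("wsse:Nonce", NS) is None and tok.find("wsu:Created", NS) is None:
            findings.append(("usernametoken-replay", tok_id))
        if tok_id not in signed_ids:
            findings.append(("usernametoken-unsigned", tok_id))
    return findings

# Constructed, skeletal envelope (digests and cipher text are placeholders) that breaks every rule above.
SAMPLE_ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
 <soap:Header><wsse:Security>
  <wsse:UsernameToken wsu:Id="UT-1"><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
  <xenc:EncryptedKey>
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes192"/>
   <ds:KeyInfo><ds:KeyName>server-key</ds:KeyName></ds:KeyInfo>
   <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey>
  <ds:Signature wsu:Id="SIG-1"><ds:SignedInfo>
   <ds:Reference URI="#Body-1"><ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   </ds:Transforms></ds:Reference>
   <ds:Reference URI="#TS-1"><ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"/>
   </ds:Transforms></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body><xenc:EncryptedData wsu:Id="Body-1">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
  <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    for rule, detail in check_bsp(SAMPLE_ENVELOPE):
        print(rule, detail)
```

Run as a script, it prints one line per violation in the sample (the original XPath transform URI is the XML DSig 1.0 transform that the tips say to replace with XPath Filter 2.0). The same function can be pointed at captured request or response envelopes from a test environment to confirm that the deployment descriptor produced by the assembly tool yields messages that match the warnings it issued.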
Related
Security considerations for web services
http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html