Basic Security Profile compliance
WAS v8.5+ Web Services Security provides options to ensure Basic Security Profile v1.0 compliance. To comply with BSP recommendations we can either use a predefined list of keywords or XPath expressions. Both are specified in the deployment descriptor.
Recommendations include...
- Do not use the original XPath transform...
Elements in a SECURE_ENVELOPE without ID attribute types from a ds:Reference in a SIGNATURE element, can be referenced using the XPath Filter 2.0 transform...
Any ds:Transform/@Algorithm attribute in a SIGNATURE element must have one of these values:
- http://www.w3.org/2001/10/xml-exc-c14n#
- http://www.w3.org/2002/06/xmldsig-filter2
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
- http://www.w3.org/2000/09/xmldsig#enveloped-signature
- http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Content-Only-Transform
- http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Complete-Transform
- Do not use the http://www.w3.org/2000/09/xmldsig#dsa-sha1 signature algorithm.
Any ds:SignatureMethod/@Algorithm element in a SIGNATURE based on a symmetric key must have one of the following values:
- Do not specify the digestvalue keyword for the message part to encrypt. Instead, use the signature keyword.
If the value of a ds:DigestValue element in a SIGNATURE element requires encryption, the entire parent ds:Signature element must be encrypted. A SIGNATURE must not have any xenc:EncryptedData elements among its descendants.
- Do not use the KEYNAME key information type
KEYNAME references can be ambiguous and compliance with the BSP disallows the use of KEYNAME.
A SECURITY_TOKEN_REFERENCE must not use a key name to reference a SECURITY_TOKEN. The child element of a ds:KeyInfo element in an ENCRYPTED_KEY must be either a SECURITY_TOKEN_REFERENCE or a ds:MgmtData element. Using a KEYNAME key information type for an encryption key results in a KeyName child element of a ds:KeyInfo element and is disallowed for BSP compliance.
- Do not use the http://www.w3.org/2001/04/xmlenc#aes192-cbc bit data encryption algorithm.
Any xenc:EncryptionMethod/@Algorithm attribute in an ENCRYPTED_DATA element must have one of these values:
- http://www.w3.org/2001/04/xmlenc#tripledes-cbc
- http://www.w3.org/2001/04/xmlenc#aes128-cbc
- http://www.w3.org/2001/04/xmlenc#aes256-cbc
- Do not use the advanced encryption standard (AES) key wrap (aes192): http://www.w3.org/2001/04/xmlenc#kw-aes192 key encryption algorithm.
When used for key wrap, any xenc:EncryptionMethod/@Algorithm attribute in an ENCRYPTED_KEY element must have one of these values:
- http://www.w3.org/2001/04/xmlenc#kw-tripledes
- http://www.w3.org/2001/04/xmlenc#kw-aes128
- http://www.w3.org/2001/04/xmlenc#kw-aes256
Configuration Options for BSP Compliance
You achieve BSP compliance when certain configuration choices are made. The assembly tool assists you in using appropriate choices when configuring the application by issuing warning messages. The following configuration descriptions comprise these warnings:
- When configuring the ds:Transforms element in a signature, the list of transforms must include as its last child element http://www.w3.org/2001/10/xml-exc-c14n# or http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
- Add a wsse:Nonce or wsse:Created element to a Username token to prevent replay. After the element is added, sign the Username token to prevent undetected alteration of these fields; otherwise, replay can occur.
Security considerations for web services http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html