Web Services Security configuration considerations
To secure web services for WebSphere Application Server, specify several different configurations. Although there is not a specific sequence in which specify these different configurations, some configurations reference other configurations.
Best practice: IBM WAS supports JAX-WS and JAX-RPC. JAX-WS extends JAX-RPC. JAX-WS supports annotations. best-practices
We can configure Web Services Security on the application level, server level, and the cell level. The following table shows an example of the relationships between each of the configurations that apply to just the application, to an entire server, or to the entire cell. However, the requirements for the bindings depend upon the deployment descriptor. Some binding information depends upon other information in the binding or server and cell-level configuration. Within the table, the configurations in the Referenced configurations column are referenced by the configuration listed in the Configuration name column. For example, the token generator on the application-level for the request generator references the collection certificate store, the nonce, time stamp, and callback handler configurations.
Configuration level Configuration name Referenced configurations Application-level request generator Token generator Collection certificate store
Nonce
Timestamp
Callback handlerApplication-level request generator Key information Key locator
Key name
TokenApplication-level request generator Signing information Key information Application-level request generator Encryption information Key information Application-level request consumer Token consumer Trust anchor Collection certificate store
Trusted ID evaluators
JAAS configurationApplication-level request consumer Key information Key locator
TokenApplication-level request consumer Signing information Key information Application-level request consumer Encryption information Key information Application-level response generator Token generator Collection certificate store
Callback handlerApplication-level response generator Key information Key locator
TokenApplication-level response generator Signing information Key information Application-level response generator Encryption information Key information Application-level response consumer Token consumer Trust anchor Collection certificate store JAAS configuration Application-level response consumer Key information Key locator
Key name
TokenApplication-level response consumer Signing information Key information Application-level response consumer Encryption information Key information Server-level default generator bindings Token generator Collection certificate store
Callback handlerServer-level default generator bindings Key information Key locator
TokenServer-level default generator bindings Signing information Key information Server-level default generator bindings Encryption information Key information Server-level default consumer bindings Token consumer Trust anchor Collection certificate store Trusted ID evaluator JAAS configuration Server-level default consumer bindings Key information Key locator
TokenServer-level default consumer bindings Signing information Key information Server-level default consumer bindings Encryption information Key information Cell-level default generator bindings Token generator Collection certificate store
Callback handlerCell-level default generator bindings Key information Key locator
TokenCell-level default generator bindings Signing information Key information Cell-level default generator bindings Encryption information Key information Cell-level default consumer bindings Token consumer Trust anchor Collection certificate store Trusted ID evaluator JAAS configuration Cell-level default consumer bindings Key information Key locator
TokenCell-level default consumer bindings Signing information Key information Cell-level default consumer bindings Encryption information Key information When multiple applications will use the same binding information, consider configuring the binding information on the server or cell level. For example, we might have a global key locator configuration used by multiple applications. Configuration information for the application-level precedes similar configuration information on the server-level and the cell level.
Related concepts
Overview of standards and programming models for web services message-level securityWeb Services Security troubleshooting tips