Secure messages at the request generator using WSS APIs
We can secure SOAP messages by configuring signing information, encryption, and generator tokens to protect message integrity, confidentiality, and authenticity, respectively. This request (client-side) generator configuration defines the Web Services Security requirements for the outgoing SOAP message request.
To secure web services with WebSphere Application Server, configure the generator and the consumer security constraints. Therefore, in addition to securing messages at the request generator level, you must also secure messages at the response consumer level.
The request (client-side) generator configuration requirements involve generating a SOAP message request that uses a digital signature, incorporates encryption, and attaches security tokens.
To secure web service applications, you specify several different configurations. There is no required order in which to specify them, but some configurations reference others. For example, decryption configurations reference encryption configurations.
We can use the following interfaces to configure Web Services Security and to define policy types to secure the SOAP messages:
- Use the console to configure policy sets.
- Use the Web Services Security APIs (WSS API) to configure the SOAP message context (only for the client).
The following high-level steps use the WSS APIs:
- Configure generator signing to protect message integrity.
- Configure encryption to protect message confidentiality.
- Attach generator tokens to protect message authenticity.
- Propagate self-issued SAML bearer tokens using WSS APIs.
- Propagate self-issued SAML sender-vouches tokens with message protection using WSS APIs.
- Propagate self-issued SAML sender-vouches tokens with transport protection using WSS APIs.
- Send self-issued SAML holder-of-key tokens with symmetric key using WSS APIs.
- Send self-issued SAML holder-of-key tokens with asymmetric key using WSS APIs.
Results
After completing these procedures, we have secured messages at the request generator level.
What to do next
Next, if not already configured, secure messages with signature verification, decryption, and consumer tokens at the response consumer (client-side) level.
Subtopics
- Configure encryption to protect message confidentiality using the WSS APIs
We can configure encryption information for the client-side request generator (sender) bindings. Encryption information is used to specify how the generators (senders) encrypt outgoing SOAP messages. To configure encryption, specify which message parts to encrypt and specify which algorithm methods and security tokens are to be used for encryption.
- Configure generator signing information to protect message integrity using the WSS APIs
We can configure the signing information to protect message integrity for the request (client side) generator binding. Signing information includes the signature and the signed parts. To keep the integrity of the message, digital signatures are typically applied.
- Attaching the generator token using WSS APIs to protect message authenticity
When you specify the token generator, that information is used on the generator side to generate the security token.
- Sending self-issued SAML bearer tokens using WSS APIs
We can create self-issued SAML tokens with the bearer subject confirmation method and then send these tokens with Web services request messages using the JAX-WS programming model and Web Services Security APIs (WSS API).
- Inserting SAML attributes using WSS APIs
We can insert custom attributes into self-issued SAML tokens using the JAX-WS programming model and Web Services Security APIs (WSS APIs).
- Sending self-issued SAML sender-vouches tokens using WSS APIs with message level protection
We can create self-issued SAML tokens with the sender-vouches subject confirmation method and use the JAX-WS programming model and Web Services Security APIs (WSS APIs) to send these tokens with web services request messages with message level protection.
- Sending self-issued SAML sender-vouches tokens using WSS APIs with SSL transport protection
We can create self-issued SAML tokens with the sender-vouches subject confirmation method and use the JAX-WS programming model and Web Services Security APIs (WSS APIs) to send these tokens with web services request messages with transport protection.
- Sending self-issued SAML holder-of-key tokens with symmetric key using WSS APIs
We can create self-issued SAML tokens with the holder-of-key subject confirmation method and use the JAX-WS programming model and Web Services Security APIs (WSS APIs) to send these tokens with web services request messages.
- Sending self-issued SAML holder-of-key tokens with asymmetric key using WSS APIs
We can create self-issued SAML tokens with the holder-of-key subject confirmation method and use the JAX-WS programming model and Web Services Security APIs (WSS APIs) to send these tokens with web services request messages.
- Requesting SAML bearer tokens from an external STS using WSS APIs and transport level protection
We can request SAML tokens with the bearer subject confirmation method from an external Security Token Service (STS). After obtaining the SAML bearer token, we can then send these tokens with web services request messages using the JAX-WS programming model and Web Services Security APIs (WSS API).
- Requesting SAML sender-vouches tokens from an external STS using WSS APIs and message level protection
We can request SAML tokens with the sender-vouches subject confirmation method from an external Security Token Service (STS). After obtaining the SAML sender-vouches token, we can then send these tokens with web services request messages using the JAX-WS programming model and Web Services Security APIs (WSS API) with message level protection.
- Requesting SAML sender-vouches tokens from an external STS using WSS APIs and transport level protection
We can request SAML tokens with the sender-vouches subject confirmation method from an external Security Token Service (STS). After obtaining the SAML sender-vouches token, we can then send these tokens with web services request messages using the JAX-WS programming model and Web Services Security APIs (WSS API) with transport level protection.
- Requesting SAML holder-of-key tokens with symmetric key from external security token service using WSS APIs
We can request an external security token service (STS) to issue SAML tokens with the holder-of-key subject confirmation method with symmetric key that is encrypted for a target service. Use the JAX-WS programming model and Web Services Security APIs (WSS APIs) to complete this task.
- Requesting SAML holder-of-key tokens with asymmetric key from External Security Token Service using WSS APIs
We can request an external Security Token Service (STS) to issue SAML tokens with the holder-of-key subject confirmation method with a public key in an X.509 certificate with the JAX-WS programming model and Web Services Security APIs (WSS APIs).
- Sending a security token using WSS APIs with a generic security token login module
We can request an authentication token from an external Security Token Service (STS), and then send the token with web service request messages using the JAX-WS programming model and Web Services Security APIs (WSS API), with message or transport level protection.
Related tasks
- Secure messages at the response consumer using WSS APIs
- Sending self-issued SAML bearer tokens using WSS APIs
- Sending self-issued SAML sender-vouches tokens using WSS APIs with message level protection
- Sending self-issued SAML sender-vouches tokens using WSS APIs with SSL transport protection