Web Services Secure Conversation standard
Web Services Secure Conversation (WS-SecureConversation) is a proposed Organization for the Advancement of Structured Information Standards (OASIS) standard that defines mechanisms for establishing and sharing security contexts, and for deriving keys from those security contexts, to enable a secure conversation.
The base WS-Security standard from OASIS defines how to digitally sign and encrypt the SOAP message to provide message-level protection. The standard also defines how to attach and reference a security token for digital signature and encryption. However, it does not provide session-based protection when a long series of related messages is exchanged. The WS-Security specification focuses on the message authentication model. This approach, while useful in many situations, could be subject to several forms of attack.
The WS-SecureConversation specification introduces the concept of a security context and its usage. The security context token is a new WS-Security token type that represents the abstract security context concept. The token is identified by a URI and consists of negotiated keys as well as other security-related properties. The context authentication model authenticates a series of messages and, therefore, addresses these concerns. The context authentication model increases the overall performance and security of the subsequent exchanges, but it requires additional communications when authentication happens prior to normal application exchanges.
v1.0 of the OASIS WS-SecureConversation specification defines extensions that build on the WS-Security and Web Services Trust (WS-Trust) standards to provide secure communication across one or more messages.
IBM, Microsoft, and other vendors have been working on the WS-SecureConversation specification since 2004. A draft of this document was jointly published in February 2005. The WS-SecureConversation draft was submitted to the OASIS Web Service Secure Exchange Technical Committee (WS-SX TC), which was formed in December 2005, along with the Web Services Trust (WS-Trust) and Web Services Security Policy (WS-SecurityPolicy) drafts in order to begin the standardization process.
A revised v1.1 draft of the WS-SecureConversation specification standard was submitted to OASIS in February 2005 and further defines the extensions in v1.0. This specification defines extensions to allow security context establishment and sharing, and session key derivation. These extensions allow contexts to be established and potentially more efficient keys or new key material to be exchanged.
The most recent version of the specification standard is version 1.3, which was approved by the WS-SX TC on March 1, 2007. Key requirements in this level of the specification include derived keys and per-message keys, and extensible security contexts. WebSphere Application Server adds support for version 1.3 of WS-SecureConversation, providing improved error handling using the standard fault codes as defined in the specification.
The Web Services Secure Conversation (WS-SecureConversation) standard is a building block used in conjunction with the other web service and application-specific protocols such as Web Services Security and Web Services Trust to accommodate a wide variety of security models and technologies. WS-SecureConversation is built on top of the WS-Security and WS-Trust models to provide secure communication between services. The WS-SecureConversation draft specification describes how to establish a security context token between two parties, and the WS-Trust specification describes how to issue and exchange security tokens.
This WS-SecureConversation draft specification includes extensions to Web Services Security and the following:
- Describes the security context token.
- Defines how security contexts are established.
- Describes how security contexts are amended, renewed, and cancelled. Amending context is not supported by WAS.
- Describes how derived keys are computed.
- Describes how to associate a specific security context with an action, if multiple security contexts exist.
WAS supports the client establishing a secured conversation with the target service endpoint.
WAS supports the OASIS v1.1 submission draft, which became available in February 2005. WAS does not support all of the functions in the submission draft. WAS support of WS-SecureConversation focuses on:
- A security context token that is established between the initiating party and the recipient party.
- The operations that are supported on the security context token, such as Issue token, Renew token, and Cancel token.
- The derived key (both explicit and implied).
Secure conversation provided with WAS does not provide support for a security context token (SCT) that is acquired from a third-party trust server, and does not provide support for a security context token that is created by the client.
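The two lists above mention derived keys twice: the specification defines how they are computed, and WAS supports both the explicit and the implied form. The following added example (not IBM's code and not part of this page) shows the computation itself: the key-derivation function the specification names is the TLS-style P_SHA1 pseudo-random function, seeded with the derived-key label concatenated with a nonce, and the derived key is a window (offset and length, or generation times length) into that function's output. The wsc:DerivedKeyToken element is parsed from a constructed sample using the 200512 namespace listed on this page; the secret, nonce and label values are constructed placeholders, and the default length and label used when the element omits them are assumptions to be checked against the specification level in use. The MAC at the end is a plain HMAC over a byte string, standing in for the XML-signature step, to show that both parties holding the context secret arrive at the same per-message key.

```python
"""Derived keys for WS-SecureConversation: P_SHA1(secret, label + nonce)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespace for WS-SecureConversation 1.3 (200512), as listed on the page.
WSC_NS = "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
# Defaults applied when the token omits Length or Label (assumed here; verify
# against the specification version your endpoint is configured for).
DEFAULT_LENGTH = 32
DEFAULT_LABEL = "WS-SecureConversation"


def p_sha1(secret: bytes, seed: bytes, offset: int, length: int) -> bytes:
    """TLS-style P_SHA1 (RFC 2246 section 5), returning output[offset:offset+length].

    A(0) = seed, A(i) = HMAC_SHA1(secret, A(i-1))
    output = HMAC_SHA1(secret, A(1) + seed) || HMAC_SHA1(secret, A(2) + seed) || ...
    """
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    a = seed
    out = bytearray()
    while len(out) < offset + length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return bytes(out[offset:offset + length])


def derive_key(secret: bytes, label: str, nonce: bytes, offset: int, length: int) -> bytes:
    """Derive one key from the security context secret: P_SHA1(secret, label + nonce)."""
    return p_sha1(secret, label.encode("utf-8") + nonce, offset, length)


def parse_derived_key_token(xml_text: str) -> dict:
    """Read Label, Nonce, Offset (or Generation) and Length from a wsc:DerivedKeyToken."""
    root = ET.fromstring(xml_text)

    def child_text(name, default=None):
        el = root.find("{%s}%s" % (WSC_NS, name))
        return el.text.strip() if el is not None and el.text else default

    nonce_b64 = child_text("Nonce")
    if nonce_b64 is None:
        raise ValueError("DerivedKeyToken carries no wsc:Nonce")
    length = int(child_text("Length", str(DEFAULT_LENGTH)))
    if child_text("Offset") is not None:
        offset = int(child_text("Offset"))
    elif child_text("Generation") is not None:
        # Generation N addresses the N-th key of this length in the P_SHA1 stream.
        offset = int(child_text("Generation")) * length
    else:
        offset = 0
    return {
        "label": child_text("Label", DEFAULT_LABEL),
        "nonce": base64.b64decode(nonce_b64),
        "offset": offset,
        "length": length,
    }


def key_from_token(secret: bytes, token_xml: str) -> bytes:
    """Derive the key a wsc:DerivedKeyToken refers to, given the context secret."""
    info = parse_derived_key_token(token_xml)
    return derive_key(secret, info["label"], info["nonce"], info["offset"], info["length"])


# Constructed sample token: an explicit derived key, 16 bytes at offset 0.
SAMPLE_NONCE = base64.b64encode(b"constructed-nonce-0001").decode("ascii")
SAMPLE_TOKEN = """<wsc:DerivedKeyToken xmlns:wsc="%s">
  <wsc:Offset>0</wsc:Offset>
  <wsc:Length>16</wsc:Length>
  <wsc:Label>WS-SecureConversation</wsc:Label>
  <wsc:Nonce>%s</wsc:Nonce>
</wsc:DerivedKeyToken>""" % (WSC_NS, SAMPLE_NONCE)
CONTEXT_SECRET = b"constructed-32-byte-context-secret"  # placeholder, not a real key


def demo() -> tuple:
    """Initiator and recipient each derive the key from the shared secret and the token.

    Returns (initiator_key, recipient_key, mac_over_sample_message).
    """
    message = b"<soap:Body>constructed sample payload</soap:Body>"
    initiator_key = key_from_token(CONTEXT_SECRET, SAMPLE_TOKEN)
    recipient_key = key_from_token(CONTEXT_SECRET, SAMPLE_TOKEN)
    mac = hmac.new(initiator_key, message, hashlib.sha1).digest()
    # The recipient recomputes the MAC with its own derivation and compares in constant time.
    assert hmac.compare_digest(mac, hmac.new(recipient_key, message, hashlib.sha1).digest())
    return initiator_key, recipient_key, mac


if __name__ == "__main__":
    k1, k2, mac = demo()
    print("derived key:", k1.hex(), "same on both sides:", k1 == k2)
```

Because every message can reference a different offset, generation or nonce, the long-lived context secret itself is never used directly as a signing or encryption key; that is the per-message-key property the v1.3 requirements paragraph refers to, and it limits what an attacker learns from any single compromised message key.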
For information about WS-SecureConversation:
- See the IBM developerWorks website.
- See the schema for this specification: WS-SecureConversation schema
- Refer to the following namespace prefixes used for WS-SecureConversation: http://schemas.xmlsoap.org/ws/2005/02/sc and http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512
Subtopics
- Configure the token generator and token consumer to use a specific level of WS-SecureConversation
Use the dmgr console to configure the token generator or token consumer to use a specific level of the WS-SecureConversation OASIS specification standard. Select one of the two levels of token types supported: Secure Conversation Token v200502, or Secure Conversation Token v1.3.