
Web Services Security configuration considerations when using the WSS API

To configure Web Services Security for WebSphere Application Server, we can specify several different configurations using the Web Services Security APIs (WSS API). The Web Services Security specification provides a flexible way to secure web services messages using XML digital signature, XML encryption, and attached security tokens. We can enable Web Services Security either by configuring a policy set or by using the WSS API. The WSS API implementation has default values for which message parts are signed or encrypted; these defaults let end users enable Web Services Security quickly.

Different message parts can be specified in the message protection for request or response, and different stand-alone tokens can be sent in request or response. However, there is only one symmetric or one asymmetric binding assertion to describe the token type and the algorithm used for message protection.

Using the WSS API, we can override any of the default values. Note, however, that as soon as we alter the protection parts, all of the default protection parts for that configuration are cleared and are not restored automatically. For example, if we specify that the Username token is to be encrypted instead of the default X.509 token, all the default encryption protection parts are cleared, and any part that must remain encrypted has to be added again explicitly.
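The following Java code is an added example and is not part of the IBM page or the WebSphere product code. It builds a request-generator configuration with the WSS API that matches the default signing and encryption values listed in the table below, and it shows the consequence of the override rule: once addSignPart() or addEncryptPart() is called, the default parts (Body, addressing headers, Timestamp for signing; Body content for encryption) are no longer implied and are re-added explicitly. The package names, the X509GenerateCallbackHandler constructor argument order and the WSSEncryption.SIGNATURE constant are assumptions to be checked against the WSS API Javadoc; keystore file names, aliases and passwords are placeholders.

```java
// Added example (not from the original page): request-side signing and encryption
// with the WSS API, restating the defaults after overriding the protection parts.
// Assumptions: package names and constructor argument order as recalled from the
// WAS v8.5 WSS API Javadoc; keystore names, aliases and passwords are placeholders.
import java.util.Map;
import javax.xml.ws.BindingProvider;

import com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext;
import com.ibm.websphere.wssecurity.wssapi.encryption.WSSEncryption;
import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignature;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;

public class RequestProtectionExample {

    /** Attaches a generation context that signs and then encrypts the outgoing SOAP request. */
    public static void protectRequest(Object port) throws Exception {
        WSSFactory factory = WSSFactory.getInstance();
        WSSGenerationContext gencont = factory.newWSSGenerationContext();

        // Callback handler that loads the client's signing key (placeholder keystore values).
        X509GenerateCallbackHandler sigHandler = new X509GenerateCallbackHandler(
                "",                         // keystore reference (none)
                "client-sign.jks",          // keystore path (placeholder)
                "jks",                      // keystore type
                "changeit".toCharArray(),   // keystore password (placeholder)
                "clientsigner",             // key alias (placeholder)
                "changeit".toCharArray(),   // key password (placeholder)
                null,                       // certificate store (none)
                null);                      // identity assertion (none)
        SecurityToken sigToken = factory.newSecurityToken(X509Token.class, sigHandler);

        // Signing: the algorithm defaults from the table are restated explicitly.
        WSSSignature sig = factory.newWSSSignature(sigToken);
        sig.setCanonicalizationMethod(WSSSignature.EXC_C14N);
        sig.setSignatureMethod(WSSSignature.RSA_SHA1);
        sig.setTokenReference(SecurityToken.REF_STR);
        // The first addSignPart() call clears the default parts, so every part that must
        // stay protected (Body, addressing headers, Timestamp) is added back here.
        sig.addSignPart(WSSSignature.BODY);
        sig.addSignPart(WSSSignature.ADDRESSING_HEADERS);
        sig.addSignPart(WSSSignature.TIMESTAMP);
        gencont.add(sig);

        // Encryption under the service's public key (placeholder truststore values).
        X509GenerateCallbackHandler encHandler = new X509GenerateCallbackHandler(
                "", "service-enc.jks", "jks", "changeit".toCharArray(),
                "serviceenc", null, null, null);
        SecurityToken encToken = factory.newSecurityToken(X509Token.class, encHandler);

        WSSEncryption enc = factory.newWSSEncryption(encToken);
        enc.setEncryptionMethod(WSSEncryption.AES128);
        enc.setKeyEncryptionMethod(WSSEncryption.KW_RSA_OAEP);
        enc.setTokenReference(SecurityToken.REF_KEYID);
        // Same rule as for signing: overriding the encryption parts discards the default
        // Body content part, so it is re-added next to the extra part (the signature).
        enc.addEncryptPart(WSSEncryption.BODY_CONTENT);
        enc.addEncryptPart(WSSEncryption.SIGNATURE);
        gencont.add(enc);

        // Bind the generation context to the JAX-WS request context of the port proxy.
        Map<String, Object> reqContext = ((BindingProvider) port).getRequestContext();
        gencont.process(reqContext);
    }
}
```

The practical check after any override is to inspect the generated Security header on the wire (or in the trace) and confirm that the Body, the WS-Addressing headers and the Timestamp still appear as signed references and that the Body content is still an EncryptedData element; a missing Timestamp reference in particular is the usual sign that the defaults were cleared and not re-added.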

The following table shows an example of the relationships between each of the configurations:

Request generator and response consumer configurations. Use the table to determine the mapping between the configurations and the default values.

Type of configuration: Request generator
Configuration name: Signing information
Configurations and default values:

  • Canonicalization method: WSSSignature.EXC_C14N
  • Signature method: WSSSignature.RSA_SHA1
  • Digest method: WSSSignPart.SHA1
  • Transform method: WSSSignPart.TRANSFORM_EXC_C14N
  • Signed part - Body: WSSSignature.BODY
  • Signed part - Addressing: WSSSignature.ADDRESSING_HEADERS
  • Signed part - Timestamp: WSSSignature.TIMESTAMP
  • Token reference: SecurityToken.REF_STR
  • Token - Value type: X509Token.ValueType
  • Token - JAAS login configuration name: system.wss.generate.x509

Type of configuration: Response consumer
Configuration name: Signature verification information
Configurations and default values:

  • Canonicalization method: WSSVerification.EXC_C14N
  • Signature method: WSSVerification.RSA_SHA1
  • Transform method: WSSVerifyPart.TRANSFORM_EXC_C14N
  • Signed part - Body: WSSVerification.BODY
  • Signed part - Addressing: WSSVerification.ADDRESSING_HEADERS
  • Signed part - Timestamp: WSSVerification.TIMESTAMP
  • Token - Value type: X509Token.ValueType
  • Token - JAAS login configuration name: system.wss.consume.x509

Type of configuration: Request generator
Configuration name: Encryption information
Configurations and default values:

  • Encrypted key: true
  • Key encryption method: WSSEncryption.KW_RSA_OAEP
  • Data encryption method: WSSEncryption.AES128
  • Encryption part: WSSEncryption.BODY_CONTENT
  • Token reference: SecurityToken.REF_KEYID
  • Token - Value type: X509Token.ValueType
  • Token - JAAS login configuration name: system.wss.generate.x509

Type of configuration: Response consumer
Configuration name: Decryption information
Configurations and default values:

  • Encrypted key: true
  • Key decryption method: WSSDecryption.KW_RSA_OAEP
  • Data decryption method: WSSDecryption.AES128
  • Decryption part: WSSDecryption.BODY_CONTENT
  • Token - Value type: X509Token.ValueType
  • Token - JAAS login configuration name: system.wss.consume.x509


Related


Configure signing information using the WSSSignature API
Verifying the signature using the WSSVerification API
Encrypting the SOAP message using the WSSEncryption API
Decrypting SOAP messages using the WSSDecryption API
Manage policy sets

