Basic Security Profile compliance tips
The Web Services Interoperability Organization (WS-I) Basic Security Profile (BSP) 1.0 promotes interoperability by providing clarifications and amplifications to a set of nonproprietary web services specifications. WebSphere Application Server Web Services Security provides configuration options to ensure that the BSP recommendations and security considerations can be enabled to ensure interoperability. The degree to which you follow these recommendations is then a measure of how well the application we are configuring complies with the Basic Security Profile (BSP).
Support for applications to comply to the Basic Security Profile (BSP) is new in WAS v9.0. For more information on the Basic Security Profile, see Web Services Interoperability Organization (WS-I) Basic Security Profile (BSP), Basic Security Profile Version 1.0.
Use either a predefined list of keywords or XPath expressions to comply to the BSP. Both the keywords and the XPath expressions are specified in the deployment descriptor configuration file and are configured using an assembly tool.
Basic Security Profile recommendations
Follow these recommendations to ensure that your configured applications are Basic Security Profile (BSP) compliant.
- Do not use the original XPath transform, http://www.w3.org/TR/1999/REC-xpath-19991116
When we refer to an element in a SECURE_ENVELOPE that does not carry an ID attribute type from a ds:Reference in a SIGNATURE element, use the XPath Filter 2.0 transform, http://www.w3.org/2002/06/xmldsig-filter2 to refer to that element.
Any ds:Transform/@Algorithm attribute in a SIGNATURE element must have one of these values:
- http://www.w3.org/2001/10/xml-exc-c14n#
- http://www.w3.org/2002/06/xmldsig-filter2
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
- http://www.w3.org/2000/09/xmldsig#enveloped-signature
- http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Content-Only-Transform
- http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Complete-Transform
- Do not use the http://www.w3.org/2000/09/xmldsig#dsa-sha1 signature algorithm.
Any ds:SignatureMethod/@Algorithm element in a SIGNATURE based on a symmetric key must have one of the following values:
- Do not specify the digestvalue keyword for the message part to encrypt. Instead, use the signature keyword.
If the value of a ds:DigestValue element in a SIGNATURE element requires encryption, the entire parent ds:Signature element must be encrypted. A SIGNATURE must not have any xenc:EncryptedData elements among its descendants.
- Do not use the KEYNAME key information type
KEYNAME references can be ambiguous and compliance with the BSP disallows the use of KEYNAME.
A SECURITY_TOKEN_REFERENCE must not use a key name to reference a SECURITY_TOKEN. The child element of a ds:KeyInfo element in an ENCRYPTED_KEY must be either a SECURITY_TOKEN_REFERENCE or a ds:MgmtData element. Using a KEYNAME key information type for an encryption key results in a KeyName child element of a ds:KeyInfo element and is disallowed for BSP compliance.
- Do not use the http://www.w3.org/2001/04/xmlenc#aes192-cbc bit data encryption algorithm.
Any xenc:EncryptionMethod/@Algorithm attribute in an ENCRYPTED_DATA element must have one of these values:
- http://www.w3.org/2001/04/xmlenc#tripledes-cbc
- http://www.w3.org/2001/04/xmlenc#aes128-cbc
- http://www.w3.org/2001/04/xmlenc#aes256-cbc
- Do not use the advanced encryption standard (AES) key wrap (aes192): http://www.w3.org/2001/04/xmlenc#kw-aes192 key encryption algorithm.
When used for key wrap, any xenc:EncryptionMethod/@Algorithm attribute in an ENCRYPTED_KEY element must have one of these values:
- http://www.w3.org/2001/04/xmlenc#kw-tripledes
- http://www.w3.org/2001/04/xmlenc#kw-aes128
- http://www.w3.org/2001/04/xmlenc#kw-aes256
Configuration Options for BSP Compliance
You achieve BSP compliance when certain configuration choices are made. The assembly tool assists you in using appropriate choices when configuring the application by issuing warning messages. The following configuration descriptions comprise these warnings:
- When configuring the ds:Transforms element in a signature, the list of transforms must include as its last child element http://www.w3.org/2001/10/xml-exc-c14n# or http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
- Add a wsse:Nonce or wsse:Created element to a Username token to prevent replay. After the element is added, sign the Username token to prevent undetected alteration of these fields; otherwise, replay can occur.
Security considerations for web services http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html