Web Services Security configuration considerations when using the WSS API
To secure web services for WebSphere Application Server, we can specify several different configurations using the Web Services Security APIs (WSS API). The Web Services Security specification provides a flexible way to secure web services messages using XML digital signature, XML encryption, and attached security tokens. We can enable Web Services Security either by configuring a policy set or by using the WSS API. The WSS API implementation has default values for which message parts are to be signed or encrypted. These defaults help end users enable Web Services Security quickly.
Different message parts can be specified in the message protection for request or response, and different stand-alone tokens can be sent in request or response. However, there is only one symmetric or one asymmetric binding assertion to describe the token type and the algorithm used for message protection.
Using the WSS API, we can override any of the default values. Note, however, that when we alter the protection parts, all of the default protection parts are cleared. For example, if we specify that the Username token is to be encrypted instead of the default X.509 token, all of the default encryption protection parts are cleared and must be added back explicitly if they are still wanted.
The following table shows an example of the relationships between each of the configurations:
Type of configuration | Configuration name | Configurations and default values

Request generator | Signing information
- Canonicalization method: WSSSignature.EXC_C14N
- Signature method: WSSSignature.RSA_SHA1
- Digest method: WSSSignPart.SHA1
- Transform method: WSSSignPart.TRANSFORM_EXC_C14N
- Signed part - Body: WSSSignature.BODY
- Signed part - Addressing: WSSSignature.ADDRESSING_HEADERS
- Signed part - Timestamp: WSSSignature.TIMESTAMP
- Token reference: SecurityToken.REF_STR
- Token - Value type: X509Token.ValueType
- Token - JAAS login configuration name: system.wss.generate.x509

Response consumer | Signature verification information
- Canonicalization method: WSSVerification.EXC_C14N
- Signature method: WSSVerification.RSA_SHA1
- Transform method: WSSVerifyPart.TRANSFORM_EXC_C14N
- Signed part - Body: WSSVerification.BODY
- Signed part - Addressing: WSSVerification.ADDRESSING_HEADERS
- Signed part - Timestamp: WSSVerification.TIMESTAMP
- Token - Value type: X509Token.ValueType
- Token - JAAS login configuration name: system.wss.consume.x509

Request generator | Encryption information
- Encrypted key: true
- Key encryption method: WSSEncryption.KW_RSA_OAEP
- Data encryption method: WSSEncryption.AES128
- Encryption part: WSSEncryption.BODY_CONTENT
- Token reference: SecurityToken.REF_KEYID
- Token - Value type: X509Token.ValueType
- Token - JAAS login configuration name: system.wss.generate.x509

Response consumer | Decryption information
- Encrypted key: true
- Key decryption method: WSSDecryption.KW_RSA_OAEP
- Data decryption method: WSSDecryption.AES128
- Decryption part: WSSDecryption.BODY_CONTENT
- Token - Value type: X509Token.ValueType
- Token - JAAS login configuration name: system.wss.consume.x509
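The following request generator configuration is an added example, not code from this page or from IBM's own samples. It restates the table's signing and encryption defaults explicitly and shows the caveat above in practice: because encrypting the Username token clears the default encryption parts, BODY_CONTENT is added back, and because adding any signed part clears the default signed parts, all three are re-added. The keystore path and type, passwords, alias, subject DN, and user credentials are constructed placeholders; the callback handler constructor arguments follow the shape used in IBM's documented samples and are assumed here.

```java
import com.ibm.websphere.wssecurity.callbackhandler.UNTGenerateCallbackHandler;
import com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext;
import com.ibm.websphere.wssecurity.wssapi.encryption.WSSEncryption;
import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignature;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.wssapi.token.UsernameToken;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;

public class WssRequestProtection {

    // Builds the outbound (request generator) context. Keystore values, alias,
    // subject DN and credentials are constructed placeholders, not real ones.
    public static WSSGenerationContext build(WSSFactory factory) throws Exception {
        WSSGenerationContext gencont = factory.newWSSGenerationContext();

        // X.509 token used for signing and for wrapping the data-encryption key.
        X509GenerateCallbackHandler x509Handler = new X509GenerateCallbackHandler(
                "", "sender.ks", "jks", "changeit".toCharArray(),
                "soaprequester", "changeit".toCharArray(),
                "CN=SOAPRequester, O=Example, C=US", null);
        SecurityToken x509 = factory.newSecurityToken(X509Token.class, x509Handler);

        // Username token that travels in the request and is encrypted below.
        UNTGenerateCallbackHandler untHandler = new UNTGenerateCallbackHandler("alice", "secret");
        SecurityToken unt = factory.newSecurityToken(UsernameToken.class, untHandler);

        // Signing: the first addSignPart call clears the defaults, so body,
        // addressing headers and timestamp are all added back explicitly.
        WSSSignature sig = factory.newWSSSignature(x509);
        sig.setCanonicalizationMethod(WSSSignature.EXC_C14N);
        sig.setSignatureMethod(WSSSignature.RSA_SHA1);
        sig.setTokenReference(SecurityToken.REF_STR);
        sig.addSignPart(WSSSignature.BODY);
        sig.addSignPart(WSSSignature.ADDRESSING_HEADERS);
        sig.addSignPart(WSSSignature.TIMESTAMP);

        // Encryption: encrypting the Username token clears the default
        // BODY_CONTENT part; without the second call the body would be sent in clear.
        WSSEncryption enc = factory.newWSSEncryption(x509);
        enc.setKeyEncryptionMethod(WSSEncryption.KW_RSA_OAEP);
        enc.setEncryptionMethod(WSSEncryption.AES128);
        enc.setTokenReference(SecurityToken.REF_KEYID);
        enc.addEncryptPart(unt);
        enc.addEncryptPart(WSSEncryption.BODY_CONTENT);

        gencont.add(unt);
        gencont.add(sig);
        gencont.add(enc);
        return gencont;
    }
}
```

Call gencont.process(messageContext) from the client's outbound handler to apply the configuration; the matching consumer side must be configured with the same algorithms and parts, or verification and decryption of the response will fail.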
Related topics:
- Configure signing information using the WSSSignature API
- Verifying the signature using the WSSVerification API
- Encrypting the SOAP message using the WSSEncryption API
- Decrypting SOAP messages using the WSSDecryption API
- Manage policy sets