Configure Web Services Security using JAX-RPC at the platform level

In the platform configuration, general properties and additional properties can be specified, and the default binding is included. We can configure security for web services at a platform level with a variety of tasks including configuring key locators, trust anchors, and the collection certificate at the generator, consumer binding, and sever levels.

IBM WebSphere Application Server supports JAX-WS and JAX-RPC. Using the strategic JAX-WS programming model, development of web services and clients is simplified through support of a standards-based annotations model. Although JAX-RPC and applications are still supported, take advantage of the easy-to-implement JAX-WS programming model to develop new web services applications and clients.best-practices

Besides the application-level constraints, there is a cell-level and server-level Web Services Security (WSS) configuration called a platform-level configuration:

• These configurations are global for all applications and include some configurations only for WAS v5.x applications and some only for version 6.0.x applications.

• Use the default binding as an application-level binding configuration so that applications do not have to define the binding in the application. There is only one set of default bindings that can be shared by multiple applications. This set is only available for WAS Version 6.x applications.

Therefore, binding configuration files can be specified at these levels: application, server, and cell. Each binding configuration overrides the next higher one. For any deployed application, the nearest configuration binding is applied. The visibility scope of the binding depends on where the file is located. If the binding is defined in an application, its visibility is scoped to that particular application. If it is located at the server level, the visibility scope is all applications deployed on that server. For WAS ND, if it is located at the cell level, the visibility scope is all applications deployed on all servers of the cell.

To ensure Web Services Security at the platform level, we can configure:

• A nonce on the server or cell level

• The key locator for the generator or consumer binding on the application level, server level, or cell level
• Trust anchors for the generator or consumer binding on the application level, server level, or cell level

• The collection certificate store for the generator or consumer binding on the application level, server level or cell level
• Trusted ID evaluators on the server or cell level
• Hardware cryptographic devices for Web Services Security

• The rrdSecurity.props property file

Tasks

• To configure a nonce on the server or cell level, see the steps in Configure a nonce on the server or cell level

• To configure the key locator for the generator binding on the application level, see the steps in Configure the key locator using JAX-RPC for the generator binding on the application level

• To configure the key locator for the consumer binding on the application level, see the steps in Configure the key locator using JAX-RPC for the consumer binding on the application level

• To configure the key locator on the server or cell level, see the steps in Configure the key locator using JAX-RPC on the server or cell level

• To configure trust anchors for the generator binding on the application level, see the steps in Configure trust anchors for the generator binding on the application level

• To configure trust anchors for the consumer binding on the application level, see the steps in Configure trust anchors for the consumer binding on the application level

• To configure trust anchors on the server or cell level, see the steps in Configure trust anchors on the server or cell level

• To configure the collection certificate store for the generator binding on the application level, see the steps in Configure the collection certificate store for the generator binding on the application level

• To configure the collection certificate store for the consumer binding on the application level, see the steps in Configure the collection certificate store for the consumer binding on the application level

• To configure the collection certificate on the server or cell level, see the steps in Web Services - Configure the collection certificate on the server or cell level

• To configure trusted ID evaluators on the server or cell level, see the steps in Configure trusted ID evaluators on the server or cell level

• To enable hardware cryptographic devices for Web Services Security, see the steps in Enable hardware cryptographic devices for Web Services Security

• To work with the rrdSecurity.props file, see rrdSecurity.props file

By completing these steps, we have configured Web Services Security at the platform level.

Subtopics

• Configure a nonce on the server or cell level
  We can configure nonce for the server or cell using the WAS administrative console.
• Distributing nonce caching to servers in a cluster
  Distributed nonce caching enables us to distribute the cache for a nonce to different servers in a cluster.
• Configure the key locator using JAX-RPC for the generator binding on the application level
  The key locator information for the default generator specifies which key locator implementation is used to locate the key to be used for signature and encryption information. The key locator information for the generator specifies which key locator implementation is used to locate the key to be used for signature validation or encryption.
• Configure the key locator using JAX-RPC for the consumer binding on the application level
  The key locator information for the consumer at the application level specifies which key locator implementation is used. The key locator implementation locates the key to be used to validate the digital signature or the encryption information by the application.
• Configure the key locator using JAX-RPC on the server or cell level
  The key locator information for the default generator bindings specifies which key locator implementation is used to locate the key for signature and encryption information if these bindings are not defined at the application level.
• Configure trust anchors for the generator binding on the application level
  A trust anchor specifies keystores that contain trusted root certificates, which validate the signer certificate. These keystores are used by the request generator and the response generator (when web services are acting as client) to generate the signer certificate for the digital signature. We can configure trust anchors for the generator binding at the application level using the administrative console.
• Configure trust anchors for the consumer binding on the application level
  We can configure trust anchors for the consumer binding at the application level.
• Configure trust anchors on the server or cell level
  We can configure a list of keystore objects that contain trusted root certificates to be used for certificate path validation of incoming X.509-formatted security tokens.
• Configure the collection certificate store for the generator binding on the application level
  We can configure a collection certificate for the generator bindings on the application level.
• Configure the collection certificate store for the consumer binding on the application level
  A collection certificate store is a collection of non-root, certificate authority (CA) certificates and certificate revocation lists (CRLs). This collection of CA certificates and CRLs is used to check for a valid signature in a digitally signed SOAP message.
• Web Services - Configure the collection certificate on the server or cell level
  Collection certificate stores contain untrusted, intermediary certificate files awaiting validation. We can configure a collection certificate store on the server level.
• Configure trusted ID evaluators on the server or cell level
  We can configure trusted identity (ID) evaluators. The trusted ID evaluator determines whether or not to trust the identity-asserting authority.
• rrdSecurity.props file
  Remote request dispatcher (RRD) supports LTPA and security attribute propagation for Web Services Security (WS-Security). We can enable token propagation in the <was_install>/profiles/<profileName>/properties/rrdSecurity.props file.
• Configure a nonce on the server or cell level
  We can configure nonce for the server or cell using the WAS administrative console.
• Distributing nonce caching to servers in a cluster
  Distributed nonce caching enables us to distribute the cache for a nonce to different servers in a cluster.
• Configure the key locator using JAX-RPC for the generator binding on the application level
  The key locator information for the default generator specifies which key locator implementation is used to locate the key to be used for signature and encryption information. The key locator information for the generator specifies which key locator implementation is used to locate the key to be used for signature validation or encryption.
• Configure the key locator using JAX-RPC for the consumer binding on the application level
  The key locator information for the consumer at the application level specifies which key locator implementation is used. The key locator implementation locates the key to be used to validate the digital signature or the encryption information by the application.
• Configure the key locator using JAX-RPC on the server or cell level
  The key locator information for the default generator bindings specifies which key locator implementation is used to locate the key for signature and encryption information if these bindings are not defined at the application level.
• Configure trust anchors for the generator binding on the application level
  A trust anchor specifies keystores that contain trusted root certificates, which validate the signer certificate. These keystores are used by the request generator and the response generator (when web services are acting as client) to generate the signer certificate for the digital signature. We can configure trust anchors for the generator binding at the application level using the administrative console.
• Configure trust anchors for the consumer binding on the application level
  We can configure trust anchors for the consumer binding at the application level.
• Configure trust anchors on the server or cell level
  We can configure a list of keystore objects that contain trusted root certificates to be used for certificate path validation of incoming X.509-formatted security tokens.
• Configure the collection certificate store for the generator binding on the application level
  We can configure a collection certificate for the generator bindings on the application level.
• Configure the collection certificate store for the consumer binding on the application level
  A collection certificate store is a collection of non-root, certificate authority (CA) certificates and certificate revocation lists (CRLs). This collection of CA certificates and CRLs is used to check for a valid signature in a digitally signed SOAP message.
• Web Services - Configure the collection certificate on the server or cell level
  Collection certificate stores contain untrusted, intermediary certificate files awaiting validation. We can configure a collection certificate store on the server level.
• Configure trusted ID evaluators on the server or cell level
  We can configure trusted identity (ID) evaluators. The trusted ID evaluator determines whether or not to trust the identity-asserting authority.
• rrdSecurity.props file
  Remote request dispatcher (RRD) supports LTPA and security attribute propagation for Web Services Security (WS-Security). We can enable token propagation in the <was_install>/profiles/<profileName>/properties/rrdSecurity.props file.