
Secure JAX-RPC web services using message-level security

Standards and profiles address how to provide protection for messages that are exchanged in a web service environment.

IBM WebSphere Application Server supports JAX-WS and JAX-RPC. Using the strategic JAX-WS programming model, development of web services and clients is simplified through support of a standards-based annotations model. Although the JAX-RPC programming model and applications are still supported, take advantage of the easy-to-implement JAX-WS programming model to develop new web services applications and clients.

To secure web services with WAS, we must specify several different configurations. Although there is no specific sequence in which to specify these configurations, some configurations reference other configurations. See Web Services Security configuration considerations.

Web service security is supported in the managed web service container. To establish a managed environment and to enforce constraints for Web Services Security, we must perform a JNDI lookup on the client to resolve the service reference.

Because of the relationship between the different Web Services Security configurations, IBM recommends specifying the configurations on each level in the following order. We can choose to configure Web Services Security for the application level, the server level, or the cell level, depending on the environment and security needs.


Tasks

  1. Learn about Web Services Security.

    1. See Web Services Security concepts.

  2. Decide which programming model, JAX-WS or JAX-RPC, works best for securing the web services applications.

    1. This procedure uses JAX-RPC.

  3. Configure Web Services Security.

    1. We can choose to configure Web Services Security for the application level, the server level, the cell level, or the platform level, depending on the environment and security needs. Cell-level configuration is supported only in a network deployment environment.

  4. Specify the application-level configuration.

    1. See Configure message-level security for JAX-RPC at the application level.

  5. Specify the server-level configuration.

    1. See Configure message-level security for JAX-RPC at the server or cell level.

  6. Specify the cell-level configuration.

    1. Cell-level configuration is supported only in a network deployment environment.

  7. Specify the platform-level configuration.

    1. See Configure Web Services Security using JAX-RPC at the platform level.

  8. Develop and assemble a JAX-RPC application, or migrate an existing application.

    1. Assemble your Web Services Security-enabled application using an assembly tool. See assembly tools. Prior to modifying a Web Services Security-enabled application in the WAS administrative console, assemble the application using an assembly tool. Although we can modify some of the application settings using the administrative console, configure the generator and the consumer security constraints using an assembly tool.

  9. Deploy the JAX-RPC application.

After completing these steps for WAS, we have secured web services.


Related:

  • Development and assembly tools
  • Developing web services clients that retrieve tokens from the JAAS Subject in an application
  • Developing web services applications that retrieve tokens from the JAAS Subject in a server application
  • Troubleshoot web services
  • Tune Web Services Security for v9.0 applications
  • Secure web services applications at the transport level
  • Authenticating web services clients using HTTP basic authentication
  • Configure trust anchors for the generator binding on the application level
  • Configure the collection certificate store for the generator binding on the application level
  • Configure token generators using JAX-RPC to protect message authenticity at the application level
  • Configure the key locator using JAX-RPC for the generator binding on the application level
  • Configure the key information using JAX-RPC for the generator binding on the application level
  • Configure signing information using JAX-RPC for the generator binding on the application level
  • Configure encryption using JAX-RPC to protect message confidentiality at the application level
  • Configure trust anchors for the consumer binding on the application level
  • Configure the collection certificate store for the consumer binding on the application level
  • Configure token consumers using JAX-RPC to protect message authenticity at the application level
  • Configure the key locator using JAX-RPC for the consumer binding on the application level
  • Configure the key information using JAX-RPC for the consumer binding on the application level
  • Configure signing information using JAX-RPC for the consumer binding on the application level
  • Configure encryption to protect message confidentiality at the application level
  • Configure trust anchors on the server or cell level
  • Web Services - Configure the collection certificate on the server or cell level
  • Configure a nonce on the server or cell level
  • Configure token generators using JAX-RPC to protect message authenticity at the server or cell level
  • Configure the key locator using JAX-RPC on the server or cell level
  • Configure the key information for the generator binding using JAX-RPC on the server or cell level
  • Configure signing information using JAX-RPC for the generator binding on the server or cell level
  • Configure encryption using JAX-RPC to protect message confidentiality at the server or cell level
  • Configure trusted ID evaluators on the server or cell level
  • Configure token consumers using JAX-RPC to protect message authenticity at the server or cell level
  • Configure the key information for the consumer binding using JAX-RPC on the server or cell level
  • Configure signing information using JAX-RPC for the consumer binding on the server or cell level
  • Configure encryption to protect message confidentiality at the server or cell level
  • Security considerations for web services
  • rrdSecurity.props file