Web services security review roap map

Web services security

Contents

Overview
High-level architecture
Web Services security review tasks
Web services security with WebSphere appserver V6

Overview

WS-Security...

Secures SOAP messages through XML digital signature
Enhances confidentiality through XML encryption
Propagates credentials using security tokens

For WAS V6 and later, WS-Security can be applied as transport-level security and as message-level security.
HTTPS and SSL transport-level technology may be used for securing Web services. Web services security includes transport-level SSL.
Applications that require that the document data be secured beyond the HTTPS connection or beyond the transport layer should use message-level security.
Message-level security requirements include:

identity
authentication
authorization
integrity
confidentiality
nonrepudiation
basic message exchange
etc...

Traditional Web and message-level security share many of the same mechanisms for handling security, including...

digital certificates
encryption
digital signatures

Message-level security applies to XML documents that are sent as SOAP messages, embedding required security information in the SOAP header of a message. Encryption and digital signature apply to the data in the message itself.
With message-level security, the SOAP message itself either...

contains the information needed to secure the message
contains information about where to get that information to handle security needs

Message-level security is not tied to any particular transport mechanism. Because the security information is part of the message, it is independent of a transport protocol, such as HTTPS.
Web service clients add to the SOAP message header security information. When the message is received the Web service endpoint uses the security information in the header to...

verify the secured message
validate it against the policy

For example, the service endpoint might verify the message signature and check that the message has not been tampered with. It is possible to add signature and encryption information to the SOAP message headers, as well as other information such as security tokens for identity (for example, an X.509 certificate) that are bound to the SOAP message content.
The authentication mechanism, integrity, and confidentiality can be applied at the message level and at the transport level. When message-level security is applied, we can protect the SOAP message with a security token, digital signature, and encryption.
Without WS-Security, the SOAP message is sent in clear text, and personal information such as a user ID or an account number is not protected. Without applying WS-Security, there is only a SOAP body under the SOAP envelope in the SOAP message. By applying features from the WS-Security specification, the SOAP security header is inserted under the SOAP envelope in the SOAP message when the SOAP body is signed and encrypted.
To maintain the integrity or confidentiality of the message, digital signatures and encryption are typically applied.
Confidentiality specifies the confidentiality constraints that are applied to generated messages. This includes specifying...

message parts within the generated message must be encrypted
message parts to attach encrypted Nonce and time stamp elements

Integrity is provided by applying a digital signature to a SOAP message. Confidentiality is applied by SOAP message encryption. Multiple signatures and encryptions are supported. In addition, both signing and encryption can be applied to the same parts, such as the SOAP body.
We can add an authentication mechanism by inserting various types of security tokens, such as the Username token (<UsernameToken>). When the Username token is received by the Web service server, the user name and password are extracted and verified. Only when the user name and password combination is valid, will the message be accepted and processed at the server. Using the Username token is just one of the ways of implementing authentication. This mechanism is also known as basic authentication.
Other forms of authentication include...

identity assertion
LTPA tokens
Kerberos tokens
custom tokens

With updates to WS-Security v1.1, we can layer additional functionality on top of these basic mechanisms, including signature confirmation and encrypted headers.
The security token profiles supported by WAS include...

Username token profile
X.509 token profile
Kerberos profile

When messages are received, the Web service endpoint uses the security information in the header to apply the appropriate security mechanism.
The service endpoint can add signature and encryption information to the SOAP message headers, as well as other information, such as security tokens bound to the SOAP message content.
We can implement these new mechanisms by using a policy set.
WS-SecureConversation was introduced in WAS V6.1 with the Feature Pack for Web Services. Secure Conversation uses a session key to protect SOAP messages more efficiently, particularly when multiple SOAP messages are transmitted in a session.
Other enhancements, added in WAS V 7.0, include:

The Kerberos token, which is used for both authentication and for subsequent message protection.
Dynamic policy, which allows the client to retrieve the provider policy through a WSDL request, or using Web Services MetadataExhange (WS-MEX), to simplify Web services client deployment.

The WS-Security policy is specified...

In the IBM extension of the Web services deployment descriptors when using the JAX-RPC model
In policy sets when using the JAX-WS model

High-level architecture

Here is the standard high-level Web services security architecture ...

Web Services security feview tasks

Task Status
Inventory existing JAX-RPC Web services applications

Review to-be JAX-RPC Web services applications

Inventory existing JAX-WS Web services applications

Review to-be JAX-WS Web services applications

Review WS-Security default bindings and runtime properties

Review WAS v7 new Web service security features

Review Web services security enhancements

Review supported functionality from OASIS specifications

Review Web services security configuration considerations

Web services security provides message integrity, confidentiality, and authentication

Review high-level Web services security architecture

Review security model mixture

Review TLS Web services security

Review outbound HTTP outbound TLS security for apps.

Review HTTP transport custom properties

Connection pool for HTTP outbound connections
Content encoding of the HTTP message
HTTP persistent connections
Resend the HTTP request when a timeout occurs

Review HTTP SSL configurations

Review any additional HTTP transport properties

Review all Web services clients that use HTTP basic authentication

Review HTTP basic authentication configurion for JAX-RPC Web services

Review HTTP basic authentication settings for JAX-RPC

Review message level security settings

Review Web services custom properties

Web services security custom properties

Review WS-Security policy bindings

Review keys

Review key locators

Review trust anchors

Review trusted ID evaluator

Review hardware cryptographic device options

Review collection certificate store bindings

Default configuration

General sample bindings for JAX-WS applications

Default sample configurations for JAX-RPC

XML digital signature

Certificate revocation list

XML encryption

Security token

LTPA and LTPA V2 tokens

Username token

XML token

Binary security token

Kerberos token

Review Web services Kerberos message protection

Review Web services Kerberos usage overview

Review Web services Kerberos configuration models

Review Web services Kerberos clustering

Kerberos authentication in a single or cross realm environment [Fix Pack 3 or later]

Review Web service security considerations

Nonce, a randomly generated token

Basic Security Profile compliance tips

Distributed nonce cache

Web services security token propagation

Review security for JAX-WS Web services using message-level security

Migration of JAX-WS Web services security bindings from V6.1 to V7.0

Audit the Web services security runtime [Fix Pack 3 or later]

Review security for Web services using policy sets

Example: Set the message-level WS-Security policy set and bindings

Review username and password for WS-Security Username or LTPA token authentication

Review default Web services security bindings

Review general JAX-WS default bindings

Web services security API model

Service Programming Interfaces (SPI)

Review security for Web services applications using the WSS APIs at the message level

Review security for messages at the request generator using WSS APIs

Review encryption to protect message confidentiality using the WSS APIs

Encrypting the SOAP message using the WSSEncryption API

Choose the encryption methods for the generator binding

Encryption methods

Add encrypted parts using the WSSEncryptPart API

Review generator signing information to protect message integrity using the WSS APIs

Review signing information using the WSS APIs

Review signature information using the WSSSignature API

Add signed parts using the WSSSignPart API

Review client for request signing methods

Digital signing methods using the WSSSignature API

Signed parts methods using the WSSSignPart API

Attach the generator token using WSS APIs to protect message authenticity

Review generator security tokens using the WSS API

Review security for messages at the response consumer using WSS APIs

Review decryption to protect message confidentiality using the WSS APIs

Decrypting the SOAP message using the WSSDecryption API

Choose the decryption methods for the consumer binding

Add decrypted parts using the WSSDecryptPart API

Decryption methods

Verifying consumer signing information to protect message integrity using WSS APIs

Verifying the signature information for the consumer binding using the WSS APIs

Verifying the signature using the WSSVerification API

Verifying the signed parts using the WSSVerifyPart API

Review client for response signature verification methods

Signature verification methods using the WSSVerification API

Choose the verify parts methods using the WSSVerifyPart API

Validating the consumer token to protect message authenticity

Review consumer security tokens using the WSS API

Review Web services security using the WSS APIs

Web services security APIs

Web services security configuration considerations when using the WSS API

Encrypted SOAP headers

Signature confirmation

Review security for requests to the trust service using system policy sets

Enable secure conversation

Web Services Secure Conversation

Scoping of Web Services Secure Conversation

Review security for conversation client cache and trust service configuration

Derived key token

Enable secure conversation in a mixed cluster environment

Enable distributed cache and session affinity when using Secure Conversation

Example: Establishing a security context token to secure a secure conversation

Example: Establishing a security context token to secure reliable messaging

Enable the distributed cache using synchronous update and token recovery

Web Services Secure Conversation standard

Review token generator and token consumer to use a specific level of WS-SecureConversation

Trust service

Security context token

System policy sets

Web Services Trust standard

Review system policy sets

Define a new system policy set

System policy set

System policy set settings

Review attachments for the trust service

Create a service endpoint attachment

Trust service attachments

Trust service attachments settings

New general binding settings

Review security context token provider for the trust service

Modify the security context token provider configuration for the trust service

Trust service token custom properties

Disable the submission draft level for the security context token provider

Trust service token provider settings

Trust service token providers

Review trust service endpoint targets

Assigning a new target for the trust service

Trust service targets

Trust service targets settings

Update the Web services security runtime configuration

Web services update runtime settings

Review Web services security distributed cache

Security cache settings

Review Kerberos token for Web services security

Review Kerberos token policy set for JAX-WS applications

Review bindings for message protection for Kerberos

Update the system JAAS login with the Kerberos login module [Fix Pack 1 or later]

Review Kerberos policy sets and V2 general sample bindings [Fix Pack 1 or later]

Develop JAX-WS based Web services server applications that retrieve security tokens

Develop JAX-WS based Web services client applications that retrieve security tokens

Review security for JAX-RPC Web services using message level security

Migrate JAX-RPC Web services security applications to V7.0 applications

Migrate the JAX-RPC server-side extensions configuration

Migrate the client-side extensions configuration

Migrate the server-side bindings file

Migrate the client-side bindings file

View Web services client deployment descriptor

View Web services server deployment descriptor

Review security for messages using JAX-RPC at the request and response generators

Review generator signing using JAX-RPC to protect message integrity

Review signing information using JAX-RPC for the generator binding on the server or cell level

Review signing information using JAX-RPC for the generator binding on the application level

Signing information

Signing information settings

Part reference

Part reference settings

Transformscollection

Transforms settings

Review key information for the generator binding using JAX-RPC on the server or cell level

Review key information using JAX-RPC for the generator binding on the application level

Key informationcollection

Key information settings

Review encryption using JAX-RPC to protect message confidentiality at the application level

Encryption informationcollection

Encryption information settings: Message parts

Encryption information settings: Methods

Review encryption using JAX-RPC to protect message confidentiality at the server or cell level

Review token generators using JAX-RPC to protect message authenticity at the application level

Request generator (sender) binding settings

Response generator (sender) binding settings

Callback handler settings

Keycollection

Key settings

Web services: Client security bindingscollection

Web services: WAS security bindingscollection

Review token generators using JAX-RPC to protect message authenticity at the server or cell level

Token generatorcollection

Token generator settings

Algorithm URIcollection

Algorithm URI settings

Algorithm mappingcollection

Algorithm mapping settings

Default bindings and security runtime properties

Enable or disable single sign-on interoperability mode for the LTPA token

Review security for messages using JAX-RPC at the request and response consumers

Review consumer signing using JAX-RPC to protect message integrity

Review signing information using JAX-RPC for the consumer binding on the application level

Key information referencescollection

Key information reference settings

Review signing information using JAX-RPC for the consumer binding on the server or cell level

Review key information for the consumer binding on the application level

Review key information for the consumer binding using JAX-RPC on the server or cell level

Review encryption to protect message confidentiality at the application level

Review encryption to protect message confidentiality at the server or cell level

Review token consumers using JAX-RPC to protect message authenticity at the application level

Request consumer (receiver) binding settings

Response consumer (receiver) binding settings

JAAS settings

Review token consumers using JAX-RPC to protect message authenticity at the server or cell level

Token consumercollection

Token consumer settings

Review Web services security using JAX-RPC at the platform level

Review a nonce on the server or cell level

Distributing nonce caching to servers in a cluster

Review key locator using JAX-RPC for the generator binding on the application level

Key locatorcollection

Key locator settings

Web services security propertycollection

Web services security property settings

Review key locator using JAX-RPC for the consumer binding on the application level

Review key locator using JAX-RPC on the server or cell level

Review trust anchors for the generator binding on the application level

Trust anchorcollection

Trust anchor settings

Review trust anchors for the consumer binding on the application level

Review trust anchors on the server or cell level

Review collection certificate store for the generator binding on the application level

Collection certificate storecollection

Collection certificate store settings

X.509 certificatescollection

X.509 certificate settings

Certificate revocation listcollection

Certificate revocation list settings

Review collection certificate store for the consumer binding on the application level

Review collection certificate on the server or cell level

Review trusted ID evaluators on the server or cell level

Trusted ID evaluatorcollection

Trusted ID evaluator settings

rrdSecurity.props file

Develop Web services clients that retrieve tokens from the JAAS Subject in an application

Develop Web services applications that retrieve tokens from the JAAS Subject in a server application

Enable hardware cryptographic devices for Web Services Security

Review hardware cryptographic devices for Web Services Security

Enable cryptographic keys stored in hardware devices in Web Services Security

Review security for Web services for V5.x applications based on WS-Security

Web services security specification.a chronology

Web services security support

Web services security and Java EE security relationship

Web services security model in WAS

Propagating security tokens

Web services security constraints

Example: Sample configuration for Web services security for a version 5.x application

Overview of authentication methods

Overview of token types

Username token

Nonce, a randomly generated token

Binary security token

XML token

XML digital signature

Signing parameter settings

Review security for Web services for V5.x applications using XML digital signature

Review nonce using Web services security tokens

Review nonce for the server level

Review nonce for the application level

Review nonce for the cell level

Default binding

ws-security.xml file - Default configuration for WAS ND

Trust anchors

Review trust anchors

Collection certificate store

Review client-side collection certificate store

Review server-side collection certificate store

Review default collection certificate stores at the server level in the WAS admin console

Review default collection certificate stores at the cell level in the WAS admin console

Key locator

Keys

Review key locators

Review server and cell level key locators

Trusted ID evaluator

Review client for request signing: digitally signing message parts

Review client for request signing: choosing the digital signature method

Review servers for request digital signature verification: Verifying the message parts

Review servers for request digital signature verification: choosing the verification method

Review servers for response signing: digitally signing message parts

Review servers for response signing: choosing the digital signature method

Review client for response digital signature verification: verifying the message parts

Review client for response digital signature verification: choosing the verification method

Review security bindings on a server acting as a client

Review servers security bindings

XML encryption

Review security for Web services for V5.x applications using XML encryption

Login bindings settings

Request sender

Request sender bindingcollection

Review client for request encryption: Encrypting the message parts

Review client for request encryption: choosing the encryption method

Request receiver

Request receiver bindingcollection

Review servers for request decryption: decrypting the message parts

Review servers for request decryption: choosing the decryption method

Response sender

Response sender bindingcollection

Review servers for response encryption: encrypting the message parts

Review servers for response encryption: choosing the encryption method

Response receiver

Response receiver bindingcollection

Review client for response decryption: decrypting the message parts

Review client for response decryption: choosing a decryption method

Review security for Web services for V5.x applications using basic authentication

Review client for basic authentication: specifying the method

BasicAuth authentication method

Review client for basic authentication: collecting the authentication information

Identity assertion authentication method

Review servers to handle basic authentication information

Review servers to validate basic authentication information

Identity assertion in a SOAP message

Review security for Web services for V5.x applications using identity assertion authentication

Review client for identity assertion: specifying the method

Review client for identity assertion: collecting the authentication method

Review servers to handle identity assertion authentication

Review servers to validate identity assertion authentication information

Review security for Web services for version 5.x applications using signature authentication

Review client for signature authentication: specifying the method

Signature authentication method

Review client for signature authentication: collecting the authentication information

Review servers to support signature authentication

Review servers to validate signature authentication information

Security token

Review security for Web services for version 5.x applications using a pluggable token

Review pluggable tokens

Pluggable token support

Review client for LTPA token authentication: specifying LTPA token authentication

Review client for LTPA token authentication: collecting the authentication method information

Review servers to handle LTPA token authentication information

Review servers to validate LTPA token authentication information

Lightweight Third Party Authentication

Tune Web services security for V7.0 applications

Tune Web services security for V5.x applications

Task	Status
Inventory existing JAX-RPC Web services applications
Review to-be JAX-RPC Web services applications
Inventory existing JAX-WS Web services applications
Review to-be JAX-WS Web services applications
Review WS-Security default bindings and runtime properties
Review WAS v7 new Web service security features
Review Web services security enhancements
Review supported functionality from OASIS specifications
Review Web services security configuration considerations
Web services security provides message integrity, confidentiality, and authentication
Review high-level Web services security architecture
Review security model mixture

Review TLS Web services security
Review outbound HTTP outbound TLS security for apps.
Review HTTP transport custom properties Connection pool for HTTP outbound connections Content encoding of the HTTP message HTTP persistent connections Resend the HTTP request when a timeout occurs
Review HTTP SSL configurations
Review any additional HTTP transport properties
Review all Web services clients that use HTTP basic authentication
Review HTTP basic authentication configurion for JAX-RPC Web services
Review HTTP basic authentication settings for JAX-RPC
Review message level security settings
Review Web services custom properties
Web services security custom properties
Review WS-Security policy bindings
Review keys
Review key locators
Review trust anchors
Review trusted ID evaluator
Review hardware cryptographic device options
Review collection certificate store bindings
Default configuration
General sample bindings for JAX-WS applications
Default sample configurations for JAX-RPC
XML digital signature
Certificate revocation list
XML encryption
Security token
LTPA and LTPA V2 tokens
Username token
XML token
Binary security token
Kerberos token
Review Web services Kerberos message protection
Review Web services Kerberos usage overview
Review Web services Kerberos configuration models
Review Web services Kerberos clustering
Kerberos authentication in a single or cross realm environment [Fix Pack 3 or later]
Review Web service security considerations
Nonce, a randomly generated token
Basic Security Profile compliance tips
Distributed nonce cache
Web services security token propagation
Review security for JAX-WS Web services using message-level security
Migration of JAX-WS Web services security bindings from V6.1 to V7.0
Audit the Web services security runtime [Fix Pack 3 or later]
Review security for Web services using policy sets
Example: Set the message-level WS-Security policy set and bindings
Review username and password for WS-Security Username or LTPA token authentication
Review default Web services security bindings
Review general JAX-WS default bindings
Web services security API model
Service Programming Interfaces (SPI)
Review security for Web services applications using the WSS APIs at the message level
Review security for messages at the request generator using WSS APIs
Review encryption to protect message confidentiality using the WSS APIs
Encrypting the SOAP message using the WSSEncryption API
Choose the encryption methods for the generator binding
Encryption methods
Add encrypted parts using the WSSEncryptPart API
Review generator signing information to protect message integrity using the WSS APIs
Review signing information using the WSS APIs
Review signature information using the WSSSignature API
Add signed parts using the WSSSignPart API
Review client for request signing methods
Digital signing methods using the WSSSignature API
Signed parts methods using the WSSSignPart API
Attach the generator token using WSS APIs to protect message authenticity
Review generator security tokens using the WSS API
Review security for messages at the response consumer using WSS APIs
Review decryption to protect message confidentiality using the WSS APIs
Decrypting the SOAP message using the WSSDecryption API
Choose the decryption methods for the consumer binding
Add decrypted parts using the WSSDecryptPart API
Decryption methods
Verifying consumer signing information to protect message integrity using WSS APIs
Verifying the signature information for the consumer binding using the WSS APIs
Verifying the signature using the WSSVerification API
Verifying the signed parts using the WSSVerifyPart API
Review client for response signature verification methods
Signature verification methods using the WSSVerification API
Choose the verify parts methods using the WSSVerifyPart API
Validating the consumer token to protect message authenticity
Review consumer security tokens using the WSS API
Review Web services security using the WSS APIs
Web services security APIs
Web services security configuration considerations when using the WSS API
Encrypted SOAP headers
Signature confirmation
Review security for requests to the trust service using system policy sets
Enable secure conversation
Web Services Secure Conversation
Scoping of Web Services Secure Conversation
Review security for conversation client cache and trust service configuration
Derived key token
Enable secure conversation in a mixed cluster environment
Enable distributed cache and session affinity when using Secure Conversation
Example: Establishing a security context token to secure a secure conversation
Example: Establishing a security context token to secure reliable messaging
Enable the distributed cache using synchronous update and token recovery
Web Services Secure Conversation standard
Review token generator and token consumer to use a specific level of WS-SecureConversation
Trust service
Security context token
System policy sets
Web Services Trust standard
Review system policy sets
Define a new system policy set
System policy set
System policy set settings
Review attachments for the trust service
Create a service endpoint attachment
Trust service attachments
Trust service attachments settings
New general binding settings
Review security context token provider for the trust service
Modify the security context token provider configuration for the trust service
Trust service token custom properties
Disable the submission draft level for the security context token provider
Trust service token provider settings
Trust service token providers
Review trust service endpoint targets
Assigning a new target for the trust service
Trust service targets
Trust service targets settings
Update the Web services security runtime configuration
Web services update runtime settings
Review Web services security distributed cache
Security cache settings
Review Kerberos token for Web services security
Review Kerberos token policy set for JAX-WS applications
Review bindings for message protection for Kerberos
Update the system JAAS login with the Kerberos login module [Fix Pack 1 or later]
Review Kerberos policy sets and V2 general sample bindings [Fix Pack 1 or later]
Develop JAX-WS based Web services server applications that retrieve security tokens
Develop JAX-WS based Web services client applications that retrieve security tokens
Review security for JAX-RPC Web services using message level security
Migrate JAX-RPC Web services security applications to V7.0 applications
Migrate the JAX-RPC server-side extensions configuration
Migrate the client-side extensions configuration
Migrate the server-side bindings file
Migrate the client-side bindings file
View Web services client deployment descriptor
View Web services server deployment descriptor
Review security for messages using JAX-RPC at the request and response generators
Review generator signing using JAX-RPC to protect message integrity
Review signing information using JAX-RPC for the generator binding on the server or cell level
Review signing information using JAX-RPC for the generator binding on the application level
Signing information
Signing information settings
Part reference
Part reference settings
Transformscollection
Transforms settings
Review key information for the generator binding using JAX-RPC on the server or cell level
Review key information using JAX-RPC for the generator binding on the application level
Key informationcollection
Key information settings
Review encryption using JAX-RPC to protect message confidentiality at the application level
Encryption informationcollection
Encryption information settings: Message parts
Encryption information settings: Methods
Review encryption using JAX-RPC to protect message confidentiality at the server or cell level
Review token generators using JAX-RPC to protect message authenticity at the application level
Request generator (sender) binding settings
Response generator (sender) binding settings
Callback handler settings
Keycollection
Key settings
Web services: Client security bindingscollection
Web services: WAS security bindingscollection
Review token generators using JAX-RPC to protect message authenticity at the server or cell level
Token generatorcollection
Token generator settings
Algorithm URIcollection
Algorithm URI settings
Algorithm mappingcollection
Algorithm mapping settings
Default bindings and security runtime properties
Enable or disable single sign-on interoperability mode for the LTPA token
Review security for messages using JAX-RPC at the request and response consumers
Review consumer signing using JAX-RPC to protect message integrity
Review signing information using JAX-RPC for the consumer binding on the application level
Key information referencescollection
Key information reference settings
Review signing information using JAX-RPC for the consumer binding on the server or cell level
Review key information for the consumer binding on the application level
Review key information for the consumer binding using JAX-RPC on the server or cell level
Review encryption to protect message confidentiality at the application level
Review encryption to protect message confidentiality at the server or cell level
Review token consumers using JAX-RPC to protect message authenticity at the application level
Request consumer (receiver) binding settings
Response consumer (receiver) binding settings
JAAS settings
Review token consumers using JAX-RPC to protect message authenticity at the server or cell level
Token consumercollection
Token consumer settings
Review Web services security using JAX-RPC at the platform level
Review a nonce on the server or cell level
Distributing nonce caching to servers in a cluster
Review key locator using JAX-RPC for the generator binding on the application level
Key locatorcollection
Key locator settings
Web services security propertycollection
Web services security property settings
Review key locator using JAX-RPC for the consumer binding on the application level
Review key locator using JAX-RPC on the server or cell level
Review trust anchors for the generator binding on the application level
Trust anchorcollection
Trust anchor settings
Review trust anchors for the consumer binding on the application level
Review trust anchors on the server or cell level
Review collection certificate store for the generator binding on the application level
Collection certificate storecollection
Collection certificate store settings
X.509 certificatescollection
X.509 certificate settings
Certificate revocation listcollection
Certificate revocation list settings
Review collection certificate store for the consumer binding on the application level
Review collection certificate on the server or cell level
Review trusted ID evaluators on the server or cell level
Trusted ID evaluatorcollection
Trusted ID evaluator settings
rrdSecurity.props file
Develop Web services clients that retrieve tokens from the JAAS Subject in an application
Develop Web services applications that retrieve tokens from the JAAS Subject in a server application
Enable hardware cryptographic devices for Web Services Security
Review hardware cryptographic devices for Web Services Security
Enable cryptographic keys stored in hardware devices in Web Services Security
Review security for Web services for V5.x applications based on WS-Security
Web services security specification.a chronology
Web services security support
Web services security and Java EE security relationship
Web services security model in WAS
Propagating security tokens
Web services security constraints
Example: Sample configuration for Web services security for a version 5.x application
Overview of authentication methods
Overview of token types
Username token
Nonce, a randomly generated token
Binary security token
XML token
XML digital signature
Signing parameter settings
Review security for Web services for V5.x applications using XML digital signature
Review nonce using Web services security tokens
Review nonce for the server level
Review nonce for the application level
Review nonce for the cell level
Default binding
ws-security.xml file - Default configuration for WAS ND
Trust anchors
Review trust anchors
Collection certificate store
Review client-side collection certificate store
Review server-side collection certificate store
Review default collection certificate stores at the server level in the WAS admin console
Review default collection certificate stores at the cell level in the WAS admin console
Key locator
Keys
Review key locators
Review server and cell level key locators
Trusted ID evaluator
Review client for request signing: digitally signing message parts
Review client for request signing: choosing the digital signature method
Review servers for request digital signature verification: Verifying the message parts
Review servers for request digital signature verification: choosing the verification method
Review servers for response signing: digitally signing message parts
Review servers for response signing: choosing the digital signature method
Review client for response digital signature verification: verifying the message parts
Review client for response digital signature verification: choosing the verification method
Review security bindings on a server acting as a client
Review servers security bindings
XML encryption
Review security for Web services for V5.x applications using XML encryption
Login bindings settings
Request sender
Request sender bindingcollection
Review client for request encryption: Encrypting the message parts
Review client for request encryption: choosing the encryption method
Request receiver
Request receiver bindingcollection
Review servers for request decryption: decrypting the message parts
Review servers for request decryption: choosing the decryption method
Response sender
Response sender bindingcollection
Review servers for response encryption: encrypting the message parts
Review servers for response encryption: choosing the encryption method
Response receiver
Response receiver bindingcollection
Review client for response decryption: decrypting the message parts
Review client for response decryption: choosing a decryption method
Review security for Web services for V5.x applications using basic authentication
Review client for basic authentication: specifying the method
BasicAuth authentication method
Review client for basic authentication: collecting the authentication information
Identity assertion authentication method
Review servers to handle basic authentication information
Review servers to validate basic authentication information
Identity assertion in a SOAP message
Review security for Web services for V5.x applications using identity assertion authentication
Review client for identity assertion: specifying the method
Review client for identity assertion: collecting the authentication method
Review servers to handle identity assertion authentication
Review servers to validate identity assertion authentication information
Review security for Web services for version 5.x applications using signature authentication
Review client for signature authentication: specifying the method
Signature authentication method
Review client for signature authentication: collecting the authentication information
Review servers to support signature authentication
Review servers to validate signature authentication information
Security token
Review security for Web services for version 5.x applications using a pluggable token
Review pluggable tokens
Pluggable token support
Review client for LTPA token authentication: specifying LTPA token authentication
Review client for LTPA token authentication: collecting the authentication method information
Review servers to handle LTPA token authentication information
Review servers to validate LTPA token authentication information
Lightweight Third Party Authentication
Tune Web services security for V7.0 applications
Tune Web services security for V5.x applications