WebSphere Message Broker, Version 8.0.0.7
Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS
How WebSphere Message Broker complies with Web Service Security specifications
WebSphere® Message Broker conditionally complies with Web Services Security: SOAP Message Security and related specifications by supporting the following aspects.
Compliance with Web Services Security: SOAP Message Security
- Security header
  - The <wsse:Security> header provides a mechanism, in the form of a SOAP actor or role, for attaching security-related information that is targeted at a specific recipient. The recipient can be the ultimate recipient of the message or an intermediary. The following attributes are supported in WebSphere Message Broker:
    - S11:actor (for an intermediary)
    - S11:mustUnderstand
    - S12:role (for an intermediary)
    - S12:mustUnderstand
- Security tokens
  - The following security tokens are supported in the security header:
    - Username and password
    - Binary security tokens:
      - X.509 certificate
      - Kerberos ticket
      - LTPA certificate
    - SAML assertion
- Token references
  - A security token conveys a set of claims. Sometimes these claims are elsewhere and need to be accessed by the receiving application. The <wsse:SecurityTokenReference> element provides an extensible mechanism for referencing security tokens. The following mechanisms are supported:
    - Direct reference
    - Key identifier
    - Key name
    - Embedded reference
- Signature algorithms
  - This specification builds on XML Signature and therefore has the same algorithm requirements as those specified in the XML Signature specification. WebSphere Message Broker supports the signature algorithms shown in the following table.

| Algorithm type | Algorithm | URI |
| --- | --- | --- |
| Digest | SHA1 | http://www.w3.org/2000/09/xmldsig#sha1 |
| Signature | DSA with SHA1 (validation only) | http://www.w3.org/2000/09/xmldsig#dsa-sha1 |
| Signature | RSA with SHA1 | http://www.w3.org/2000/09/xmldsig#rsa-sha1 |
| Canonicalization | Exclusive XML canonicalization (without comments) | http://www.w3.org/2001/10/xml-exc-c14n# |

- Signature signed parts
  - WebSphere Message Broker allows the following SOAP elements to be signed:
    - The SOAP message body
    - The identity token (a type of security token) that is used as an asserted identity
- Encryption algorithms
  - The data encryption algorithms that are supported are shown in the following table.

| Algorithm | URI |
| --- | --- |
| Triple Data Encryption Standard algorithm (Triple DES) | http://www.w3.org/2001/04/xmlenc#tripledes-cbc |
| Advanced Encryption Standard (AES) algorithm with a key length of 128 bits | http://www.w3.org/2001/04/xmlenc#aes128-cbc |
| Advanced Encryption Standard (AES) algorithm with a key length of 192 bits | http://www.w3.org/2001/04/xmlenc#aes192-cbc |
| Advanced Encryption Standard (AES) algorithm with a key length of 256 bits | http://www.w3.org/2001/04/xmlenc#aes256-cbc |

  - The key encryption algorithm that is supported is shown in the following table.

| Algorithm | URI |
| --- | --- |
| Key transport (public key cryptography): RSA Version 1.5 | http://www.w3.org/2001/04/xmlenc#rsa-1_5 |

- Encryption message parts
  - WebSphere Message Broker allows the following SOAP elements to be encrypted:
    - The SOAP body
- Timestamp
  - The <wsu:Timestamp> element provides a mechanism for expressing the creation and expiration times of the security semantics in a message. WebSphere Message Broker tolerates the use of timestamps within the Web services security header on inbound SOAP messages.
- Error handling
  - WebSphere Message Broker generates SOAP fault messages using the standard list of response codes listed in the specification.
Compliance with Web Services Security: Username Token Profile 1.1
The following aspects of this specification are supported:
- Password types
  - Text
- Token references
  - Direct reference
Compliance with Web Services Security: X.509 Certificate Token Profile 1.1
The following aspects of this specification are supported:
- Token types
  - X.509 Version 3: Single certificate.
  - X.509 Version 3: X509PKIPathv1 without certificate revocation lists (CRL).
  - X.509 Version 3: PKCS7 with or without CRLs. The IBM® Software Development Kit (SDK) supports both. The Sun Java™ Development Kit (JDK) supports PKCS7 without CRL only.
- Token references
  - Key identifier - subject key identifier
  - Direct reference
  - Custom reference - issuer name and serial number
Compliance with Web Services Security: SAML Token Profile
SAML passthru support is provided, which enables interoperability with WS-Security SAML profiles, without performing subject confirmation processing. This means that it does not provide validation of the trust relationship between the SAML subject and message content signatures.
The token is passed through for processing by the message flow security manager, which passes the token to a WS-Trust STS for processing.
Compliance with Web Services Security: Kerberos Token Profile
The following aspects of this specification are supported:
- Token types
  - Kerberos GSS v5 AP_REQ
  - Kerberos v5 AP_REQ
Aspects that are not supported
The following items are not supported in WebSphere Message Broker:
- Validation of Timestamps for freshness.
- Nonces.
- Web services security for SOAP attachments.
- XrML token profile.
- Web Services Interoperability (WS-I) Basic Security Profile.
- XML enveloping digital signature.
- XML enveloping digital encryption.
- The following transform algorithms for digital signatures:
  - XSLT: http://www.w3.org/TR/1999/REC-xslt-19991116.
  - SOAP Message Normalization. For more information, refer to http://www.w3.org/TR/2003/NOTE-soap12-n11n-20031008.
- The Diffie-Hellman key agreement algorithm for encryption. For more information, refer to Diffie-Hellman Key Values.
- The following canonicalization algorithms for encryption, which are optional in the XML encryption specification:
  - Canonical XML with or without comments
  - Exclusive XML canonicalization with or without comments
- The digest password type in the Username Token Version 1.0 Profile specification.
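Because the broker tolerates but does not validate timestamp freshness (and does not process nonces), a message flow that needs replay protection has to add that check itself. The following added example (not part of WebSphere Message Broker or its documentation) inspects a constructed WS-Security header for the aspects this page lists: the S11:mustUnderstand attribute, algorithm URIs restricted to the signature table above, and a Created/Expires freshness window with clock-skew tolerance; the namespace URIs, window sizes and finding strings are assumptions of the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {"S11": "http://schemas.xmlsoap.org/soap/envelope/", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsse": WSS + "secext-1.0.xsd", "wsu": WSS + "utility-1.0.xsd"}
# Signature algorithm URIs the page's table lists as supported by the broker.
SUPPORTED_ALGS = {NS["ds"] + s for s in ("sha1", "dsa-sha1", "rsa-sha1")} | {"http://www.w3.org/2001/10/xml-exc-c14n#"}

# Constructed sample envelope (SignatureValue and KeyInfo left out for brevity).
SAMPLE = """<S11:Envelope xmlns:S11="{S11}"><S11:Header>
<wsse:Security xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}" S11:mustUnderstand="1">
 <wsu:Timestamp><wsu:Created>2024-05-01T10:00:00Z</wsu:Created>
  <wsu:Expires>2024-05-01T10:05:00Z</wsu:Expires></wsu:Timestamp>
 <ds:Signature><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#body"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  </ds:Reference></ds:SignedInfo></ds:Signature>
</wsse:Security></S11:Header><S11:Body/></S11:Envelope>""".format(**NS)

def _iso(text):  # wsu:Created/Expires are UTC ISO 8601 with a trailing Z
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))

def check_security_header(soap_xml, now, max_age=timedelta(minutes=5), skew=timedelta(seconds=30)):
    """Return a list of findings for the wsse:Security header; [] means it passed."""
    now = _iso(now) if isinstance(now, str) else now
    sec = ET.fromstring(soap_xml).find("S11:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    findings = []
    if sec.get("{%s}mustUnderstand" % NS["S11"]) != "1":
        findings.append("S11:mustUnderstand is not 1")
    for el in sec.iter():  # an Algorithm URI outside the table cannot be verified
        alg = el.get("Algorithm")
        if alg and alg not in SUPPORTED_ALGS:
            findings.append("unsupported algorithm " + alg)
    ts = sec.find("wsu:Timestamp", NS)
    if ts is None:
        return findings + ["no wsu:Timestamp"]
    created, expires = (_iso(ts.findtext(t, namespaces=NS)) for t in ("wsu:Created", "wsu:Expires"))
    # Freshness checks the broker itself does not perform (see "Aspects that are not supported").
    if created > now + skew:
        findings.append("Created is in the future")
    if now - created > max_age + skew:
        findings.append("Created is older than max_age")
    if expires <= now - skew:
        findings.append("Expires has passed")
    return findings
```

Run the check in the flow before any business logic, and reject the message (or raise a SOAP fault) when the list is non-empty.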