Web Services Security default configuration
A Web Services Security (WS-Security) configuration is complementary to the WS-Security policy at run time. The WS-Security configuration follows the CXF name and value pair style, and preserves the CXF property name. Some of the properties have default values and some do not.
In the server.xml file, WebSphere® Application Server Liberty provides a server-level configuration that is applied to all services. This configuration is known as the default WS-Security configuration.
The server.xml file has two default WS-Security configurations: one for client applications and one for provider applications. No other WS-Security configurations can exist in the server.xml file. If you need a custom WS-Security configuration for your application that deviates from the default, the configuration must be done programmatically.
<wsSecurityClient id="default"
ws-security.username="user2"
ws-security.password="security">
<signatureProperties org.apache.ws.security.crypto.merlin.keystore.type="jks"
org.apache.ws.security.crypto.merlin.keystore.password="LibertyX509Client"
org.apache.ws.security.crypto.merlin.keystore.alias="x509ClientCert"
org.apache.ws.security.crypto.merlin.file="${server.config.dir}/x509ClientDefault.jks"/>
</wsSecurityClient>
<wsSecurityProvider id="default"
ws-security.username="user2">
<encryptionProperties org.apache.ws.security.crypto.merlin.keystore.type="jks"
org.apache.ws.security.crypto.merlin.keystore.password="LibertyX509Server"
org.apache.ws.security.crypto.merlin.keystore.alias="x509ServerCert"
org.apache.ws.security.crypto.merlin.file="${server.config.dir}/x509ServerDefault.jks"/>
</wsSecurityProvider>
Liberty/CXF property | Default value |
---|---|
ws-security.username | none |
ws-security.password | none |
ws-security.signature.username | none |
ws-security.encryption.username | none |
Liberty property | CXF property | Default value |
---|---|---|
ws-security.callback-handler | none | |
<signatureProperties> | ws-security.signature.properties | none |
<encryptionProperties> | ws-security.encryption.properties | none |
<signatureProperties org.apache.ws.security.crypto.merlin.keystore.type="jks"
org.apache.ws.security.crypto.merlin.keystore.password="LibertyX509Client"
org.apache.ws.security.crypto.merlin.keystore.alias="x509ClientDefault"
org.apache.ws.security.crypto.merlin.file="${server.config.dir}/x509ClientDefault.jks">
</signatureProperties>
Liberty/CXF property | Default value |
---|---|
org.apache.ws.security.crypto.provider | org.apache.ws.security.components. |
org.apache.ws.security.crypto. | defaults to the installed provider |
org.apache.ws.security.crypto. | defaults to the keystore provider |
org.apache.ws.security.crypto. | none |
Liberty/CXF property | Default value |
---|---|
org.apache.ws.security.crypto. | none |
org.apache.ws.security.crypto. | none |
org.apache.ws.security.crypto. | none |
org.apache.ws.security.crypto. | none |
org.apache.ws.security.crypto. | none |
Liberty property | Default value |
---|---|
org.apache.ws.security.crypto. | none |
org.apache.ws.security.crypto. | none |
org.apache.ws.security.crypto. | none |
Liberty/CXF property | Default value |
---|---|
ws-security.enable.nonce.cache | true |
ws-security.cache.config.file | none |
Liberty property | CXF property | Default value |
---|---|---|
callerToken | none | none |
Configuring additional properties
Any of the additional properties can be specified in the default WS-Security configuration in the server.xml file.
<wsSecurityProvider id="default"
    ws-security.cache.config.file="${server.config.dir}/resources/ws-security/new_cxf-ehcache.xml">
    <signatureProperties ... />
    <encryptionProperties ... />
</wsSecurityProvider>
<wsSecurityClient id="default"
    ws-security.username-token.always.encrypted="false">
    <signatureProperties ... />
    <encryptionProperties ... />
</wsSecurityClient>
Configuring cache
WS-Security uses the following default cache settings:
maxEntriesLocalHeap="5000"
timeToIdleSeconds="3600"
timeToLiveSeconds="3600"
overflowToDisk="true"
maxElementsOnDisk="10000000"
diskPersistent="false"
diskExpiryThreadIntervalSeconds="120"
memoryStoreEvictionPolicy="LRU"
To modify the default cache settings, you can provide an ehCache configuration XML file. Use the ws-security.cache.config.file custom property to specify a file name with customized properties to deviate from the default settings. You must put this file somewhere in the server profile. You can find an additional sample cache setting configuration file from http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/resources/cxf-ehcache.xml?view=markup.
Configuring a stronger signature algorithm
Because of the weakness of the SHA1 signature algorithm, the US National Institute of Standards and Technology (NIST) recommends that you use stronger signature algorithms, such as the following:
- RSA-SHA-256
- RSA-SHA-384
- RSA-SHA-512
- HMAC-SHA-256
- HMAC-SHA-384
- HMAC-SHA-512
To configure WS-Security in Liberty to support the stronger signature algorithm, you use the signatureAlgorithm attribute to define the required algorithm within the <signatureProperties> element in the server.xml file. The valid values for the signatureAlgorithm attribute are sha256, sha384, and sha512. For example, if you specify sha512 as the value of the signatureAlgorithm attribute, the signature algorithm that is used in the signature with an asymmetric key is RSA-SHA-512, and the signature algorithm that is used in the signature with a symmetric key is HMAC-SHA-512.
<wsSecurityClient id="default"
ws-security.password="security"
ws-security.username="user1"
ws-security.callback-handler="com.ibm.ws.wssecurity.example.cbh.CommonPasswordCallback"
ws-security.signature.username="soaprequester">
<signatureProperties
signatureAlgorithm="sha256"
org.apache.ws.security.crypto.merlin.keystore.type="jks"
org.apache.ws.security.crypto.merlin.keystore.password="client"
org.apache.ws.security.crypto.merlin.keystore.alias="soaprequester"
org.apache.ws.security.crypto.merlin.file="${server.config.dir}/dsig-sender.ks" />
</wsSecurityClient>
<wsSecurityProvider id="default"
ws-security.callback-handler="com.ibm.ws.wssecurity.example.cbh.CommonPasswordCallback"
ws-security.signature.username="soapprovider">
<signatureProperties
signatureAlgorithm="sha256"
org.apache.ws.security.crypto.merlin.keystore.type="jks"
org.apache.ws.security.crypto.merlin.keystore.password="server"
org.apache.ws.security.crypto.merlin.keystore.alias="soapprovider"
org.apache.ws.security.crypto.merlin.file="${server.config.dir}/dsig-receiver.ks" />
</wsSecurityProvider>
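The following script is an added example, not IBM's, Liberty's or CXF's code. It lints the default WS-Security configuration in a server.xml against the points this page makes: that only one default wsSecurityClient and one default wsSecurityProvider may exist, that the signatureAlgorithm attribute on signatureProperties must be sha256, sha384 or sha512 (when it is absent the weak SHA1 default stays in place), that the nonce cache (default true) is what detects replayed UsernameTokens, that the merlin keystore attributes are present, and that a custom ws-security.cache.config.file is placed under the server profile. The server.xml text, the check names and the mapping table are constructed for this example; the attribute names are the ones shown on this page.

```python
"""Lint the default WS-Security configuration of a Liberty server.xml.

Added example; it is not IBM, Liberty or CXF code.  The sample server.xml
below is constructed for the example.
"""
import xml.etree.ElementTree as ET

# signatureAlgorithm values named on the page and the asymmetric / symmetric
# algorithm pair the page says each value selects.
SIGNATURE_ALGORITHMS = {
    "sha256": ("RSA-SHA-256", "HMAC-SHA-256"),
    "sha384": ("RSA-SHA-384", "HMAC-SHA-384"),
    "sha512": ("RSA-SHA-512", "HMAC-SHA-512"),
}

MERLIN = "org.apache.ws.security.crypto.merlin."
# Keystore attributes every signatureProperties / encryptionProperties
# element on the page carries.
REQUIRED_KEYSTORE_ATTRS = ("keystore.type", "keystore.password",
                           "keystore.alias", "file")
CONFIG_ELEMENTS = ("wsSecurityClient", "wsSecurityProvider")
PROPERTY_ELEMENTS = ("signatureProperties", "encryptionProperties")


def lint_ws_security(server_xml):
    """Return a list of findings; an empty list means nothing to report."""
    root = ET.fromstring(server_xml)
    findings = []
    for tag in CONFIG_ELEMENTS:
        elements = root.findall(tag)
        if len(elements) > 1:
            findings.append(f'{tag}: {len(elements)} elements found, '
                            'only the single id="default" configuration is allowed')
        for el in elements:
            name = f"{tag}[id={el.get('id')}]"
            if el.get("id") != "default":
                findings.append(f'{name}: id must be "default"')
            # Nonce cache defaults to true; turning it off removes replay detection.
            if el.get("ws-security.enable.nonce.cache", "true").lower() != "true":
                findings.append(f"{name}: nonce cache disabled, "
                                "replayed UsernameTokens are not detected")
            cache_file = el.get("ws-security.cache.config.file")
            if cache_file and not cache_file.startswith("${server.config.dir}"):
                findings.append(f"{name}: cache config file {cache_file} "
                                "is outside the server profile")
            for ptag in PROPERTY_ELEMENTS:
                for props in el.findall(ptag):
                    pname = f"{name}/{ptag}"
                    missing = [MERLIN + a for a in REQUIRED_KEYSTORE_ATTRS
                               if props.get(MERLIN + a) is None]
                    if missing:
                        findings.append(f"{pname}: missing {', '.join(missing)}")
                    if ptag == "signatureProperties":
                        alg = props.get("signatureAlgorithm")
                        if alg is None:
                            findings.append(f"{pname}: signatureAlgorithm not set, "
                                            "SHA1 remains in use")
                        elif alg not in SIGNATURE_ALGORITHMS:
                            findings.append(f"{pname}: signatureAlgorithm={alg} "
                                            "is not sha256, sha384 or sha512")
    return findings


def selected_algorithms(value):
    """Return the (asymmetric, symmetric) pair a signatureAlgorithm value selects."""
    return SIGNATURE_ALGORITHMS[value]


# Constructed sample: the client is configured as the page recommends, the
# provider has four problems for the linter to report.
SAMPLE_SERVER_XML = """<server>
  <wsSecurityClient id="default" ws-security.username="user1" ws-security.password="security">
    <signatureProperties signatureAlgorithm="sha256"
        org.apache.ws.security.crypto.merlin.keystore.type="jks"
        org.apache.ws.security.crypto.merlin.keystore.password="client"
        org.apache.ws.security.crypto.merlin.keystore.alias="soaprequester"
        org.apache.ws.security.crypto.merlin.file="${server.config.dir}/dsig-sender.ks"/>
  </wsSecurityClient>
  <wsSecurityProvider id="default"
      ws-security.enable.nonce.cache="false"
      ws-security.cache.config.file="/tmp/cxf-ehcache.xml">
    <signatureProperties
        org.apache.ws.security.crypto.merlin.keystore.type="jks"
        org.apache.ws.security.crypto.merlin.keystore.password="server"
        org.apache.ws.security.crypto.merlin.file="${server.config.dir}/dsig-receiver.ks"/>
  </wsSecurityProvider>
</server>"""

if __name__ == "__main__":
    for finding in lint_ws_security(SAMPLE_SERVER_XML):
        print(finding)
```

Run against a real server.xml by reading the file into `lint_ws_security`; the checks are attribute-level only, so an elided `...` placeholder in a snippet is reported as missing keystore attributes, which is the intended behaviour for a partial configuration.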