Problem determination documents provide a review of the
information gathered by MustGather.
Background
WebSphere Application Server uses a
declarative model for WS-Security. The configuration can be created and modified
using Rational Application Developer, the Application Server Toolkit (ASTK)
available in WebSphere Application Server, or the WebSphere administrative
console.
The security tokens that can be propagated are Username token, X.509-based
certificates, and Lightweight Third Party Authentication (LTPA); there is
also an API provided for plugging in user-defined tokens. Message
integrity is provided by digital signatures based on PKI, and XML
Encryption provides confidentiality.
The WebSphere security handlers read the declared deployment extensions to
obtain the configuration and enforce the WS-Security infrastructure. These
are implemented as WebSphere runtime-based JAX-RPC handlers, and are
transparent to the application developer.
Program flow
1. The request sender applies the appropriate security constraints to the
   SOAP message before the message is sent.
2. The request receiver verifies:
   - that the Web services security constraints are met
   - the freshness of the message based on timestamp
   - the required signature
   - that the message is encrypted and decrypts the message if needed
   - the security tokens and sets up the security context for a downstream
     call
3. The response sender applies the appropriate security constraints to the
   SOAP message response.
4. The response receiver verifies:
   - that the Web services security constraints are met
   - the freshness of the message based on timestamp
   - the required signature
   - that the message is encrypted and decrypts the message if needed
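When a receiver rejects a message, it helps to see which of the checks above the captured SOAP message could satisfy at all. The following Python script is an added example (not IBM code): it reports the security tokens, signature, encryption and timestamp freshness found in a message, without validating signatures or decrypting anything. The sample message, the function names and the 300-second clock-skew allowance are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample request (not from the page): timestamp, Username token, signature.
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="{WSS}secext-1.0.xsd" xmlns:wsu="{WSS}utility-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <soapenv:Header><wsse:Security>
  <wsu:Timestamp><wsu:Created>2024-05-01T12:00:00Z</wsu:Created>
   <wsu:Expires>2024-05-01T12:05:00Z</wsu:Expires></wsu:Timestamp>
  <wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken><ds:Signature/>
 </wsse:Security></soapenv:Header><soapenv:Body><ping/></soapenv:Body>
</soapenv:Envelope>"""

def _local(tag):
    # Compare local names only: WS-Security drafts and OASIS 1.0 use different namespace URIs.
    return tag.rsplit("}", 1)[-1]

def _utc(text):
    t = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    return t if t.tzinfo else t.replace(tzinfo=timezone.utc)

def _freshness(ts, now, skew):
    times = {_local(c.tag): _utc(c.text) for c in ts if _local(c.tag) in ("Created", "Expires")}
    if "Created" not in times:
        return "no Created"
    if (times["Created"] - now).total_seconds() > skew:
        return "created in future"
    if "Expires" in times and now > times["Expires"]:
        return "expired"
    return "fresh"

def inspect_message(soap_xml, now=None, skew=300):
    # Reports what is present; it does not validate signatures or decrypt content.
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(soap_xml)  # for untrusted captures, parse with defusedxml instead
    report = {"security_header": False, "tokens": [], "signed": False, "timestamp": "missing",
              "encrypted": any(_local(e.tag) == "EncryptedData" for e in root.iter())}
    for sec in (e for e in root.iter() if _local(e.tag) == "Security"):
        report["security_header"] = True
        for el in sec.iter():
            name = _local(el.tag)
            if name in ("UsernameToken", "BinarySecurityToken"):  # X.509 and LTPA are binary tokens
                report["tokens"].append(name)
            elif name == "Signature":
                report["signed"] = True
            elif name == "Timestamp":
                report["timestamp"] = _freshness(el, now, skew)
    return report
```

Pass a fixed `now` to reproduce a failure at the time recorded in the trace, for example `inspect_message(SAMPLE, now=datetime(2024, 5, 1, 12, 10, tzinfo=timezone.utc))`.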
Files
The security constraints for Web services security are specified in IBM
deployment descriptor extensions for Web services. The Web services
security run time acts on the constraints to enforce Web services security
for the Simple Object Access Protocol (SOAP) message. The scope of the IBM
deployment descriptor extension is at the enterprise Java™ bean (EJB) or
Web module level. Bindings are associated with each of the following IBM
deployment descriptor extensions:
Client (might be either a J2EE Client (Application Client Container)
or Web services acting as a client):
  - ibm-webservicesclient-ext.xmi
  - ibm-webservicesclient-bnd.xmi
Server:
  - ibm-webservices-ext.xmi
  - ibm-webservices-bnd.xmi
The security.xml file, located in <install_root>/config/cells/<cell name>,
contains WebSphere global security settings.
The binding information is collected after application deployment rather
than during application deployment. The alternative is to specify the
required binding information before deploying your application.
Traces
To trace Web services security, use the trace strings listed here.