Problem Determination: Web services security in WebSphere V5.0
 Technote (troubleshooting)
 
Problem (Abstract)
Problem determination to assist in the analysis of Web services security problems in IBM® WebSphere® Application Server V5.0.
 
Resolving the problem
Problem determination documents provide a review of the information gathered by MustGather.


Background
WebSphere Application Server uses a declarative model for using WS-Security. It can be created and modified using Rational Application Developer, the Application Server Toolkit (ASTK) available in WebSphere Application Server, or the WebSphere administrative console.

The security tokens that can be propagated are Username token, X.509-based certificates, and Lightweight Third Party Authentication (LTPA); there is also an API provided for plugging in user-defined tokens. Message integrity is provided by digital signatures based on PKI, and XML Encryption provides confidentiality.

The WebSphere security handlers read the declared deployment extensions to obtain the configuration and enforce the WS-Security infrastructure. These are implemented as WebSphere runtime-based JAX-RPC handlers, and are transparent to the application developer.

Program flow
The request sender applies the appropriate security constraints to the SOAP message before the message is sent.

The request receiver verifies:
  that the Web services security constraints are met
  the freshness of the message based on timestamp
  the required signature
  that the message is encrypted and decrypts the message if needed
  the security tokens and sets up the security context for a downstream call

The response sender applies the appropriate security constraints to the SOAP message response.

The response receiver verifies:
  that the Web services security constraints are met
  the freshness of the message based on timestamp
  the required signature
  that the message is encrypted and decrypts the message if needed
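
When a receiver rejects a message, it helps to compare a captured SOAP message against the checklist above. The following Python script is an added example, not IBM code or part of the original technote; it matches elements by local name only, the sample message is constructed, and the 5-minute freshness window and 1-minute clock skew are illustrative assumptions rather than WebSphere defaults.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample request. The wsse/wsu namespace URIs are placeholders:
# the checks below match element local names only.
SAMPLE = """<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="urn:example:wsse" xmlns:wsu="urn:example:wsu"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soapenv:Header><wsse:Security>
    <wsu:Timestamp><wsu:Created>2008-10-21T12:00:00Z</wsu:Created></wsu:Timestamp>
    <wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
    <ds:Signature/>
  </wsse:Security></soapenv:Header>
  <soapenv:Body><echo>hi</echo></soapenv:Body>
</soapenv:Envelope>"""

def find(root, name):
    """All elements at or under root whose local (namespace-free) name matches."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def check_message(xml_text, now, max_age=timedelta(minutes=5),
                  skew=timedelta(minutes=1)):
    """Report which receiver-side constraints a captured message could satisfy.
    max_age and skew are illustrative values, not WebSphere defaults."""
    root = ET.fromstring(xml_text)
    headers = find(root, "Security")
    if not headers:
        return {"security_header": False}
    sec, fresh = headers[0], None   # fresh stays None when no timestamp exists
    stamps = find(sec, "Timestamp")
    created = find(stamps[0], "Created") if stamps else []
    if created and created[0].text:
        ts = datetime.fromisoformat(created[0].text.strip().replace("Z", "+00:00"))
        if ts.tzinfo is None:       # assumption: a zone-less value is UTC
            ts = ts.replace(tzinfo=timezone.utc)
        fresh = -skew <= now - ts <= max_age
    body = find(root, "Body")
    return {
        "security_header": True,
        "timestamp_fresh": fresh,
        "signed": bool(find(sec, "Signature")),
        "body_encrypted": bool(body and find(body[0], "EncryptedData")),
        "tokens": [t for t in ("UsernameToken", "BinarySecurityToken")
                   if find(sec, t)],
    }

if __name__ == "__main__":
    print(check_message(SAMPLE, datetime(2008, 10, 21, 12, 2, tzinfo=timezone.utc)))
```

The script reports presence only: it does not validate the signature or decrypt anything, so a message that passes here can still fail the run-time checks.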

Files
The security constraints for Web services security are specified in IBM deployment descriptor extensions for Web services. The Web services security run time acts on the constraints to enforce Web services security for the Simple Object Access Protocol (SOAP) message. The scope of the IBM deployment descriptor extension is at the enterprise Java™ bean (EJB) or Web module level. Bindings are associated with each of the following IBM deployment descriptor extensions:

Client (might be either a J2EE client (Application Client Container) or a Web service acting as a client)
ibm-webservicesclient-ext.xmi
ibm-webservicesclient-bnd.xmi

Server
ibm-webservices-ext.xmi
ibm-webservices-bnd.xmi

security.xml, located in <install_root>/config/cells/<cell name>, contains WebSphere global security settings.

The binding information is collected after application deployment rather than during application deployment. The alternative is to specify the required binding information before deploying your application.

Traces

To trace Web services security, use the trace strings listed here.

 
 
Cross Reference information
Segment: Application Servers
Product: Runtimes for Java Technology
Component: Java SDK
Platform:
Version:
Edition:
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server
Operating system(s): Windows
Software version: 5.1
Software edition:
Reference #: 1232804
IBM Group: Software Group
Modified date: Oct 21, 2008