In WebSphere Application Server, there are many security enhancements for Web services. The enhancements include supporting sections of the Web Services Security (WS-Security) specifications and providing architectural support for plugging in and extending the capabilities of security tokens.
Enhancements from the supported Web Services Security specifications
Since September 2002, the Organization for the Advancement of Structured Information Standards (OASIS) has been developing the Web Services Security (WS-Security) standard for SOAP messages.
In April 2004, OASIS released the Web Services Security Version 1.0 specification, which is a major milestone for securing Web services. This specification is the foundation for other Web services security specifications and is also the basis for the Basic Security Profile (WS-I BSP) Version 1.0 work, which is a working draft.
Web Services Security Version 1.0 is a strategic move towards Web services security interoperability, and it is the first step in the Web services security roadmap. For more information on the Web services security roadmap, see Security in a Web Services World: A Proposed Architecture and Roadmap.
WebSphere Application Server supports the following OASIS specifications and WS-I profiles:
For details on which parts of these specifications are supported in WebSphere Application Server, see Supported functionality from OASIS specifications.
High level features overview in WebSphere Application Server Version 6.0.x and later
In WebSphere Application Server Version 6.0.x and later, the Web Services Security for SOAP Message Version 1.0 specification is designed to be flexible and to accommodate the requirements of Web services. For example, the Version 1.0 specification does not mandate a particular security token definition. Rather, it defines a generic mechanism for associating a security token with a SOAP message. The use of specific security tokens is defined in the various Version 1.0 security token profiles, such as:
For more information on security token profile development at OASIS, see Organization for the Advancement of Structured Information Standards.
For this release, WebSphere Application Server implements the Username Token Profile 1.1 and the X.509 Token Profile 1.1, which includes support for the Thumbprint type of security token reference. In addition, it supports the signature confirmation and encrypted header portions of the Web Services Security Version 1.1 standard.
Important: The wire format in the Web services security Version 1.0 specification changed and is not compatible with the previous drafts of the Web services security specification. An implementation of the wire format from a previous draft of the specification cannot interoperate with an implementation of the Web Services Security Version 1.0 specification.
Support for pluggable security tokens has been available since WebSphere Application Server Version 5.0.2. However, in WebSphere Application Server Version 6.0.x and later, the pluggable architecture is enhanced to support the Web services security specifications, other profiles, and related Web services security specifications. WebSphere Application Server Version 6 and later include the following key enhancements:
- Support for the client (sender or generator) to send multiple security tokens in a SOAP message.
- Ability to derive keys from a security token for digital signature (verification) and encryption (decryption).
- Support to sign or encrypt any element in a SOAP message. Some limitations exist, however: encrypting some parts of a message can break the SOAP message format. For example, if you encrypt the SOAP body element, the SOAP message format breaks.
- Support for signing the SOAP envelope, the SOAP header, and the Web services security header.
- Ability to configure the order of the digital signature and encryption.
- Support for various mechanisms to reference the security tokens, such as direct references, key identifiers, key names, and embedded references.
- Support for the PKCS#7 format certificate revocation list (CRL) encoding for an X.509 security token.
- Support for CRL verification.
- Ability to insert nonce and time stamps into elements within the Web services security header, into signed elements, or into encrypted elements.
- Support for identity assertion using the Run As (invocation) identity in the current security context for WebSphere Application Server.
- Support for a default binding, which is a set of default Web services security bindings for applications.
- Ability to use pluggable digital signature (verification) and encryption (decryption) algorithms.
For more information on some of these enhancements, see Web services security enhancements.
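The nonce and time stamp enhancement above, together with the Username Token Profile support mentioned earlier, is what lets a message consumer reject replayed or stale UsernameTokens. The following Python is an added illustration and not WebSphere code: it builds a constructed SOAP message carrying a digest-form UsernameToken and, on the receiving side, checks the Created freshness window, a nonce replay cache, and the profile's password digest rule (Base64 of SHA-1 over nonce, Created and password). The skew window, user name and password are assumed sample values.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NS = {"wsse": WSSE, "wsu": WSU}

def password_digest(nonce_b64, created, password):
    """Profile rule: Base64(SHA-1(decoded nonce + Created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_message(username, password, nonce, created):
    """Generator side: a constructed SOAP envelope carrying one UsernameToken."""
    n = base64.b64encode(nonce).decode()
    return (f'<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"><e:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:UsernameToken wsu:Id="UsernameToken-1"><wsse:Username>{username}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST}">{password_digest(n, created, password)}</wsse:Password>'
            f'<wsse:Nonce>{n}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            f'</wsse:UsernameToken></wsse:Security></e:Header><e:Body/></e:Envelope>')

def verify_username_token(xml_text, passwords, seen_nonces, now, max_skew=timedelta(minutes=5)):
    """Consumer side: returns (accepted, reason); seen_nonces is the caller's replay cache."""
    tok = ET.fromstring(xml_text).find(".//wsse:Security/wsse:UsernameToken", NS)
    if tok is None:
        return False, "no UsernameToken"
    pw = tok.find("wsse:Password", NS)
    if pw is None or pw.get("Type") != DIGEST:
        return False, "password is not a digest"  # clear-text PasswordText is not accepted here
    nonce, created = tok.findtext("wsse:Nonce", namespaces=NS), tok.findtext("wsu:Created", namespaces=NS)
    if not nonce or not created:
        return False, "nonce or Created missing"
    if abs(now - datetime.fromisoformat(created.replace("Z", "+00:00"))) > max_skew:
        return False, "Created outside freshness window"  # stale or future-dated token
    if nonce in seen_nonces:
        return False, "nonce replayed"  # the same token was already accepted once
    user = tok.findtext("wsse:Username", namespaces=NS)
    if not hmac.compare_digest(password_digest(nonce, created, passwords.get(user, "")), pw.text or ""):
        return False, "digest mismatch"
    seen_nonces.add(nonce)
    return True, "ok"

def demo():  # one valid message, then a replay, a wrong password and a stale clock
    now, seen, good, v = datetime(2024, 1, 1, 12, tzinfo=timezone.utc), set(), {"alice": "s3cret"}, verify_username_token
    msg = build_message("alice", "s3cret", b"0123456789abcdef", "2024-01-01T12:00:00Z")
    return [v(msg, good, seen, now), v(msg, good, seen, now),
            v(msg, {"alice": "wrong"}, set(), now), v(msg, good, set(), now + timedelta(minutes=10))]
```

A real consumer would bound the replay cache by the same freshness window, since any nonce older than max_skew is rejected by the Created check anyway.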
Configuration
WebSphere Application Server uses the deployment model for implementing the Web services security Version 1.0 specification, the Username token Version 1.0 profile, and the X.509 token Version 1.0 profile. The deployment model is an extension of the Web services deployment model for Java 2 Platform, Enterprise Edition (J2EE). The Web services security constraints are defined in the IBM extension deployment descriptor and in the binding file, which is based on the Web service port.
The format of the deployment descriptor and the binding file is IBM proprietary material and is not published. However, WebSphere Application Server provides the following tools that you can use to edit the deployment descriptor and the binding file:
- Rational Web Developer
- You can use Rational Web Developer to develop Web services and configure the deployment descriptor and the binding file for Web services security. However, you cannot assemble Enterprise JavaBeans modules by using this tool. Instead, use an assembly tool.
- WebSphere Application Server administrative console
- You can use the administrative console to configure the Web services security binding of a deployed application with Web services security constraints that are defined in the deployment descriptor.
Important: The format of the deployment descriptor and the binding file for Web services security in WebSphere Application Server Version 6.0.x and later is different from that in WebSphere Application Server Versions 5.0.2, 5.1, and 5.1.1. Web services security support in WebSphere Application Server Versions 5.0.2, 5.1, and 5.1.1 is based on the Web services security draft 13 specification and the Username token draft 2 profile; this support is therefore deprecated. However, applications that you configured using the Version 5.0.2, 5.1, and 5.1.1 Web services security deployment descriptor and binding file can still work with WebSphere Application Server Version 6 and later. These applications use a deployment descriptor and binding file that emit SOAP message security in the draft 13 specification format. The Web services security deployment descriptor and binding file for WebSphere Application Server Version 6.0.x and later are available for J2EE Version 1.4 applications only. Therefore, the Web services security Version 1.0 specification is supported for J2EE Version 1.4 applications only.
To take advantage of implementations associated with the Web services security Version 1.0 specification, you must:
- Migrate existing applications to J2EE Version 1.4
- Re-configure the Web services security constraints in the new deployment descriptor and binding format
Important: An automatic process does not exist for migrating the deployment descriptor and the binding file for Web services security from the Version 5.0.2, 5.1, and 5.1.1 format to the new Version 6.0.x and later format using Rational Web Developer. You must migrate the configuration manually.
Important: An automatic process does not exist for migrating the deployment descriptor and the binding file for Web services security from the Version 5.0.2, 5.1, and 5.1.1 format to the new Version 6.0.x and later format using Rational Application Developer. You must migrate the configuration manually.
The Web services security support in WebSphere Application Server Version 6.0 is based in part on the OASIS specification titled Web Services Security: X.509 Token Profile 1.0 plus the first errata (Errata 1.0).
In the first errata, the URIs for the X.509 token type and the X.509 Subject Key Identifier value type were modified. WebSphere Application Server Version 6.0 was based on these modified URIs. After WebSphere Application Server Version 6.0 shipped, the OASIS Technical Committee reversed those changes, reverting to the original 1.0 profile URIs.
As a result, there could be interoperability problems between WebSphere Application Server Version 6.0 and other vendors' Web services products that are based on the current version of the profile. WebSphere Application Server was fixed in Versions 6.0.2 and 6.0.1.2 to comply with the latest version of the profile. If WebSphere Application Server Version 6.0 is used in a heterogeneous environment with other vendors' Web services products, it is recommended that you upgrade the server to Version 6.0.1.2, 6.0.2, or later, or install a service fix that includes APAR PK03507.
FIPS support in WebSphere Application Server
In WebSphere Application Server, Federal Information Processing Standard (FIPS) compliant algorithms for key encryption, data encryption, signature, and digest are supported. To enable this mode, select Use the Federal Information Processing Standard (FIPS) on the Global security panel of the WebSphere administrative console.
After this option has been selected and WebSphere Application Server has been restarted, the lists of available algorithms that are displayed in the Web services security binding configuration panels of the administrative console contain only FIPS compliant algorithms.
If a previously deployed application was configured to use a noncompliant algorithm, that application no longer starts after FIPS mode has been enabled in WebSphere Application Server. The error message Unauthorized data encryption method appears in the case of a noncompliant data encryption algorithm. Similar errors are displayed for unauthorized key encryption, digest, and signature methods.
What is not supported
Web services security is still fairly new and some of the standards are still being defined or standardized. The following functionality is not supported in WebSphere Application Server:
- Application programming interfaces (APIs) do not exist for Web services security in WebSphere Application Server Versions 6.0.x and later.
- The following standards exist for the Java application programming interface for XML security and Web services security:
- WS-SecureConversation is not supported out of the box.
- WS-Trust is not supported out of the box.
- The Web services security SOAP Messages with Attachments (SwA) profile is not supported.
- WS-I Basic Security Profile Version 1.0 is not supported.
- SAML token profile is not supported out of the box.
- WS-Security Kerberos token profile is not supported out of the box.
- REL token profile is not supported.
- Non-Web services container managed client is not supported out of the box.
For information on what is supported for Web services security in WebSphere Application Server Version 6.0.x and later, see Supported functionality from OASIS specifications.