What is new for security specialists

This version contains many new and changed features for those who are responsible for securing applications and the application serving environment.

Deprecated and removed features describes features that are being replaced or removed in this or future releases.

Standards support and interoperability

Common Criteria Assurance Level 4 security

The product has been enhanced to provide Common Criteria Assurance Level 4 security functionality, with full certification available in 2007. Common Criteria is a scheme for independent assessment, analysis, and testing of IT products to a set of security requirements. Certification gives customers the confidence that products will be effective in delivering security functions such as identification and authentication, user data protection, audit, and cryptographic support. Customers gain assurance that the security functions are correctly implemented and will be effective in satisfying their security objectives.

For more information, see Common Criteria (EAL4) support.

Full FIPS compliance

The product has been enhanced to support an implementation of the Federal Information Processing Standards (FIPS) 140-2 government standard. The IBM Java Secure Sockets Extension (JSSE) FIPS 140-2 Cryptographic Module for multi-platforms is a scalable, multipurpose Secure Sockets provider that supports cipher suites through the Java 2 application programming interfaces (APIs) for enhanced protection of sensitive data. It enables the product and other IBM products to run in FIPS mode and helps fulfill end-to-end requirements for the use of a FIPS-certified cryptographic module.

For more information, see Federal Information Processing Standard support.

JCA 1.5 support

WebSphere Application Server Version 6.0.x supports the J2EE Connector architecture (JCA) Version 1.5 specification, which provides new features such as the inbound resource adapter. For more information, see Resource adapters.

From a security perspective, WebSphere Application Server Version 6.0.x provides an enhanced custom principal and credential mapping programming interface and custom mapping properties at the resource reference level. The custom Java Authentication and Authorization Service (JAAS) login module, which was developed for JCA principal and credential mapping for WebSphere Application Server Version 5.x, is still supported.

Web services security

A pluggable architecture increases the extensibility of Web services security. The implementation includes many of the features that are described in the Organization for the Advancement of Structured Information Standards (OASIS) Web Services Security Version 1 standard. As part of this standard, WebSphere Application Server supports custom, pluggable tokens that are used for signing and encryption, pluggable signing and encryption algorithms, pluggable key locators for locating a key that is used for digital signature or encryption, signing or encrypting elements in a SOAP message, and specifying the order of the signing or encryption processes.

See What is new for securing Web services.

Web authentication improvements

Web authentication using the Java Authentication and Authorization Service programming model

WebSphere Application Server Version 6.0.x enables you to use the Java Authentication and Authorization Service (JAAS) programming model to perform Web authentication in your application code. To use this function, you must create your own JAAS login configuration by cloning the WEB_INBOUND login configuration and defining a cookie=true login option. After a successful login using your login configuration, the Web login session is tracked by single sign-on (SSO) token cookies. This option replaces the SSOAuthenticator interface, which was deprecated in WebSphere Application Server Version 4.

For more information, see Java Authentication and Authorization Service authorization.

Expanded capabilities

Custom password encryption

A plug point for custom password encryption must be created to encrypt and decrypt all passwords in WebSphere Application Server that are currently encoded or decoded using Base64-encoding. The implementation class of this plug point has the responsibility for managing keys, determining the encryption algorithm to use, and for protecting the master secret.

For more information, see the Technote http://www.ibm.com/support/docview.wss?rs=180&uid=swg21210244.

Enhanced LDAP support

In addition to support for multiple Lightweight Directory Access Protocol (LDAP) directory services binding and failover, you can dynamically update LDAP binding information without first stopping and restarting application servers.

For more information, see http://www.ibm.com/support/docview.wss?rs=180&uid=swg21210243.

Programming interfaces for implementing identity assertion with trust validation

If you want an application or system provider to perform an identity assertion with trust validation, you can accomplish this by using the Java Authentication and Authorization Service (JAAS) login framework, where trust validation is performed in one login module and credential creation in another. These two custom login modules are used to create a JAAS login configuration that performs a login to an identity assertion.

For more information, see Identity assertions with trust validation.

Java 2 security manager

WebSphere Application Server Version 6.0.x provides you with greater control over the permissions granted to applications for manipulating non-system threads. You can permit applications to manipulate non-system threads using the was.policy file. However, these thread control permissions are disabled by default.

For more information, see Configuring the was.policy file.
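A defender-side check for the setting described above, as an added example that is not part of the original page or the product's own code: a short Python audit that lists which code bases in a was.policy file are granted thread-control permissions. The permission names (standard JDK `RuntimePermission` targets) are an assumption about which permissions the text means, and both sample policies are constructed for illustration.

```python
import re

# Standard JDK RuntimePermission targets that let code manipulate threads.
# Assumption: these are the thread-control permissions the text refers to.
THREAD_TARGETS = {"modifyThread", "modifyThreadGroup", "stopThread"}

GRANT_RE = re.compile(r'grant\s*(?:codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')

# Constructed sample: thread control left at its default (not granted).
SAMPLE_DEFAULT = '''
grant codeBase "file:${application}" {
  permission java.util.PropertyPermission "user.dir", "read";
  // permission java.lang.RuntimePermission "modifyThread";
};
'''

# Constructed sample: one code base granted thread control, one granted everything.
SAMPLE_THREADS = '''
/* reviewed exception for the scheduler component */
grant codeBase "file:${application}" {
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "modifyThreadGroup";
};
grant codeBase "file:${webComponent}" {
  permission java.security.AllPermission;
};
'''

def strip_comments(text):
    """Drop /* ... */ blocks and whole-line // comments."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(?m)^\s*//.*$', '', text)

def audit_policy(text):
    """Return (code base, permission) pairs that allow thread manipulation."""
    findings = []
    for codebase, body in GRANT_RE.findall(strip_comments(text)):
        scope = codebase or "<all code>"
        for cls, target, _actions in PERM_RE.findall(body):
            if cls == "java.security.AllPermission":
                findings.append((scope, "AllPermission"))  # implies thread control
            elif cls == "java.lang.RuntimePermission" and target in THREAD_TARGETS:
                findings.append((scope, target))
    return findings

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("threads", SAMPLE_THREADS)):
        print(name, audit_policy(text))
```

An empty result means the application runs with the default, where thread control is not granted; any finding is a grant that should trace back to a documented requirement.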

SSL channel framework

The Secure Sockets Layer channel framework incorporates the new IBMJSSE2 implementation and separates the security function of Java Secure Sockets Extension (JSSE) from the network communication function.

See Transport chains.

   




Last updated: Aug 29, 2010 6:22:59 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-express-dist&topic=welc_newsecurity
File name: welc_newsecurity.html