In WebSphere Application Server Version 6.0.x, there are many security
enhancements for Web services. The enhancements include supporting sections
of the Web services security specifications and providing architectural support
for plugging in and extending the capabilities of security tokens.
Enhancements from the supported Web services security specifications
Since September 2002, the Organization for the Advancement of Structured Information
Standards (OASIS) has been developing the Web Services Security (WSS) for
SOAP message standard. In April 2004, OASIS released the Web Services Security
Version 1.0 specification, a major milestone for securing Web services.
This specification is the foundation for other Web services security specifications
and is also the basis for the Basic Security Profile (WS-I BSP) Version 1.0
work. Web services security Version 1.0 is a strategic move towards Web services
security interoperability and is the first step in the Web services security
roadmap. For more information on the Web services security roadmap, see Security in a Web Services World: A Proposed Architecture
and Roadmap.
WebSphere Application Server Version 6.0.x supports
the following specifications and profiles:
For details on what parts of the previous specifications are supported
in WebSphere Application Server version 6.0.x, see Supported functionality from OASIS specifications.
High level features overview in WebSphere Application Server
Version 6.0.x
The Web Services Security for SOAP message Version
1.0 specification is designed to be flexible and to accommodate the requirements
of Web services. For example, the specification does not mandate a particular
security token definition. Rather, it defines a generic mechanism for associating
a security token with a Simple Object Access Protocol (SOAP) message. The use of security
tokens is defined in the various security token profiles such as:
For more information on security token profile development at
OASIS, see Organization for the Advancement of Structured Information
Standards.
Important: The wire format in the Web services
security Version 1.0 specification changed and is not compatible with the
previous drafts of the Web services security specification. An implementation
of the wire format from a previous draft cannot interoperate with an implementation
of the Web Services Security Version 1.0 specification.
Support for pluggable security
tokens has been available since WebSphere Application Server Version 5.0.2.
However, in WebSphere Application Server Version 6.0.x, the pluggable architecture
is enhanced to support the Web services security Version 1.0 specification,
other profiles, and other Web services security specifications. WebSphere
Application Server Version 6.0.x includes the following key enhancements:
- Support for the client (sender or generator) to send multiple security
tokens in a SOAP message.
- Ability to derive keys from a security token for digital signature (verification)
and encryption (decryption).
- Support to sign or encrypt any element in a SOAP message. Some
limitations exist, however: encrypting certain parts of a message breaks
the SOAP message format. Encrypting the SOAP Body element itself is one such
case.
- Support for signing the SOAP Envelope, the SOAP Header, and the Web services
security header.
- Ability to configure the order of the digital signature and encryption.
- Support for various mechanisms to reference the security tokens such as
direct references, key identifiers, key names, and embedded references.
- Support for the PKCS#7 format certificate revocation list (CRL) encoding
for an X.509 security token.
- Support for CRL verification.
- Ability to insert nonce and time stamps into elements within the Web services
security header, into signed elements, or into encrypted elements.
- Support for identity assertion using the Run As (invocation) identity
in the current security context for WebSphere Application Server.
- Support for a default binding, which is a set of default Web services
security bindings for applications.
- Ability to use pluggable digital signature (verification) and encryption
(decryption) algorithms.
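The token, reference, nonce and timestamp features in the list above are all visible in the wire format of a message. The following Python script is an added example, not IBM code and not part of the original page: it parses a constructed WS-Security 1.0 SOAP 1.1 message, lists the tokens carried in the security header, classifies each SecurityTokenReference by the mechanism it uses (direct reference, key identifier, key name, embedded), checks the Timestamp and the Username token nonce (the replay countermeasures those elements exist for), and flags the mistake the list warns about, a Body element that has been encrypted away instead of its content. The namespace URIs are the standard OASIS WSS 1.0, XML-DSig and XML-Enc ones; the sample message, its base64 placeholder values, the receive times and the five-minute skew are constructed assumptions.

```python
"""Added example (not IBM code): inspect the WS-Security 1.0 header of a SOAP 1.1
message: list the tokens, classify each SecurityTokenReference, check Timestamp
freshness and nonce replay, and flag a Body element that was encrypted away."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {  # OASIS WSS 1.0, XML-DSig and XML-Enc namespace URIs
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
SEC = "soapenv:Header/wsse:Security"  # ElementTree path to the security header block
q = lambda prefix, local: "{%s}%s" % (NS[prefix], local)  # Clark-notation tag
TOKEN_TAGS = {q("wsse", "UsernameToken"), q("wsse", "BinarySecurityToken")}
REFERENCE_KINDS = {  # child of SecurityTokenReference -> reference mechanism
    q("wsse", "Reference"): "direct",
    q("wsse", "KeyIdentifier"): "key-identifier",
    q("ds", "KeyName"): "key-name",
    q("wsse", "Embedded"): "embedded",
}
def list_tokens(env):
    """Local names of the security tokens in the header, in document order."""
    sec = env.find(SEC, NS)
    return [] if sec is None else [c.tag.split("}")[1] for c in sec if c.tag in TOKEN_TAGS]

def classify_references(env):
    """Reference mechanism of every SecurityTokenReference in the message."""
    return [next((REFERENCE_KINDS[c.tag] for c in ref if c.tag in REFERENCE_KINDS), "unknown")
            for ref in env.iter(q("wsse", "SecurityTokenReference"))]

def parse_wsu_time(text):
    """Parse a wsu:Created/Expires value (UTC, optional fractional seconds)."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)

def check_timestamp(env, now, skew=timedelta(minutes=5)):
    """Accept only a present, unexpired Timestamp not created beyond the clock skew."""
    ts = env.find(SEC + "/wsu:Timestamp", NS)
    if ts is None:
        return False, "no wsu:Timestamp in security header"
    if parse_wsu_time(ts.find("wsu:Created", NS).text) > now + skew:
        return False, "Created is in the future"
    expires = ts.find("wsu:Expires", NS)
    if expires is not None and parse_wsu_time(expires.text) <= now:
        return False, "Timestamp expired"
    return True, "timestamp fresh"

def check_nonce(env, seen_nonces):
    """Reject a UsernameToken whose nonce was already accepted (replay)."""
    nonce = env.find(SEC + "/wsse:UsernameToken/wsse:Nonce", NS)
    if nonce is None:
        return False, "UsernameToken carries no nonce"
    if nonce.text.strip() in seen_nonces:
        return False, "nonce replayed"
    seen_nonces.add(nonce.text.strip())
    return True, "nonce accepted"

def body_encryption_finding(env):
    """None if soapenv:Body is intact; otherwise why the envelope is broken."""
    if env.find("soapenv:Body", NS) is not None:
        return None
    if env.find("xenc:EncryptedData", NS) is not None:
        return "soapenv:Body replaced by xenc:EncryptedData: encrypt the Body content, not the element"
    return "envelope has no soapenv:Body"

def inspect_message(xml_text, now, seen_nonces):
    """Run every check on one message and return the findings."""
    env = ET.fromstring(xml_text)
    return {"tokens": list_tokens(env), "references": classify_references(env),
            "timestamp": check_timestamp(env, now), "nonce": check_nonce(env, seen_nonces),
            "body_finding": body_encryption_finding(env)}

# Constructed sample: Username token plus X.509 token, a Signature referencing the X.509
# token directly, an EncryptedKey referencing it by key identifier, Body content encrypted.
GOOD_MESSAGE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<soapenv:Header><wsse:Security soapenv:mustUnderstand="1">
<wsu:Timestamp><wsu:Created>2005-03-01T12:00:00Z</wsu:Created><wsu:Expires>2005-03-01T12:05:00Z</wsu:Expires></wsu:Timestamp>
<wsse:UsernameToken><wsse:Username>alice</wsse:Username><wsse:Nonce>bm9uY2UtMDAwMQ==</wsse:Nonce></wsse:UsernameToken>
<wsse:BinarySecurityToken wsu:Id="x509-1">TUlJQi4uLg==</wsse:BinarySecurityToken>
<ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue><ds:KeyInfo>
<wsse:SecurityTokenReference><wsse:Reference URI="#x509-1"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
<xenc:EncryptedKey><ds:KeyInfo><wsse:SecurityTokenReference><wsse:KeyIdentifier>c2tp</wsse:KeyIdentifier>
</wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>ZWs=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>
</wsse:Security></soapenv:Header>
<soapenv:Body><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:CipherData><xenc:CipherValue>Y3Q=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soapenv:Body>
</soapenv:Envelope>"""
# The shape the text warns against: the Body element itself was encrypted (constructed).
BROKEN_MESSAGE = GOOD_MESSAGE.replace("<soapenv:Body>", "").replace("</soapenv:Body>", "")
DEMO_NOW = datetime(2005, 3, 1, 12, 1, tzinfo=timezone.utc)  # assumed receive time
DEMO_LATER = DEMO_NOW + timedelta(minutes=10)                  # after the Timestamp expires
if __name__ == "__main__":  # good, replayed nonce, expired timestamp, broken body
    seen = set()
    for msg, now in [(GOOD_MESSAGE, DEMO_NOW), (GOOD_MESSAGE, DEMO_NOW), (GOOD_MESSAGE, DEMO_LATER), (BROKEN_MESSAGE, DEMO_NOW)]:
        print(inspect_message(msg, now, seen))
```

The script checks message structure only; it neither verifies the signature nor decrypts anything, which in WebSphere the container does according to the binding file. Its value for a defender is in the negative findings: a replayed nonce, an expired timestamp, or an envelope whose Body element has been replaced by EncryptedData are all conditions to reject before any key material is touched.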
For more information on some of these enhancements, see Web services security enhancements.
Configuration
WebSphere Application Server Version
6 uses the deployment model for implementing the Web services security Version
1.0 specification, the Username token Version 1.0 profile, and the X.509 token
Version 1.0 profile. The deployment model is an extension of the Web services
deployment model for Java 2 Platform, Enterprise Edition (J2EE). The Web services
security constraints are defined in the IBM extension deployment descriptor
and the binding file based on the Web service port.
The format of the
deployment descriptor and the binding file is IBM proprietary material and
is not available. However, WebSphere Application Server provides the following
tools that you can use to edit the deployment descriptor and the binding file:
- Rational Application Developer Version 6.0.x
- You can use Rational Application Developer Version 6.0.x to develop Web
services and configure the deployment descriptor and the binding file for
Web services security. The Rational Application Developer enables you to assemble
both Web and EJB modules.
- Rational Web Developer Version 6.0.x
- You can use Rational Web Developer Version 6.0.x to develop Web services
and configure the deployment descriptor and the binding file for Web services
security. However, you cannot assemble EJB modules using this tool. Instead,
use the Application Server Toolkit or the Rational Application Developer.
- Application Server Toolkit
- You can use the Application Server Toolkit (AST), which is an assembly
tool designed for WebSphere Application Server Version 6.0.x, to specify the
deployment descriptor and the binding file for Web services security.
- WebSphere Application Server Administrative Console
- You can use the administrative console to configure the Web services security
binding of a deployed application with Web services security constraints defined
in the deployment descriptor.
Important: The format of the deployment descriptor
and the binding file for Web services security in WebSphere Application Server
Version 6.0.x is different from WebSphere Application Server Versions 5.0.2,
5.1, and 5.1.1. Web services security support in WebSphere Application Server
Versions 5.0.2, 5.1, and 5.1.1 is based on the Web services security draft
13 specification and the username token draft 2 profile. Thus, this support
is deprecated. However, applications that you configured using the Web service
security Versions 5.0.2, 5.1, and 5.1.1 deployment descriptor and binding
file can work with WebSphere Application Server 6. These applications use
a deployment descriptor and binding file that emit SOAP message security using
the draft 13 specification format. The Web services security deployment descriptor
and binding file for WebSphere Application Server Version 6.0.x is available
for a J2EE Version 1.4 application only. Therefore, the Web services security
Version 1.0 specification is supported for a J2EE Version 1.4 application
only.
To take advantage of implementations associated with the
Web services security Version 1.0 specification, you must:
- Migrate existing applications to J2EE Version 1.4
- Reconfigure the Web services security constraints in the new deployment
descriptor and binding format
Important: An automatic process does not exist for migrating
the deployment descriptor and the binding file for Web services security from
the version 5.0.2, 5.1, and 5.1.1 format to the new version 6.0.x format using
the Rational Web Developer and Application Server Toolkit. You must migrate
the configuration manually.
Important: The Web services
security support in WebSphere Application Server Version 6.0 is based in part
on the OASIS specification titled Web Services Security: X.509 Token Profile
1.0 plus the first errata (Errata 1.0).
In the first errata,
the URIs for the X.509 token type and the X.509 Subject Key Identifier value
type were modified. WebSphere Application Server Version 6.0 was based on
these modified URIs. After WebSphere Application Server Version 6.0 shipped,
the OASIS Technical Committee reversed those changes, reverting back to the
original 1.0 profile URIs.
Interoperability problems might occur
between WebSphere Application Server Version 6.0 and other vendors' Web services
products that are based on the current version of the profile. WebSphere Application
Server was fixed in versions 6.0.2 and 6.0.1.2 to comply with the latest version
of the profile. If WebSphere Application Server Version 6.0 is used in a heterogeneous
environment with other vendors' Web services products, upgrade the server to
version 6.0.1.2 or 6.0.2, or install a service fix that includes APAR PK03507.
FIPS support in WebSphere Application Server 6.0.2
In WebSphere Application Server 6.0.2, Federal Information Processing Standard
(FIPS) compliant algorithms for key encryption, data encryption, signature,
and digest are supported. To enable this mode, select Use the Federal Information
Processing Standard (FIPS) in the Global security panel of the WebSphere
Administrative Console.
After you select this option and restart WebSphere
Application Server, the lists of available algorithms that are displayed
in the Web services security binding configuration panels of the Administrative
Console contain only FIPS compliant algorithms.
If a previously deployed
application was configured to use a non-compliant algorithm, that application
no longer starts after FIPS mode has been enabled in WebSphere Application
Server. The error message Unauthorized data encryption method appears
in the case of a non-compliant data encryption algorithm. Similar errors
are displayed for unauthorized key encryption, digest, and signature methods.
What is not supported
Web service security is still
fairly new and some of the standards are still being defined or standardized.
The following functionality is not supported in WebSphere Application Server
Version 6.0.x:
- Application programming interfaces (API) do not exist for Web services
security in WebSphere Application Server version 6.0.x. The following standards
exist for the Java application programming interface for XML security and
Web services security:
- SAML token profile is not supported out of the box.
- WS-SecuredConversation is not supported out of the box.
- WS-Trust is not supported out of the box.
- WS-SecurityKerberos token profile is not supported out of the box.
- REL token profile is not supported.
- Web services security SOAP messages with an attachments profile (SwA)
is not supported.
- WS-I Basic Security Profile Version 1.0 is not supported.
- Non-Web services container managed client is not supported out of the
box.
For information on what is supported for Web services security
in WebSphere Application Server Version 6.0.x, see Supported functionality from OASIS specifications.