WebSphere Application Server Network Deployment, Version 6.0.x   Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Supported functionality from OASIS specifications

WebSphere Application Server Version 6 and later support Organization for the Advancement of Structured Information (OASIS) Web Services Security (WS-Security) specifications.

WebSphere Application Server supports these OASIS Web Services Security Version 1.0 specifications.

These OASIS standards have been updated to support the latest versions of the Web Services Security (WS-Security) specifications and tokens. Version 1.1 provides better security verification for signatures, a standard way of encrypting SOAP headers, and meets the requirements of some interoperability scenarios that use features from Web Services Security Version 1.1.

OASIS: Web Services Security SOAP Message Security 1.0

The following list shows the aspects of the OASIS: Web Services Security: SOAP Message Security 1.0 specification that are supported in WebSphere Application Server Versions 6 and later.

Supported topic: specific aspect that is supported
Security header
  • @S11:actor (for an intermediary)
  • @S11:mustUnderstand
Security tokens
  • Username token (user name and password)
  • Binary security token (X.509 and Lightweight Third Party Authentication (LTPA))
  • Custom token
    • Other binary security token
    • XML token
      Note: WebSphere Application Server does not provide an implementation, but you can use an XML token through the plug-in point.
Token references
  • Direct reference
  • Key identifier
  • Key name
  • Embedded reference
Signature algorithms
  • Digest
    SHA1
    http://www.w3.org/2000/09/xmldsig#sha1
  • MAC
    HMAC-SHA1
    http://www.w3.org/2000/09/xmldsig#hmac-sha1
  • Signature
    DSA with SHA1
    http://www.w3.org/2000/09/xmldsig#dsa-sha1
    RSA with SHA1
    http://www.w3.org/2000/09/xmldsig#rsa-sha1
  • Canonicalization
    Canonical XML (with comments)
    http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
    Canonical XML (without comments)
    http://www.w3.org/TR/2001/REC-xml-c14n-20010315
    Exclusive XML canonicalization (with comments)
    http://www.w3.org/2001/10/xml-exc-c14n#WithComments
    Exclusive XML canonicalization (without comments)
    http://www.w3.org/2001/10/xml-exc-c14n#
  • Transform
    STR transform
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
    XPath
    http://www.w3.org/TR/1999/REC-xpath-19991116
    Enveloped signature
    http://www.w3.org/2000/09/xmldsig#enveloped-signature
    XPath Filter2
    http://www.w3.org/2002/06/xmldsig-filter2
    Decryption transform
    http://www.w3.org/2002/07/decrypt#XML
Signature signed parts
  • WebSphere Application Server key words:
    • body, which signs the SOAP message body
    • timestamp, which signs all of the time stamps
    • securitytoken, which signs all of the security tokens
    • dsigkey, which signs the signing key
    • enckey, which signs the encryption key
    • messageid, which signs the wsa:MessageID element in WS-Addressing
    • to, which signs the wsa:To element in WS-Addressing
    • action, which signs the wsa:Action element in WS-Addressing
    • relatesto, which signs the wsa:RelatesTo element in WS-Addressing

      wsa is the namespace prefix of http://schemas.xmlsoap.org/ws/2004/08/addressing

  • XPath expression to select an XML element in a SOAP message. For more information, see http://www.w3.org/TR/1999/REC-xpath-19991116.
Encryption algorithms
  • Data encryption
    • Triple DES in CBC: http://www.w3.org/2001/04/xmlenc#tripledes-cbc
    • AES128 in CBC: http://www.w3.org/2001/04/xmlenc#aes128-cbc
    • AES192 in CBC: http://www.w3.org/2001/04/xmlenc#aes192-cbc

      This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.

    • AES256 in CBC: http://www.w3.org/2001/04/xmlenc#aes256-cbc

      This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.

  • Key encryption
    • Key transport (public key cryptography)
      • RSA Version 1.5: http://www.w3.org/2001/04/xmlenc#rsa-1_5
    • Symmetric key wrap (private key cryptography)
      • Triple DES key wrap: http://www.w3.org/2001/04/xmlenc#kw-tripledes
      • AES key wrap (aes128): http://www.w3.org/2001/04/xmlenc#kw-aes128
      • AES key wrap (aes192): http://www.w3.org/2001/04/xmlenc#kw-aes192

        This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.

      • AES key wrap (aes256): http://www.w3.org/2001/04/xmlenc#kw-aes256

        This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings: Message parts.

  • Manifests (xenc is the namespace prefix of http://www.w3.org/TR/xmlenc-core)
    • xenc:ReferenceList
    • xenc:EncryptedKey

Advanced Encryption Standard (AES) is designed to provide stronger security and better performance for symmetric key encryption than Triple-DES (Data Encryption Standard). Therefore, it is recommended that you use AES, if possible, for symmetric key encryption.

Encryption message parts
  • WebSphere Application Server keywords
    • bodycontent, which is used to encrypt the SOAP body content
    • usernametoken, which is used to encrypt the username token
    • digestvalue, which is used to encrypt the digest value of the digital signature
    • signature, which is used to encrypt the entire digital signature
  • XPath expression to select the XML element in the SOAP message
    • XML elements
    • XML element contents
Time stamp
  • Within Web services security header
  • WebSphere Application Server is extended to allow you to insert time stamps into other elements so that the age of those elements can be determined.
Error handling
  • SOAP faults

OASIS: Web Services Security UsernameToken Profile 1.0

The following list shows the aspects of the OASIS: Web Services Security Username Token Profile 1.0 specification that are supported in WebSphere Application Server.

Supported topic: specific aspect that is supported
Password types
  • Text
Token references
  • Direct reference

OASIS: Web Services Security X.509 Certificate Token Profile 1.0

The following list shows the aspects of the OASIS: Web Services Security X.509 Certificate Token Profile specification that is supported in WebSphere Application Server Versions 6 and later.

Supported topic: specific aspect that is supported
Token types
  • X.509 Version 3: Single certificate

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3

  • X.509 Version 3: X509PKIPathv1 without certificate revocation lists (CRL)

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1

  • X.509 Version 3: PKCS7 with or without CRLs. The IBM software development kit (SDK) supports both. The Sun Java Development Kit (JDK) supports PKCS7 without CRL only.
Token references
  • Key identifier – subject key identifier
  • Direct reference
  • Custom reference – issuer name and serial number

Functionality that is not supported by WebSphere Application Server Versions 6 and later

The following list shows the functionality that is supported in the OASIS specifications, OASIS drafts, and other recommendations but is not supported by WebSphere Application Server Version 6 and later:
  • Web Services Interoperability Organization (WS-I) basic security profile
  • The Web services security binding is not collected during the application installation process. It can be configured after the application is deployed.
  • Security header
    • @S12:role

      S12 is the namespace prefix of http://www.w3.org/2003/05/soap-envelope

  • Nonmanaged client with Web services security. For example, a Java 2 Platform, Standard Edition (J2SE) client or a Dynamic Invocation Interface (DII) client
  • Web services security for SOAP attachment
  • Security Assertion Markup Language (SAML) token profile, WS-Security Kerberos token profile, and XrML token profile
  • XML enveloping digital signature
  • XML enveloping digital encryption
  • The following transform algorithms for digital signatures are not supported:
    • XSLT: http://www.w3.org/TR/1999/REC-xslt-19991116
    • SOAP Message Normalization

      See SOAP Version 1.2 Message Normalization for details; for example, an empty header or a header entry with mustUnderstand=false is removed.

  • The following key agreement algorithm for encryption is not supported:
  • The following canonicalization algorithms for encryption, which are optional in the XML encryption specification, are not supported:
    • Canonical XML with or without comments
    • Exclusive XML Canonicalization with or without comments
  • DSA digital signature is not supported.
  • Pre-agreed symmetric key data encryption is not supported.
  • Auditing for nonrepudiation for digital signatures is not supported.
  • In both versions of the Username Token Profile specification, the digest password type is not supported.
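The lists above of supported and unsupported algorithm URIs can be turned into a pre-acceptance check: before a message is handed to the runtime, confirm that the wsse:Security header is present and flagged mustUnderstand, and that every Algorithm attribute in the envelope is one the product lists as supported (so an unsupported transform such as XSLT is rejected up front). The following is an added example written for this page, not IBM code; the namespace URIs for SOAP 1.1, WSS 1.0, XML-DSig and XML-Enc are standard, the sample envelope is constructed, and treating canonicalization URIs as acceptable ds:Transform steps is an assumption noted in the code.

```python
import xml.etree.ElementTree as ET

# Namespaces: SOAP 1.1 envelope, WSS 1.0 security extension, XML-DSig and XML-Enc.
NS = {"S11": "http://schemas.xmlsoap.org/soap/envelope/", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
C14N, EXC = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315", "http://www.w3.org/2001/10/xml-exc-c14n#"
C14N_ALGS = {C14N, C14N + "#WithComments", EXC, EXC + "WithComments"}
# Algorithm URIs the page lists as supported, keyed by the element that carries the Algorithm attribute.
SUPPORTED = {
    "ds:CanonicalizationMethod": C14N_ALGS,
    "ds:SignatureMethod": {NS["ds"] + a for a in ("rsa-sha1", "dsa-sha1", "hmac-sha1")},
    "ds:DigestMethod": {NS["ds"] + "sha1"},
    # Assumption: the canonicalization URIs are also accepted as ds:Transform steps, as real messages use them.
    "ds:Transform": C14N_ALGS | {NS["ds"] + "enveloped-signature", "http://www.w3.org/TR/1999/REC-xpath-19991116",
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform",
        "http://www.w3.org/2002/06/xmldsig-filter2", "http://www.w3.org/2002/07/decrypt#XML"},
    "xenc:EncryptionMethod": {NS["xenc"] + a for a in ("tripledes-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
        "rsa-1_5", "kw-tripledes", "kw-aes128", "kw-aes192", "kw-aes256")},
}

def check_envelope(envelope_xml):
    """Return findings: missing wsse:Security, mustUnderstand not set, or an Algorithm URI outside SUPPORTED."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("S11:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header in SOAP Header"]
    findings = []
    if sec.get("{%s}mustUnderstand" % NS["S11"]) != "1":
        findings.append('wsse:Security lacks S11:mustUnderstand="1"')
    for qname, allowed in SUPPORTED.items():
        prefix, local = qname.split(":")
        for el in root.iter("{%s}%s" % (NS[prefix], local)):  # signature sits in the header, EncryptedData in the body
            if el.get("Algorithm") not in allowed:
                findings.append("%s uses unsupported algorithm %s" % (qname, el.get("Algorithm")))
    return findings

# Constructed sample: RSA-SHA1 signature over the body, AES-128 data key transported with RSA 1.5,
# and one XSLT transform, which the page lists as not supported.
SAMPLE = """<S11:Envelope xmlns:S11="%(S11)s" xmlns:wsse="%(wsse)s" xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s">
 <S11:Header><wsse:Security S11:mustUnderstand="1">
  <xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="%(xenc)srsa-1_5"/></xenc:EncryptedKey>
  <ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <ds:SignatureMethod Algorithm="%(ds)srsa-sha1"/>
   <ds:Reference URI="#body"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116"/></ds:Transforms>
    <ds:DigestMethod Algorithm="%(ds)ssha1"/></ds:Reference></ds:SignedInfo></ds:Signature></wsse:Security></S11:Header>
 <S11:Body><xenc:EncryptedData><xenc:EncryptionMethod Algorithm="%(xenc)saes128-cbc"/></xenc:EncryptedData></S11:Body>
</S11:Envelope>""" % NS
```

Running check_envelope(SAMPLE) reports only the XSLT transform; every other algorithm in the sample is in the supported lists above.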



Related concepts
What is new for securing Web services
Related reference
Encryption information configuration settings: Message parts


Last updated: Mar 8, 2007 8:14:28 PM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/cwbs_supportfunction.html

© Copyright IBM Corporation 2004, 2006. All Rights Reserved.