WebSphere Application Server Version 6.1 Feature Pack for Web Services
             Operating Systems: AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS

Configuration considerations for Web services security when using the WSS API

To secure Web services with WebSphere Application Server, you can specify several different configurations using the Web Services Security APIs (WSS API). The Web Service Security specification provides a flexible way to secure Web services messages using XML digital signature, XML encryption, and attached security tokens. You can enable Web Service Security either by configuring a policy set or by using the WSS API. The WSS API implementation has default values for which message parts are signed or encrypted. These defaults help end users enable Web Service Security quickly.

Different message parts can be specified in the message protection for request or response, and different standalone tokens can be sent in request or response. However, there is only one symmetric or one asymmetric binding assertion to describe the token type and the algorithm that is used for message protection.

Using the WSS API, you can override any default values. However, when you alter the protection parts, note that all the default protection parts are cleared. For example, if you specify that you want to encrypt the Username token instead of the default X.509 token, all the default values of the encrypting protection parts are cleared.

The following table shows an example of the relationships between each of the configurations:

Table 1. Request generator and response consumer configurations

Type of configuration: Request generator
Configuration name: Signing information
Configurations and default values:
  • Canonicalization method: WSSSignature.EXC_C14N
  • Signature method: WSSSignature.RSA_SHA1
  • Digest method: WSSSignPart.SHA1
  • Transform method: WSSSignPart.TRANSFORM_EXC_C14N
  • Signed part - Body: WSSSignature.BODY
  • Signed part - Addressing: WSSSignature.ADDRESSING_HEADERS
  • Signed part - Timestamp: WSSSignature.TIMESTAMP
  • Token reference: SecurityToken.REF_STR
  • Token - Value type: X509Token.ValueType
  • Token - JAAS login configuration name: system.wss.generate.x509

Type of configuration: Response consumer
Configuration name: Signature verification information
Configurations and default values:
  • Canonicalization method: WSSVerification.EXC_C14N
  • Signature method: WSSVerification.RSA_SHA1
  • Transform method: WSSVerifyPart.TRANSFORM_EXC_C14N
  • Signed part - Body: WSSVerification.BODY
  • Signed part - Addressing: WSSVerification.ADDRESSING_HEADERS
  • Signed part - Timestamp: WSSVerification.TIMESTAMP
  • Token - Value type: X509Token.ValueType
  • Token - JAAS login configuration name: system.wss.consume.x509

Type of configuration: Request generator
Configuration name: Encryption information
Configurations and default values:
  • Encrypted key: true
  • Key encryption method: WSSEncryption.KW_RSA_OAEP
  • Data encryption method: WSSEncryption.AES128
  • Encryption part: WSSEncryption.BODY_CONTENT
  • Token reference: SecurityToken.REF_KEYID
  • Token - Value type: X509Token.ValueType
  • Token - JAAS login configuration name: system.wss.generate.x509

Type of configuration: Response consumer
Configuration name: Decryption information
Configurations and default values:
  • Encrypted key: true
  • Key decryption method: WSSDecryption.KW_RSA_OAEP
  • Data decryption method: WSSDecryption.AES128
  • Decryption part: WSSDecryption.BODY_CONTENT
  • Token - Value type: X509Token.ValueType
  • Token - JAAS login configuration name: system.wss.consume.x509
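
The following is an added example, not code from this topic or from the product documentation, showing the practical consequence of the clearing behavior described above: when a Username token is added to the signed parts, the default signed parts from Table 1 are re-added explicitly so the Body, addressing headers, and Timestamp stay covered by the signature. The class and method names are hypothetical, both tokens are assumed to have been created by the caller through WSSFactory, and the code requires the WebSphere WSS API on the classpath.

```java
import com.ibm.websphere.wssecurity.wssapi.WSSException;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext;
import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignature;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;

// Hypothetical helper class for illustration; not part of WebSphere.
public final class SignRequestWithUsernameToken {

    private SignRequestWithUsernameToken() {
    }

    /**
     * Signs an outbound request with an X.509 token and includes a Username
     * token in the signature without dropping the default signed parts.
     *
     * @param msgContext    message context of the outbound request (assumed
     *                      to be obtained by the calling client code)
     * @param x509Token     signing token (assumed created by the caller)
     * @param usernameToken token the signature must also cover (same)
     */
    public static void apply(Object msgContext,
                             SecurityToken x509Token,
                             SecurityToken usernameToken) throws WSSException {
        WSSFactory factory = WSSFactory.getInstance();
        WSSGenerationContext gencont = factory.newWSSGenerationContext();

        // With no parts specified, the signature covers the defaults from
        // Table 1: Body, addressing headers, and Timestamp.
        WSSSignature sig = factory.newWSSSignature(x509Token);

        // Specifying any part explicitly clears all default signed parts.
        sig.addSignPart(usernameToken);

        // Re-add each default so the explicit list is a superset of the
        // defaults rather than a replacement for them.
        sig.addSignPart(WSSSignature.BODY);
        sig.addSignPart(WSSSignature.ADDRESSING_HEADERS);
        sig.addSignPart(WSSSignature.TIMESTAMP);

        gencont.add(sig);
        // Generates the WS-Security header on the request.
        gencont.process(msgContext);
    }
}
```

The same pattern applies to encryption: after changing the encrypted parts, add WSSEncryption.BODY_CONTENT back if the body must still be encrypted.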



Related tasks
Configuring the signature information using the WSSSignature API
Verifying the signature using the WSSVerification API
Encrypting the SOAP message using the WSSEncryption API
Decrypting the SOAP message using the WSSDecryption API
Managing policy sets using the administrative console
Configuring Web services security using the WSS APIs

Last updated: Nov 25, 2008 2:35:59 AM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.wsfep.multiplatform.doc/info/ae/ae/rwbs_wssconfigconsiderjaxws.html