In WebSphere® Application Server Version 7, there are many security enhancements for Web services. The enhancements include supporting sections of the Web Services Security (WS-Security) specifications and providing architectural support for plugging in and extending the capabilities of security tokens.
Since September 2002, the Organization for the Advancement of Structured Information Standards (OASIS) has been developing the Web Services Security (WS-Security) for SOAP message standard.
In April 2004, OASIS released the Web Services Security Version 1.0 specification, which is a major milestone for securing Web services. In February 2006, the specification was updated to Version 1.1. This specification is the foundation for other Web services security specifications and is also the basis for the Basic Security Profile (WS-I BSP) Version 1.0 specification, which was approved in March 2007. See the Basic Security Profile Web page for more information.
Web Services Security Version 1.1 is a strategic move towards Web services security inter-operability, and an important part of the Web services security roadmap. For more information on the Web services security roadmap, see Security in a Web Services World: A Proposed Architecture and Roadmap.
For details on what parts of the previous specifications are supported in WebSphere Application Server, see Supported functionality from OASIS specifications.
For more information on security token profile development at OASIS, see Organization for the Advancement of Structured Information Standards.
The Web Services Security for SOAP Message Version 1.1 updates the Web Services Security for SOAP Message core specification and the various security token profiles. For this release, WebSphere Application Server implements the Username Token Profile 1.1 and the X.509 Token Profile 1.1, which includes support for the Thumbprint type of security token reference. In addition, it supports the signature confirmation and encrypted header portions of the Web Services Security Version 1.1 standard.
For more information on some of these enhancements, see Web services security enhancements.
Security Assertion Markup Language (SAML) is an XML-based OASIS standard for exchanging user identity and security attribute information. When WebSphere Application Server Version 7.0.0.7 is installed, you can use the SAML function to apply policy sets to JAX-WS applications, and then use SAML assertions in Web services messages and in Web services usage scenarios. SAML assertions can represent user identity and user security attributes and, optionally, sign and encrypt SOAP message elements. WebSphere Application Server supports SAML assertions using the bearer subject confirmation method and the holder-of-key subject confirmation method as defined in the OASIS Web Services Security SAML Token Profile Version 1.1 specification. Policy sets and general bindings that support SAML are included with the SAML function.
The SAML function also provides building blocks and APIs that enable you to create single sign-on and identity federation business solutions using SAML tokens. SAML policy sets are the building blocks for configuring Web services applications to request SAML tokens, propagate SAML tokens in SOAP messages, and validate and authenticate SAML tokens, all without a single line of programming. Using the SAML and WS-Trust client APIs, you can programmatically create SAML tokens, parse and validate SAML tokens, and authenticate SAML tokens received from protocols other than Web services SOAP messages. Specifically, use the SAML APIs to process custom SAML token attributes, create personalized application interfaces and perform claim-based authorization. Use the WS-Trust client API to request SAML tokens, or other types of tokens, from a Security Token Service (STS), and to validate and exchange security tokens with an STS.
WebSphere Application Server uses the policy set model for implementing the Web Services Security Version 1.1 specification, including the Username token Version 1.1 profile, support for the Kerberos and LTPA v2 tokens, and the X.509 token version 1.1 profile. Policy sets combine configuration settings, including those for transport and message level configuration, such as WS-Addressing, WS-ReliableMessaging, WS-SecureConversation, and WS-Security. For more information on policy sets, refer to the topic Managing policy sets using the administrative console.
You can use the administrative console to configure the Web services security binding of a deployed application with Web services security constraints that are defined in the policy set.
For the X.509 Certificate Token Profile, one new type of security token reference is the Thumbprint reference, which is specified in the binding. WebSphere Application Server now supports creating and authenticating a security token by using a security token reference (STR) with a key identifier and a Thumbprint in the <KeyInfo> element. The Thumbprint key information type requires that there be a keystore with the public and private key pair instead of a shared key. To use the Thumbprint of the specified certificate, specify the keyInfo type THUMBPRINT in the bindings.
For example, a decryption key is referenced by means of the thumbprint of an associated certificate. The certificate is not included in the message. Instead, the <ds:KeyInfo> element contains a <wsse:SecurityTokenReference> element that identifies the certificate by its thumbprint, using the http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1 ValueType of the <wsse:KeyIdentifier> element.
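To make the Thumbprint reference concrete, the following Python example (added here; it is not WebSphere Application Server code) builds the <ds:KeyInfo> structure described above for a sender and, on the receiving side, resolves such a reference back to an entry in a keystore. The thumbprint is the SHA-1 digest of the certificate's DER encoding, as the X.509 Token Profile 1.1 defines it; the "certificate" byte strings below are constructed placeholders standing in for real DER-encoded certificates, and the keystore is modelled as a plain dictionary keyed by thumbprint.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespace and type URIs from the WS-Security 1.0/1.1 specifications and XML Signature.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSS11 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1"
DS = "http://www.w3.org/2000/09/xmldsig#"
THUMBPRINT_SHA1 = WSS11 + "#ThumbprintSHA1"
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")

ET.register_namespace("wsse", WSSE)
ET.register_namespace("ds", DS)


def thumbprint_sha1(cert_der: bytes) -> bytes:
    """Thumbprint as defined by the X.509 Token Profile: SHA-1 over the DER-encoded certificate."""
    return hashlib.sha1(cert_der).digest()


def build_thumbprint_keyinfo(cert_der: bytes) -> str:
    """Sender side: a <ds:KeyInfo> that references the certificate only by thumbprint."""
    key_info = ET.Element(f"{{{DS}}}KeyInfo")
    str_el = ET.SubElement(key_info, f"{{{WSSE}}}SecurityTokenReference")
    key_id = ET.SubElement(str_el, f"{{{WSSE}}}KeyIdentifier",
                           {"ValueType": THUMBPRINT_SHA1, "EncodingType": BASE64_BINARY})
    key_id.text = base64.b64encode(thumbprint_sha1(cert_der)).decode("ascii")
    return ET.tostring(key_info, encoding="unicode")


def index_keystore(certs_by_alias: dict[str, bytes]) -> dict[bytes, str]:
    """Precompute thumbprint -> alias so a reference can be resolved without scanning."""
    return {thumbprint_sha1(der): alias for alias, der in certs_by_alias.items()}


def resolve_thumbprint_keyinfo(keyinfo_xml: str, keystore: dict[bytes, str]) -> str:
    """Receiver side: validate the reference and return the alias of the matching keystore entry.

    Every structural check raises ValueError; a reference that is malformed, uses a
    different ValueType, or names an unknown certificate must not silently fall back.
    """
    root = ET.fromstring(keyinfo_xml)
    if root.tag != f"{{{DS}}}KeyInfo":
        raise ValueError("root element is not ds:KeyInfo")
    key_id = root.find(f"{{{WSSE}}}SecurityTokenReference/{{{WSSE}}}KeyIdentifier")
    if key_id is None:
        raise ValueError("no wsse:KeyIdentifier inside wsse:SecurityTokenReference")
    if key_id.get("ValueType") != THUMBPRINT_SHA1:
        raise ValueError(f"unexpected ValueType {key_id.get('ValueType')!r}")
    # Base64Binary is the profile's default encoding, so an absent attribute is allowed.
    if key_id.get("EncodingType", BASE64_BINARY) != BASE64_BINARY:
        raise ValueError(f"unexpected EncodingType {key_id.get('EncodingType')!r}")
    try:
        thumbprint = base64.b64decode((key_id.text or "").strip(), validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError("KeyIdentifier text is not valid base64") from exc
    if len(thumbprint) != hashlib.sha1().digest_size:
        raise ValueError("thumbprint is not a SHA-1 digest")
    try:
        return keystore[thumbprint]
    except KeyError:
        raise ValueError("no certificate with this thumbprint in the keystore") from None


# Constructed placeholders for DER-encoded certificates (not real X.509 data).
SAMPLE_CERTS = {
    "service-a": b"constructed-stand-in-for-DER-certificate-A",
    "service-b": b"constructed-stand-in-for-DER-certificate-B",
}

if __name__ == "__main__":
    store = index_keystore(SAMPLE_CERTS)
    reference = build_thumbprint_keyinfo(SAMPLE_CERTS["service-a"])
    print(reference)
    print("resolved to:", resolve_thumbprint_keyinfo(reference, store))
```

Because the message carries only a 20-byte digest, the receiver must already hold the certificate (and, for decryption, the private key) in its keystore; that is why the text above requires a keystore with the public and private key pair rather than a shared key when the THUMBPRINT key information type is selected.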
For more information on the IBM SDK for Java Version 6, see the security information documentation.
For information on what is supported for Web services security in WebSphere Application Server, see Supported functionality from OASIS specifications.