Enabling secure conversation

Use secure conversation to secure web services application messages.

Before you begin

Applications that contain web services must have been deployed.

About this task

The Organization for the Advancement of Structured Information Standards (OASIS) Web Services Secure Conversation (WS-SecureConversation) draft specification describes ways to establish a secure session between the initiator and recipient of SOAP messages. The WS-SecureConversation draft specification also defines how to use the OASIS Web Services Trust (WS-Trust) protocol to establish a security context token (SCT). For complete information, see the OASIS Web Services Secure Conversation specification.

WebSphere® Application Server supports the ability of an endpoint to issue a security context token for WS-SecureConversation, and thereby provides a secure session between the initiator and recipient of SOAP messages.

The following figure describes the flow that is required to establish a secured context and to use session-based security.

Figure 1. Displaying the flow between the client and the web service and security token service Shows the flow between the client, the security token service, and the web service

In the WS-SecureConversation specification, a security context is represented by the <wsc:SecurityContextToken> security token. The following example represents the assertion syntax for a <wsc:SecurityContextToken> element.

<wsc:SecurityContextToken wsu:Id="..." ...>
    <wsc:Identifier>...</wsc:Identifier>
    <wsc:Instance>...</wsc:Instance>
    ...
</wsc:SecurityContextToken>

The security context token does not support references to it by using key identifiers or key names. All references must either use an ID (to a wsu:Id attribute) or a <wsse:Reference> to the <wsc:Identifier> element.

WebSphere Application Server provides these pre-configured secure conversation-related polices:

In this example, the default SecureConversation policy set, and the default WS-Security binding and TrustServiceSecurityDefault binding are used to achieve the task of enabling secure conversation. The default SecureConversation policy set has both the application policy (symmetricBinding) and the bootstrap policy (asymmetricBinding). The application policy is used to secure application messages and the bootstrap policy is used to secure the RequestSecurityToken (RST) messages.

A trust service that issues a security context token is configured with the TrustServiceSecurityDefault system policy and the TrustServiceSecurityDefault binding. The trust policy is responsible for securing RequestSecurityTokenResponse (RSTR) messages. If the bootstrap policy is modified, the trust policy has to be modified to match both of the configurations.

Note: The following steps are to be used only in development and test environments.

The Web Services Security (WS-Security) default bindings that are used here contain sample key files and must be customized before use in a production. For the production environment, use of custom bindings is advised. Also note that, if the profile is created by using the choice of Create the server using the development template, you can skip steps 2 and 3.

To configure secure conversation, configure the policy set, and add a policy assertion to the policy, complete the following steps:

Procedure

  1. Make a copy of a default secure conversation policy so you can customize the policy set for your own environment.
    1. Launch the administrative console, and click Services > Policy sets > Application policy sets.
    2. Select the check box next to an existing policy set that follows the WS-SecureConversation specifications. For example, you might click the check box next to SecureConversation. This policy set is one of the pre-configured secure conversation-related application policy sets that is listed in the table. The SecureConversation policy set has a bootstrap policy to match the default policy set for the trust service to issue and renew tokens.
    3. Click Copy.
    4. Enter a unique name for the new copy of the SecureConversation application policy set. For example: CopyOfSCPolicySet
    5. Optional: Change the description, as needed, for your customized version of this policy set.
  2. Attach the policy set and binding to the application.
    1. Click Applications > Application Types > WebSphere enterprise applications > application name .
    2. Click either Service provider policy sets and bindings or Service client policy sets and bindings to attach resources to the CopyOfSCPolicySet policy set. The general binding is assigned automatically as the default.
    3. You can use the Attach Policy Set and Assign Binding menu lists to select a different policy set or binding.

Results

After completing these steps, you have configured secure conversation.

What to do next

Next, review the example scenario about how to establish a security context token to secure a secure conversation.




In this information ...


IBM Redbooks, demos, education, and more

(Index)

Use IBM Suggests to retrieve related content from ibm.com and beyond, identified for your convenience.

This feature requires Internet access.

Task topic Task topic    

Terms of Use | Feedback

Last updatedLast updated: Sep 19, 2011 6:15:55 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=matt&product=was-express-dist&topic=twbs_enablesecureconv
File name: twbs_enablesecureconv.html