Securing Web services for v6.0.x applications based on WS-Security
Overview
Web services security for WAS is based on standards included in the OASIS WSS V1.0 specification, the Username token V1.0 profile, and the X.509 token V1.0 profile. These standards and profiles address how to protect messages exchanged in a Web service environment. The specification defines the core facilities for protecting the integrity and confidentiality of a message and provides mechanisms for associating security-related claims with the message. Web services security is a message-level standard for securing SOAP messages: integrity through XML digital signature, confidentiality through XML encryption, and credential propagation through security tokens.
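The integrity half of that model, as an added example that is not part of this page or of the WebSphere implementation: a ds:Signature inside the wsse:Security header references the soap:Body by its wsu:Id, and the consumer recomputes every Reference digest and the SignatureValue before it trusts the body. The message, the shared HMAC key and the "urn:example:bank" payload are constructed for the example; it uses HMAC-SHA1 (a signature method XML Signature defines) in place of an X.509 key pair, and Python's stdlib C14N 2.0 in place of the Exclusive C14N most WS-Security deployments use. The strict check that the signed element is the Envelope's own Body is the consumer-side guard against XML signature wrapping, where an attacker relocates the signed Body and substitutes an unsigned one that the application then processes.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespace URIs from SOAP 1.1, WS-Security 1.0 and XML Signature.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
BANK = "urn:example:bank"  # constructed application namespace
for _p, _u in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU), ("ds", DS), ("ex", BANK)):
    ET.register_namespace(_p, _u)

KEY = b"shared-secret-for-the-example-only"  # constructed; stands in for an X.509 key pair
SIG_PATH = f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{DS}}}Signature"

# Constructed request: the Body carries wsu:Id="body" so the Reference can point at it.
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}" xmlns:ex="{BANK}">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2010/10/xml-c14n2"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <ds:Reference URI="#body">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue/>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue/>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="body">
    <ex:transfer><ex:to>ACC-42</ex:to><ex:amount>100</ex:amount></ex:transfer>
  </soapenv:Body>
</soapenv:Envelope>"""


def _c14n(elem):
    """Serialize one subtree and canonicalize it; generator and consumer must do exactly this."""
    clone = copy.deepcopy(elem)
    clone.tail = None  # ET.tostring would otherwise append the element's tail text
    return ET.canonicalize(xml_data=ET.tostring(clone, encoding="unicode")).encode()


def _by_wsu_id(root, wsu_id):
    return [e for e in root.iter() if e.get(f"{{{WSU}}}Id") == wsu_id]


def sign(envelope_xml, key):
    """Generator side: fill in each DigestValue, then MAC the canonical SignedInfo."""
    root = ET.fromstring(envelope_xml)
    sig = root.find(SIG_PATH)
    signed_info = sig.find(f"{{{DS}}}SignedInfo")
    for ref in signed_info.findall(f"{{{DS}}}Reference"):
        target = _by_wsu_id(root, ref.get("URI")[1:])[0]
        digest = hashlib.sha1(_c14n(target)).digest()
        ref.find(f"{{{DS}}}DigestValue").text = base64.b64encode(digest).decode()
    mac = hmac.new(key, _c14n(signed_info), hashlib.sha1).digest()
    sig.find(f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")


def verify(envelope_xml, key, strict=True):
    """Consumer side: True only if SignatureValue and every Reference digest check out.
    strict=True also requires that the signed element is the Envelope's own Body."""
    root = ET.fromstring(envelope_xml)
    sig = root.find(SIG_PATH)
    if sig is None:
        return False
    signed_info = sig.find(f"{{{DS}}}SignedInfo")
    expected = hmac.new(key, _c14n(signed_info), hashlib.sha1).digest()
    given = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue") or "")
    if not hmac.compare_digest(expected, given):
        return False
    body = root.find(f"{{{SOAP}}}Body")
    body_signed = False
    for ref in signed_info.findall(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            return False  # only same-document references are accepted
        matches = _by_wsu_id(root, uri[1:])
        if len(matches) != 1:
            return False  # a duplicated wsu:Id is the classic wrapping setup
        digest = hashlib.sha1(_c14n(matches[0])).digest()
        if not hmac.compare_digest(digest, base64.b64decode(ref.findtext(f"{{{DS}}}DigestValue") or "")):
            return False
        body_signed = body_signed or matches[0] is body
    return body_signed or not strict


def tamper(signed_xml):
    """Change the amount after signing; the Body digest no longer matches."""
    root = ET.fromstring(signed_xml)
    root.find(f".//{{{BANK}}}amount").text = "100000"
    return ET.tostring(root, encoding="unicode")


def wrap(signed_xml):
    """Signature wrapping: park the signed Body under a header wrapper (so #body still
    resolves and its digest still matches) and insert a fresh, unsigned Body."""
    root = ET.fromstring(signed_xml)
    header, body = root.find(f"{{{SOAP}}}Header"), root.find(f"{{{SOAP}}}Body")
    root.remove(body)
    ET.SubElement(header, "Wrapper").append(body)
    transfer = ET.SubElement(ET.SubElement(root, f"{{{SOAP}}}Body"), f"{{{BANK}}}transfer")
    ET.SubElement(transfer, f"{{{BANK}}}to").text = "ATTACKER"
    ET.SubElement(transfer, f"{{{BANK}}}amount").text = "100000"
    return ET.tostring(root, encoding="unicode")


def demo():
    signed = sign(SAMPLE, KEY)
    return {
        "genuine": verify(signed, KEY),
        "tampered": verify(tamper(signed), KEY),
        "wrapped_naive": verify(wrap(signed), KEY, strict=False),
        "wrapped_strict": verify(wrap(signed), KEY),
    }


if __name__ == "__main__":
    print(demo())
```

A consumer that only resolves the Reference URI accepts the wrapped message (`wrapped_naive`), because the relocated Body still hashes correctly; the check that the referenced element is the Body the application will dispatch on is what the consumer binding has to enforce, alongside the trust-anchor and certificate-store checks on the signer's X.509 token that a real deployment uses instead of the shared key here.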
To secure Web services, consider a broad set of security requirements, including authentication, authorization, privacy, trust, integrity, confidentiality, secure communications channels, federation, delegation, and auditing across a spectrum of application and business topologies. One of the key requirements for the security model in today's business environment is the ability to interoperate between formerly incompatible security technologies (such as public key infrastructure, Kerberos and so on) in heterogeneous environments (such as Microsoft .NET and J2EE). The complete Web services security protocol stack and technology roadmap is described in Security in a Web Services World: A Proposed Architecture and Roadmap.
The Web Services Security: SOAP Message Security 1.0 specification outlines a standard set of SOAP extensions that you can use to build secure Web services. These extensions provide integrity and confidentiality, which are generally implemented with digital signature and encryption technologies. In addition, Web services security provides a general-purpose mechanism for associating security tokens with messages. A typical example of a security token is a username token, in which a user name and password are included as text. Web services security also defines how to encode binary security tokens such as X.509 certificates and Kerberos tickets. However, the individual security tokens are not defined in the Web services security V1.0 specification itself. Instead, the tokens are defined in separate profiles such as the Username token profile, the X.509 token profile, the SAML profile, the Kerberos profile, the XrML profile and so on.
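The username token described above, as an added example that is not part of this page or of the WebSphere implementation: the generator side emits a wsse:UsernameToken in the digested form the Username token profile defines (Password_Digest = Base64(SHA-1(nonce + created + password))), and the consumer side recomputes the digest, enforces a freshness window on wsu:Created, and keeps a nonce cache so that a captured token cannot be replayed. The credential store, the fixed clock values and the "alice" account are constructed for the example; the nonce cache is a single in-memory dictionary, which is what makes distributed nonce caching necessary once more than one server consumes tokens.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)
CREATED_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ")  # whole or fractional seconds


def _digest(nonce, created, password):
    # Username Token Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password))
    return hashlib.sha1(nonce + created.encode() + password.encode()).digest()


def generate_token(username, password, now=None, nonce=None):
    """Token generator side: a wsse:UsernameToken with a digested password, a fresh nonce and Created."""
    nonce = nonce or os.urandom(16)
    created = (now or datetime.now(timezone.utc)).strftime(CREATED_FORMATS[0])
    token = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE}}}Password", Type=PASSWORD_DIGEST)
    pw.text = base64.b64encode(_digest(nonce, created, password)).decode()
    ET.SubElement(token, f"{{{WSSE}}}Nonce", EncodingType=BASE64_BINARY).text = base64.b64encode(nonce).decode()
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    return ET.tostring(token, encoding="unicode")


class UsernameTokenConsumer:
    """Token consumer side. `credentials` is a constructed user -> password lookup that
    stands in for the registry a JAAS login module would consult."""

    def __init__(self, credentials, max_age=timedelta(minutes=5), clock_skew=timedelta(minutes=1)):
        self.credentials = credentials
        self.max_age, self.clock_skew = max_age, clock_skew
        self.seen_nonces = {}  # nonce -> expiry; local to this process (see usage note)

    def consume(self, token_xml, now=None):
        """Return (accepted, username_or_reason)."""
        now = now or datetime.now(timezone.utc)
        tok = ET.fromstring(token_xml)
        username = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_el = tok.find(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if pw is None or pw.get("Type") != PASSWORD_DIGEST or nonce_el is None or not created:
            return False, "PasswordDigest, Nonce and Created are all required"
        created_at = self._parse_created(created)
        if created_at is None:
            return False, "unparseable Created"
        if created_at > now + self.clock_skew:
            return False, "Created is in the future"
        if created_at < now - self.max_age:
            return False, "token too old"
        nonce = base64.b64decode(nonce_el.text or "")
        password = self.credentials.get(username, "")
        ok = hmac.compare_digest(_digest(nonce, created, password), base64.b64decode(pw.text or ""))
        if not password or not ok:
            return False, "authentication failed"  # one message for unknown user and bad digest
        # Only tokens that authenticated reach the cache; a replayed valid token stops here.
        self._expire(now)
        if nonce in self.seen_nonces:
            return False, "replay: nonce already used"
        # Keep the nonce at least as long as a token carrying it could still be fresh.
        self.seen_nonces[nonce] = now + self.max_age + self.clock_skew
        return True, username

    def _expire(self, now):
        for n in [n for n, exp in self.seen_nonces.items() if exp < now]:
            del self.seen_nonces[n]

    @staticmethod
    def _parse_created(created):
        for fmt in CREATED_FORMATS:
            try:
                return datetime.strptime(created, fmt).replace(tzinfo=timezone.utc)
            except ValueError:
                continue
        return None


def demo():
    pw = "correct horse battery staple"  # constructed credential
    consumer = UsernameTokenConsumer({"alice": pw})
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    token = generate_token("alice", pw, now=t0)
    return {
        "first_use": consumer.consume(token, now=t0 + timedelta(seconds=5)),
        "replay": consumer.consume(token, now=t0 + timedelta(seconds=30)),
        "stale": consumer.consume(generate_token("alice", pw, now=t0), now=t0 + timedelta(minutes=10)),
        "wrong_password": consumer.consume(generate_token("alice", "guess", now=t0), now=t0),
        "not_digested": consumer.consume(token.replace(PASSWORD_DIGEST, "urn:x:PasswordText"), now=t0),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The digest is checked before the nonce is recorded so that unauthenticated junk cannot fill the cache, and the freshness window bounds how long the cache must retain a nonce. Because the cache lives in one process, a token replayed against a second cluster member would be accepted there; that is the gap distributed nonce caching closes.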
Web service security is supported in the managed Web service container. To establish a managed environment and to enforce constraints for Web services security, perform a JNDI lookup on the client to resolve the service reference. For more information on the recommended client programming model, see "Service lookup" in the JSR 109 specification.
WAS v6.x and V5.x compatibility
In WAS v6.x, you can run a v5.x Web services-secured application on a v6 application server. However, the client and the server of a Web services-secured application must run the same version of the application server: the application does not work properly when the client uses WAS v6.x and the server uses v5.x, nor when the client uses WAS v5.x and the server uses v6. This is because the SOAP message format differs between a v5.x application and a v6.0.x application.
Configurations
To secure Web services with WAS, you specify several different configurations. Although there is no fixed sequence in which to specify them, some configurations reference other configurations. The following table shows the relationship between the configurations. The requirements for the bindings depend upon the deployment descriptor, and some binding information depends upon other information in the binding or in the server-level and cell-level configuration. For instance, the signing information references the key information.
Configuration level / Configuration name: Configurations it references

Application-level request generator
- Token generator: collection certificate store, nonce, timestamp, callback handler
- Key information: key locator, key name, token
- Signing information
- Encryption information

Application-level request consumer
- Token consumer: trust anchor, collection certificate store, trusted ID evaluators, Java Authentication and Authorization Service (JAAS) configuration
- Key information: key locator, token
- Signing information
- Encryption information

Application-level response generator
- Token generator
- Key information: key locator, token
- Signing information
- Encryption information

Application-level response consumer
- Token consumer
- Key information: key locator, key name, token
- Signing information
- Encryption information

Server-level default generator bindings
- Token generator
- Key information: key locator, token
- Signing information
- Encryption information

Server-level default consumer bindings
- Token consumer
- Key information: key locator, token
- Signing information
- Encryption information

Cell-level default generator bindings
- Token generator
- Key information: key locator, token
- Signing information
- Encryption information

Cell-level default consumer bindings
- Token consumer
- Key information: key locator, token
- Signing information
- Encryption information
If multiple applications will use the same binding information, consider configuring the binding information on the server or cell level. For example, you might have a global key locator configuration that is used by multiple applications.
Because of the relationships between the different Web services security configurations, it is recommended that you specify the configurations in the following order:
Steps for this task (dependent on configuration)
- Assemble your Web services security-enabled application using an assembly tool. Before modifying a Web services security-enabled application in the WAS administrative console, assemble the application using an assembly tool. Although you can modify some of the application settings using the administrative console, you configure the generator and consumer security constraints using an assembly tool such as the Application Server Toolkit or Rational Application Developer. For information on the assembly tools, see Assembly tools. For information on how to add Web services security to an application using an assembly tool, see Configuring an application for Web services security with an assembly tool. Return to this article after you have assembled your application and imported it into the administrative console.
- Optional: Modify the application-level configurations in the administrative console.
  - Configure the trust anchors for the generator binding. For more information, see Configuring trust anchors for the generator binding on the application level.
  - Configure the collection certificate store for the generator binding. For more information, see Configuring the collection certificate store for the generator binding on the application level.
  - Configure the token for the generator binding. For more information, see Configuring the token generator on the application level.
  - Configure the key locators for the generator binding. For more information, see Configuring the key locator for the generator binding on the application level.
  - Configure the key information for the generator binding. For more information, see Configuring the key information for the generator binding on the application level.
  - Configure the signing information for the generator binding. For more information, see Configuring the signing information for the generator binding on the application level.
  - Configure the encryption information for the generator binding. For more information, see Configuring the encryption information for the generator binding on the application level.
  - Configure the trust anchors for the consumer binding. For more information, see Configuring trust anchors for the consumer binding on the application level.
  - Configure the collection certificate store for the consumer binding. For more information, see Configuring the collection certificate store for the consumer binding on the application level.
  - Configure the token for the consumer binding. For more information, see Configuring token consumer on the application level.
  - Configure the key locators for the consumer binding. For more information, see Configuring the key locator for the consumer binding on the application level.
  - Configure the key information for the consumer binding. For more information, see Configuring the key information for the consumer binding on the application level.
  - Configure the signing information for the consumer binding. For more information, see Configuring the signing information for the consumer binding on the application level.
  - Configure the encryption information for the consumer binding. For more information, see Configuring the encryption information for the consumer binding on the application level.
- Specify the server-level configurations.
  - Configure the trust anchors for the server level. For more information, see Configuring trust anchors on the server or cell level.
  - Configure the collection certificate store for the server level. For more information, see Configuring the collection certificate store for the server or cell-level bindings.
  - Configure a token generator. For more information, see Configuring token generators on the server or cell level.
  - Configure a nonce for the server level. For more information, see Configuring a nonce on the server or cell level.
  - Configure the key locators for the generator binding. For more information, see Configuring the key locator on the server or cell level.
  - Configure the key information for the generator binding. For more information, see Configuring the key information for the generator binding on the server or cell level.
  - Configure the signing information for the generator binding. For more information, see Configuring the signing information for the generator binding on the server or cell level.
  - Configure the encryption information for the generator binding. For more information, see Configuring the encryption information for the generator binding on the server or cell level.
  - Configure the trusted ID evaluators for the server level. For more information, see Configuring trusted ID evaluators on the server or cell level.
  - Configure a token consumer. For more information, see Configuring token consumers on the server or cell level.
  - Configure the key information for the consumer binding. For more information, see Configuring the key information for the consumer binding on the server or cell level.
  - Configure the signing information for the consumer binding. For more information, see Configuring the signing information for the consumer binding on the server or cell level.
  - Configure the encryption information for the consumer binding. For more information, see Configuring the encryption information for the consumer binding on the server or cell level.
- Specify the cell-level configuration.
  - Configure the trust anchors for the cell level. For more information, see Configuring trust anchors on the server or cell level.
  - Configure the collection certificate store for the cell level. For more information, see Configuring the collection certificate store for the server or cell-level bindings.
  - Configure a token generator. For more information, see Configuring token generators on the server or cell level.
  - Configure a nonce for the cell level. For more information, see Configuring a nonce on the server or cell level.
  - Configure the key locators for the generator binding. For more information, see Configuring the key locator on the server or cell level.
  - Configure the key information for the generator binding. For more information, see Configuring the key information for the generator binding on the server or cell level.
  - Configure the signing information for the generator binding. For more information, see Configuring the signing information for the generator binding on the server or cell level.
  - Configure the encryption information for the generator binding. For more information, see Configuring the encryption information for the generator binding on the server or cell level.
  - Configure the trusted ID evaluators for the cell level. For more information, see Configuring trusted ID evaluators on the server or cell level.
  - Configure a token consumer. For more information, see Configuring token consumers on the server or cell level.
  - Configure the key information for the consumer binding. For more information, see Configuring the key information for the consumer binding on the server or cell level.
  - Configure the signing information for the consumer binding. For more information, see Configuring the signing information for the consumer binding on the server or cell level.
  - Configure the encryption information for the consumer binding. For more information, see Configuring the encryption information for the consumer binding on the server or cell level.
Result
After completing these steps on the appropriate level of WebSphere Application Server, you have secured Web services. Note: Application-level configuration takes precedence over similar configuration on the server level and the cell level.
See also
What is new for securing Web services
Web services security enhancements
High-level architecture for Web services security
Configuration overview
Security model mixture
Security considerations for Web services
Migrating V5.x applications with Web services security to Version 6 applications
Default implementations of the Web services security service provider programming interfaces
Default configuration
Nonce, a randomly generated token
Configuring an application for Web services security with an assembly tool
Configuring trust anchors for the generator binding on the application level
Configuring the collection certificate store for the generator binding on the application level
Username token element
Configuring the token generator on the application level
Configuring the key locator for the generator binding on the application level
Configuring the key information for the generator binding on the application level
Configuring the signing information for the generator binding on the application level
Configuring the encryption information for the generator binding on the application level
Configuring trust anchors for the consumer binding on the application level
Configuring the collection certificate store for the consumer binding on the application level
Binary security token
Configuring token consumer on the application level
Configuring the key locator for the consumer binding on the application level
Configuring the key information for the consumer binding on the application level
Configuring the signing information for the consumer binding on the application level
Configuring the encryption information for the consumer binding on the application level
Retrieving tokens from the JAAS Subject in a server application
Retrieving tokens from the JAAS Subject in a client application
Configuring trust anchors on the server or cell level
Configuring the collection certificate store for the server or cell-level bindings
Distributed nonce caching
Configuring a nonce on the server or cell level
Configuring token generators on the server or cell level
Configuring the key locator on the server or cell level
Configuring the key information for the generator binding on the server or cell level
Configuring the signing information for the generator binding on the server or cell level
Configuring the encryption information for the generator binding on the server or cell level
Configuring trusted ID evaluators on the server or cell level
Configuring token consumers on the server or cell level
Configuring the key information for the consumer binding on the server or cell level
Configuring the signing information for the consumer binding on the server or cell level
Configuring the encryption information for the consumer binding on the server or cell level
Tuning Web services security for v6.0.x applications
Assembly tools
Related tasks
Import enterprise applications