

Web Services Secure Conversation standard

WS-SecureConversation is a proposed Organization for the Advancement of Structured Information Standards (OASIS) standard that defines mechanisms for establishing and sharing security contexts, and deriving keys from security contexts, to enable a secure conversation.

The base Web Services Security (WS-Security) standard from OASIS defines how to digitally sign and encrypt the SOAP message to provide message-level protection. The standard also defines how to attach and reference a security token for digital signature and encryption. However, it does not provide session-based protection when a long series of related messages is exchanged. The WS-Security specification focuses on the message authentication model. This approach, while useful in many situations, can be subject to several forms of attack.

The WS-SecureConversation specification introduces the concept of a security context and its usage. The security context token is a new WS-Security token type that represents the abstract security context. The token is identified by a URI and consists of negotiated keys as well as other security-related properties. The context authentication model authenticates a series of messages and, therefore, addresses these concerns. The context authentication model increases the overall performance and security of the subsequent exchanges, but it requires additional communications when authentication happens prior to normal application exchanges.

Version 1.0 of the OASIS WS-SecureConversation specification defines extensions that build on the Web Services Security (WS-Security) and WS-Trust standards to provide secure communication across one or more messages.

IBM, Microsoft, and other vendors have been working on the WS-SecureConversation specification since 2004. A draft of this document was jointly published in February 2005. The WS-SecureConversation draft was submitted to the OASIS Web Service Secure Exchange Technical Committee (WS-SX TC), which was formed in December 2005, along with the WS-Trust and Web Services Security Policy (WS-SecurityPolicy) drafts in order to begin the standardization process.

A revised v1.1 draft version of the WS-SecureConversation specification standard was submitted to OASIS in February 2005 and further defines the extensions in v1.0. This specification defines extensions to allow security context establishment and sharing, and session key derivation. These extensions allow contexts to be established and potentially more efficient keys or new key material to be exchanged.

The most recent version of the specification standard is version 1.3, which was approved by the WS-SX TC on March 1, 2007. Key requirements in this level of the specification include derived keys and per-message keys, and extensible security contexts. WAS adds support for version 1.3 of WS-SecureConversation, providing improved error handling using the standard fault codes as defined in the specification.

The WS-SecureConversation standard is a building block used in conjunction with the other web service and application-specific protocols such as Web Services Security and Web Services Trust to accommodate a wide variety of security models and technologies. WS-SecureConversation is built on top of the WS-Security and WS-Trust models to provide secure communication between services. The WS-SecureConversation draft specification describes how to establish a security context token between two parties, and the WS-Trust specification describes how to issue and exchange security tokens.

This WS-SecureConversation draft specification includes extensions to Web Services Security and:

WAS supports the client establishing a secured conversation with the target service endpoint.

WAS supports the OASIS v1.1 submission draft, which became available in February 2005. WAS does not support all of the functions in the submission draft. WAS support of WS-SecureConversation focuses on:

Secure conversation provided with WAS does not provide support for a security context token that is acquired from a third-party trust server, and does not provide support for a security context token that is created by the client.

For information about WS-SecureConversation:


Related


Configure the token generator and token consumer to use a specific level of WS-SecureConversation
Web Services Secure Conversation
Trust service
Scoping of Web Services Secure Conversation
Enable secure conversation
Web Services Secure Conversation Language
