Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Secure web services > Secure web services


 Securing JAX-RPC web services using message-level security

Standards and profiles address how to provide protection for messages that are exchanged in a web service environment.

Best practice: IBM WAS supports the JAX-WS programming model and JAX-RPC. JAX-WS is the next generation web services programming model extending the foundation provided by JAX-RPC. Using the strategic JAX-WS programming model, development of web services and clients is simplified through support of a standards-based annotations model. Although JAX-RPC and applications are still supported, take advantage of the easy-to-implement JAX-WS programming model to develop new web services applications and clients. bprac JAX-WS

To secure web services with WAS, specify several different configurations. Although there is not a specific sequence in which specify these different configurations, some configurations reference other configurations. See Web Services Security configuration considerations.

Web service security is supported in the managed web service container. To establish a managed environment and to enforce constraints for Web Services Security, perform a JNDI lookup on the client to resolve the service reference.

Because of the relationship between the different Web Services Security configurations, IBM recommends that you specify the configurations on each level of the configuration in the following order. We can choose to configure Web Services Security for the application level, the server level or the cell level as it depends upon the environment and security needs.


Procedure

  1. Learn about Web Services Security.

  2. Decide which programming model, JAX-WS or JAX-RPC, works best for securing your web services applications.

  3. Configure Web Services Security.

  4. Specify the application-level configuration.

  5. Specify the server-level configuration.

  6. Specify the cell-level configuration.

  7. Specify the platform-level configuration.

  8. Develop and assemble a JAX-RPC application, or migrate an existing application.

  9. Deploy the JAX-RPC application.


Results

After completing these steps for WAS, we have secured web services.



Subtopics

Migrate JAX-RPC Web Services Security applications to applications

Secure messages using JAX-RPC at the request and response generators

Secure messages using JAX-RPC at the request and response consumers

Configure Web Services Security using JAX-RPC at the platform level

Develop web services clients that retrieve tokens from the JAAS Subject in an application

Develop web services applications that retrieve tokens from the JAAS Subject in a server application

Related concepts

Assembly tools

Related tasks

Troubleshoot web services
Tune Web Services Security for applications
Secure web services applications at the transport level
Authenticate web services clients using HTTP basic authentication
Configure trust anchors for the generator binding on the application level
Configure the collection certificate store for the generator binding on the application level
Configure token generators using JAX-RPC to protect message authenticity at the application level
Configure the key locator using JAX-RPC for the generator binding on the application level
Configure the key information using JAX-RPC for the generator binding on the application level
Configure the signing information using JAX-RPC for the generator binding on the application level
Configure encryption using JAX-RPC to protect message confidentiality at the application level
Configure trust anchors for the consumer binding on the application level
Configure the collection certificate store for the consumer binding on the application level
Configure token consumers using JAX-RPC to protect message authenticity at the application level
Configure the key locator using JAX-RPC for the consumer binding on the application level
Configure the key information for the consumer binding on the application level
Configure the signing information using JAX-RPC for the consumer binding on the application level
Configure encryption to protect message confidentiality at the application level
Configure trust anchors on the server or cell level
Configure the collection certificate on the server or cell level
Configure a nonce on the server or cell level
Configure token generators using JAX-RPC to protect message authenticity at the server or cell level
Configure the key locator using JAX-RPC on the server or cell level
Configure the key information for the generator binding using JAX-RPC on the server or cell level
Configure the signing information using JAX-RPC for the generator binding on the server or cell level
Configure encryption using JAX-RPC to protect message confidentiality at the server or cell level
Configure trusted ID evaluators on the server or cell level
Configure token consumers using JAX-RPC to protect message authenticity at the server or cell level
Configure the key information for the consumer binding using JAX-RPC on the server or cell level
Configure the signing information using JAX-RPC for the consumer binding on the server or cell level
Configure encryption to protect message confidentiality at the server or cell level

Related reference

Security considerations for web services
rrdSecurity.props file









+

Search Tips   |   Advanced Search