Supported functionality from OASIS specifications

[Version 6 only]

Supported functionality from OASIS specifications

WebSphere Application Server Version 6 supports the following Web services security specifications and profiles.

OASIS: Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)
OASIS: Web Services Security: UsernameToken Profile 1.0
OASIS: Web Services Security X.509 Certificate Token Profile 1.0

OASIS: Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)

The following list shows the aspects of the OASIS: Web Services Security: SOAP Message Security 1.0 (WS-Security 2004) specification that is supported in WebSphere Application Server Version 6.

Supported topic Specific aspect that is supported

Security header

@S11 :actor (for an intermediary)
@S11:mustUnderstand

Security tokens

Username token (user name and password)
Binary security token (X.509 and Lightweight Third Party Authentication (LTPA))
Custom token

Other binary security token
XML token
Note: WebSphere Application Server does not provide an implementation, but you can use an XML token with plug-in point.

Token references

Direct reference
Key identifier
Key name
Embedded reference

Signature algorithms

Digest

SHA1

http://www.w3.org/2000/09/xmldsig#sha1

MAC

HMAC-SHA1

http://www.w3.org/2000/09/xmldsig#hmac-sha1

Signature

DSA with SHA1

http://www.w3.org/2000/09/xmldsig#dsa-sha1

RSA with SHA1

http://www.w3.org/2000/09/xmldsig#rsa-sha1

Canonicalization

Canonical XML (with comments)

http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

Canonical XML (without comments)

http://www.w3.org/TR/2001/REC-xml-c14n-20010315

Exclusive XML canonicalization (with comments)

http://www.w3.org/2001/10/xml-exc-c14n#WithComments

Exclusive XML canonicalization (without comments)

http://www.w3.org/2001/10/xml-exc-c14n#

Transform

STR transform

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage- security-1.0#STR-Transform

XPath

http://www.w3.org/TR/1999/REC-xpath-19991116

Enveloped signature

http://www.w3.org/2000/09/xmldsig#enveloped-signature

XPath Filter2

http://www.w3.org/2002/06/xmldsig-filter2

Decryption transform

http://www.w3.org/2002/07/decrypt#XML

Signature signed parts

WebSphere Application Server key words:

body, which signs the Simple Object Access Protocol (SOAP) message body
timestamp, which signs all of the time stamps
securitytoken, which signs all of the security tokens
dsigkey, which signs the signing key
enckey, which signs the encryption key
messageid, which signs the wsa :MessageID element in WS-Addressing.
to, which signs the wsa:To element in WS-Addressing
action, which signs the wsa:Action element in WS-Addressing
relatesto, which signs the wsa:RelatesTo element in WS-Addressing
wsa is the namespace prefix of http://schemas.xmlsoap.org/ws/2004/08/addressing

XPath expression to select an XML element in a Simple Object Access protocol (SOAP) message. For more information, see http://www.w3.org/TR/1999/REC-xpath-19991116.

Encryption algorithms

Block encryption

Triple DES in CBC: http://www.w3.org/2001/04/xmlenc#tripledes-cbc
AES128 in CBC: http://www.w3.org/2001/04/xmlenc#aes128-cbc
AES192 in CBC: http://www.w3.org/2001/04/xmlenc#aes192-cbc
This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings.
AES256 in CBC: http://www.w3.org/2001/04/xmlenc#aes256-cbc
This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings.

Key transport

RSA Version 1.5: http://www.w3.org/2001/04/xmlenc#rsa-1_5

Symmetric key wrap

Triple DES key wrap: http://www.w3.org/2001/04/xmlenc#kw-tripledes
AES key wrap (aes128): http://www.w3.org/2001/04/xmlenc#kw-aes128
AES key wrap (aes192): http://www.w3.org/2001/04/xmlenc#kw-aes192
This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings.
AES key wrap (aes256): http://www.w3.org/2001/04/xmlenc#kw-aes256
This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings.

Manifests-xenc is the namespace prefix of http://www.w3.org/TR/xmlenc-core

xenc:ReferenceList
xenc:EncryptedKey

Advanced Encryption Standard (AES) is designed to provide stronger and better performance for symmetric key encryption over Triple-DES. Therefore, it is recommended that you use AES, if possible, for symmetric key encryption.
Encryption message parts

WebSphere Application Server keywords

bodycontent, which is used to encrypt the SOAP body content
usernametoken, which is used to encrypt the username token
digestvalue, which is used to encrypt the digest value of the digital signature

XPath expression to select the XML element in the SOAP message

XML elements
XML element contents

Time stamp

Within Web services security header
WebSphere Application Server is extended to allow you to insert time stamps into other elements so that the age of those elements can be determined.

Error handling SOAP faults

Supported topic	Specific aspect that is supported
Security header	@S11 :actor (for an intermediary) @S11:mustUnderstand
Security tokens	Username token (user name and password) Binary security token (X.509 and Lightweight Third Party Authentication (LTPA)) Custom token Other binary security token XML token Note: WebSphere Application Server does not provide an implementation, but you can use an XML token with plug-in point.
Token references	Direct reference Key identifier Key name Embedded reference
Signature algorithms	Digest SHA1 http://www.w3.org/2000/09/xmldsig#sha1 MAC HMAC-SHA1 http://www.w3.org/2000/09/xmldsig#hmac-sha1 Signature DSA with SHA1 http://www.w3.org/2000/09/xmldsig#dsa-sha1 RSA with SHA1 http://www.w3.org/2000/09/xmldsig#rsa-sha1 Canonicalization Canonical XML (with comments) http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments Canonical XML (without comments) http://www.w3.org/TR/2001/REC-xml-c14n-20010315 Exclusive XML canonicalization (with comments) http://www.w3.org/2001/10/xml-exc-c14n#WithComments Exclusive XML canonicalization (without comments) http://www.w3.org/2001/10/xml-exc-c14n# Transform STR transform http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage- security-1.0#STR-Transform XPath http://www.w3.org/TR/1999/REC-xpath-19991116 Enveloped signature http://www.w3.org/2000/09/xmldsig#enveloped-signature XPath Filter2 http://www.w3.org/2002/06/xmldsig-filter2 Decryption transform http://www.w3.org/2002/07/decrypt#XML
Signature signed parts	WebSphere Application Server key words: body, which signs the Simple Object Access Protocol (SOAP) message body timestamp, which signs all of the time stamps securitytoken, which signs all of the security tokens dsigkey, which signs the signing key enckey, which signs the encryption key messageid, which signs the wsa :MessageID element in WS-Addressing. to, which signs the wsa:To element in WS-Addressing action, which signs the wsa:Action element in WS-Addressing relatesto, which signs the wsa:RelatesTo element in WS-Addressing wsa is the namespace prefix of http://schemas.xmlsoap.org/ws/2004/08/addressing XPath expression to select an XML element in a Simple Object Access protocol (SOAP) message. For more information, see http://www.w3.org/TR/1999/REC-xpath-19991116.
Encryption algorithms	Block encryption Triple DES in CBC: http://www.w3.org/2001/04/xmlenc#tripledes-cbc AES128 in CBC: http://www.w3.org/2001/04/xmlenc#aes128-cbc AES192 in CBC: http://www.w3.org/2001/04/xmlenc#aes192-cbc This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings. AES256 in CBC: http://www.w3.org/2001/04/xmlenc#aes256-cbc This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings. Key transport RSA Version 1.5: http://www.w3.org/2001/04/xmlenc#rsa-1_5 Symmetric key wrap Triple DES key wrap: http://www.w3.org/2001/04/xmlenc#kw-tripledes AES key wrap (aes128): http://www.w3.org/2001/04/xmlenc#kw-aes128 AES key wrap (aes192): http://www.w3.org/2001/04/xmlenc#kw-aes192 This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings. AES key wrap (aes256): http://www.w3.org/2001/04/xmlenc#kw-aes256 This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings. Manifests-xenc is the namespace prefix of http://www.w3.org/TR/xmlenc-core xenc:ReferenceList xenc:EncryptedKey Advanced Encryption Standard (AES) is designed to provide stronger and better performance for symmetric key encryption over Triple-DES. Therefore, it is recommended that you use AES, if possible, for symmetric key encryption.
Encryption message parts	WebSphere Application Server keywords bodycontent, which is used to encrypt the SOAP body content usernametoken, which is used to encrypt the username token digestvalue, which is used to encrypt the digest value of the digital signature XPath expression to select the XML element in the SOAP message XML elements XML element contents
Time stamp	Within Web services security header WebSphere Application Server is extended to allow you to insert time stamps into other elements so that the age of those elements can be determined.
Error handling	SOAP faults

OASIS: Web Services Security: UsernameToken Profile 1.0

The following list shows the aspects of the OASIS: Web Services Security: UsernameToken Profile 1.0 specification that is supported in WebSphere Application Server Version 6.

Supported topic Specific aspect that is supported

Password types Text
Token references Direct reference

Supported topic	Specific aspect that is supported
Password types	Text
Token references	Direct reference

OASIS: Web Services Security X.509 Certificate Token Profile

The following list shows the aspects of the OASIS: Web Services Security X.509 Certificate Token Profile specification that is supported in WebSphere Application Server Version 6.

Supported topic Specific aspect that is supported

Token types

X.509 Version 3: Single certificate
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509- token-profile-1.0#X509v3
X.509 Version 3: X509PKIPathv1 without certificate revocation lists (CRL)
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509- token-profile-1.0#X509PKIPathv1
X.509 Version 3: PKCS7 with or without CRLs. The IBM software development kit (SDK) supports both. The Sun Java Development Kit (JDK) supports PKCS7 without CRL only.

Token references

Key identifier - subject key identifier
Direct reference
Custom reference - issuer name and serial number

Supported topic	Specific aspect that is supported
Token types	X.509 Version 3: Single certificate http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509- token-profile-1.0#X509v3 X.509 Version 3: X509PKIPathv1 without certificate revocation lists (CRL) http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509- token-profile-1.0#X509PKIPathv1 X.509 Version 3: PKCS7 with or without CRLs. The IBM software development kit (SDK) supports both. The Sun Java Development Kit (JDK) supports PKCS7 without CRL only.
Token references	Key identifier - subject key identifier Direct reference Custom reference - issuer name and serial number

Functionality that is not supported

The following list shows the functionality that is supported in the OASIS specifications, OASIS drafts, and other recommendations, but is not supported by WebSphere Application Server Version 6:

Non-managed client with Web services security. For example, a Java 2 Platform, Standard Edition (J2SE) client or a Dynamic Invocation Interface (DII) client
The Web services security binding is not collected during the application installation process. It can be configured after the application is deployed.
Web services security for SOAP attachment
SAML token profile, WS-SecurityKerberos token profile, and XrML token profile
Web Services Interoperability Organization (WS-I) basic security profile
XML enveloping digital signature
XML enveloping digital encryption
Security header
- @S12:role
  S12 is the namespace prefix of http://www.w3.org/2003/05/soap-envelope
The following transport algorithms for digital signatures are not supported:
- XSLT: http://www.w3.org/TR/1999/REC-xslt-19991116
- SOAP Message Normalization
  For more information, see SOAP Version 1.2 Message Normalization.
The following key transport algorithm for encryption is not supported:
- RSA-OAEP: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.
The following key agreement algorithm for encryption is not supported:
- Diffie-Hellman: http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#sec-DHKeyValue
The following canonicalization algorithm for encryption, which is optional in the XML encryption specification, is not supported:
- Canonical XML with or without comments
- Exclusive XML canonicalization with or without comments
In the Username Token Version 1.0 Profile specification, the digest password type is not supported.

Related reference
Encryption information configuration settings

Searchable topic ID: cwbs_supportfunction