[Version 6 only]WebSphere Application Server Network Deployment, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Supported functionality from OASIS specifications

WebSphere Application Server Version 6.0.x supports the following Web services security specifications and profiles.

OASIS: Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)

The following list shows the aspects of the OASIS: Web Services Security: SOAP Message Security 1.0 (WS-Security 2004) specification that is supported in WebSphere Application Server Version 6.0.x.

Supported topic Specific aspect that is supported
Security header
  • @S11 :actor (for an intermediary)
  • @S11:mustUnderstand
Security tokens
  • Username token (user name and password)
  • Binary security token (X.509 and Lightweight Third Party Authentication (LTPA))
  • Custom token
    • Other binary security token
    • XML token
      Note: WebSphere Application Server does not provide an implementation, but you can use an XML token with plug-in point.
Token references
  • Direct reference
  • Key identifier
  • Key name
  • Embedded reference
Signature algorithms
  • Digest
    SHA1
    http://www.w3.org/2000/09/xmldsig#sha1
  • MAC
    HMAC-SHA1
    http://www.w3.org/2000/09/xmldsig#hmac-sha1
  • Signature
    DSA with SHA1
    http://www.w3.org/2000/09/xmldsig#dsa-sha1
    RSA with SHA1
    http://www.w3.org/2000/09/xmldsig#rsa-sha1
  • Canonicalization
    Canonical XML (with comments)
    http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
    Canonical XML (without comments)
    http://www.w3.org/TR/2001/REC-xml-c14n-20010315
    Exclusive XML canonicalization (with comments)
    http://www.w3.org/2001/10/xml-exc-c14n#WithComments
    Exclusive XML canonicalization (without comments)
    http://www.w3.org/2001/10/xml-exc-c14n#
  • Transform
    STR transform
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage- security-1.0#STR-Transform
    XPath
    http://www.w3.org/TR/1999/REC-xpath-19991116
    Enveloped signature
    http://www.w3.org/2000/09/xmldsig#enveloped-signature
    XPath Filter2
    http://www.w3.org/2002/06/xmldsig-filter2
    Decryption transform
    http://www.w3.org/2002/07/decrypt#XML
Signature signed parts
  • WebSphere Application Server key words:
    • body, which signs the Simple Object Access Protocol (SOAP) message body
    • timestamp, which signs all of the time stamps
    • securitytoken, which signs all of the security tokens
    • dsigkey, which signs the signing key
    • enckey, which signs the encryption key
    • messageid, which signs the wsa :MessageID element in WS-Addressing.
    • to, which signs the wsa:To element in WS-Addressing
    • action, which signs the wsa:Action element in WS-Addressing
    • relatesto, which signs the wsa:RelatesTo element in WS-Addressing

      wsa is the namespace prefix of http://schemas.xmlsoap.org/ws/2004/08/addressing

  • XPath expression to select an XML element in a Simple Object Access protocol (SOAP) message. For more information, see http://www.w3.org/TR/1999/REC-xpath-19991116.
Encryption algorithms
  • Block encryption
    • Triple DES in CBC: http://www.w3.org/2001/04/xmlenc#tripledes-cbc
    • AES128 in CBC: http://www.w3.org/2001/04/xmlenc#aes128-cbc
    • AES192 in CBC: http://www.w3.org/2001/04/xmlenc#aes192-cbc

      This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings.

    • AES256 in CBC: http://www.w3.org/2001/04/xmlenc#aes256-cbc

      This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings.

  • Key transport
    • RSA Version 1.5: http://www.w3.org/2001/04/xmlenc#rsa-1_5
  • Symmetric key wrap
    • Triple DES key wrap: http://www.w3.org/2001/04/xmlenc#kw-tripledes
    • AES key wrap (aes128): http://www.w3.org/2001/04/xmlenc#kw-aes128
    • AES key wrap (aes192): http://www.w3.org/2001/04/xmlenc#kw-aes192

      This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings.

    • AES key wrap (aes256): http://www.w3.org/2001/04/xmlenc#kw-aes256

      This algorithm requires the unrestricted JCE policy file. For more information, see the Key encryption algorithm description in the Encryption information configuration settings.

  • Manifests-xenc is the namespace prefix of http://www.w3.org/TR/xmlenc-core
    • xenc:ReferenceList
    • xenc:EncryptedKey

Advanced Encryption Standard (AES) is designed to provide stronger and better performance for symmetric key encryption over Triple-DES. Therefore, it is recommended that you use AES, if possible, for symmetric key encryption.

Encryption message parts
  • WebSphere Application Server keywords
    • bodycontent, which is used to encrypt the SOAP body content
    • usernametoken, which is used to encrypt the username token
    • digestvalue, which is used to encrypt the digest value of the digital signature
  • XPath expression to select the XML element in the SOAP message
    • XML elements
    • XML element contents
Time stamp
  • Within Web services security header
  • WebSphere Application Server is extended to allow you to insert time stamps into other elements so that the age of those elements can be determined.
Error handling SOAP faults

OASIS: Web Services Security: UsernameToken Profile 1.0

The following list shows the aspects of the OASIS: Web Services Security: UsernameToken Profile 1.0 specification that is supported in WebSphere Application Server Version 6.0.x.

Supported topic Specific aspect that is supported
Password types Text
Token references Direct reference

OASIS: Web Services Security X.509 Certificate Token Profile

The following list shows the aspects of the OASIS: Web Services Security X.509 Certificate Token Profile specification that is supported in WebSphere Application Server Version 6.0.x.

Supported topic Specific aspect that is supported
Token types
  • X.509 Version 3: Single certificate

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509- token-profile-1.0#X509v3

  • X.509 Version 3: X509PKIPathv1 without certificate revocation lists (CRL)

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509- token-profile-1.0#X509PKIPathv1

  • X.509 Version 3: PKCS7 with or without CRLs. The IBM software development kit (SDK) supports both. The Sun Java Development Kit (JDK) supports PKCS7 without CRL only.
Token references
  • Key identifier – subject key identifier
  • Direct reference
  • Custom reference – issuer name and serial number

Functionality that is not supported

The following list shows the functionality that is supported in the OASIS specifications, OASIS drafts, and other recommendations, but is not supported by WebSphere Application Server Version 6.0.x:
  • Non-managed client with Web services security. For example, a Java 2 Platform, Standard Edition (J2SE) client or a Dynamic Invocation Interface (DII) client
  • The Web services security binding is not collected during the application installation process. It can be configured after the application is deployed.
  • Web services security for SOAP attachment
  • SAML token profile, WS-SecurityKerberos token profile, and XrML token profile
  • Web Services Interoperability Organization (WS-I) basic security profile
  • XML enveloping digital signature
  • XML enveloping digital encryption
  • Security header
    • @S12:role

      S12 is the namespace prefix of http://www.w3.org/2003/05/soap-envelope

  • The following transport algorithms for digital signatures are not supported:
  • The following key transport algorithm for encryption is not supported:
  • The following key agreement algorithm for encryption is not supported:
  • The following canonicalization algorithm for encryption, which is optional in the XML encryption specification, is not supported:
    • Canonical XML with or without comments
    • Exclusive XML canonicalization with or without comments
  • In the Username Token Version 1.0 Profile specification, the digest password type is not supported.



Related reference
Encryption information configuration settings

Concept topic    

Terms of Use | Feedback

Last updated: Mar 17, 2005 4:28:29 AM CST
http://publib.boulder.ibm.com/infocenter/ws60help/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/cwbs_supportfunction.html

© Copyright IBM Corporation 2004, 2005. All Rights Reserved.
This information center is powered by Eclipse technology. (http://www.eclipse.org)