You can use the policy sets that ship with this product
to simplify configuring the qualities of service for your web services.
Using these policy sets, you can combine configurations for different
policies.
WebSphere Application Server v7.0.0.7 and later policy sets
Starting in WebSphere® Application Server
v7 Fix Pack 7, you can secure web services using Security Assertion
Markup Language (SAML). Use SAML assertions to represent user identity
and user security attributes, and optionally, to sign and to encrypt
SOAP message elements. WebSphere Application
Server supports SAML assertions using the bearer subject confirmation
method and the holder-of-key subject confirmation method as defined
in the OASIS Web Services Security SAML Token Profile Version 1.1
specification. Policy sets and general bindings that support SAML
are shipped with the product SAML function. The shipped general binding
is a sample; to use SAML assertions you must modify it for your own
token issuer, keys and trust settings.
It is strongly
recommended that you read the WebSphere Application
Server documentation on SAML policy sets before you apply them to
your web service. This documentation describes how SAML is supported
within WebSphere Application
Server, and what limitations exist. The WebSphere Application Server SAML documentation
can be found here: Securing Web services using Security Assertion Markup
Language (SAML).
WebSphere Application Server v7.0 and v8.0 policy sets
The following WebSphere Application Server v7.0 and v8.0
policy sets are included with the product:
- Kerberos V5 HTTPS default. This policy set provides message
authentication with a Kerberos Version 5 token. Message integrity
and confidentiality are provided by Secure Sockets Layer (SSL) transport
security. This policy set follows the OASIS Kerberos Token Profile
V1.1 and WS-Security specifications.
When you use this policy set,
configure the basic authentication data and the com.ibm.wsspi.wssecurity.krbtoken.targetServiceName
and com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost custom properties
in the client bindings; the client uses these two properties to identify
the Kerberos service principal of the target service. For more information, see
the Authentication generator or consumer token settings and Protection
token settings (generator or consumer) topics.
- LTPA WSSecurity default. This policy set provides:
- Message integrity through digital signature (using RSA public-key
cryptography) to sign the body, time stamp, and WS-Addressing headers
using WS-Security specifications.
- Message confidentiality through encryption (using RSA public-key
cryptography) to encrypt the body, signature and signature confirmation
elements using WS-Security specifications.
- A Lightweight Third Party Authentication (LTPA) token included
in the request message to authenticate the client to the service.
- SSL WSTransaction. Use this policy set to coordinate distributed
transactional work atomically, interoperably and securely, by using
the WS-AtomicTransaction specification over SSL transport security.
Use the same policy set to coordinate loosely coupled business processes
securely by using the WS-BusinessActivity specification over SSL transport
security, with the ability to compensate actions if a failure occurs
in the business activity.
- Username SecureConversation. This policy set provides:
- Message integrity through digital signature that includes signing
the body, time stamp, and WS-Addressing headers using WS-SecureConversation
and WS-Security specifications
- Message confidentiality through encryption that includes encrypting
the body, signature and signature confirmation elements, using WS-SecureConversation
and WS-Security specifications
- A username token included in the request message to authenticate
the client to the service. The username token is encrypted in the
request
- Username WSSecurity default. This policy set provides the
following features:
- Message integrity by digital signature (using RSA public-key cryptography)
to sign the body, timestamp, and WS-Addressing headers using WS-Security
specifications
- Message confidentiality by encryption (using RSA public-key cryptography)
to encrypt the body, signature and signature confirmation elements
using WS-Security specifications
- A username token included in the request message to authenticate
the client to the service. The username token is encrypted in the
request
- WS-I RSP. This policy set enables unmanaged non-persistent
WS-ReliableMessaging, which provides the ability to deliver a message
reliably to its intended receiver. This policy set only works in a
single server environment and does not work in a clustered environment.
Message integrity is provided by digitally signing the body, the time
stamp, and the WS-Addressing headers. Message confidentiality is provided
by encrypting the body and the signature. This policy set follows
the WS-SecureConversation and WS-Security specifications.
Web Services
Reliable Messaging policy sets must be attached at the service level
for the Reliable Messaging quality of service to be respected by the
runtime. An attachment at the endpoint level or the operation level
is ignored by the runtime.
- WSAddressing default. The WSAddressing default policy set
provides a transport-neutral way to uniformly address web services
and messages. The WSAddressing default policy set is based on the
WS-Addressing specification. The WS-Addressing standard uses endpoint
references and message addressing properties to facilitate the addressing
of web services in a standard and interoperable way. Use the WSAddressing
default policy set as provided with the application server. To customize
the policy set, you must first copy the policy set, and then configure
custom policy settings and bindings to meet your needs.
- WSHTTPS default. This policy set provides SSL transport
security for the HTTP protocol with web services applications.
- WSReliableMessaging persistent. This policy set enables
both WS-ReliableMessaging and WS-Addressing and uses the maximum quality
of service, managed persistent. This quality of service supports asynchronous
Web service invocations and uses a service integration messaging engine
and message store to manage the sequence state. Messages are processed
within transactions, are persisted at the web service requester server
and at the web service provider server, and are recoverable in the
event of server failure. In-order delivery is set to "false", so messages
are not necessarily delivered in the order in which they were sent.
Because
this policy set specifies managed persistent quality of service, you
have to define bindings to the service integration bus and messaging
engine that you want to use to manage the WS-ReliableMessaging state.
You can attach and bind a WS-ReliableMessaging policy set to a web
service application by using the administrative console or the wsadmin
tool.
Web Services Reliable Messaging policy sets must be
attached at the service level for the Reliable Messaging quality of
service to be respected by the runtime. An attachment at the endpoint
level or the operation level is ignored by the runtime.
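The following wsadmin (Jython) script is an added example and is not code from the WebSphere Application Server documentation. It performs the three configuration actions described above for the v7.0 and v8.0 policy sets: copying the WSAddressing default policy set before customizing it, attaching Kerberos V5 HTTPS default to a client and setting the krbtoken custom properties in its binding, and attaching WSReliableMessaging persistent at the service level with a binding to a service integration bus and messaging engine. The application, module, service, bus and messaging engine names are placeholders, and the attribute key prefix used for the Kerberos custom properties is an assumption that must be confirmed against the output of AdminTask.getBinding on your own cell.

```jython
# Added example (wsadmin Jython), not code from the WebSphere documentation.
# Run with:  wsadmin.sh -lang jython -f policyset_attach.py
# Assumed names: application, module, service QName, SIBus and messaging engine.

APP = 'EchoApp'                                   # assumed application name
NS  = 'http://example.test/echo'                  # assumed service namespace
BUS = 'EchoBus'                                   # assumed service integration bus
ME  = 'node01.server1-EchoBus'                    # assumed messaging engine name

# Service-level resource: module plus service QName, with no port and no
# operation. A WS-ReliableMessaging attachment below this level (port or
# operation) is ignored by the runtime, so never attach it there.
SERVICE_RES = 'WebService:/EchoService.war:{%s}EchoService' % NS
# Client-side resource for the consumer module (assumed module name).
CLIENT_RES  = 'WebService:/EchoClient.war:{%s}EchoService' % NS

# 1. Never edit a shipped policy set in place: copy it, then customize the
#    copy with AdminTask.setPolicyType and attach the copy instead.
AdminTask.copyPolicySet('[-sourcePolicySet "WSAddressing default" '
                        '-newPolicySet "EchoWSAddressing" '
                        '-newDescription "Site copy of WSAddressing default"]')

# 2. Kerberos V5 HTTPS default on the client. createPolicySetAttachment
#    returns the attachment ID that addresses the application-specific binding.
krbId = AdminTask.createPolicySetAttachment(
    '[-applicationName %s -policySet "Kerberos V5 HTTPS default" '
    '-resources "%s" -attachmentType client]' % (APP, CLIENT_RES))

# Print the generated binding so the attribute keys below can be verified.
print AdminTask.getBinding(
    '[-policyType WSSecurity -attachmentType client '
    '-bindingLocation "[ [application %s] [attachmentId %s] ]"]' % (APP, krbId))

# Attribute key prefix for the outbound token generator's custom properties.
# ASSUMED: confirm it against the getBinding output printed above.
KRB_KEY = 'application.securityoutboundbindingconfig.tokengenerator_0.properties_%d.%s'
krbProps = [
    ('com.ibm.wsspi.wssecurity.krbtoken.targetServiceName', 'echo'),              # assumed SPN service
    ('com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost', 'svc.example.test'),  # assumed SPN host
]
attrs = ''
for i in range(len(krbProps)):
    name, value = krbProps[i]
    attrs = attrs + '[%s %s] [%s %s] ' % (KRB_KEY % (i, 'name'), name,
                                          KRB_KEY % (i, 'value'), value)
AdminTask.setBinding(
    '[-policyType WSSecurity -attachmentType client '
    '-bindingLocation "[ [application %s] [attachmentId %s] ]" '
    '-attributes "[ %s]"]' % (APP, krbId, attrs))

# 3. WSReliableMessaging persistent at the service level. The managed
#    persistent quality of service keeps sequence state in a messaging
#    engine, so the binding must name the bus and engine that own it.
rmId = AdminTask.createPolicySetAttachment(
    '[-applicationName %s -policySet "WSReliableMessaging persistent" '
    '-resources "%s" -attachmentType application]' % (APP, SERVICE_RES))
AdminTask.setBinding(
    '[-policyType WSReliableMessaging -attachmentType application '
    '-bindingLocation "[ [application %s] [attachmentId %s] ]" '
    '-attributes "[ [busName %s] [messagingEngineName %s] ]"]' % (APP, rmId, BUS, ME))

# Nothing takes effect until the configuration is saved to the master repository.
AdminConfig.save()
```

The script prints the generated Kerberos binding before modifying it; compare the printed keys with the KRB_KEY prefix and adjust it if your binding lays out the token generator differently. The same attach-then-bind pattern applies to any of the other policy sets listed above.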
WebSphere Application Server v6.1 policy sets
The following WebSphere Application Server v6.1 policy
sets are included with the product:
- RAMP default policy sets:
- RAMP default: Default Reliable Asynchronous Messaging Profile
(RAMP) 1.0. This policy set provides the following features:
- Reliable message delivery to the intended receiver by enabling
WS-ReliableMessaging
- Message integrity by digital signature that includes signing the
body, timestamp, WS-Addressing headers and WS-ReliableMessaging headers
using the WS-SecureConversation and WS-Security specifications
- Confidentiality by encryption that includes encrypting the body,
signature and signature confirmation elements, using the WS-SecureConversation
and WS-Security specifications
- LTPA RAMP default. This policy set provides the following
features:
- Reliable message delivery to the intended receiver by enabling
WS-ReliableMessaging
- Message integrity by digital signature that includes signing the
body, timestamp, WS-Addressing headers and WS-ReliableMessaging headers
using the WS-SecureConversation and WS-Security specifications
- Confidentiality by encryption that includes encrypting the body,
signature and signature confirmation elements, using the WS-SecureConversation
and WS-Security specifications
- A Lightweight Third Party Authentication (LTPA) token included
in the request message to authenticate the client to the service
- Username RAMP default. This policy set provides the following
features:
- Reliable message delivery to the intended receiver by enabling
WS-ReliableMessaging
- Message integrity by digital signature that includes signing the
body, timestamp, WS-Addressing headers and WS-ReliableMessaging headers
using the WS-SecureConversation and WS-Security specifications
- Confidentiality by encryption that includes encrypting the body,
signature and signature confirmation elements, using the WS-SecureConversation
and WS-Security specifications
- A user name token included in the request message to authenticate
the client to the service. The user name token is encrypted in the
request
- SecureConversation policy sets:
- SecureConversation. This policy set provides the following
features:
- Message integrity by digital signature that includes signing the
body, timestamp, and WS-Addressing headers using WS-SecureConversation
and WS-Security specifications
- Message confidentiality by encryption that includes encrypting
the body, signature and signature confirmation elements, using WS-SecureConversation
and WS-Security specifications
- LTPA SecureConversation. This policy set provides the following
features:
- Message integrity by digital signature that includes signing the
body, timestamp, and WS-Addressing headers using WS-SecureConversation
and WS-Security specifications
- Message confidentiality by encryption that includes encrypting
the body, signature and signature confirmation elements, using WS-SecureConversation
and WS-Security specifications
- A Lightweight Third Party Authentication (LTPA) token included
in the request message to authenticate the client to the service
- Username SecureConversation. This policy set provides the
following features:
- Message integrity by digital signature that includes signing the
body, timestamp, and WS-Addressing headers using WS-SecureConversation
and WS-Security specifications
- Message confidentiality by encryption that includes encrypting
the body, signature and signature confirmation elements, using WS-SecureConversation
and WS-Security specifications
- A username token included in the request message to authenticate
the client to the service. The username token is encrypted in the
request
- WSReliableMessaging policy sets:
- WSReliableMessaging default. This policy set enables both
WS-ReliableMessaging and WS-Addressing, and the policy set uses the
minimum quality of service unmanaged non-persistent. This quality
of service requires minimal configuration. However it is non-transactional
and, although it allows for the re-sending of messages that are lost
in the network, failure of a server results in lost messages. This
quality of service is for single server only; it does not work in
a cluster.
- WSReliableMessaging 1_0. This policy set enables both WS-ReliableMessaging
Version 1.0 and WS-Addressing, and it uses the minimum quality of
service unmanaged non-persistent. This quality of service requires
minimal configuration. This quality of service is non-transactional,
however. Although it allows for the re-sending of messages that are
lost in the network, failure of a server results in lost messages.
This quality of service is for single-server use only; it does not
work in a cluster. You can use this policy set with .NET-based web
services.
- WSReliableMessaging persistent. This policy set enables
both WS-ReliableMessaging and WS-Addressing, and the policy set uses
the maximum quality of service managed persistent. This quality of
service supports asynchronous web service invocations, and uses a
service integration messaging engine and message store to manage the
sequence state. Messages are processed within transactions, are persisted
at the web service requester server and at the web service provider
server, and are recoverable in the event of server failure.
Web Services Reliable Messaging policy sets must be attached
at the service level for the Reliable Messaging quality of service
to be respected by the runtime. An attachment at the endpoint
level or the operation level is ignored by the runtime.
- WSSecurity default policy sets:
- WSSecurity default. This policy set provides the following
features:
- Message integrity by digital signature (using RSA public-key cryptography)
to sign the body, timestamp, and WS-Addressing headers using WS-Security
specifications
- Message confidentiality by encryption (using RSA public-key cryptography)
to encrypt the body, signature and signature confirmation elements
using WS-Security specifications
- LTPA WSSecurity default. This policy set provides the following
features:
- Message integrity by digital signature (using RSA public-key cryptography)
to sign the body, timestamp, and WS-Addressing headers using WS-Security
specifications
- Message confidentiality by encryption (using RSA public-key cryptography)
to encrypt the body, signature and signature confirmation elements
using WS-Security specifications
- A Lightweight Third Party Authentication (LTPA) token included
in the request message to authenticate the client to the service
- Username WSSecurity default. This policy set provides the
following features:
- Message integrity by digital signature (using RSA public-key cryptography)
to sign the body, timestamp, and WS-Addressing headers using WS-Security
specifications
- Message confidentiality by encryption (using RSA public-key cryptography)
to encrypt the body, signature and signature confirmation elements
using WS-Security specifications
- A username token included in the request message to authenticate
the client to the service. The username token is encrypted in the
request
- WSTransaction policy sets:
- WSTransaction. This policy set enables WS-Transaction,
which provides the ability to coordinate distributed transactional
work atomically and interoperably using the WS-AtomicTransaction specification.
- SSL WSTransaction. This policy set enables WS-Transaction,
which provides the ability to coordinate distributed transactional
work atomically, interoperably and securely using the WS-AtomicTransaction
specification and SSL Transport security.
- Other default policy sets:
- WSAddressing default. This policy set enables WS-Addressing
support, which uses endpoint references and message addressing properties
to facilitate the addressing of web services in a standard and interoperable
way.
- WSHTTPS default. This policy set provides SSL transport
security for the HTTP protocol with web services applications.
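The WSSecurity default policy sets above all promise the same integrity coverage: the body, the timestamp and the WS-Addressing headers are inside the signature. The following Python script is an added example, not WebSphere code, that checks a SOAP request for exactly that coverage by resolving the ds:Reference URIs of the signature against the wsu:Id attributes in the message. It runs offline over a constructed sample message (the digest and signature values are placeholders) and checks coverage only, not the cryptographic validity of the signature; a real deployment must verify the signature as well.

```python
"""Check which elements of a WS-Security-protected SOAP envelope are covered by
its ds:Signature, against what a "WSSecurity default" style policy set promises
to sign: the body, the timestamp and the WS-Addressing headers.

Added example, not WebSphere code. It runs offline over a constructed message
and checks signature coverage only (which wsu:Id-bearing elements the
ds:Reference URIs point at), not the cryptographic validity of the signature.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Integrity claim of the WSSecurity default policy sets: these elements must be
# inside the signature. Anything missing can be altered in transit undetected.
REQUIRED_SIGNED = frozenset({"Body", "Timestamp", "To", "Action", "MessageID"})


def signed_elements(envelope_xml):
    """Local names of the wsu:Id-bearing elements referenced (URI="#id") by the
    ds:Signature inside the wsse:Security header."""
    root = ET.fromstring(envelope_xml)
    by_id = {}
    for el in root.iter():
        wid = el.get(WSU_ID)
        if wid is not None:
            by_id[wid] = el.tag.rsplit("}", 1)[-1]
    sig = root.find("soap:Header/wsse:Security/ds:Signature", NS)
    if sig is None:
        return set()
    covered = set()
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if uri.startswith("#") and uri[1:] in by_id:
            covered.add(by_id[uri[1:]])
    return covered


def missing_coverage(envelope_xml, required=REQUIRED_SIGNED):
    """Sorted list of required elements that the signature does not cover."""
    return sorted(required - signed_elements(envelope_xml))


# Constructed sample request in the shape the policy set produces. Digest and
# signature values are placeholders, not real cryptographic output.
SIGNED_REQUEST = """<soapenv:Envelope
  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsa="http://www.w3.org/2005/08/addressing"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soapenv:Header>
    <wsa:To wsu:Id="wsa-to">http://example.test/EchoService</wsa:To>
    <wsa:Action wsu:Id="wsa-action">http://example.test/echo/echo</wsa:Action>
    <wsa:MessageID wsu:Id="wsa-msgid">urn:uuid:00000000-0000-0000-0000-000000000001</wsa:MessageID>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="ts"><wsu:Created>2024-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#body"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#ts"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#wsa-to"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#wsa-action"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#wsa-msgid"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>AAAA</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="body"><echo>hello</echo></soapenv:Body>
</soapenv:Envelope>"""

# Same message with the Body reference dropped from SignedInfo: the headers
# still verify, but the payload can be replaced without detection.
HEADERS_ONLY_REQUEST = SIGNED_REQUEST.replace(
    '<ds:Reference URI="#body"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>', "")

if __name__ == "__main__":
    for name, msg in (("signed", SIGNED_REQUEST), ("headers-only", HEADERS_ONLY_REQUEST)):
        print(name, "missing:", missing_coverage(msg))
```

Run the same check against a message captured from your own service after attaching one of the WSSecurity default policy sets; a non-empty result means the attached policy or its binding does not protect what the list above says it protects.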
WebSphere Application Server v7.0 and v8.0 system policy sets
The following WebSphere Application Server
v7.0 and v8.0 system policy sets are included with the product:
- SystemWSSecurityDefault. This system policy set specifies
the asymmetric algorithm and both the public and private keys to provide
message security. Message integrity is provided by digitally signing
the body, time stamp, and WS-Addressing headers using RSA public-key
cryptography. Message confidentiality is provided by encrypting the body
and signature using RSA public-key cryptography. This policy set follows
the WS-Security specifications and is used for the issue and renew
requests sent to the trust service.