ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/webserv/wssecovarch.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">

<title>Web services security architecture</title>
</head>

<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>

<h5><a name="wssecovrarch"></a>Web services security architecture</h5>

<p>The Web services security model employed by WebSphere Application Server - Express is the declarative model. There are no APIs in for programmatically interacting with Web services security, but there are a few Server Provider Interfaces (SPIs) for extending some security-related behaviors.</p>

<p><strong>Figure 1: Web services security model</strong></p>
<p><img src="rzamy515.gif" width="584" height="265" alt="Web services security model"></p>

<p>The security constraints for Web services security are specified in the IBM deployment descriptor extension for Web services. The Web services security run time acts on the constraints to enforce Web services security for the SOAP message. The scope of the IBM deployment descriptor extension is at the Web module level. Bindings are also associated with each of the following IBM deployment descriptor extensions:</p>

<ul>
<li><strong>Client</strong> (A Web services client be either a stand-alone client or a Web service that acts as a client to another Web service.)
    <ul>
    <li>ibm-webservicesclient-ext.xmi</li>
    <li>ibm-webservicesclient-bnd.xmi</li>
    </ul></li>

<li><strong>Server</strong>
    <ul>
    <li>ibm-webservices-ext.xmi</li>
    <li>ibm-webservices-bnd.xmi</li>
    </ul></li>
</ul>

<p>It is recommended that you use the tools provided by IBM (such as WebSphere Development Client for iSeries) to create the IBM deployment descriptor extension and bindings. After the bindings are created, you can use the tools or the WebSphere administrative console to specify the bindings.</p>

<p><strong>Note:</strong> The binding information is collected after the application has been deployed, not during deployment itself. The alternative is to specify the required binding information before deploying your application.</p>

<p><strong>Figure 2: Web services security message interpretation</strong></p>
<p><img src="rzamy516.gif" width="583" height="380" alt="Web services security message interpretation"></p>

<p>The Web services security run time enforces or applies Web services security based on the defined security constraints in the deployment descriptor and binding files. In Figure 2, Web services security has the following points where it intercepts the message and acts on the security constraints that are defined:</p>

<ul>
<li><strong>Request sender</strong>
    <ul>
    <li>Is defined in the ibm-webservicesclient-ext.xmi and ibm-webservicesclient-bnd.xmi files.</li>
    <li>Applies the appropriate security constraints to the SOAP message (such as signing or encryption) before the message is sent across the wire, generating the time stamp or the required security token.</li>
    </ul><p></p></li>

<li><strong>Request receiver</strong> 
    <ul>
    <li>Is defined in the ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi files.</li>
    <li>Verifies that the Web services security constraints are met.</li>
    <li>Verifies the freshness of the message based on the time stamp.</li>
    <li>Verifies the required signature.</li>
    <li>Verifies that the message is encrypted and decrypts the message if encrypted.</li>
    <li>Validates the security tokens and sets up the security context for the down-stream call.</li>
    </ul><p></p></li>

<li><strong>Response sender</strong>
    <ul>
    <li>Is defined in the ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi files.</li>
    <li>Applies the appropriate security constraints to the SOAP message response, like signing the message, encrypting the message, or generating the time stamp.</li>
    </ul><p></p></li>

<li><strong>Response receiver</strong>
    <ul>
    <li>Is defined in the ibm-webservicesclient-ext.xmi or ibm-webservicesclient-bnd.xmi file.</li>
    <li>Verifies that the Web services security constraints are met.</li>
    <li>Verifies the freshness of the message based on the time stamp.</li>
    <li>Verifies the required signature.</li>
    <li>Verifies that the message is encrypted and decrypts the message, if encrypted.</li>
    </ul></li>
</ul>

<p><strong>Web services security programming interfaces</strong></p>

<p>SPIs are provided to extend the capability of the Web services security run time. The following SPIs and application programming interfaces (APIs) are available:</p>

<ul>
<li><p><strong>com.ibm.wsspi.wssecurity.config.KeyLocator</strong>
<br>This SPI is an abstract class for obtaining the keys for digital signature and encryption. The following implementations are the defaults:</p>
    <ul>
    <li><p><strong>com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator</strong>
    <br>Implements the Java key store.</p></li>
    
    <li><p><strong>com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator</strong>
    <br>Provides a mapping of authenticated identity to a key for encryption, or uses the default key that is specified. This is typically used in the response sender configuration.</p></li>

    <li><p><strong>com.ibm.wsspi.wssecurity.config.CertInRequestKeyLocator</strong>
    <br>Provides the capability of using the signer key for encryption in the response message. This is typically used in the response sender configuration.</p></li>
    </ul></li>

<li><p><strong>com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator</strong>
<br>An interface that used to evaluate the trust for identity assertion. The following implementation is the default:</p>
    <ul>
    <li><p><strong>com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl</strong>
    <br>Enables you to define a list of trusted identities.</p></li>
    </ul></li>
    
<li><p><strong>JAAS CallbackHandler APIs</strong>
<br>Used for token generation by the request sender. These APIs can be extended to generate a custom token that is inserted in the Web services security header. The following implementations are the defaults that are provided by WebSphere Application Server - Express:</p>
    <ul>
    <li><p><strong>com.ibm.wsspi.wssecurity.auth.callback.GUIPromptCallbackHandler</strong>
    <br>Presents a login prompt to gather the basic authentication data. Use this implementation in the client environment only.</p></li>
    
    <li><p><strong>com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler</strong>
    <br>Collects the basic authentication data with Standard in (stdin). Use this implementation in the client environment only.</p></li>

    <li><p><strong>com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler</strong>
    <br>Reads the basic authentication data from the application binding file. This may be used on the server side to generate a user name token.</p></li>
    
    <li><p><strong>com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler</strong>
    <br>Generates an LTPA token in the Web services security header as binary security token. If there is basic authentication data that is defined in the application binding file, this implementation is used to perform a login, extract the LTPA token from the WebSphere credentials, and insert the token in the Web services security header. Otherwise, it extracts the LTPA security token from the invocation credentials (RunAs identity) and inserts the token in the Web services security header.</p></li>
    </ul></li>


<li><p><strong>JAAS LoginModule API</strong>
<br>Used for token validation of the request receiver side of the message. You can implement a custom LoginModule to perform validation of the custom token on the request receiver of the message. After the token is verified and validated, the token is set as the caller (the RunAs identity in the WebSphere run time) and the identity is used for authorization checks by the containers before a J2EE resource is invoked.</p>

<p>The following configurations are the default AuthMethod configurations that are provided by WebSphere Application Server - Express:</p>
    <ul>
    <li><p><strong>BasicAuth</strong>
    <br>Validates a user name token.</p></li>

    <li><p><strong>Signature</strong>
    <br>Maps a distinguished name (DN) of a verified certificate to a JAAS subject.</p></li>

    <li><p><strong>IDAssertion</strong>
    <br>Maps a trusted identity to a JAAS subject.</p></li>
    
    <li><p><strong>LTPA</strong>
    <br>Validates an LTPA token received in the message and creates a JAAS subject.</p></li>
    </ul></li>
</ul>

<p><strong>Default configuration (ws-security.xml) for WebSphere Application Server - Express</strong></p>
<p>In WebSphere Application Server - Express, each application server has a copy of ws-security.xml, the file that defines the default binding information for Web services security. The following is a list of defaults defined in the ws-security.xml file:</p>

<ul>
<li><p><strong>Trust Anchors</strong>
<br>Identifies the trusted root certificates for signature verification.</p></li>

<li><p><strong>Certificate Stores</strong>
<br>Contains certificate revocation lists (CRLs) and non-trusted certificates for verification.</p></li>

<li><p><strong>KeyLocators</strong>
<br>Locates the keys for digital signature and encryption.</p></li>

<li><p><strong>TrustedIDEvaluators</strong>
<br>Evaluates the trust of the received identity before identity assertion.</p></li>

<li><p><strong>LoginMappings</strong>
<br>Contains the JAAS configurations for AuthMethod token validation.</p></li>
</ul>

<p>If the Web services security constraints that are specified in the deployment descriptors and the required bindings are not defined in the bindings file, the default constraints in the ws-security.xml file are used.</p>

<p><strong>Figure 3: Runtime configuration</strong></p>

<p><img src="rzamy517.gif" width="433" height="294" alt="Web services security runtime configuration"></p>

</body>
</html>
Add readme and dist folders 2024-04-02 14:02:31 +00:00			`<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">`
			`<html>`
			`<head>`
			`<META http-equiv="Content-Type" content="text/html; charset=utf-8">`
			`<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">`

			`<title>Web services security architecture</title>`
			`</head>`

			`<BODY>`
			`<!-- Java sync-link -->`
			`<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>`

			`<h5><a name="wssecovrarch"></a>Web services security architecture</h5>`

			`<p>The Web services security model employed by WebSphere Application Server - Express is the declarative model. There are no APIs in for programmatically interacting with Web services security, but there are a few Server Provider Interfaces (SPIs) for extending some security-related behaviors.</p>`

			`<p><strong>Figure 1: Web services security model</strong></p>`
			`<p><img src="rzamy515.gif" width="584" height="265" alt="Web services security model"></p>`

			`<p>The security constraints for Web services security are specified in the IBM deployment descriptor extension for Web services. The Web services security run time acts on the constraints to enforce Web services security for the SOAP message. The scope of the IBM deployment descriptor extension is at the Web module level. Bindings are also associated with each of the following IBM deployment descriptor extensions:</p>`

			`<ul>`
			`<li><strong>Client</strong> (A Web services client be either a stand-alone client or a Web service that acts as a client to another Web service.)`
			`<ul>`
			`<li>ibm-webservicesclient-ext.xmi</li>`
			`<li>ibm-webservicesclient-bnd.xmi</li>`
			`</ul></li>`

			`<li><strong>Server</strong>`
			`<ul>`
			`<li>ibm-webservices-ext.xmi</li>`
			`<li>ibm-webservices-bnd.xmi</li>`
			`</ul></li>`
			`</ul>`

			`<p>It is recommended that you use the tools provided by IBM (such as WebSphere Development Client for iSeries) to create the IBM deployment descriptor extension and bindings. After the bindings are created, you can use the tools or the WebSphere administrative console to specify the bindings.</p>`

			`<p><strong>Note:</strong> The binding information is collected after the application has been deployed, not during deployment itself. The alternative is to specify the required binding information before deploying your application.</p>`

			`<p><strong>Figure 2: Web services security message interpretation</strong></p>`
			`<p><img src="rzamy516.gif" width="583" height="380" alt="Web services security message interpretation"></p>`

			`<p>The Web services security run time enforces or applies Web services security based on the defined security constraints in the deployment descriptor and binding files. In Figure 2, Web services security has the following points where it intercepts the message and acts on the security constraints that are defined:</p>`

			`<ul>`
			`<li><strong>Request sender</strong>`
			`<ul>`
			`<li>Is defined in the ibm-webservicesclient-ext.xmi and ibm-webservicesclient-bnd.xmi files.</li>`
			`<li>Applies the appropriate security constraints to the SOAP message (such as signing or encryption) before the message is sent across the wire, generating the time stamp or the required security token.</li>`
			`</ul><p></p></li>`

			`<li><strong>Request receiver</strong>`
			`<ul>`
			`<li>Is defined in the ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi files.</li>`
			`<li>Verifies that the Web services security constraints are met.</li>`
			`<li>Verifies the freshness of the message based on the time stamp.</li>`
			`<li>Verifies the required signature.</li>`
			`<li>Verifies that the message is encrypted and decrypts the message if encrypted.</li>`
			`<li>Validates the security tokens and sets up the security context for the down-stream call.</li>`
			`</ul><p></p></li>`

			`<li><strong>Response sender</strong>`
			`<ul>`
			`<li>Is defined in the ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi files.</li>`
			`<li>Applies the appropriate security constraints to the SOAP message response, like signing the message, encrypting the message, or generating the time stamp.</li>`
			`</ul><p></p></li>`

			`<li><strong>Response receiver</strong>`
			`<ul>`
			`<li>Is defined in the ibm-webservicesclient-ext.xmi or ibm-webservicesclient-bnd.xmi file.</li>`
			`<li>Verifies that the Web services security constraints are met.</li>`
			`<li>Verifies the freshness of the message based on the time stamp.</li>`
			`<li>Verifies the required signature.</li>`
			`<li>Verifies that the message is encrypted and decrypts the message, if encrypted.</li>`
			`</ul></li>`
			`</ul>`

			`<p><strong>Web services security programming interfaces</strong></p>`

			`<p>SPIs are provided to extend the capability of the Web services security run time. The following SPIs and application programming interfaces (APIs) are available:</p>`

			`<ul>`
			`<li><p><strong>com.ibm.wsspi.wssecurity.config.KeyLocator</strong>`
			`<br>This SPI is an abstract class for obtaining the keys for digital signature and encryption. The following implementations are the defaults:</p>`
			`<ul>`
			`<li><p><strong>com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator</strong>`
			`<br>Implements the Java key store.</p></li>`

			`<li><p><strong>com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator</strong>`
			`<br>Provides a mapping of authenticated identity to a key for encryption, or uses the default key that is specified. This is typically used in the response sender configuration.</p></li>`

			`<li><p><strong>com.ibm.wsspi.wssecurity.config.CertInRequestKeyLocator</strong>`
			`<br>Provides the capability of using the signer key for encryption in the response message. This is typically used in the response sender configuration.</p></li>`
			`</ul></li>`

			`<li><p><strong>com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator</strong>`
			`<br>An interface that used to evaluate the trust for identity assertion. The following implementation is the default:</p>`
			`<ul>`
			`<li><p><strong>com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl</strong>`
			`<br>Enables you to define a list of trusted identities.</p></li>`
			`</ul></li>`

			`<li><p><strong>JAAS CallbackHandler APIs</strong>`
			`<br>Used for token generation by the request sender. These APIs can be extended to generate a custom token that is inserted in the Web services security header. The following implementations are the defaults that are provided by WebSphere Application Server - Express:</p>`
			`<ul>`
			`<li><p><strong>com.ibm.wsspi.wssecurity.auth.callback.GUIPromptCallbackHandler</strong>`
			`<br>Presents a login prompt to gather the basic authentication data. Use this implementation in the client environment only.</p></li>`

			`<li><p><strong>com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler</strong>`
			`<br>Collects the basic authentication data with Standard in (stdin). Use this implementation in the client environment only.</p></li>`

			`<li><p><strong>com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler</strong>`
			`<br>Reads the basic authentication data from the application binding file. This may be used on the server side to generate a user name token.</p></li>`

			`<li><p><strong>com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler</strong>`
			<br>Generates an LTPA token in the Web services security header as binary security token. If there is basic authentication data that is defined in the application binding file, this implementation is used to perform a login, extract the LTPA token from the WebSphere credentials, and insert the token in the Web services security header. Otherwise, it extracts the LTPA security token from the invocation credentials (RunAs identity) and inserts the token in the Web services security header.</p></li>
			`</ul></li>`


			`<li><p><strong>JAAS LoginModule API</strong>`
			`<br>Used for token validation of the request receiver side of the message. You can implement a custom LoginModule to perform validation of the custom token on the request receiver of the message. After the token is verified and validated, the token is set as the caller (the RunAs identity in the WebSphere run time) and the identity is used for authorization checks by the containers before a J2EE resource is invoked.</p>`

			`<p>The following configurations are the default AuthMethod configurations that are provided by WebSphere Application Server - Express:</p>`
			`<ul>`
			`<li><p><strong>BasicAuth</strong>`
			`<br>Validates a user name token.</p></li>`

			`<li><p><strong>Signature</strong>`
			`<br>Maps a distinguished name (DN) of a verified certificate to a JAAS subject.</p></li>`

			`<li><p><strong>IDAssertion</strong>`
			`<br>Maps a trusted identity to a JAAS subject.</p></li>`

			`<li><p><strong>LTPA</strong>`
			`<br>Validates an LTPA token received in the message and creates a JAAS subject.</p></li>`
			`</ul></li>`
			`</ul>`

			`<p><strong>Default configuration (ws-security.xml) for WebSphere Application Server - Express</strong></p>`
			`<p>In WebSphere Application Server - Express, each application server has a copy of ws-security.xml, the file that defines the default binding information for Web services security. The following is a list of defaults defined in the ws-security.xml file:</p>`

			`<ul>`
			`<li><p><strong>Trust Anchors</strong>`
			`<br>Identifies the trusted root certificates for signature verification.</p></li>`

			`<li><p><strong>Certificate Stores</strong>`
			`<br>Contains certificate revocation lists (CRLs) and non-trusted certificates for verification.</p></li>`

			`<li><p><strong>KeyLocators</strong>`
			`<br>Locates the keys for digital signature and encryption.</p></li>`

			`<li><p><strong>TrustedIDEvaluators</strong>`
			`<br>Evaluates the trust of the received identity before identity assertion.</p></li>`

			`<li><p><strong>LoginMappings</strong>`
			`<br>Contains the JAAS configurations for AuthMethod token validation.</p></li>`
			`</ul>`

			`<p>If the Web services security constraints that are specified in the deployment descriptors and the required bindings are not defined in the bindings file, the default constraints in the ws-security.xml file are used.</p>`

			`<p><strong>Figure 3: Runtime configuration</strong></p>`

			`<p><img src="rzamy517.gif" width="433" height="294" alt="Web services security runtime configuration"></p>`

			`</body>`
			`</html>`