WS-Security, WSE2.0 SP3 and WebSphere 6.0

I'm sure WS fans applauded when IBM released WebSphere 6.0 last December with support for WS-Security. Finally IBM and Microsoft support the same version of a WS-* protocol other than SOAP and WSDL in their mainline supported products.

So how can we make them work?

Consider the following three basic WS-Security scenarios supported by both products:

1. UsernameToken sent over HTTPS. The UsernameToken is used for client authentication; HTTPS is used for message protection. This is beneficial for internet deployments and supersedes HTTP Basic Auth over HTTPS, as it incorporates the token in the message, allows the token to flow end to end, and allows for multiple tokens.

In order to configure WSE 2.0 SP3 to consume a UsernameToken from WebSphere, one needs to send the Password in Text and disable the WSE replayDetection feature, as discussed here. The reverse (sending a UsernameToken from a WSE 2.0 client to a WebSphere 6.0 service) does not require any config changes.

2. X509 Signing. The Requestor signs a request using the private key associated with the Requestor's X509v3 certificate. The Responder verifies the message signature using the public key associated with the Requestor's certificate.

To make WebSphere 6.0 and WSE 2.0 interoperate on this scenario, one needs to set, on the WebSphere 6.0 side (on the Security config tab), the BinarySecurityToken token type to “http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3”, the value from the OASIS WSS 1.0 standard. The default setting in WebSphere 6.0 is “…#X509”, which was introduced in the non-normative errata from the TC and does not interoperate with WSE 2.0 SP3.

3. X509 Mutual Authentication, Sign then Encrypt. Client and Service each have a cert representing their identity. Client authentication is provided using the Client's certificate; Server authentication is provided using the Server's cert. The request is signed using the private key corresponding to the Client's certificate, then encrypted using an ephemeral key K1 wrapped for the Server's certificate. The response is signed using the private key of the Server's certificate, then encrypted using an ephemeral key K2 wrapped for the Client's cert. This is a great scenario for server-to-server (B2B) communication, or for a client app that relies on PKI infrastructure (e.g. smartcards).

There is unfortunately no way to make WSE 2.0 SP3 and WebSphere 6.0 interoperate on Scenario #3, due to breaking differences between the OASIS WSS X509 Token Profile 1.0 standard that WSE 2.0 SP3 implements and the OASIS WSS X509 Token Profile 1.0 non-normative errata that WebSphere 6.0 followed. Specifically, the issue is in the different URIs used for KeyIdentifier/@ValueType in an external reference to the wrapping X509 token inside EncryptedKey. The OASIS TC is aware of the problem with the errata and is working to resolve the issue and remove the breaking changes from the errata. IBM is aware of the issue and plans to have a fix in the next service pack to support OASIS WSS 1.0.
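Scenarios 2 and 3 both come down to which ValueType URI appears on the token references, so the interop failure can be spotted in a captured message before any crypto is attempted. The following check is an added example, not code from the post or from either vendor: it parses a SOAP envelope and reports whether the BinarySecurityToken ValueType and the KeyIdentifier ValueType inside EncryptedKey carry the WSS 1.0 X.509 Token Profile values that WSE 2.0 SP3 expects. The #X509SubjectKeyIdentifier URI is taken from that profile (the post only quotes the #X509v3 one); the sample envelopes and the non-profile URI in the failing sample are constructed placeholders, since the post does not give the errata URI itself.

```python
"""Added check: flag WS-Security ValueType URIs that differ from the WSS 1.0 X.509 profile."""
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
# Values from the OASIS WSS 1.0 X.509 Token Profile (the ones WSE 2.0 SP3 accepts).
EXPECTED = {
    "BinarySecurityToken": X509_PROFILE + "#X509v3",
    "EncryptedKey/KeyIdentifier": X509_PROFILE + "#X509SubjectKeyIdentifier",
}

def check_value_types(envelope_xml):
    """Return (location, value_type, ok) for every BinarySecurityToken and for every
    KeyIdentifier that references the wrapping token inside an xenc:EncryptedKey."""
    root = ET.fromstring(envelope_xml)
    findings = []
    for bst in root.iter("{%s}BinarySecurityToken" % WSSE):
        vt = bst.get("ValueType", "")
        findings.append(("BinarySecurityToken", vt, vt == EXPECTED["BinarySecurityToken"]))
    for ek in root.iter("{%s}EncryptedKey" % XENC):
        for kid in ek.iter("{%s}KeyIdentifier" % WSSE):
            vt = kid.get("ValueType", "")
            findings.append(("EncryptedKey/KeyIdentifier", vt,
                             vt == EXPECTED["EncryptedKey/KeyIdentifier"]))
    return findings

def interoperable(envelope_xml):
    """True only if at least one token reference was found and all of them match the profile."""
    findings = check_value_types(envelope_xml)
    return bool(findings) and all(ok for _, _, ok in findings)

def sample_envelope(bst_vt, kid_vt):
    """Constructed minimal scenario-3 style header; token bytes are dummies."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:wsse="%s" xmlns:xenc="%s" xmlns:ds="%s"><s:Header><wsse:Security>'
        '<wsse:BinarySecurityToken ValueType="%s">AAAA</wsse:BinarySecurityToken>'
        '<xenc:EncryptedKey><ds:KeyInfo><wsse:SecurityTokenReference>'
        '<wsse:KeyIdentifier ValueType="%s">BBBB</wsse:KeyIdentifier>'
        '</wsse:SecurityTokenReference></ds:KeyInfo></xenc:EncryptedKey>'
        '</wsse:Security></s:Header><s:Body/></s:Envelope>'
    ) % (WSSE, XENC, DS, bst_vt, kid_vt)

# Constructed inputs: a conforming header, and one whose EncryptedKey reference uses a
# placeholder non-profile URI (the real errata URI is not quoted in the post).
GOOD = sample_envelope(EXPECTED["BinarySecurityToken"], EXPECTED["EncryptedKey/KeyIdentifier"])
BAD = sample_envelope(EXPECTED["BinarySecurityToken"], "urn:example:errata-placeholder#X509SKI")
```

Running check_value_types on a message that WebSphere rejected or WSE failed to verify shows which of the two references carries the non-profile URI, which is the distinction the two scenarios above hinge on.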


Posted Apr 13 2005, 11:47 PM by kirill-gavrylyuk

Comments

Sean Chase wrote re: WS-Security, WSE2.0 SP3 and WebSphere 6.0
on 05-10-2005 1:57 PM
How do they work with 1 or 2??? If I set up a Web Service right now using UsernameToken, the WSDL for my service doesn't show the WS-Security requirements like it will if I create a soap header to process username password. Upon reading some more of the WSE documentation, I tried creating a policy file which seemed to just force my client app to enable username token request policy...but still no information about these requirements in the WSDL. Isn't there a simple way to do this with WSE in Visual Studio??? Arg. :-)
Kirill Gavrylyuk wrote re: WS-Security, WSE2.0 SP3 and WebSphere 6.0
on 05-11-2005 9:52 PM
An interoperable way of expressing security mechanisms in WSDL will be addressed with WS-Policy + PolicyAttachments + Security Policy.

For example if you take a look at Indigo WSDL published at
http://131.107.153.195/WSSecurity/svc/WSSecurity10.svc?wsdl
you can see how Indigo describes security requirements using WS-Policy / PolicyAttachments and Security Policy.
Sean Chase wrote re: WS-Security, WSE2.0 SP3 and WebSphere 6.0
on 05-17-2005 9:45 AM
Hmmmm...I created a policy using WSE in VS.NET and I don't see any changes in how the WSDL is being broadcasted. I'll have to keep working through the "WS-Policy + PolicyAttachments + Security Policy" specs to figure it out I guess. Someone should write an article and/or book on how to do this stuff. It's nuts. :-)
Kirill Gavrylyuk wrote re: WS-Security, WSE2.0 SP3 and WebSphere 6.0
on 05-17-2005 10:06 AM
Sorry, I should be more clear. Neither WSE nor WebSphere currently supports WS-PolicyAttachment, which is the mechanism to attach policies to WSDL. So currently you have to write security policy on the WSE side and use configuration tooling (the "Security" tab) on the WebSphere side. I'll try to put here an end-to-end example of how one configures a simple X509 signing sample to work.
Didier Romelot wrote re: WS-Security, WSE2.0 SP3 and WebSphere 6.0
on 05-24-2005 5:53 AM
How can the second scenario work if the third doesn't? How can the server verify the signature in scenario 2 if it can't decrypt messages in scenario 3?
Ian wrote re: WS-Security, WSE2.0 SP3 and WebSphere 6.0
on 06-07-2005 9:14 AM
Any progress on that end to end example?
We've come to the point of trying to establish communication with a client who's using WebSphere. We're using scenario #2. They're trying to send a simple signed request to our WSE service and we get the WSE402 error, which is most likely telling us that our policies don't match but nothing useful beyond that. We've trimmed our WSE policy down so that it expects only the body to be signed, and on the WebSphere side they say they've set it to only sign the entire message (which they think means body only). The problem is, the terminology used at both ends is not quite the same so we're not sure which settings in WebSphere correspond to what in the WSE policy. We're willing to change settings and code at both ends, so an example of a simple working configuration (minimal policy without username token and such) would be very useful.
Sean Chase wrote re: WS-Security, WSE2.0 SP3 and WebSphere 6.0
on 06-08-2005 11:33 AM
Oh good, I thought it wasn't showing up in the WSDL because of pilot error. Do you know if WSE are going to support this in the future? Right now I can just create a SOAP header and it will show up in my WSDL just fine. I'd rather use WS-Security though if that is the standard to follow.
Hassan Faouaz wrote re: WS-Security, WSE2.0 SP3 and WebSphere 6.0
on 06-21-2005 1:40 PM
Is there a way in WebSphere 6.0 to do a composite Security Token? In other words, authenticate using username and password and X509 as well. I keep getting the following error:

"There are two candidates used to specify the caller identifier."

Jorge Balderas wrote re: WS-Security, WSE2.0 SP3 and WebSphere 6.0
on 06-23-2005 8:59 AM
Hi Kirill, I had unsuccessfully attempted to build web services using WS-Security between several versions of WebSphere 5.1 and .NET WSE; after reading your post I decided to give it a try with WAS 6 and WSE 2 SP3. I tried implementing scenario #2 with a Web Service on the WAS side that requires integrity. I'm currently getting an error from WAS (WSEC5620E) specifying that the signature verification failed because of a digest value mismatch. I checked and both sides are using the same version of the algorithms: c14n for canonicalization and rsa-sha1 for signatures. I don't mean to bother you with this, but if you have seen a similar error I would certainly appreciate any tips, or maybe this is just a bizarre issue in my particular case. Thanks! jorgerbf@hotmail.com
Aliasgar Muchhala wrote re: WS-Security, WSE2.0 SP3 and WebSphere 6.0
on 07-26-2005 2:41 AM
Hi Kirill,

I have a web service deployed on WAS 6 that expects the request to be signed using the client's private key and the body to be encrypted using the server's public key.
The web service should respond with the response signed using the server's private key and encrypted using the client's public key.

I have tested this from a web client running on WAS... and that worked perfectly okay...

But now there is a .Net client that tries to access this web service. It is using a PKCS12 type key pair (generated using the keytool utility). The public certs of this key pair have been imported into a JCEKS type keystore which is referenced in the WAS (the web service needs the public certificate of the client).

However this client gets a "SOAP body not signed; null" error message back from the service.

Just wanted to know if you could throw some light on this. My mail address is aliasgar.muchhala@tatainfotech.com

Thanks.
ReservoirDog wrote re: WS-Security, WSE2.0 SP3 and WebSphere 6.0
on 12-20-2005 5:08 AM
Hi Kirill, I am trying to setup scenario 2, using a trial version of WebSphere App Server 6.0 and a WebService that requires the body to be signed, implemented in .NET.
What I tried to do is to consume the .NET WebService using WAS 6.0
I had no success sending a correct signed XML, so any small working example would be very helpful. Thanks in advance. Best Regards, ReservoirDog (bluesman2k4@yahoo.com)
Rober wrote re: WS-Security, WSE2.0 SP3 and WebSphere 6.0
on 09-13-2006 3:24 AM
I tried it one year ago without success. Has one year already passed? Has there been some advance in this matter? Do we continue without being able to interop on scenario 3 between .NET and IBM?

roberto.gmourente@gmail.com
Rober wrote re: WS-Security, WSE2.0 SP3 and WebSphere 6.0
on 07-09-2007 3:48 AM
Another year has already passed. Any advance?
