IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


WS-Security mechanisms

The WS-Security specification provides three mechanisms for securing Web services at the message level: authentication, integrity, and confidentiality.

Authentication

This mechanism uses a security token to validate the user and determine whether a client is valid in a particular context. A client can be a user, computer, or application. Without authentication, an attacker can use spoofing techniques to send a modified SOAP message to the service provider.

In authentication, a security token is inserted in the request message. Depending on the type of security token that is being used, the security token can also be inserted in the response message. The following types of security token are supported for authentication:

  • Username token: Username tokens are used to validate user names and passwords. When a Web service server receives a username token, the user name and password are extracted and passed to a user registry for verification. If the user name and password combination is valid, the result is returned to the server and the message is accepted and processed. When used in authentication, username tokens are typically passed only in the request message, not the response message.
  • X.509 token: X.509 tokens are validated by using a certificate path.
  • SAML assertion: The broker support for SAML assertions is restricted to passing the token to a WS-Trust security token server (STS) for validation.
  • Kerberos ticket: Kerberos tickets are validated against the host's Kerberos keytab file.
  • LTPA token: The broker support for LTPA binary tokens is restricted to passing the token to a WS-Trust STS for validation.

All types of token must be protected. For this reason, if you send them over an untrusted network, take one of the following precautions:
  • Use HTTPS
  • Configure the policy set to protect the appropriate elements in the SOAP header
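The username-token flow above (token extracted from the wsse:Security header, credentials checked against a registry), shown as an added Python 3.8+ example that is not IBM Integration Bus code. It goes a little beyond the page: it handles both password forms defined by the WS-Security UsernameToken Profile 1.0, PasswordText and PasswordDigest (Base64(SHA-1(nonce + created + password))), and shows why the digest form needs a nonce cache. The SOAP request, the in-memory user registry, the nonce and the timestamp are all constructed for illustration.

```python
"""Added example (not IBM Integration Bus code): server-side handling of a
WS-Security UsernameToken.  Request, registry, nonce and timestamp are constructed."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/", "wsse": WSSE, "wsu": WSU}
UT_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UT_PROFILE + "#PasswordText"
PASSWORD_DIGEST = UT_PROFILE + "#PasswordDigest"

# Constructed in-memory registry standing in for LDAP or a broker-managed registry.
USER_REGISTRY = {"alice": "s3cret"}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_request(username: str, password: str, nonce: bytes = None, created: str = "") -> str:
    """Client side: a constructed SOAP request carrying a UsernameToken.
    With a nonce the password is sent as a digest, otherwise as clear text."""
    if nonce is None:
        pw = f'<wsse:Password Type="{PASSWORD_TEXT}">{escape(password)}</wsse:Password>'
    else:
        pw = (f'<wsse:Password Type="{PASSWORD_DIGEST}">'
              f'{password_digest(nonce, created, password)}</wsse:Password>'
              f'<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>'
              f'<wsu:Created>{created}</wsu:Created>')
    return (f'<soap:Envelope xmlns:soap="{NS["soap"]}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<soap:Header><wsse:Security><wsse:UsernameToken>'
            f'<wsse:Username>{escape(username)}</wsse:Username>{pw}'
            f'</wsse:UsernameToken></wsse:Security></soap:Header>'
            f'<soap:Body><getQuote>IBM</getQuote></soap:Body></soap:Envelope>')


def extract_username_token(envelope_xml: str) -> dict:
    """Server side: pull the UsernameToken fields out of the wsse:Security header.
    (Untrusted XML should be parsed with a hardened parser such as defusedxml in production.)"""
    root = ET.fromstring(envelope_xml)
    token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        raise ValueError("no UsernameToken in wsse:Security header")
    pwd = token.find("wsse:Password", NS)
    if pwd is None:
        raise ValueError("UsernameToken carries no Password")
    return {
        "username": token.findtext("wsse:Username", default="", namespaces=NS).strip(),
        "password": (pwd.text or "").strip(),
        "type": pwd.get("Type", PASSWORD_TEXT),
        "nonce": token.findtext("wsse:Nonce", default="", namespaces=NS).strip(),
        "created": token.findtext("wsu:Created", default="", namespaces=NS).strip(),
    }


def verify_username_token(token: dict, registry: dict = USER_REGISTRY, seen_nonces: set = None) -> bool:
    """Check the token against the registry.  Comparisons are constant-time; when a
    nonce cache is supplied a digest token is accepted only once (replay defence).
    A real deployment also rejects Created timestamps outside a freshness window."""
    expected = registry.get(token["username"])
    if expected is None:
        return False
    if token["type"] == PASSWORD_TEXT:
        return hmac.compare_digest(token["password"].encode(), expected.encode())
    if token["type"] == PASSWORD_DIGEST:
        if not token["nonce"] or not token["created"]:
            return False                      # digest form requires both inputs
        if seen_nonces is not None and token["nonce"] in seen_nonces:
            return False                      # replayed token
        try:
            nonce = base64.b64decode(token["nonce"], validate=True)
        except ValueError:
            return False                      # malformed nonce
        good = password_digest(nonce, token["created"], expected)
        if not hmac.compare_digest(good.encode(), token["password"].encode()):
            return False
        if seen_nonces is not None:
            seen_nonces.add(token["nonce"])
        return True
    return False                              # unknown password type: reject


if __name__ == "__main__":
    request = build_request("alice", "s3cret", nonce=b"\x01\x02\x03\x04", created="2017-07-21T10:00:00Z")
    print(verify_username_token(extract_username_token(request)))  # True
```

The clear-text form is only acceptable when the transport is HTTPS, which is the first precaution listed above; the digest form keeps the password itself off the wire but, without a nonce cache, a captured token can be replayed verbatim, which is why verify_username_token refuses a nonce it has already seen.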

Integrity

This mechanism uses message signing to ensure that information is not altered or lost, whether accidentally or deliberately. When integrity is implemented, an XML digital signature is generated on the contents of a SOAP message. If unauthorized changes are made to the message data, signature validation fails and the message is rejected. Without integrity, an attacker can use tampering techniques to intercept a SOAP message between the Web service client and server, and modify it.
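A reduced model of the integrity check just described, added here as a Python 3.8+ example that is not IBM Integration Bus code. Like XML Signature it records a digest of the referenced Body inside a SignedInfo element and then signs SignedInfo, so that changing the Body breaks the digest and changing the digest breaks the signature. Unlike a real WS-Security stack it uses the standard library's C14N 2.0 instead of the Exclusive C14N transform, an HMAC key instead of an X.509 key pair, and a stripped-down element layout, so it is illustrative only and not interoperable. The shared key and the SOAP envelope are constructed.

```python
"""Added example (not IBM Integration Bus code): a reduced model of an XML digital
signature over the SOAP Body, showing that a tampered Body no longer validates.
Key and envelope are constructed."""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"soap": SOAP}
ET.register_namespace("soap", SOAP)


def canonical(elem: ET.Element) -> bytes:
    """Canonical bytes of an element, so that harmless serialisation differences
    (prefix names, whitespace) do not change the digest.  Trailing text after the
    element is dropped so only the element itself is covered."""
    node = copy.copy(elem)
    node.tail = None
    xml = ET.tostring(node, encoding="unicode")
    return ET.canonicalize(xml, rewrite_prefixes=True, strip_text=True).encode()


def body_digest(body: ET.Element) -> str:
    return base64.b64encode(hashlib.sha256(canonical(body)).digest()).decode()


def signature_value(signed_info: ET.Element, key: bytes) -> str:
    mac = hmac.new(key, canonical(signed_info), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def sign_body(envelope_xml: str, key: bytes) -> str:
    """Sender: add a Signature element to the Header that covers the Body."""
    root = ET.fromstring(envelope_xml)
    body = root.find("soap:Body", NS)
    header = root.find("soap:Header", NS)
    if body is None:
        raise ValueError("envelope has no Body")
    if header is None:
        header = ET.Element(f"{{{SOAP}}}Header")
        root.insert(0, header)
    signed_info = ET.fromstring(
        f'<SignedInfo><Reference URI="#Body"><DigestValue>{body_digest(body)}</DigestValue>'
        f'</Reference></SignedInfo>')
    sig = ET.SubElement(header, "Signature")
    sig.append(signed_info)
    ET.SubElement(sig, "SignatureValue").text = signature_value(signed_info, key)
    return ET.tostring(root, encoding="unicode")


def verify_body_signature(envelope_xml: str, key: bytes) -> bool:
    """Receiver: both checks must pass, otherwise the message is rejected.
    The Body is located directly rather than by resolving the Reference URI, so
    a second, unsigned Body elsewhere in the envelope cannot be substituted."""
    root = ET.fromstring(envelope_xml)
    body = root.find("soap:Body", NS)
    sig = root.find("soap:Header/Signature", NS)
    signed_info = sig.find("SignedInfo") if sig is not None else None
    if body is None or signed_info is None:
        return False
    # 1. SignedInfo is what the signer authenticated; it must be unchanged.
    claimed_sig = sig.findtext("SignatureValue", default="").strip()
    if not hmac.compare_digest(signature_value(signed_info, key).encode(), claimed_sig.encode()):
        return False
    # 2. The digest recorded in SignedInfo must match the Body actually received.
    claimed_digest = signed_info.findtext("Reference/DigestValue", default="").strip()
    return hmac.compare_digest(body_digest(body).encode(), claimed_digest.encode())


ENVELOPE = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soap:Header/><soap:Body><transfer><to>ACME</to><amount>100</amount></transfer>'
            '</soap:Body></soap:Envelope>')
KEY = b"constructed-shared-key"

if __name__ == "__main__":
    signed = sign_body(ENVELOPE, KEY)
    print(verify_body_signature(signed, KEY))                                              # True
    print(verify_body_signature(signed.replace("<amount>100</amount>", "<amount>9000</amount>"), KEY))  # False
```

Two points carry over to a real stack: canonicalisation before hashing is what keeps the signature stable across proxies that re-serialise the message, and the receiver must verify that the element it goes on to process is the one the signature references, which is why the verifier above looks the Body up itself rather than trusting an Id pointed to by the Reference.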

Confidentiality

This mechanism uses message encryption to ensure that no party or process can access or disclose the information in the message. When a SOAP message is encrypted, only a service that knows the appropriate key can decrypt and read the message.


ac55640_.htm | Last updated Friday, 21 July 2017