How IBM App Connect Enterprise complies with Web Service Security specifications

IBM® App Connect Enterprise conditionally complies with Web Services Security: SOAP Message Security and related specifications by supporting the following aspects.

Compliance with Web Services Security: SOAP Message Security

Security header

The <wsse:Security> header provides a mechanism, in the form of a SOAP actor or role, for attaching security-related information that is targeted at a specific recipient. The recipient can be the ultimate recipient of the message or an intermediary. The following attributes are supported in IBM App Connect Enterprise:

S11:actor (for an intermediary)
S11:mustUnderstand
S12:role (for an intermediary)
S12:mustUnderstand

Security tokens

The following security tokens are supported in the security header:

Username and password
Binary security tokens:
- X.509 certificate
- Kerberos ticket
- LTPA certificate
SAML assertion

Token references

A security token conveys a set of claims. Sometimes these claims are elsewhere and need to be accessed by the receiving application. The <wsse:SecurityTokenReference> element provides an extensible mechanism for referencing security tokens. The following mechanisms are supported:

Direct reference
Key identifier
Key name
Embedded reference

Signature algorithms

This specification builds on XML Signature and therefore has the same algorithm requirements as those specified in the XML Signature specification. IBM App Connect Enterprise supports the signature algorithms as shown in the following table.

Algorithm type	Algorithm	URI
Digest	SHA1	`http://www.w3.org/2000/09/xmldsig#sha1`
Signature	DSA with SHA1 (validation only)	`http://www.w3.org/2000/09/xmldsig#dsa-sha1`
Signature	RSA with SHA1	`http://www.w3.org/2000/09/xmldsig#rsa-sha1`
Canonicalization	Exclusive XML canonicalization (without comments)	`http://www.w3.org/2001/10/xml-exc-c14n#`

Signature signed parts

IBM App Connect Enterprise allows the following SOAP elements to be signed:

The SOAP message body
The identity token (a type of security token) that is used as an asserted identity

Encryption algorithms

The data encryption algorithms that are supported are shown in the following table.

Algorithm	URI
Triple Data Encryption Standard algorithm (Triple DES)	`http://www.w3.org/2001/04/xmlenc#tripledes-cbc`
Advanced Encryption Standard (AES) algorithm with a key length of 128 bits	`http://www.w3.org/2001/04/xmlenc#aes128-cbc`
Advanced Encryption Standard (AES) algorithm with a key length of 192 bits	`http://www.w3.org/2001/04/xmlenc#aes192-cbc`
Advanced Encryption Standard (AES) algorithm with a key length of 256 bits	`http://www.w3.org/2001/04/xmlenc#aes256-cbc`

The key encryption algorithm that is supported is shown in the following table.

Algorithm	URI
Key transport (public key cryptography) RSA Version 1.5	`http://www.w3.org/2001/04/xmlenc#rsa-1_5`

Encryption message parts

IBM App Connect Enterprise allows the following SOAP elements to be encrypted:

The SOAP body

Timestamp

The <wsu:Timestamp> element provides a mechanism for expressing the creation and expiration times of the security semantics in a message. IBM App Connect Enterprise tolerates the use of timestamps within the web services security header on inbound SOAP messages.

Error handling

IBM App Connect Enterprise generates SOAP fault messages using the standard list of response codes listed in the specification.

Compliance with Web Services Security: Username Token Profile 1.1

The following aspects of this specification are supported:

Password types: Text
Token references: Direct reference

Compliance with Web Services Security: X.509 Certificate Token Profile 1.1

The following aspects of this specification are supported:

Token types

X.509 Version 3: Single certificate.
X.509 Version 3: X509PKIPathv1 without certificate revocation lists (CRL).
X.509 Version 3: PKCS7 with or without CRLs. The IBM Software Development Kit (SDK) supports both. The Sun Java™ Development Kit (JDK) supports PKCS7 without CRL only.

For more information, refer to Web Services Security X.509 Certificate Token Profile.

Note: Only X.509 Certificate Token Profile 1.0 is supported when X.509 tokens are used as authentication tokens.

Token references

Key identifier - subject key identifier
Direct reference
Custom reference - issuer name and serial number

Compliance with Web Services Security: SAML Token Profile

SAML passthru support is provided, which enables interoperability with WS-Security SAML profiles, without performing subject confirmation processing. This means that it does not provide validation of the trust relationship between the SAML subject and message content signatures.

The token is passed through for processing by the message flow security manager, which passes the token to a WS-Trust STS for processing.

Compliance with Web Services Security: Kerberos Token Profile

The following aspects of this specification are supported:

Token types

Kerberos GSS v5 AP_REQ
Kerberos v5 AP_REQ

Aspects that are not supported

The following items are not supported in IBM App Connect Enterprise:

Validation of Timestamps for freshness.
Nonces.
Web services security for SOAP attachments.
XrML token profile.
Web Services Interoperability (WS-I) Basic Security Profile.
XML enveloping digital signature.
XML enveloping digital encryption.
The following transport algorithms for digital signatures:
- XSLT: http://www.w3.org/TR/1999/REC-xslt-19991116.
- SOAP Message Normalization. For more information, refer to http://www.w3.org/TR/2003/NOTE-soap12-n11n-20031008.
The Diffie-Hellman key agreement algorithm for encryption. For more information, refer to Diffie-Hellman Key Values.
The following canonicalization algorithm for encryption, which is optional in the XML encryption specification:
- Canonical XML with or without comments
- Exclusive XML canonicalization with or without comments
The digest password type in the Username Token Version 1.0 Profile specification.