Support for securing web services

CICS® Transaction Server for z/OS® provides support for a number of related technologies that you can use to secure SOAP and JSON messages.

Some of these technologies are available as part of the HTTP protocol, and are equally applicable to both SOAP and JSON. Some use the Web Services Security (WSS): SOAP Message Security 1.0 specification, and are only available for SOAP. For information on the shared TCP/IP and HTTP security options, see Security for TCP/IP clients and Security for CICS web support.

For information about using SAML assertions, see Overview of SAML support.

SOAP web services security

Web Services Security (WSS): SOAP Message Security 1.0 describes the use of security tokens and digital signatures to protect and authenticate SOAP messages. For more information, see the WSS: SOAP Message Security 1.0 specification.

Web Services Security protects the privacy and integrity of SOAP messages by, respectively, protecting messages from unauthorized disclosure and preventing unauthorized and undetected modification. WSS provides this protection by digitally signing and encrypting XML elements in the message. The elements that can be protected are the body or any elements in the body or the header. You can give different levels of protection to different elements in the SOAP message.

The Web Services Trust Language specification enhances Web Services Security further by providing a framework for requesting and issuing security tokens, and managing trust relationships between web service requesters and providers. This extension to the authentication of SOAP messages enables web services to validate and exchange security tokens of different types by using a trusted third party. This third party is called a Security Token Service (STS). For more information about the Web Services Trust Language, see the WS-Trust Language specification.

CICS Transaction Server for z/OS provides support for these specifications by using a CICS-supplied security handler in the pipeline:
  • For outbound messages, CICS provides support for digital signing and encryption of the entire SOAP body. CICS can also exchange a username token for a security token of a different type with an STS.
  • For inbound messages, CICS supports messages in which the body, or elements of the body and header, are encrypted or digitally signed. CICS can also exchange and validate security tokens with an STS.

CICS also provides a separate Trust client interface so that you can interact with an STS without using the CICS security handler.

Note: Web Services Security is potentially not conformant with SP800-131A. Web Services Security is configured by adding a handler into the pipeline and CICS has no control over the processing in a customer-written handler. If you use digital signatures, you can specify only the algorithms dsa-sha1 and rsa-sha1. These algorithms are not SP800-131A-conformant. The two-key tripledes encryption algorithm, which can be used to encrypt a SOAP body, is also non-conformant.
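As an added example (not CICS code and not from this page), the following Python inspects the WS-Security header of a SOAP message to show the two points made above: which elements (identified by wsu:Id) a ds:Signature covers and which are encrypted, whether every signature Reference resolves to an element in the message, and whether the signature or encryption algorithms are among those the note names as not SP800-131A-conformant (dsa-sha1, rsa-sha1, triple DES). The sample message, its ids (Body-1, UT-1, ED-1) and its digest, signature and cipher values are constructed placeholders; the script reads structure and algorithm identifiers only and performs no cryptographic verification.

```python
"""Audit the WS-Security header of a SOAP message: what is signed, what is
encrypted, with which algorithms, and which algorithms are not
SP800-131A-conformant. Structural inspection only; no crypto is verified."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Algorithm URIs to flag. rsa-sha1 and dsa-sha1 are named by the CICS note as
# non-conformant. The XML Encryption URI for Triple DES does not distinguish
# two-key from three-key variants, so it is flagged for review.
NON_CONFORMANT = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1": "dsa-sha1",
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc": "tripledes",
}

# Constructed sample (not a captured CICS message): the body and a username
# token are signed with rsa-sha1, and the body content is encrypted with 3DES.
# Digest, signature and cipher values are placeholders.
SAMPLE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"
    xmlns:ds="{ds}" xmlns:xenc="{xenc}">
  <soap:Header>
    <wsse:Security>
      <wsse:UsernameToken wsu:Id="UT-1">
        <wsse:Username>cicsuser</wsse:Username>
      </wsse:UsernameToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#Body-1">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>PLACEHOLDER-DIGEST-1</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#UT-1">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>PLACEHOLDER-DIGEST-2</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body-1">
    <xenc:EncryptedData Id="ED-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-CIPHERTEXT</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>""".format(**NS)


def element_ids(root):
    """Collect every wsu:Id (or plain Id, as on xenc:EncryptedData) in the message."""
    wsu_id = f"{{{NS['wsu']}}}Id"
    return {el.get(wsu_id) or el.get("Id") for el in root.iter()} - {None}


def signatures(root):
    """For each ds:Signature in the Security header: its algorithm and the ids it covers."""
    result = []
    for sig in root.findall(".//wsse:Security/ds:Signature", NS):
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")
        covers = [r.get("URI").lstrip("#") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
        result.append({"algorithm": method, "covers": covers})
    return result


def encrypted(root):
    """Every xenc:EncryptedData with its algorithm; Type says whether the element
    or only its content was encrypted."""
    return [{
        "id": enc.get("Id"),
        "algorithm": enc.find("xenc:EncryptionMethod", NS).get("Algorithm"),
        "type": enc.get("Type", "").rsplit("#", 1)[-1] or None,
    } for enc in root.findall(".//xenc:EncryptedData", NS)]


def audit(xml_text):
    """Return what is signed/encrypted, dangling references, and algorithm findings."""
    root = ET.fromstring(xml_text)
    ids = element_ids(root)
    sigs, encs, findings, dangling = signatures(root), encrypted(root), [], []
    for sig in sigs:
        dangling += [ref for ref in sig["covers"] if ref not in ids]
        if sig["algorithm"] in NON_CONFORMANT:
            findings.append(f"signature over {', '.join(sig['covers'])} uses "
                            f"{NON_CONFORMANT[sig['algorithm']]} (not SP800-131A-conformant)")
    for enc in encs:
        if enc["algorithm"] in NON_CONFORMANT:
            findings.append(f"EncryptedData {enc['id']} uses "
                            f"{NON_CONFORMANT[enc['algorithm']]} (review against SP800-131A)")
    return {"signatures": sigs, "encrypted": encs, "dangling": dangling, "findings": findings}


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

A dangling Reference (an id that no element in the message carries) is worth surfacing separately from the algorithm findings: it usually indicates a message that was modified after signing or a handler that signed the wrong element, and either way the signature cannot cover what the receiver thinks it covers.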