IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


How IBM Integration Bus complies with Web Service Security specifications

IBM® Integration Bus conditionally complies with Web Services Security: SOAP Message Security and related specifications by supporting the following aspects.

Compliance with Web Services Security: SOAP Message Security

Security header
The <wsse:Security> header provides a mechanism, in the form of a SOAP actor or role, for attaching security-related information that is targeted at a specific recipient. The recipient can be the ultimate recipient of the message or an intermediary. The following attributes are supported in IBM Integration Bus:
  • S11:actor (for an intermediary)
  • S11:mustUnderstand
  • S12:role (for an intermediary)
  • S12:mustUnderstand
Security tokens
The following security tokens are supported in the security header:
  • Username and password
  • Binary security tokens:
    • X.509 certificate
    • Kerberos ticket
    • LTPA certificate
  • SAML assertion
Token references
A security token conveys a set of claims. Sometimes these claims are held elsewhere and must be accessed by the receiving application. The <wsse:SecurityTokenReference> element provides an extensible mechanism for referencing security tokens. The following mechanisms are supported:
  • Direct reference
  • Key identifier
  • Key name
  • Embedded reference
Signature algorithms
This specification builds on XML Signature and therefore has the same algorithm requirements as those specified in the XML Signature specification. IBM Integration Bus supports the signature algorithms as shown in the following table.
Algorithm type   | Algorithm                                           | URI
Digest           | SHA1                                                | http://www.w3.org/2000/09/xmldsig#sha1
Signature        | DSA with SHA1 (validation only)                     | http://www.w3.org/2000/09/xmldsig#dsa-sha1
Signature        | RSA with SHA1                                       | http://www.w3.org/2000/09/xmldsig#rsa-sha1
Canonicalization | Exclusive XML canonicalization (without comments)   | http://www.w3.org/2001/10/xml-exc-c14n#
Signature signed parts
IBM Integration Bus allows the following SOAP elements to be signed:
  • The SOAP message body
  • The identity token (a type of security token) that is used as an asserted identity
Encryption algorithms
The data encryption algorithms that are supported are shown in the following table.
Algorithm                                                                  | URI
Triple Data Encryption Standard algorithm (Triple DES)                     | http://www.w3.org/2001/04/xmlenc#tripledes-cbc
Advanced Encryption Standard (AES) algorithm with a key length of 128 bits | http://www.w3.org/2001/04/xmlenc#aes128-cbc
Advanced Encryption Standard (AES) algorithm with a key length of 192 bits | http://www.w3.org/2001/04/xmlenc#aes192-cbc
Advanced Encryption Standard (AES) algorithm with a key length of 256 bits | http://www.w3.org/2001/04/xmlenc#aes256-cbc
The key encryption algorithm that is supported is shown in the following table.
Algorithm                                              | URI
Key transport (public key cryptography) RSA Version 1.5 | http://www.w3.org/2001/04/xmlenc#rsa-1_5
Encryption message parts
IBM Integration Bus allows the following SOAP elements to be encrypted:
  • The SOAP body
Timestamp
The <wsu:Timestamp> element provides a mechanism for expressing the creation and expiration times of the security semantics in a message. IBM Integration Bus tolerates the use of timestamps within the Web services security header on inbound SOAP messages.
Error handling
IBM Integration Bus generates SOAP fault messages using the standard fault codes defined in the specification.

Compliance with Web Services Security: Username Token Profile 1.1

The following aspects of this specification are supported:
Password types
  • Text
Token references
  • Direct reference

Compliance with Web Services Security: X.509 Certificate Token Profile 1.1

The following aspects of this specification are supported:
Token types
  • X.509 Version 3: Single certificate.
  • X.509 Version 3: X509PKIPathv1 without certificate revocation lists (CRL).
  • X.509 Version 3: PKCS7 with or without CRLs. The IBM Software Development Kit (SDK) supports both. The Sun Java™ Development Kit (JDK) supports PKCS7 without CRL only.
For more information, refer to Web Services Security X.509 Certificate Token Profile.
Token references
  • Key identifier - subject key identifier
  • Direct reference
  • Custom reference - issuer name and serial number

Compliance with Web Services Security: SAML Token Profile

SAML passthru support is provided, which enables interoperability with WS-Security SAML profiles, without performing subject confirmation processing. This means that it does not provide validation of the trust relationship between the SAML subject and message content signatures.

The token is passed through for processing by the message flow security manager, which passes the token to a WS-Trust STS for processing.

Compliance with Web Services Security: Kerberos Token Profile

The following aspects of this specification are supported:
Token types
  • Kerberos GSS v5 AP_REQ
  • Kerberos v5 AP_REQ

Aspects that are not supported

The following items are not supported in IBM Integration Bus:
  • Validation of Timestamps for freshness.
  • Nonces.
  • Web services security for SOAP attachments.
  • XrML token profile.
  • Web Services Interoperability (WS-I) Basic Security Profile.
  • XML enveloping digital signature.
  • XML enveloping digital encryption.
  • The following transport algorithms for digital signatures:
  • The Diffie-Hellman key agreement algorithm for encryption. For more information, refer to Diffie-Hellman Key Values.
  • The following canonicalization algorithms for encryption, which are optional in the XML encryption specification:
    • Canonical XML with or without comments
    • Exclusive XML canonicalization with or without comments
  • The digest password type in the Username Token Version 1.0 Profile specification.
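The following Python script is an added example and is not IBM code or part of this page: it pre-checks the security header of an inbound SOAP message against the algorithm tables above and flags the items this page lists as unsupported (timestamp freshness, nonces, the digest password type), so that a message flow or its caller can enforce them instead of assuming the broker will. The envelope is a constructed sample; the namespace URIs are the OASIS WSS 1.0 ones and `max_age_s` is an assumed local policy value.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Algorithm URIs from the signature and encryption tables on this page.
DSIG, XENC = "http://www.w3.org/2000/09/xmldsig#", "http://www.w3.org/2001/04/xmlenc#"
SUPPORTED_ALGORITHMS = {DSIG + "sha1", DSIG + "dsa-sha1", DSIG + "rsa-sha1",
                        "http://www.w3.org/2001/10/xml-exc-c14n#", XENC + "tripledes-cbc",
                        XENC + "aes128-cbc", XENC + "aes192-cbc", XENC + "aes256-cbc", XENC + "rsa-1_5"}
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {"wsse": WSS + "secext-1.0.xsd", "wsu": WSS + "utility-1.0.xsd"}

def _utc(text):  # wsu timestamps are ISO 8601 UTC, e.g. 2017-07-21T10:00:00Z
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def check_security_header(envelope_xml, now, max_age_s=300):
    """Return findings the broker will not raise itself for the wsse:Security header."""
    sec = ET.fromstring(envelope_xml).find(".//wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    findings = []
    for el in sec.iter():  # ds:*Method and xenc:EncryptionMethod carry @Algorithm
        if (alg := el.get("Algorithm")) and alg not in SUPPORTED_ALGORITHMS:
            findings.append("unsupported algorithm: " + alg)
    ts = sec.find("wsu:Timestamp", NS)
    if ts is not None:  # freshness is not validated by IIB, so enforce it here
        created = ts.findtext("wsu:Created", None, NS)
        expires = ts.findtext("wsu:Expires", None, NS)
        if expires and _utc(expires) < now:
            findings.append("timestamp expired")
        if created and (now - _utc(created)).total_seconds() > max_age_s:
            findings.append("timestamp older than %ds" % max_age_s)
    for ut in sec.findall("wsse:UsernameToken", NS):  # nonce and digest are unsupported
        if ut.find("wsse:Nonce", NS) is not None:
            findings.append("nonce present (not supported)")
        pw = ut.find("wsse:Password", NS)
        if pw is not None and pw.get("Type", "").endswith("#PasswordDigest"):
            findings.append("digest password type (not supported)")
    return findings

# Constructed sample: RSA-SHA256 signature, digest password with nonce, 10-minute-old timestamp.
CHECK_TIME = datetime(2017, 7, 21, 10, 10, tzinfo=timezone.utc)
SAMPLE = ('<S11:Envelope xmlns:S11="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="%s" xmlns:wsu="%s" '
          'xmlns:ds="%s"><S11:Header><wsse:Security S11:mustUnderstand="1"><wsu:Timestamp>'
          '<wsu:Created>2017-07-21T10:00:00Z</wsu:Created><wsu:Expires>2017-07-21T10:05:00Z</wsu:Expires>'
          '</wsu:Timestamp><wsse:UsernameToken><wsse:Username>alice</wsse:Username><wsse:Password Type='
          '"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"'
          '>x</wsse:Password><wsse:Nonce>bm9uY2U=</wsse:Nonce></wsse:UsernameToken><ds:Signature>'
          '<ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
          '</ds:SignedInfo></ds:Signature></wsse:Security></S11:Header><S11:Body/></S11:Envelope>'
          % (NS["wsse"], NS["wsu"], DSIG))
```

Running `check_security_header(SAMPLE, CHECK_TIME)` reports the SHA-256 signature method, the expired and stale timestamp, the nonce and the digest password as five separate findings.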

ac56070_.htm | Last updated Friday, 21 July 2017