Algorithm URI collection
Use this page to view a list of uniform resource identifier (URI)
algorithms for XML digital signature or XML encryption that are mapped
to an algorithm factory engine class. With algorithm mappings, service
providers can use other cryptographic algorithms for digest value
calculation, digital signature signing and verification, data encryption
and decryption, and key encryption and decryption.
Algorithm mapping collection
You can view a list of custom uniform resource identifier
(URI) algorithms for digest value calculation, signature, key encryption,
and data encryption. The application server maps these algorithms
to an implementation of the algorithm factory engine interface. With
algorithm mappings, service providers can extend the cryptographic
algorithms for XML digital signature and XML encryption.
Algorithm mapping configuration settings
Use this page to view a list of custom uniform resource
identifier (URI) algorithms for digest value calculation, signature,
key encryption, and data encryption. The application server maps these
algorithms to an implementation of the algorithm factory engine interface.
With algorithm mappings, service providers can extend the cryptographic
algorithms for XML digital signature and XML encryption.
Callback handler configuration settings for JAX-RPC
Use this page to specify how to acquire the security token
that is inserted in the Web Services Security header for JAX-RPC within
the SOAP message. The token acquisition is a pluggable framework that
leverages the Java Authentication and Authorization
Service (JAAS) javax.security.auth.callback.CallbackHandler interface
for acquiring the security token.
Certificate revocation list collection
Use this page to determine the location of the certificate
revocation list (CRL) known to the application server. The Application
Server checks the CRL to determine the validity of the client certificate.
A certificate that is found in a certificate revocation list might
not be expired, but is no longer trusted by the certificate authority
(CA) that issued the certificate. The CA might add the certificate
to the certificate revocation list if it believes that the client
authority is compromised.
Certificate revocation list configuration settings
Use this page to specify a list of certificate revocations
that check the validity of a certificate. The application server checks
the certificate revocation lists (CRL) to determine the validity of
the client certificate. A certificate that is found in a certificate
revocation list might not be expired, but is no longer trusted by
the certificate authority (CA) that issued the certificate. The CA
might add the certificate to the certificate revocation list if it
believes that the client authority is compromised.
Collection certificate store collection
Use this page to view a list of certificate stores that
contains untrusted, intermediary certificate files awaiting validation.
Validation might consist of checking to see if the certificate is
on a certificate revocation list (CRL), checking that the certificate
is not expired, and checking that the certificate is issued by a trusted
signer.
Collection certificate store configuration settings
Use this page to specify the name and the provider for
a collection certificate store. A collection certificate store is
a collection of non-root, certificate authority (CA) certificates
and certificate revocation lists (CRLs). This collection of CA certificates
and CRLs is used to check the signature of a digitally signed SOAP
message.
Default bindings and runtime properties for Web Services Security
Use this page to configure the settings for nonce on the
server level and to manage the default bindings for the signing information,
encryption information, key information, token generators, token consumers,
key locators, collection certificate store, trust anchors, trusted
ID evaluators, algorithm mappings, and login mappings.
Default bindings and security runtime properties
Use this page to specify the configuration on the cell
level in a WebSphere Application Server, Network Deployment environment.
In addition, use this page to define the default generator bindings,
default consumer bindings, and additional properties such as key locators,
the collection certificate store, trust anchors, trusted ID evaluators,
algorithm mappings, and login mappings.
Encryption information collection
Use this page to specify the configuration for the encrypting and
decrypting parameters. This configuration is used to encrypt and decrypt
parts of the message, including the body and user name token.
Encryption information configuration settings: Message parts
Use this page to configure the encryption and decryption
parameters. You can use these parameters to encrypt and decrypt various
parts of the message, including the body and the token.
HTTP SSL Configuration collection
Use this page to configure transport-level Secure Sockets Layer
(SSL) security. You can use this configuration when a web service
is a client to another web service.
HTTP basic authentication collection
Use this page to specify a user name and password for transport-level
basic authentication security for this port. You can use this configuration
when a web service is a client to another web service.
JAAS configuration settings
Use this page to specify the name of the Java Authentication
and Authorization Service (JAAS) configuration that is defined in
the JAAS login panel.
Key collection
Use this page to view a list of logical names that is mapped
to a key alias in the keystore file.
Key configuration settings
Use this page to define the mapping of a logical name to
a key alias in a keystore file.
Key information collection
Use this page to view the configurations that are currently available
for generating or consuming the key for XML digital signatures and
XML encryption.
Key information configuration settings
Use this page to specify the related configuration needed
to specify the key for XML digital signature or XML encryption.
Key locator collection
Use this page to view a list of key locator configurations
that retrieve keys from the keystore for digital signature and encryption.
A key locator must implement the com.ibm.wsspi.wssecurity.config.KeyLocator interface.
Key locator configuration settings
Use this page to specify the settings for a key locator
configuration. The key locators retrieve keys from the keystore file
for digital signature and encryption. This product enables you to
plug in a custom key locator configuration.
Login bindings configuration settings
Use this page to specify the Java Authentication
and Authorization Service (JAAS) login configuration settings that
are used to validate security tokens within incoming messages.
Login mapping configuration settings
Use this page to specify the Java Authentication
and Authorization Service (JAAS) login configuration settings that
are used to validate security tokens within incoming messages.
Login mappings collection
Use this page to view a list of configurations for validating
security tokens within incoming messages. Login mappings map an authentication
method to a Java Authentication and Authorization
Service (JAAS) login configuration to validate the security token.
Four authentication methods are predefined in the WebSphere Application
Server: BasicAuth, Signature, IDAssertion,
and Lightweight Third Party Authentication (LTPA).
Part reference collection
Use this page to view the message part references for signature
and encryption that are defined in the deployment descriptors.
Part reference configuration settings
Use this page to specify a reference to the message parts
for signature and encryption that are defined in the deployment descriptors.
Response receiver binding collection
Use this page to specify the binding configuration for
receiver response messages for Web Services Security.
Response sender binding collection
Use this page to specify the binding configuration for
sender response messages for Web Services Security.
Signing information collection
Use this page to view a list of signing parameters. Signing information
is used to sign and validate parts of a message including the body,
time stamp, and user name token. You can also use these parameters for
X.509 validation when the authentication method is IDAssertion and the
ID type is X509Certificate in the server-level configuration. In such
cases, you must fill in the certificate path fields only.
Token consumer collection
Use this page to view the token consumer. The information
is used on the consumer side only to process the security token.
Token consumer configuration settings
Use this page to specify the information for the token
consumer. The information is used at the consumer side only to process
the security token.
Token generator collection
Use this page to view the token generators. The information
is used on the generator side only to generate the security token.
Token generator configuration settings
Use this page to specify the information for the token
generator. The information is used at the generator side only to generate
the security token.
Transforms collection
Use this page to view the transform algorithm that is used
for processing the Web Services Security message.
Transforms configuration settings
Use this page to specify the transform algorithm that is
used for processing the Web Services Security message.
Trust anchor collection
Use this page to view a list of keystore objects that contain
trusted root certificates. These objects are used for certificate
path validation of incoming X.509-formatted security tokens. Keystore
objects within trust anchors contain trusted root certificates that
are used by the CertPath API to validate the trust of a certificate
chain.
Trust anchor configuration settings
Use this information to configure a trust anchor. Trust
anchors point to keystores that contain trusted root or self-signed
certificates. This information enables you to specify a name for the
trust anchor and the information that is needed to access a keystore.
The application binding uses this name to reference a predefined trust
anchor definition in the binding file (or the default).
Trusted ID evaluator collection
Use this page to view a list of trusted identity (ID) evaluators.
The trusted ID evaluator determines whether to trust the identity-asserting
authority. After the ID is trusted, the application server issues
the proper credentials based on the identity, which are used in a
downstream call for invoking resources. The trusted ID evaluator implements
the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator interface.
Web services: Client security bindings collection
Use this page to view a list of application-level, client-side
binding configurations for Web Services Security. These bindings are
used when a web service is a client to another web service.
X.509 certificate configuration settings
Use this page to specify a list of untrusted, intermediate
certificate files. This collection certificate store is used for certificate
path validation of incoming X.509-formatted security tokens.
X.509 certificates collection
Use this page to view a list of untrusted, intermediate
certificate files. This collection certificate store is used for certificate
path validation of incoming X.509-formatted security tokens.