Message Security enables a server to perform end-to-end authentication of web service invocations and responses at the message layer. The Application Server implements message security using message security providers on the SOAP layer. The message security providers provide information such as the type of authentication that is required for the request and response messages. The types of authentication that are supported include the following:
Two message security providers are included with this release. The message security providers can be configured for authentication for the SOAP layer. The providers that can be configured include ClientProvider and ServerProvider.
Support for message layer security is integrated into the Application Server and its client containers in the form of (pluggable) authentication modules. By default, message layer security is disabled on the Application Server.
To enable and configure message layer security, follow these steps:
Configuring a JCE provider is discussed in "Configuring a JCE Provider".
Configuring a user database is discussed in "Editing a Realm".
Managing keystore and truststore files is discussed in "About Certificate Files".
Specifying a message security configuration is discussed in "Enabling Providers for Message Security".
Configuring the message security providers is discussed in "Configuring a Message Security Provider".
Configuring the application client container for message security is discussed in "Enabling Message Security for Client Applications".
When the Application Server provider configuration is insufficient for your security needs, and you want to override the default protection, you can apply application-specific message security to a web service.
Application-specific security is implemented by adding the message security binding to the web service endpoint, whether it is an EJB or servlet web service endpoint. Modify Sun-specific deployment descriptor files to add the message binding information.
For more details, refer to the Securing Applications chapter of the Developers’ Guide. There is a link to this chapter in "Further Information".
The topic of enabling message security for specific methods is discussed in the Securing Applications chapter of the Developers’ Guide. There is a link to this chapter in "Further Information".
The Java Cryptography Extension (JCE) provider included with J2SE 1.4.x does not support RSA encryption. Because many WSS applications use RSA encryption, you must download and install a JCE provider that does support RSA encryption in order to run WSS applications that use encryption.
Note: RSA is public-key encryption technology developed by RSA Data Security, Inc. The acronym stands for Rivest, Shamir, and Adleman, the inventors of the technology.
If you are running the Application Server on version 1.5 of the Java SDK, the JCE provider is already configured properly. If you are running the Application Server on version 1.4.x of the Java SDK, follow these steps to add a JCE provider statically as part of your JDK environment:
Install the JCE provider JAR file you downloaded in <JAVA_HOME>/jre/lib/ext/.
Open the <JAVA_HOME>/jre/lib/security/java.security properties file in any text editor. Add the JCE provider you’ve just downloaded to this file. The java.security file contains detailed instructions for adding this provider. Basically, you need to add a line of the following format in a location with similar properties:
security.provider.<n>=<provider class name>
In this example, <n> is the order of preference to be used by the Application Server when evaluating security providers. Set <n> to 2 for the JCE provider you’ve just added.
For example, if you’ve downloaded The Legion of the Bouncy Castle JCE provider, you would add this line:
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
Make sure that the Sun security provider remains at the highest preference, with a value of 1.
security.provider.1=sun.security.provider.Sun
Adjust the levels of the other security providers downward so that there is only one security provider at each level.
The following is an example of a java.security file that provides the necessary JCE provider and keeps the existing providers in the correct locations:
security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.rsajca.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
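The renumbering step above is easy to get wrong by hand (two providers at one level, or a gap in the sequence, and the JRE silently skips or reorders them). The following script is an added example, not part of the Application Server documentation: it inserts a provider class at a chosen preference level in a java.security file, shifts the existing providers down so there is exactly one provider per level, and then checks the invariants the procedure asks for (contiguous numbering from 1, sun.security.provider.Sun kept at level 1, no provider listed twice). The sample java.security content and the function names are constructed for this example.

```python
"""Insert a JCE provider into a java.security file and validate the result.

Added example, not code from the Application Server documentation. It edits
the security.provider.<n> lines as the procedure above describes and then
checks the invariants the text requires. SAMPLE_JAVA_SECURITY is constructed
for this example (the provider list of a Sun 1.4.x JRE plus one unrelated
property, which must survive the edit untouched).
"""
import re

PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(\S+)\s*$")

SAMPLE_JAVA_SECURITY = """\
# List of providers and their preference orders (see above):
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.sun.rsajca.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider

securerandom.source=file:/dev/urandom
"""

BOUNCY_CASTLE = "org.bouncycastle.jce.provider.BouncyCastleProvider"
SUN_PROVIDER = "sun.security.provider.Sun"


def parse_providers(text):
    """Map preference level -> provider class; raise if a level is listed twice."""
    found = {}
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            level = int(m.group(1))
            if level in found:
                raise ValueError(f"security.provider.{level} appears more than once")
            found[level] = m.group(2)
    return found


def insert_provider(text, class_name, position=2):
    """Return the file with class_name at `position` and later providers shifted down.

    Comments and other properties are kept verbatim; the provider block is
    rewritten in place (where its first line was) with contiguous numbering.
    """
    by_level = parse_providers(text)
    ordered = [by_level[k] for k in sorted(by_level)]
    if class_name in ordered:
        raise ValueError(f"{class_name} is already configured")
    if not 1 <= position <= len(ordered) + 1:
        raise ValueError("position out of range")
    ordered.insert(position - 1, class_name)

    out, emitted = [], False
    for line in text.splitlines():
        if PROVIDER_RE.match(line):
            if not emitted:
                out.extend(f"security.provider.{i}={p}"
                           for i, p in enumerate(ordered, start=1))
                emitted = True
            continue  # old provider lines are replaced by the block above
        out.append(line)
    return "\n".join(out) + "\n"


def validate(text):
    """Check the procedure's invariants; return a list of problems (empty means OK)."""
    try:
        by_level = parse_providers(text)
    except ValueError as e:
        return [str(e)]
    problems = []
    levels = sorted(by_level)
    if levels != list(range(1, len(levels) + 1)):
        problems.append(f"preference levels are not contiguous from 1: {levels}")
    if by_level.get(1) != SUN_PROVIDER:
        problems.append(f"{SUN_PROVIDER} must remain at preference 1")
    classes = list(by_level.values())
    if len(set(classes)) != len(classes):
        problems.append("a provider class is listed at more than one level")
    return problems


if __name__ == "__main__":
    updated = insert_provider(SAMPLE_JAVA_SECURITY, BOUNCY_CASTLE, position=2)
    print(updated)
    print("problems:", validate(updated) or "none")
```

Run validate() on the real <JAVA_HOME>/jre/lib/security/java.security after editing it; an empty result means the provider list is in the shape the procedure requires. The script deliberately refuses to add a class that is already present, since a provider registered twice is as much a misconfiguration as two providers sharing a level.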