WS-Security Implementations

Web services security, or more precisely SOAP message security, identifies and provides solutions for general computer security threats as well as threats unique to Web services. WSO2 Micro Integrator supports the WS-Security, WS-Policy, and WS-SecurityPolicy specifications, which together define a behavioral model for securing Web services.

Since a requirement for one web service may not be valid for another, WSO2 Micro Integrator also lets you define service-specific security. It provides 16 predefined, commonly used security scenarios; you apply the required scenario when you define the service. You can also define a custom security policy. Understanding the exact security requirement is the first step in planning to secure a web service: consider which security aspects matter to your service, integrity, confidentiality, or both.

Applying WS-Security

See the following resources on how to apply WS-Security to integration artifacts:

Note

An external user store must be configured for the Micro Integrator in order to use these security implementations.

Security scenarios

The 16 default security scenarios supported by WSO2 Micro Integrator are listed below. Scenarios 1 to 15 are listed here by name; scenario 16 (Kerberos Token-based Security) requires additional configuration and is described in the next section.

  1. UsernameToken
  2. Non-repudiation
  3. Integrity
  4. Confidentiality
  5. Sign and Encrypt - X509 Authentication
  6. Sign and Encrypt - Anonymous clients
  7. Encrypt Only - Username Token Authentication
  8. Sign and Encrypt - Username Token Authentication
  9. Secure Conversation - Sign only - Service as STS - Bootstrap policy - Sign and Encrypt, X509 Authentication
  10. Secure Conversation - Encrypt Only - Service as STS - Sign and Encrypt, X509 Authentication
  11. Secure Conversation - Sign and Encrypt - Service as STS - Bootstrap policy - Sign and Encrypt, X509 Authentication
  12. Secure Conversation - Sign Only - Service as STS - Bootstrap policy - Sign and Encrypt, Anonymous clients
  13. Secure Conversation - Encrypt Only - Service as STS - Bootstrap policy - Sign and Encrypt, Anonymous clients
  14. Secure Conversation - Encrypt Only - Service as STS - Bootstrap policy - Sign and Encrypt, Username Token Authentication
  15. Secure Conversation - Sign and Encrypt - Service as STS - Bootstrap policy - Sign and Encrypt, Username Token Authentication

Kerberos Token-based Security

If you apply security scenario 16 (Kerberos Token-based Security), you must associate your service with a service principal. Security scenario 16 is applicable only if you have a Key Distribution Center (KDC) and an Authentication Server in your environment; typically both are provided by an LDAP directory server.

Two configuration files specify the Kerberos-related parameters:

  • krb5.conf - KDC server details, encryption/decryption algorithms, etc.
  • jaas.conf - information relevant to authorization.

Follow the steps below to create the configuration files required.

  1. Create the <MI_HOME>/repository/conf/identity folder.

  2. Create a new file jaas.conf with the following content in the <MI_HOME>/repository/conf/identity folder. The entry name (Client) is the name the JAAS login context is looked up by.

```
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=false;
};
```

  3. Create a new file krb5.conf with the following content. The default location of the file depends on your operating system:

| Operating System | Default Location |
|------------------|------------------|
| Windows | c:\windows\krb5.ini |
| Linux | /etc/krb5.conf |
| UNIX-based OS | /etc/krb5/krb5.conf |
```
[libdefaults]
        default_realm = WSO2.ORG
        # Single-DES enctypes are legacy and weak; allow_weak_crypto = true is what makes the JDK accept them.
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
        permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
        allow_weak_crypto = true

[realms]
        WSO2.ORG = {
                kdc = 127.0.0.1:8000
        }

[domain_realm]
        .wso2.org = WSO2.ORG
        wso2.org = WSO2.ORG
```

After selecting scenario 16, fill in the information about the service principal to associate with the Web service. You must specify the service principal name and password. The service principal must already be defined in the LDAP directory server.
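As an added defender-side check, not part of the WSO2 documentation or product, the following Python parses the krb5.conf format used in step 3 and flags the settings a reviewer should question before deployment: the single-DES enctypes and the allow_weak_crypto switch that lets the JDK accept them, plus a default realm with no KDC. The parser and the weak-enctype list are my own; the sample file is a copy of the one above.

```python
# Copy of the krb5.conf from step 3 above, embedded here as sample input.
SAMPLE_KRB5_CONF = """[libdefaults]
    default_realm = WSO2.ORG
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    allow_weak_crypto = true
[realms]
    WSO2.ORG = {
        kdc = 127.0.0.1:8000
    }
"""

# Single-DES enctypes: MIT Kerberos and the JDK reject these unless allow_weak_crypto = true.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des-hmac-sha1"}


def parse_krb5_conf(text):
    """INI-like krb5.conf -> {section: {key: value}}; braced blocks become nested dicts."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()  # leave the current braced block
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))  # enter a braced block
            else:
                stack[-1][key] = value
    return sections


def audit_krb5_conf(text):
    """Findings a reviewer should resolve before deploying the file."""
    conf = parse_krb5_conf(text)
    defaults = conf.get("libdefaults", {})
    findings = []
    if defaults.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto is enabled: single-DES tickets will be accepted")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = [e for e in defaults.get(key, "").split() if e in WEAK_ENCTYPES]
        if weak:
            findings.append(f"{key} lists weak enctypes: {' '.join(weak)}")
    realm = defaults.get("default_realm")
    if "kdc" not in conf.get("realms", {}).get(realm, {}):
        findings.append(f"no kdc configured for default_realm {realm}")
    return findings
```

Run against the sample, the audit reports four findings: the allow_weak_crypto switch and the two single-DES types in each of the three enctype lists.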
