IBM Support

WS-Security Client and Provider sample bindings with SHA256 signature algorithms

Technote (troubleshooting)


Problem(Abstract)

WS-Security general bindings should be available to make it easier to avoid using the vulnerable SHA1 signature algorithms that are specification-required by the algorithm suites in the WS-Security policies.

Resolving the problem

A new set of client and provider sample general bindings will be added to the application server with APAR PI58160 in fixpacks 7.0.0.43, 8.0.0.13, and 8.5.5.10:

  • Provider sample SHA256

    This binding is the same as the standard provider sample binding, except 1) it adds the SignatureAlgorithm custom property for the SHA256 signature algorithms to all the symmetric and assymetric sign parts and 2) it contains the SAML Bearer token consumers. You should modify this binding to meet your security requirements before using it in a production environment.

  • Client sample SHA256

    This binding is the same as the standard client sample binding, except 1) to all the symmetric and assymetric sign parts, it adds the SignatureAlgorithm custom property for the SHA256 signature algorithms and 2) it contains the SAML Bearer token generators. You should modify this binding to meet your security requirements before using it in a production environment.

These new sample bindings will be available to new profiles created after a fixpack containing APAR PI58160 is installed.

Since these bindings use functionality that was added to WebSphere with APAR PM62842, these bindings are only applicable to fixpacks 7.0.0.25 and later, 8.0.0.4 and later, 8.5.0.1 and later and 8.5.5.0 and later. The bindings can be imported into profiles on application servers that are outside of these ranges. However, when either of the bindings is attached to a service in an out-of-range fixpack, a SHA1 signature algorithm will be applied to the signature in the SOAP Security header instead of a SHA256 algorithm.

This document provides a copy of each of the new sample bindings that you can import into existing profiles on your application server. To import the bindings into an application server profile, perform the following steps:

    1. Download the Provider sample SHA256.zip and Client sample SHA256.zip files attached to this document
      • Ensure that the files are placed in a directory that is accessible to the browser on which you will run the administrative console.
    2. In the administrative console, navigate to Services > Policy sets
    3. Import the new provider general binding
      1. Click General provider policy set bindings > Import
      2. Click Browse
      3. Enter the fully-qualified path to the Provider sample SHA256.zip file that you downloaded from this document.
      4. Click Open, then OK
    4. Import the new client general binding
      1. Click General client policy set bindings > Import
      2. Click Browse
      3. Enter the fully-qualified path to the Client sample SHA256.zip file that you downloaded from this document.
      4. Click Open, then OK
    5. Click Save

New WS-Security sample general bindings with SHA256:

Document information

More support for: WebSphere Application Server
Web Services Security

Software version: 7.0, 8.0, 8.5

Operating system(s): AIX, HP-UX, IBM i, Inspur K-UX, Linux, Solaris, Windows, z/OS

Software edition: Advanced, Base, Enterprise, Network Deployment, Single Server

Reference #: 1978836

Modified date: 15 March 2016