Basic Security Profile compliance tips
The Web Services Interoperability Organization (WS-I) Basic Security Profile (BSP) 1.0 promotes interoperability by providing clarifications and amplifications to a set of nonproprietary web services specifications. WebSphere® Application Server Web Services Security provides configuration options to ensure that the BSP recommendations and security considerations can be enabled to ensure interoperability. The degree to which you follow these recommendations is then a measure of how well the application you are configuring complies with the Basic Security Profile (BSP).
Support for applications to comply to the Basic Security Profile (BSP) is new in WebSphere Application Server Version 8.5. For more information on the Basic Security Profile, see Web Services Interoperability Organization (WS-I) Basic Security Profile (BSP), Basic Security Profile Version 1.0.
You can use either a predefined list of keywords or XPath expressions to comply to the BSP. Both the keywords and the XPath expressions are specified in the deployment descriptor configuration file and are configured using an assembly tool.
Basic Security Profile recommendations
- Do not use the original XPath transform, https://www.w3.org/TR/1999/REC-xpath-19991116
When you refer to an element in a SECURE_ENVELOPE that does not carry an ID attribute type from a ds:Reference in a SIGNATURE element, you must use the XPath Filter 2.0 transform, https://www.w3.org/2002/06/xmldsig-filter2 to refer to that element.
Any ds:Transform/@Algorithm attribute in a SIGNATURE element must have one of these values:- https://www.w3.org/2001/10/xml-exc-c14n#
- https://www.w3.org/2002/06/xmldsig-filter2
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
- https://www.w3.org/2000/09/xmldsig#enveloped-signature
- http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Content-Only-Transform
- http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Complete-Transform
- Do not use the https://www.w3.org/2000/09/xmldsig#dsa-sha1 signature
algorithm.Any ds:SignatureMethod/@Algorithm element in a SIGNATURE that is based on a symmetric key must have one of the following values:
- Do not specify the digestvalue keyword for the message part to
encrypt. Instead, use the signature keyword.
If the value of a ds:DigestValue element in a SIGNATURE element requires encryption, the entire parent ds:Signature element must be encrypted. A SIGNATURE must not have any xenc:EncryptedData elements among its descendants.
- Do not use the KEYNAME key information type
KEYNAME references can be ambiguous and compliance with the BSP disallows the use of KEYNAME.
A SECURITY_TOKEN_REFERENCE must not use a key name to reference a SECURITY_TOKEN. The child element of a ds:KeyInfo element in an ENCRYPTED_KEY must be either a SECURITY_TOKEN_REFERENCE or a ds:MgmtData element. Using a KEYNAME key information type for an encryption key results in a KeyName child element of a ds:KeyInfo element and is disallowed for BSP compliance.
- Do not use the https://www.w3.org/2001/04/xmlenc#aes192-cbc bit
data encryption algorithm.Any xenc:EncryptionMethod/@Algorithm attribute in an ENCRYPTED_DATA element must have one of these values:
- Do not use the advanced encryption standard (AES) key wrap (aes192): https://www.w3.org/2001/04/xmlenc#kw-aes192 key
encryption algorithm.When used for key wrap, any xenc:EncryptionMethod/@Algorithm attribute in an ENCRYPTED_KEY element must have one of these values:
Configuration Options for BSP Compliance
- When configuring the ds:Transforms element in a signature, the list of transforms must include as its last child element https://www.w3.org/2001/10/xml-exc-c14n# or http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
- Add a wsse:Nonce or wsse:Created element to a Username token to prevent replay. After the element is added, sign the Username token to prevent undetected alteration of these fields; otherwise, replay can occur.