Adding security stacks

To provide better WSDL security, you can make use of many security algorithms in the service test.

About this task

Procedure

  1. From the Test Navigator view or from the Request Library section of Generic Service Client, right-click the WSDL file and select Edit WSDL Security.
  2. In the Security Algorithms area of Algorithm Stacks tab, click Add to create a profile.
  3. In the Stack Contents area, click Add and add any of the following security algorithms:
    Custom Security Algorithm
    If you want to use a Java class as a custom security algorithm, then use this stack element to apply the custom algorithm to the service.
    Java Project
    If you have not implemented a custom Java class, select Java Project, type a name for the new project, and click Generate to create a new Java class with the default structure for custom security implementations.
    Note: If you are using IBM® Security AppScan®, this field is not available.
    Implementation class
    Specify the name of the class that implements the custom security algorithm. Click Browse Class to select an existing Java class from the workspace.
    Properties
    Use this table to send any specific properties and associated values to the custom security algorithm.
    WS-Addressing Algorithm
    Use this block if your service uses either WS-Addressing 2004/08 or the WS-Addressing 1.0 Core standard.
    Namespace
    Specify the namespace for either WS-Addressing 2004/08 or WS-Addressing 1.0 Core.
    Action if request uses WS-Addressing
    Select the action to complete if WS-Addressing is already in the request.
    Replace anonymous address in Reply-to with:
    Select this option to generate the specified address in the Reply-to header instead of an anonymous address.
    Remove WS-Addressing from response
    Select this option to strip any WS-Addressing headers from the response.
    Encrypted Key
    This block defines an encrypted key that can be used in an XML signature or XML encryption block. The encrypted key block must be before a block that uses the encrypted key.
    Actor / Role name
    Specify the name of the recipient of the algorithm header element, if required.
    Must understand
    Select whether it is mandatory that the algorithm header is processed by the recipient, if required. The recipient is either the Actor name or the server.
    Key name
    Specify the name of the encrypted key.
    Identifier type
    Select the type of key identifier to be used for the key. The following key identifiers are available, as defined in the the Web Service Security (WSS) specification X509 profile and OASIS WSS 1.1 specification:
    • ISSUER_SERIAL
    • BST_DIRECT_REFERENCE
    • X509_KEY_IDENTIFIER
    • THUMBPRINT_IDENTIFIER
    • SKI_KEY_IDENTIFIER
    Key size
    Specify the size of the key in bits.
    Key encoding algorithm name
    Specify the algorithm to be used for encoding the key.
    Keystore
    Select a keystore or click Edit Security to define a new keystore or to manage the existing keystores.
    Name
    Select a key contained in the specified keystore.
    Password
    Type the password for the selected key name.
    XML Signature
    The XML signature security algorithm specifies how the XML document is signed. For details on security algorithms, refer to the web service security specification.
    Actor / Role name
    Specify the name of the recipient of the algorithm header element, if required.
    Must understand
    Select whether it is mandatory that the algorithm header is processed by the recipient, if required. The recipient is either the Actor name or the server.
    Security token
    Select the type of key identifier to be used for the signature. The following key identifiers are available, as defined in the the Web Service Security (WSS) specification X509 profile and OASIS WSS 1.1 specification:
    • ISSUER_SERIAL
    • BST_DIRECT_REFERENCE
    • X509_KEY_IDENTIFIER
    • SKI_KEY_IDENTIFIER
    • KEY_VALUE
    • USER_NAME_TOKEN
    • CUSTOM_SYMM_SIGNATURE
    In addition, the following identifiers are available when the signature is based on a UsernameToken profile:
    • USER_NAME_TOKEN
    • CUSTOM_SYMM_SIGNATURE
    User XPath part selection
    Specify an XPath query that describes parts of the XML document that can be the subjects of the algorithm. By default, the body is the subject. Click the XPath Helper button to build the Xpath expression.
    Key
    Select the key used for the encryption. The details of each key vary.
    • x509 key: This key specifies the name and password of the x509 key and the keystore where it is located.
    • User name token key: This specifies a user name and password for the signature.
    • Encrypted key: This specifies a reference to an encrypted key that was previously defined in the security stack. Click Insert a new encrypted key to create a new encrypted key definition block.
    Signature algorithm name
    Specify the signature method algorithm as described in the XML Signature Syntax and Processing specification.
    Canonicalization
    Specify the canonicalization method to be used as described in the XML Signature Syntax and Processing specification.
    Digest algorithm method
    Specify which digest method to be used based on the algorithm method used on the server side.
    Inclusive namespaces
    Specify whether the canonicalization is exclusive as described in the Exclusive XML Canonicalization specification.
    XML Encryption
    The XML encryption security algorithm specifies how the XML document is encrypted. For details on security algorithms, refer to the web service security specification.
    Actor / Role name
    Specify the name of the recipient of the algorithm header element, if required.
    Must understand
    Select whether it is mandatory that the algorithm header is processed by the recipient, if required. The recipient is either the Actor name or the server.
    Identifier type
    Select the type of key identifier to be used for the encryption. The following key identifiers are available, as defined in the Web Services Security (WSS) specification X509 profile and the OASIS WSS 1.1 specification:
    • ISSUER_SERIAL
    • BST_DIRECT_REFERENCE
    • X509_KEY_IDENTIFIER
    • SKI_KEY_IDENTIFIER
    • EMBEDDED_KEYNAME
    • THUMBPRINT_IDENTIFIER
    • ENCRYPTED_KEY_SHA1_IDENTIFIER
    User XPath part selection
    This enables you to specify an XPath query that describes parts of the XML document that can be subjects of the algorithm. By default, the body is the subject.
    Key
    Select the key used for the encryption. The details of each key vary.
    • x509 key: This specifies the name and password of the x509 key and the keystore where it is located.
    • Raw key: This specifies the name and the byte value of your SecretKey in hexadecimal.
    • Encrypted key: This specifies a reference to an encrypted key that was previously defined in the security stack. Click Insert a new encrypted key to create a new encrypted key definition block.
    Encoding Algorithm Name
    Specify the encryption method to be used as defined in the XML Encryption Syntax and Processing specification.
    Key Encoding Algorithm
    Specify the standard algorithm for encoding the key as defined in the XML Encryption Syntax and Processing specification.
    User name token
    The user name token security algorithm adds a user name token to the XML document in the message. For details on security algorithms, refer to the web service security specification.
    Actor / Role name
    Specify the name of the recipient of the algorithm header element, if required.
    Must understand
    Select whether it is mandatory that the algorithm header is processed by the recipient, if required. The recipient is either the Actor name or the server.
    Name
    Type the name of the user.
    Password
    Type the password of the user.
    Password type
    Specify the password type for the security algorithm as defined in the Web Services Security UsernameToken profile.
    Use nonce
    Select this check box to add the Nonce element to the User Name Token XML code. In most cases, the Nonce ID is required.
    Use created
    Select this check box to add current timestamp to the Created XML element in the User Name Token XML.
    Time Stamp
    The time stamp security algorithm adds time stamp information to the XML document in the response. For details on security algorithms, refer to the web service security specification.
    Actor / Role name
    Specify the name of the recipient of the algorithm header element, if required.
    Must understand
    Select whether it is mandatory that the algorithm header is processed by the recipient, if required. The recipient is either the Actor name or the server.
    Expiration delay
    Specify the delay after which the time stamp expires.
    Millisecond precision
    Select this option to produce a time stamp that uses millisecond precision instead of the default (1/100th second).
    SAML Assertion Block
    To use the self-signed SAML assertion security algorithm, add the SAML Assertion stack to the request or WSDL files.
    User XPath part selection
    Specify an XPath query that describes parts of the XML document that can be the subjects of the algorithm. By default, the body is the subject. Click the XPath Helper button to build the Xpath expression.
    Key
    Select the key used for the encryption. The details of each key vary.
    • x509 key: This key specifies the name and password of the x509 key and the keystore where it is located.
    • User name token key: This specifies a user name and password for the signature.
    • Encrypted key: This specifies a reference to an encrypted key that was previously defined in the security stack. Click Insert a new encrypted key to create a new encrypted key definition block.
    Signature algorithm name
    Specify the signature method algorithm as described in the XML Signature Syntax and Processing specification.
    Canonicalization
    Specify the canonicalization method to be used as described in the XML Signature Syntax and Processing specification.
    Digest algorithm method
    Specify which digest method to be used based on the algorithm method used on the server side.
    Inclusive namespaces
    Specify whether the canonicalization is exclusive as described in the Exclusive XML Canonicalization specification.
    Signed Assertion
    Select this check box to self-sign the SAML Assertion.
    Issuer
    Specify the description of the issuer of the SAML Assertion or protocol message.
    Subject
    Specify the principal that is the subject of all of the statements in the assertion. It might contain an identifier or a series of one or more subject confirmations.
    Subject Qualifier
    Specify the Name Qualifier of the Subject
    Subject Format
    Specify the format used for the Subject.
    Subject Locality DNS
    Specify the DNS domain name for the system from which the assertion subject was authenticated.
    Subject Locality IP
    Specify the IP address for the system from which the assertion subject was authenticated.
    Statement Type
    Specify the authentication method to use for the assertion.

    Authentication: The assertion subject was authenticated

    Attribute: The specified subject is associated with the supplied attributes.

    Authorization decision: Permission to allow a subject to access the specified resource.

    Requested Resource
    When Authorization decision option is used, specify the resource for which you need access.
    Action
    Specify what action to take to access the resource.
    Confirmation number
    Confirmation methods define the mechanism by which an entity provides evidence (proof) of the relationship between the subject and the claims of the SAML assertions.

    Sender vouches: Select this option when a server needs to share the client identity with SOAP messages on behalf of the client. This method is similar to identity assertion, but it has the added flexibility of using SAML assertions to share not only the client identity, but also client attributes.

    Holder of key: Select this option when the proof of the relationship between the subject and claims is established by signing part of the SOAP message with the key specified in the SAML assertion. Because there is key material associated with a holder-of-key token, this token can be used to provide a message-level protection (signing and encryption) of the SOAP message.

    Bearers: Select this option when the proof of the relationship between the subject and claims is implicit. No specific steps are taken to establish the relationship. Because there is no key material associated with a bearer token, protection of the SOAP message, if required, must be performed using a transport-level mechanism or another security token, such as an X.509 or Kerberos token, for message level protection.

    Version
    Specify the SAML version used.
  4. Optional: To verify simple SAML code, use the Analyze Security from Pasted Content option.
    For more information about that option, see Creating security for WSDL profiles.