OASIS Web Services Security: SOAP Message Security v1.1: https://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf
OASIS Web Services Security: WS-SecurityPolicy v1.2: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html
OASIS Web Services Security: SAML Token Profile v1.1 (http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-SAMLTokenProfile.pdf) describes three Subject Confirmation Methods: Bearer, Holder-of-Key, and Sender Vouches. Of the Holder-of-Key method, there are two flavors, secret (symmetric) and public (asymmetric) key. SAP and Microsoft environments use the secret (symmetric) key method, which is not today supported by CICS TG. This enhancement will allow secure integration between business application processes using WebServices running in SAP and MS environments to securely send message traffic, authenticating the sender and protecting the content with the symmetric holder of key subject confirmation method. The standard implies that both methods secret and public key methods must be supported. The addition of this capability would yield a more compliant, but more importantly, a implementation that is interoperable not only with Microsoft and SAP products - but w/ WebSphere also (see references below)
References: The OASIS Web Services Security: SAML Token Profile v1.1 (http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-SAMLTokenProfile.pdf) From Page 18 of the document: “The SubjectConfirmation elements MUST include a <ds:KeyInfo> element that identifies a public or secret key that can be used to confirm the identity of the subject.“
From WebSphere Version 7.007 Info for Fixpack 7 (http://pic.dhe.ibm.com/infocenter/wasinfo/fep/topic/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/cwbs_samltokenprofilespec.html): “When using the holder-of-key subject confirmation method, proof of the relationship between the subject and claims is established by signing part of the SOAP message with the key specified in the SAML assertion. Since there is key material associated with a holder-of-key token, this token can be used to provide message level protection (signing and encryption) of the SOAP message.” And for the same reference IBM Implies support for secret key use in SAML assertions: “The ds:KeyInfo information inside the SubjectConfirmation element identifies a public or secret key that is used to confirm the identity of the subject. The holder-of-key assertion also contains a ds:Signature element that protects the integrity of the confirmation ds:KeyInfo element as established by the assertion authority.” AND “The following sample SubjectConfirmation element contains a SymmetricKey encrypted for the relying party.
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
<ds:KeyInfo xmlns:ds=“http://www.w3.org/2000/09/xmldsig#”>
<enc:EncryptedKey xmlns:enc=“http://www.w3.org/2001/04/xmlenc#”>
<enc:EncryptionMethod Algorithm=“http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p”>
<ds:DigestMethod Algorithm=“http://www.w3.org/2000/09/xmldsig#sha1” />
</enc:EncryptionMethod>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIB3 . . . vO3bdg</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<enc:CipherData>
<enc:CipherValue>P5Kb . . . rOTvII</enc:CipherValue>
</enc:CipherData>
</enc:EncryptedKey>
</ds:KeyInfo>
</saml:SubjectConfirmation>”
We have assessed this requirement. We have no current plans for this to be implemented and so this requirement is being declined at this point. The requirement will be kept in the RFE system and might be reassessed in the future. You also have an opportunity to resubmit in twelve months time if you wish it to be reconsidered then.
Due to processing by IBM, this request was reassigned to have the following updated attributes:
Brand - Servers and Systems Software
Product family - Transaction Processing
Product - CICS Transaction Server
For recording keeping, the previous attributes were:
Brand - WebSphere
Product family - Transaction Processing
Product - CICS Transaction Server
We want to implement WS-Security using CICS Web Services.
Our security policies demands:
1. fully WS-Security 1.1 support
2.Support of RSA-SHA256
Furthermore some additional requirements are raised from different projects that wants to communicate with external parties via CICS Web Services.
1. encryption of elements in de SOAP Body (for inbound and outbound services)
2. Use of as reference to a X509 certificate within
In our Core Banking Transformation we intent to position CICS Web Services as a strategic part of the new architecture. If (especially) bullets 1 and 2 are not on the roadmap of CICS Web Services then we consider CICS Web Service not as a strategic part from IBM and we have to look for alternatives.
The need to support SAML is a well understood requirement