Security features of WSO2 WSAS

Monday, August 18, 2008

One of the main advantages of WSO2 WSAS is its built-in security features. They can be configured very easily using the web administration console.

  • SSL Support
    WSO2 WSAS has out-of-the-box SSL support. All you need to do is replace the WSAS default SSL certificate with your own certificate, which may be one purchased from a certificate authority or even a self-signed certificate.
  • WSAS Security Configuration
    WSAS Security Configuration consists of WS-Security policies for the most commonly used transport-level and message-level security scenarios. These policies are based on security requirements such as Authentication, Integrity, Confidentiality, Non-repudiation, Message Freshness and combinations of them. There are policies which optimize securing multiple messages using WS-SecureConversation and also policies which allow trust brokering through WS-Trust. These default policies can be further tweaked to suit custom scenarios using the built-in policy editor.
  • User Management and Key Store Management
    WSO2 WSAS provides user management features such as adding users, deleting users and changing user passwords through the web administration console. It also allows users to be grouped into roles. A set of users or roles can be easily associated with a web service for Authentication.
    WSO2 WSAS also provides key store / certificate management features. WSAS can handle both JKS and PKCS12 key stores. Using the WSAS administration console, we can upload key stores, view the content of a key store, import certificates to a key store as trusted certificates and remove certificates from existing key stores.
  • WSAS Security Token Service (WSAS STS)
    WSO2 WSAS comes with a built-in Security Token Service, built on top of the WS-Trust protocol, which can be used to issue SAML tokens. Security Token Services can be used to broker trust between two untrusted parties when both parties have a trust relationship with the Security Token Service. WSAS STS supports all four bindings defined in WS-Trust, that is, the Issue binding, Validate binding, Renew binding and Cancel binding.
  • WSO2 XKMS (XML Key Management Specification) service
    WSO2 WSAS also ships an inbuilt XKMS trust web service. The main objective of XKMS trust web services is the processing and management of PKI-based cryptographic keys. This allows web services to delegate the key processing functionality to the XKMS service, reducing complexity and making key handling more manageable.
  • WSO2 Mex and WSO2 XFer modules
    WSO2 Mex (an implementation of WS-MetadataExchange) and WSO2 XFer (WS-Transfer) are two modules that ship with WSO2 WSAS and support metadata exchange. These modules can be used to exchange metadata about web services, such as policies, WSDLs and schemas, especially when you want to implement web services federation.
  • WSO2 POX (Plain Old XML) security handler
    WSO2 WSAS allows RESTful web service invocations to be protected with HTTP Basic Authentication via the WSO2 POX security handler. This handler is integrated with the user management features.

4 comments:

Jonathan Gershater said...

Question about setting up the STS service
The readme states:
"# Select "wso2wsas-sts" service and setup security scenario #3 on it. "

What is security scenario #3?

Jonathan Gershater said...

Please reply by comment, thanks.

Jonathan Gershater said...

Ok, this step, scenario #3, has been resolved.

However this step, "Upload sts-sample/conf/client.cert into the wso2wsas keystore using the WSO2WSAS admin console."

requires the keystore password.

What is that password?
