vCenter Single Sign-On Security Policies

Web service security policies define the requirements for secure communication between a Web service and a client. vCenter Single Sign-On security policies are based on the WS-Policy framework and WS-SecurityPolicy specifications. A policy identifies specific elements for token requests. Based on the policy requirements, a vCenter Single Sign-On client will insert data into the SOAP security header for the token request.
vCenter Single Sign-On defines security policies for end user access, solution access, and for token exchange. The policies stipulate the following elements:
  • Security certificates (x509V3, x509PKIPathV1, x509PKCS7, or WssSamlV20Token11)
  • Message timestamps
  • Security binding (transport)
  • Encryption algorithm (Basic256Sha256)
vCenter Single Sign-On security policies specify that the body of the SOAP message for a holder-of-key token must be signed. Bearer tokens require only the username and timestamp tokens.
The vCenter Single Sign-On server issues SAML tokens to represent client authentication. The standards documentation also uses the term “token” to refer to claims and certificate data that is inserted into SOAP security headers.
The following table shows the vCenter Single Sign-On policies and identifies the requirements for each policy. The vCenter Single Sign-On WSDL defines these policies for use with the vCenter Single Sign-On methods.
vCenter Single Sign-On Policies

Policy: STSSecPolicy
Description: Defines the transport policy and algorithm suite for all communication with the vCenter Single Sign-On server:
  • Certificate-based server-side SSL authentication.
  • HTTPS transport binding using the NIST (National Institute of Standards and Technology) Basic256Sha256 encryption algorithm. The HTTPS token is used to generate the message signature.
  • The request security header must contain a timestamp.

Policy: IssueRequestPolicy
Description: Defines the security policy for Issue token requests. IssueRequestPolicy specifies either username token (signed), username token (plaintext password), X509 certificate, or holder-of-key token authentication. You specify username/password or X509 certificate credentials to obtain a vCenter Single Sign-On token. If you obtain a holder-of-key token, you can use that token for subsequent Issue requests.
Username token (signed) authentication:
  • X509 endorsing supporting token (WssX509V3Token11, WssX509PkiPathV1Token11, or WssX509Pkcs7Token10)
  • WssUsernameToken11 signed supporting token
Username token (plaintext password) authentication:
  • WssUsernameToken11 signed supporting token
X509 certificate authentication:
  • X509 endorsing supporting token (WssX509V3Token11, WssX509PkiPathV1Token11, or WssX509Pkcs7Token10)
Holder-of-Key token authentication:
  • WssSamlV20Token11 assertion referenced by a KeyIdentifier
  • The token must be used to sign the SOAP message body.

Policy: RenewRequestPolicy
Description: Defines the security policy for Renew token requests. The request must contain one of the following endorsing supporting tokens. The SOAP message body must be included in the signature generated with the token.
  • WssX509V3Token11
  • WssX509PkiPathV1Token11
  • WssX509Pkcs7Token10
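As an added illustration of the requirements in this table (not code from the vCenter Single Sign-On SDK), the following Python checks a token-request envelope against them: a timestamp in the security header (STSSecPolicy), a holder-of-key assertion referenced by a KeyIdentifier with the SOAP body inside its signature, and body coverage for X509 endorsing tokens. It assumes SOAP 1.1 namespaces and inspects structure only; it does not verify the signature cryptographically, and the sample envelope it builds is constructed, not a real capture.

```python
import xml.etree.ElementTree as ET

# Standard WS-Security / XML-DSig / SAML 2.0 namespace URIs (SOAP 1.1 assumed).
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
WSU_ID = "{%s}Id" % NS["wsu"]

def check_sso_request(envelope_xml):
    """Return the list of policy violations in a token-request envelope (empty list = conforms)."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    problems = []
    if sec.find("wsu:Timestamp", NS) is None:  # STSSecPolicy: a timestamp is mandatory
        problems.append("missing wsu:Timestamp")
    body = root.find("soap:Body", NS)
    sig = sec.find("ds:Signature", NS)
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS) if sig is not None else []
    body_signed = body is not None and ("#" + (body.get(WSU_ID) or "")) in {r.get("URI") for r in refs}
    if sec.find("saml2:Assertion", NS) is not None:
        # Holder-of-key: the assertion is referenced by a KeyIdentifier and the body is signed with it.
        if sig is None or sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS) is None:
            problems.append("holder-of-key assertion not referenced by a KeyIdentifier")
        if not body_signed:
            problems.append("SOAP body not covered by the holder-of-key signature")
    elif sec.find("wsse:BinarySecurityToken", NS) is not None:
        # X509 endorsing token: Renew requires the body in the signature; applied to Issue too (assumption).
        if not body_signed:
            problems.append("SOAP body not covered by the X509 signature")
    elif sec.find("wsse:UsernameToken", NS) is None:
        problems.append("no credential (UsernameToken, X509 token or SAML assertion)")
    return problems

def sample_hok_request(sign_body=True, with_timestamp=True):
    """Constructed holder-of-key Issue request (not a capture); the signature value is a placeholder."""
    ts = "<wsu:Timestamp wsu:Id='ts'><wsu:Created>2024-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>" if with_timestamp else ""
    body_ref = '<ds:Reference URI="#body"/>' if sign_body else ""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}"
  xmlns:ds="{NS['ds']}" xmlns:saml2="{NS['saml2']}"><soap:Header><wsse:Security>{ts}
  <saml2:Assertion ID="_a1"/><ds:Signature><ds:SignedInfo><ds:Reference URI="#ts"/>{body_ref}</ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference>
  <wsse:KeyIdentifier>_a1</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
  </wsse:Security></soap:Header><soap:Body wsu:Id="body"><RequestSecurityToken/></soap:Body></soap:Envelope>"""
```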

vCenter Single Sign-On SDK Support for vCenter Single Sign-On Security Policies

The vCenter Single Sign-On SDK provides Java utilities that support the vCenter Single Sign-On security policies. Your vCenter Single Sign-On client can use these utilities to create digital signatures and supporting tokens, and insert them into SOAP headers as required by the policies. The SOAP header utilities are defined in files that are located in the samples directory:
SDK\sso\java\JAXWS\samples\com\vmware\sso\client\soaphandlers