The web services that are part of the profile can be secured using different combinations of security configurations.
...
Security Tab
The following options are available:
Transport Level Security with the option of enabling a Timestamp
Transport Level Security with Web Service Security standard with the option of enabling a Timestamp
Transport Level Security with Username Token and/or Addressing with the option of enabling a Timestamp
Transport Level Security with Web Service Security standard combined with Username Token and/or Addressing with the option of enabling a Timestamp
Web Service Security standard with the option of enabling a Timestamp
Web Service Security standard with Username Token and/or Addressing with the option of enabling a Timestamp
Username Token and/or Addressing with the option of enabling a Timestamp
To apply Transport Level Security (TLS v1.2), select the Enable Transport Security checkbox. The Web Service agents provide Web Service security by supporting XML-signature and encryption. A Timestamp records the time of messages. Username Token uses authentication tokens and Addressing provides unique message IDs.
Setting | Description |
---|---|
Enable Transport Security | Select this checkbox to communicate with the web service using the transfer protocol HTTPS. If you want to use the transfer protocol HTTP, leave the checkbox empty. |
Security Profile | Click Browse to select a security profile with certificate and configuration to use, if you prefer to use a secure connection. Refer to Security Profile for more information. |
Web Service Security Settings | Applicable whether you select Enable Transport Security or not. |
Enable Web Service Security For This Profile | When selected, Web Service security is used. The Web Service Security Settings and Username Token and Addressing checkboxes are also enabled for you to configure security settings. If you do not select any other checkboxes on this tab, no Web Service Security is enabled. |
Enable Encryption | When selected, encryption will be enabled. |
Enable Binary Security Token | When selected, messages are signed and the public certificate is sent in the Binary Security Token element in the message header. |
Use request signing certificate | When selected, the public certificate sent in the Binary Security Token element is used to encrypt the message that is sent back to the client. This option is ignored in case you are using a Web Service client agent. |
Enable Signing | When selected, messages will be signed. |
Security Profile | Click Browse to select a Web services security profile. Refer to Security Profile for more information. |
Enable TimeStamp | When selected, messages are recorded with the date and time. |
Username Token and Addressing | |
Enable Username Token | When selected, Username Token authentication is used, and the other text boxes in the dialog are highlighted and must be completed. Note that when selected, this option is applicable to both the Web Service Provider agent and the Web Service Request agent. |
WS Token Username | Enter the WS Token username. |
WS Token Password | Enter the WS Token password. |
Enable WS Addressing | When selected, messages are sent with a unique ID. |
Generate Keystore for Web Service Security
There are multiple ways to set up server and client keystores. In general, both the client and the server need the public certificate to sign the messages. If the server hosts multiple clients, it does not need to import every client's certificate into the server keystore, but a Certificate Authority (CA) is then needed. In a multiple-client scenario, the server imports the CA certificate and gets its own certificate signed by the CA. All clients get their certificates signed by the CA and import the server public certificate into the keystore. Normally this type of certificate is signed by a trusted CA.
To generate server and client keystores, follow these steps in the order given:
Set up a CA as described in Setting Up a Certificate Authority.
Generate the server keystore and certificate as described in Creating Server Keystore and Certificate.
Generate the client keystore and certificate as described in Creating Client Keystore and Certificate.
You need to select the Binary Security Token checkbox for the Web Service profile client and server. For the server, you also need to select the checkbox Use request signing certificate.
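The multiple-client layout described above, as an added example that is not taken from the product documentation: a bash script that uses the openssl command line to create a CA, issue server and client certificates, package each with its key as a PKCS#12 keystore, and confirm that the CA certificate alone validates every issued certificate. All names, the password and the lifetimes are constructed placeholders; the product's actual keystore format and the import of trusted certificates into each keystore are covered by the linked pages, not by this script.

```shell
#!/usr/bin/env bash
# Added example: all names, the password and lifetimes are constructed placeholders.
set -eu
PASS=changeit
WORK=$(mktemp -d); cd "$WORK"

cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example WS CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_ca() {        # step 1: self-signed CA key and certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config ca.cnf \
    -keyout ca.key -out ca.crt 2>/dev/null
}

issue() {          # steps 2-3: key, CSR, CA-signed certificate, PKCS#12 keystore
  openssl req -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -out "$1.crt" 2>/dev/null
  openssl pkcs12 -export -name "$1" -inkey "$1.key" -in "$1.crt" \
    -certfile ca.crt -passout "pass:$PASS" -out "$1.p12"
}

trusted_by_ca() {  # succeeds only if ca.crt alone validates <name>.crt
  openssl verify -no-CApath -CAfile ca.crt "$1.crt" >/dev/null 2>&1
}

make_ca
issue server
issue client1
issue client2      # a client added later: nothing changes on the server side
for n in server client1 client2; do
  trusted_by_ca "$n" && echo "$n.crt validates against ca.crt"
done
echo "keystores written to $WORK"
```

Every trust decision in this layout rests on ca.key, so keep it off the server and client hosts.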