Web eWeb Services can be secured by using various combinations of security configurations:
...
| Setting | Description | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
Enable Transport Security | Select this check box if you want to communicate the web service using the transfer protocol HTTPS. If you want to use the the transfer protocol HTTP, leave the check box empty. | ||||||||||
Keystore | Click on the button and select the keystore JKS-file that contains the private keys that you want to apply. See create a keystore to know how to create a keystore and password.
| ||||||||||
Keystore Password | Enter the password that protects the keystore file. | ||||||||||
Web Service Security Settings | Applicable whether you select Enable Transport Security or not. | ||||||||||
Enable Web Service Security For This Profile | When selected, Web Service security is used, and the other text boxes in the dialog are highlighted. The Web Service Security Settings and Username Token and Addressing check boxes are also enabled for you to configure your security settings. If you do not select any other check boxes on this tab, no Web Service Security is enabled. | ||||||||||
Keystore Alias | The alias of the keystore entry that should be used. | ||||||||||
Key Password | Enter the password that is used to protect the private key that is associated with the Keystore alias. | ||||||||||
Enable Encryption | When selected, messages will be encrypted. If you select this option, you must complete the text boxes in the Web Service Security Settings dialog. | ||||||||||
| Enable Binary Security Token | When selected, messages will be signed and the public certificate will be sent in the Binary Security Token element in the header of the message. | ||||||||||
| Use request signing certificate | When selected, the public certificate sent in the Binary Security Token element will be used to encrypt the message back to the client. This option will be ignored in case of a Web Service client agent. | ||||||||||
Enable Signing | When selected, messages will be signed. If you select this option, you must complete the text boxes in the Web Service Security Settings dialog. | ||||||||||
Enable TimeStamp | When selected, messages will be recorded with the date and time. | ||||||||||
| Keystore Encryption Alias | The encryption alias to use, in a client it should be the alias to the server public certificate. If left empty the Keystore Alias will be used to encrypt the message. | ||||||||||
Enable Username Token and Addressing | When selected, Username Token authentication is used, and the other text boxes in the dialog are highlighted and must be completed.
| ||||||||||
Enable WS Addressing | When selected, messages will be sent with a unique ID. | ||||||||||
| Disable Underscore Binding Mode | Use this check box to determine whether you want to enable or disable underscore binding mode. |
Generating a keystore for TLSAnchor createkeystore createkeystore
TLS requires a keystore file that is generated by using the Java standard command keytool. For further information about the keytool command, see the JDK product documentation.
...
There are multiple ways to setup a server and client keystores, in general, both client and the server needs the public certificate to sign the messages. If the server host multiple clients it is not needed to import all clients' certificates in server keystore but then a Certificate Authority (CA) is needed. So in a multiple client scenario, the server imports the CA certificate and get its own certificate signed by the CA. All clients get their certificates signed by CA and import server public certificate in keystore. Normally this type of certificate is signed by a trusted CA.
To generate server and client keystores, you need to follow the steps in the mentioned sequence:
...
Profile settings for the server
| Scroll ignore | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||