Web Services can be secured by using various combinations of security configurations:
- Transport Level Security, with the option of enabling a Timestamp
- Transport Level Security with the Web Service Security standard, with the option of enabling a Timestamp
- Transport Level Security with Username Token and/or Addressing, with the option of enabling a Timestamp
- Transport Level Security with the Web Service Security standard combined with Username Token and/or Addressing, with the option of enabling a Timestamp
- Web Service Security standard, with the option of enabling a Timestamp
- Web Service Security standard with Username Token and/or Addressing, with the option of enabling a Timestamp
- Username Token and/or Addressing, with the option of enabling a Timestamp
To apply Transport Level Security (TLS v1.2), select the Enable Transport Security check box. The Web Service agents provide Web Service Security by supporting XML signature and XML encryption. A Timestamp records the time of each message. Username Token uses authentication tokens, and Addressing provides unique message IDs.
The Web Service profile - Security tab
Setting | Description |
--- | --- |
Enable Transport Security | Select this check box if you want to communicate with the web service using the transfer protocol HTTPS. If you want to use the transfer protocol HTTP, leave the check box empty. |
Keystore | Click the button and select the keystore JKS file that contains the private keys that you want to apply. See Generating a keystore for TLS below for how to create a keystore and its password. Note! To export the original Keystore file, select the relevant entry from the main menu of the Web Service profile. Note! If the web service is a client, the client certificate is added to the Web Service profile used for the Web Service agent. If the web service is a server, the server certificate is added to the Web Service profile used for the Web Service agent. |
Keystore Password | Enter the password that protects the keystore file. |
Web Service Security Settings | Applicable whether you select Enable Transport Security or not. |
Enable Web Service Security For This Profile | When selected, Web Service security is used, and the other text boxes in the dialog are highlighted. The Web Service Security Settings and Username Token and Addressing check boxes are also enabled for you to configure your security settings. If you do not select any other check boxes on this tab, no Web Service Security is enabled. |
Keystore Alias | The alias of the keystore entry that should be used. |
Key Password | Enter the password that is used to protect the private key that is associated with the Keystore alias. |
Enable Encryption | When selected, messages will be encrypted. If you select this option, you must complete the text boxes in the Web Service Security Settings dialog. |
Enable Signing | When selected, messages will be signed. If you select this option, you must complete the text boxes in the Web Service Security Settings dialog. |
Enable TimeStamp | When selected, messages will be recorded with the date and time. |
Enable Username Token and Addressing | When selected, Username Token authentication is used, and the other text boxes in the dialog are highlighted and must be completed. Note! When selected, this option is applicable to both Web Service Provider agent and Web Service Request agent. |
Enable WS Addressing | When selected, messages will be sent with a unique ID. |
Disable Underscore Binding Mode | Use this check box to determine whether you want to enable or disable underscore binding mode. |
Generating a keystore for TLS
TLS requires a keystore file that is generated by using the Java standard command keytool. For further information about the keytool command, see the JDK product documentation.
Example - To generate a keystore
To create a keystore:
$ keytool -genkey -alias server -keyalg RSA -keystore ./server.jks
alias = name of the keystore alias, for example, server
keystore = name of the keystore, for example, server.jks
Note! The keystore is stored in the directory where you ran this command.
Keytool prompts for required information such as identity details and password. When prompted for the first and last name, you must enter the domain details for the SSL/TLS certificate. The keystore password must be the same as the key password.
To add the certificate:
If the web service is a server, you should export the certificate (server.cer) and send it to the client side.
$ keytool -export -alias server -keystore ./server.jks -file ./server.cer
If the web service is a client, you must get a certificate from the server (server.cer) and import the certificate into the keystore.
$ keytool -import -alias client -file ./server.cer -keystore ./client.jks
The certificate file can now be distributed to the other peers.
Note! Currently the certificates do not work in the Web Services Security settings. It is a known issue.
Enter the keystore path and the keystore password in the Web Service Profile.
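The same generate, export and import sequence as an added, non-interactive example (not part of the product documentation). It assumes a JDK keytool on PATH; the password and the CN are constructed placeholders, and the keystore and key password are kept identical as required above.

```shell
#!/bin/sh
# Added example, not from the product documentation: the keytool steps above
# run non-interactively. Assumes a JDK keytool on PATH; the password and the
# CN are constructed placeholders. Keystore and key password are kept equal.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
STOREPASS="changeit-example"   # placeholder; keystore password == key password

# Server side: generate the key pair. -dname supplies the identity details
# keytool would otherwise prompt for; the CN must carry the server's domain.
gen_server_keystore() {
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=ws.example.test, O=Example, C=SE" \
        -keystore "$WORKDIR/server.jks" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS" 2>/dev/null
}

# Server side: export the public certificate (server.cer) to hand to clients.
export_server_cert() {
    keytool -exportcert -alias server -keystore "$WORKDIR/server.jks" \
        -storepass "$STOREPASS" -file "$WORKDIR/server.cer" 2>/dev/null
}

# Client side: import the received certificate as a trusted entry.
import_server_cert() {
    keytool -importcert -noprompt -alias client -file "$WORKDIR/server.cer" \
        -keystore "$WORKDIR/client.jks" -storetype JKS \
        -storepass "$STOREPASS" 2>/dev/null
}

# Print the certificate fingerprint of one keystore entry (SHA-256 on
# current JDKs, SHA1 on older ones).
fingerprint() {  # $1 = keystore file, $2 = alias
    keytool -list -alias "$2" -keystore "$1" -storepass "$STOREPASS" 2>/dev/null \
        | sed -n 's/.*fingerprint (SHA[-0-9]*): //p'
}

# Check: the client's trusted entry is exactly the server's certificate.
verify_trust() {
    server_fp=$(fingerprint "$WORKDIR/server.jks" server)
    client_fp=$(fingerprint "$WORKDIR/client.jks" client)
    [ -n "$server_fp" ] && [ "$server_fp" = "$client_fp" ]
}

run_all() { gen_server_keystore && export_server_cert && import_server_cert && verify_trust; }
```

Run `run_all` after sourcing the script; it returns non-zero if the fingerprint in client.jks does not match the server's certificate.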
Generate a Keystore for Web Service Security
There are multiple ways to set up server and client keystores. In general, both sides need the other side's public certificate to sign the messages. If the server will host multiple clients, it is not necessary to import every client certificate into the server keystore; instead a Certificate Authority (CA) is needed. In the multiple-client scenario the server imports the CA certificate and gets its own certificate signed by the CA. All clients get their certificates signed by the CA and import the server's public certificate into their keystores.
To generate the server and client keystores, you first need a CA, as described on the linked page. Then the server keystore can be generated, as described on its linked page, and finally the client keystore.
The Web Service Profile for both the client and the server needs Binary Security Token turned on. The server also needs Use request signing certificate turned on.
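The multiple-client CA layout described above as an added, non-interactive keytool example (not part of the product documentation or its linked pages). It assumes a JDK keytool on PATH; the passwords, host names and CA DN are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the product documentation: the multi-client CA
# layout the section describes, run non-interactively with the JDK keytool
# (assumed on PATH). Passwords, host names and the CA DN are placeholders.
set -eu

DIR="${DIR:-$(mktemp -d)}"
PASS="changeit-example"   # placeholder; keystore and key password kept equal
CA_DN="CN=Example CA"
kt() { keytool "$@" 2>/dev/null; }   # quiet wrapper, hides JKS warnings

# 1. The CA key pair; -ext bc:c marks it as a CA certificate.
make_ca() {
    kt -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 3650 \
       -dname "$CA_DN" -ext bc:c -keystore "$DIR/ca.jks" -storetype JKS \
       -storepass "$PASS" -keypass "$PASS"
    kt -exportcert -alias ca -keystore "$DIR/ca.jks" -storepass "$PASS" \
       -file "$DIR/ca.cer"
}

# 2. A peer keystore (server or client): own key pair, CSR, CA-signed
#    certificate, then CA cert + signed cert imported to complete the chain.
make_peer() {  # $1 = alias, e.g. server or client
    ks="$DIR/$1.jks"
    kt -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -validity 365 \
       -dname "CN=$1.example.test" -keystore "$ks" -storetype JKS \
       -storepass "$PASS" -keypass "$PASS"
    kt -certreq -alias "$1" -keystore "$ks" -storepass "$PASS" -file "$DIR/$1.csr"
    kt -gencert -alias ca -keystore "$DIR/ca.jks" -storepass "$PASS" \
       -infile "$DIR/$1.csr" -outfile "$DIR/$1.pem" -rfc -validity 365
    kt -importcert -noprompt -alias ca -file "$DIR/ca.cer" -keystore "$ks" -storepass "$PASS"
    kt -importcert -noprompt -alias "$1" -file "$DIR/$1.pem" -keystore "$ks" -storepass "$PASS"
}

# 3. Each client additionally imports the server's public certificate.
trust_server() {  # $1 = client alias
    kt -exportcert -alias server -keystore "$DIR/server.jks" -storepass "$PASS" \
       -file "$DIR/server.cer"
    kt -importcert -noprompt -alias server -file "$DIR/server.cer" \
       -keystore "$DIR/$1.jks" -storepass "$PASS"
}

# Check that a peer's own entry carries a certificate issued by the CA.
issued_by_ca() {  # $1 = alias
    kt -list -v -alias "$1" -keystore "$DIR/$1.jks" -storepass "$PASS" \
       | grep -q "Issuer: $CA_DN"
}

setup_all() { make_ca && make_peer server && make_peer client && trust_server client; }
```

Adding a further client is one more `make_peer name` plus `trust_server name`; the server keystore is not touched, which is the point of the CA layout.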