9.84.2.4 Web Service Profile Security Tab
- Jenni Wallin
- Former user (Deleted)
- Karthik Bangalore
eWeb Services can be secured by using various combinations of security configurations:
- Transport Level Security with the option of enabling a Timestamp
Transport Level Security with Web Service Security standard with the option of enabling a Timestamp
Transport Level Security with Username Token and/or Addressing with the option of enabling a Timestamp
Transport Level Security with Web Service Security standard combined with Username Token and/or Addressing with the option of enabling a Timestamp
Web Service Security standard with the option of enabling a Timestamp
Web Service Security standard with Username Token and/or Addressing with the option of enabling a Timestamp
- Username Token and/or Addressing with the option of enabling a Timestamp
To apply Transport Level Security (TLS v1.2), select the Enable Transport Security check box. The Web Service agents provide Web Service security by supporting XML-signature and encryption. A TimeStamp records the time of messages. Username Token uses authentication tokens and Addressing provides unique message IDs.
The Web Service Profile - Security tab
| Setting | Description |
|---|---|
Enable Transport Security | Select this check box if you want to communicate the web service using the transfer protocol HTTPS. If you want to use the the transfer protocol HTTP, leave the check box empty. |
Keystore | Click on the button and select the keystore JKS-file that contains the private keys that you want to apply. See create a keystore to know how to create a keystore and password. Note To export the original Keystore file, select from the main menu of the Web Service profile, and then select Note! If the web service is a client then the client certificate is added to the Web Service profile used for the Web Service agent. And, if the web service is a server then the server certificate is added to the Web Services profile used for the Web Service agent. |
Keystore Password | Enter the password that protects the keystore file. |
Web Service Security Settings | Applicable whether you select Enable Transport Security or not. |
Enable Web Service Security For This Profile | When selected, Web Service security is used, and the other text boxes in the dialog are highlighted. The Web Service Security Settings and Username Token and Addressing check boxes are also enabled for you to configure your security settings. If you do not select any other check boxes on this tab, no Web Service Security is enabled. |
Keystore Alias | The alias of the keystore entry that should be used. |
Key Password | Enter the password that is used to protect the private key that is associated with the Keystore alias. |
Enable Encryption | When selected, messages will be encrypted. If you select this option, you must complete the text boxes in the Web Service Security Settings dialog. |
| Enable Binary Security Token | When selected, messages will be signed and the public certificate will be sent in the Binary Security Token element in the header of the message. |
| Use request signing certificate | When selected, the public certificate sent in the Binary Security Token element will be used to encrypt the message back to the client. This option will be ignored in case of a Web Service client agent. |
Enable Signing | When selected, messages will be signed. If you select this option, you must complete the text boxes in the Web Service Security Settings dialog. |
Enable TimeStamp | When selected, messages will be recorded with the date and time. |
| Keystore Encryption Alias | The encryption alias to use, in a client it should be the alias to the server public certificate. If left empty the Keystore Alias will be used to encrypt the message. |
Enable Username Token and Addressing | When selected, Username Token authentication is used, and the other text boxes in the dialog are highlighted and must be completed. Note! When selected, this option is applicable to both Web Service Provider agent and Web Service Request agent. |
Enable WS Addressing | When selected, messages will be sent with a unique ID. |
| Disable Underscore Binding Mode | Use this check box to determine whether you want to enable or disable underscore binding mode. |
Generating a keystore for TLS
TLS requires a keystore file that is generated by using the Java standard command keytool. For further information about the keytool command, see the JDK product documentation.
Example - To generate a keystone
To Create a keystore:
$ keytool -genkey -alias server -keyalg RSA -keystore ./server.jks
alias= name of the key, for example,serverkeystore= name of the keystore, for example,server.jksNote!
The keystore is stored in the directory where you ran this command.
Keytool prompts for required information such as identity details and password. When prompted for the first and last name, you must add the domain details for SSL/TLS certificate. The keystore password must be the same as the key password.To Add the certificate:
If the web service is a server, you should export the certificate (server.cer) and send it to the client side.$ keytool -export -alias server -keystore ./server.jks -file ./server.cer
If the web service is a client, you must get a certificate from the server (server.cer) and import the certificate to the keystore.$ keytool -import -alias client -file ./server.cer -keystore ./client.jks
The certificate file can now be distributed to the other peers.Note!
Currently the certificates do not work in the Web Services Security settings. It is a known issue.
Enter the keystore path and the keystore password in the Web Service Profile.
Generate Keystore for Web Service Security
There are multiple ways to setup a server and client keystores, in general, both client and the server needs the public certificate to sign the messages. If the server host multiple clients it is not needed to import all clients' certificates in server keystore but then a Certificate Authority (CA) is needed. So in a multiple client scenario, the server imports the CA certificate and get its own certificate signed by the CA. All clients get their certificates signed by CA and import server public certificate in keystore. Normally this type of certificate is signed by a trusted CA.
To generate server and client keystores, you need to follow the steps in the mentioned sequence:
- Setup a CA as mentioned in Setting Up a Certificate Authority
- Generate the server keystore and certificate as mentioned in Creating Server Keystore and Certificate
- Generate the client keystore and certificate as mentioned in Creating Client Keystore and Certificate.
The Web Service Profile for client and server need to select the Binary Security Token option. For the server, you also need to select the checkbox Use request signing certificate.
After following the examples of setting up the keystores, the profile settings for the client should look like this:
Profile settings for the client
And the server settings should look like this:
Profile settings for the server