9.84.2.4 Web Service Profile Security Tab

eWeb Services can be secured by using various combinations of security configurations:

  • Transport Level Security with the option of enabling a Timestamp
  • Transport Level Security with Web Service Security standard with the option of enabling a Timestamp

  • Transport Level Security with Username Token and/or Addressing with the option of enabling a Timestamp

  • Transport Level Security with Web Service Security standard combined with Username Token and/or Addressing with the option of enabling a Timestamp

  • Web Service Security standard with the option of enabling a Timestamp

  • Web Service Security standard with Username Token and/or Addressing with the option of enabling a Timestamp

  • Username Token and/or Addressing with the option of enabling a Timestamp

To apply Transport Level Security (TLS v1.2), select the Enable Transport Security check box. The Web Service agents provide Web Service security by supporting XML-signature and encryption. A TimeStamp records the time of messages. Username Token uses authentication tokens and Addressing provides unique message IDs. 

The Web Service Profile - Security tab


SettingDescription

Enable Transport Security

Select this check box if you want to communicate the web service using the transfer protocol HTTPS. If you want to use the the transfer protocol HTTP, leave the check box empty.

Keystore

Click on the Import Keystore button and select the keystore JKS-file that contains the private keys that you want to apply. See create a keystore to know how to create a keystore and password. 

Note

To export the original Keystore file, select Export from the main menu of the Web Service profile, and then select Export Web Service Security Settings Keystore.

Note!

If the web service is a client then the client certificate is added to the Web Service profile used for the Web Service agent. And, if the web service is a server then the server certificate is added to the Web Services profile used for the Web Service agent.

Keystore Password

Enter the password that protects the keystore file.

Web Service Security Settings

Applicable whether you select Enable Transport Security or not.

Enable Web Service Security For This Profile

When selected, Web Service security is used, and the other text boxes in the dialog are highlighted. The Web Service Security Settings and Username Token and Addressing check boxes are also enabled for you to configure your security settings. If you do not select any other check boxes on this tab, no Web Service Security is enabled.

Keystore Alias

The alias of the keystore entry that should be used.

Key Password

Enter the password that is used to protect the private key that is associated with the Keystore alias.

Enable Encryption

When selected, messages will be encrypted. If you select this option, you must complete the text boxes in the Web Service Security Settings dialog.

Enable Binary Security TokenWhen selected, messages will be signed and the public certificate will be sent in the Binary Security Token element in the header of the message.
Use request signing certificateWhen selected, the public certificate sent in the Binary Security Token element will be used to encrypt the message back to the client. This option will be ignored in case of a Web Service client agent.

Enable Signing

When selected, messages will be signed. If you select this option, you must complete the text boxes in the Web Service Security Settings dialog.

Enable TimeStamp

When selected, messages will be recorded with the date and time.

Keystore Encryption AliasThe encryption alias to use, in a client it should be the alias to the server public certificate. If left empty the Keystore Alias will be used to encrypt the message.

Enable Username Token and Addressing

When selected, Username Token authentication is used, and the other text boxes in the dialog are highlighted and must be completed.

Note!

When selected, this option is applicable to both Web Service Provider agent and Web Service Request agent.

Enable WS Addressing

When selected, messages will be sent with a unique ID.

Disable Underscore Binding Mode

Use this check box to determine whether you want to enable or disable underscore binding mode.

Generating a keystore for TLS

TLS requires a keystore file that is generated by using the Java standard command keytool. For further information about the keytool command, see the JDK product documentation.

Example - To generate a keystone

  1. To Create a keystore:

    $ keytool -genkey -alias server -keyalg RSA -keystore ./server.jks

    alias = name of the key, for example, server 
    keystore = name of the keystore, for example, server.jks

    Note!

    The keystore is stored in the directory where you ran this command.


    Keytool prompts for required information such as identity details and password. When prompted for the first and last name, you must add the domain details for SSL/TLS certificate. The keystore password must be the same as the key password.


  2. To Add the certificate:
    If the web service is a server, you should export the certificate (server.cer) and send it to the client side.

    $ keytool -export -alias server -keystore ./server.jks -file ./server.cer


    If the web service is a client, you must get a certificate from the server (server.cer) and import the certificate to the keystore.

    $ keytool -import -alias client -file ./server.cer -keystore ./client.jks


    The certificate file can now be distributed to the other peers.

    Note!

    Currently the certificates do not work in the Web Services Security settings. It is a known issue.

  3. Enter the keystore path and the keystore password in the Web Service Profile.

Generate Keystore for Web Service Security

There are multiple ways to setup a server and client keystores, in general, both client and the server needs the public certificate to sign the messages. If the server host multiple clients it is not needed to import all clients' certificates in server keystore but then a Certificate Authority (CA) is needed. So in a multiple client scenario, the server imports the CA certificate and get its own certificate signed by the CA. All clients get their certificates signed by CA and import server public certificate in keystore. Normally this type of certificate is signed by a trusted CA.

To generate server and client keystores, you need to follow the steps in the mentioned sequence:

  1. Setup a CA as mentioned in Setting Up a Certificate Authority
  2. Generate the server keystore and certificate as mentioned in Creating Server Keystore and Certificate 
  3. Generate the client keystore and certificate as mentioned in Creating Client Keystore and Certificate.

The Web Service Profile for client and server need to select the Binary Security Token option. For the server, you also need to select the checkbox Use request signing certificate.

After following the examples of setting up the keystores, the profile settings for the client should look like this:

Profile settings for the client

And the server settings should look like this:

Profile settings for the server