WS Security XML Signature/Encryption

WS Security is a standard for securing SOAP messages. By using WS Security, you protect the SOAP messages that are exchanged between the Web service provider and the Web service client with digital XML signatures, XML encryption, time stamps, and security tokens.

You can use symmetric or asymmetric encryption. The main difference between symmetric and asymmetric encryption is the type of signature.

| WS Security XML | Symmetric Method | Asymmetric Method |
|---|---|---|
| Signature | With HMAC and a symmetric key | With an asymmetric key, that is, the secret key of the system |
| Encryption | Encryption of the message with a symmetric key that the consumer generates. This encrypted message is then encrypted with the asymmetric key. | Encryption of the message with a symmetric key that the consumer generates. This encrypted message is then encrypted with the asymmetric key. |
| Validity of the key | Within a request-response cycle, the symmetric key is always the same, that is, the provider and consumer use the same symmetric key. | The symmetric key is generated again for each message, that is, the consumer generates a symmetric key for the request and the provider generates a new symmetric key for the response. |

Prerequisites

To use WS-Security XML signatures and encryption with X.509 certificates, you need to activate the use of cryptographic functions for SAP NetWeaver AS for ABAP.

XML Signatures

Digital signatures are added to a SOAP document to ensure the integrity and the authenticity of the message. If parts of the message are changed during transport, the signature becomes invalid and the message is rejected by the recipient. Signatures can be attached to the client request and the server response. Signatures are always used in combination with a time stamp to prevent replays of the messages (both the SOAP:Envelope/SOAP:Body element and the SOAP:Envelope/SOAP:Header/wsse:Security/wsu:Timestamp element are signed).

Authentication with XML Signatures

You can also use digital signatures for authentication. The assignment of users to X.509 certificates is used to do this.

XML Encryption

Encryption is used to protect elements that are sent as part of the SOAP message. This protects the confidentiality of the message and prevents the undesired disclosure of the sent data.

Keystores Used

| Purpose | Keystore |
|---|---|
| Storage location of the private key of the system, with which a message can be signed. | |
| Storage location of the trusted certificates that are used to check the signature. | |
| Storage location of the keys for decrypting encrypted messages. | SAP NetWeaver AS for ABAP: WS-Security PSE WS Security Keys (WSSKEY) |
| Storage location of the keys for sending encrypted messages. | SAP NetWeaver AS for ABAP: WS-Security PSE Other System Encryption Certs (WSSCRT) |