Secure Runtime Configuration with the SOA Manager

Use

You can configure security settings for the service provider and service consumer for the runtime of Web services.

To edit the security settings for service providers:

From the main screen of SOA Manager, go to the Service Administration tab.
Select Web Service Configuration.
Search for a service definition.
Click the Internal Name of the service definition to display details.
Click the (Edit binding) icon for a selected binding.

The Provider Security settings are displayed on the first tab.

Security Settings

You can edit the following settings:

Security Area	Description
Transport Level Security	The level of security provided for the transport layer, that is, the transport of messages. You can either use HTTP or HTTPS.
Message Level Security	The level of security provided for each message. Messages can be secured using an XML signature/certificate and XML encryption with either symmetric or asymmetrical keys. Using Secure Conversation, messages are secured with a pre-defined symmetrical key. The key is re-used in further calls.

Security Area

Description

Transport Level Security

The level of security provided for the transport layer, that is, the transport of messages. You can either use HTTP or HTTPS.

Message Level Security

The level of security provided for each message.

Messages can be secured using an XML signature/certificate and XML encryption with either symmetric or asymmetrical keys. Using Secure Conversation, messages are secured with a pre-defined symmetrical key. The key is re-used in further calls.

More information: SAP Help Portal: SAP NetWeaver > Security Guide > Network and Communication Security.

Authentication Method	Description
No Authentication	Select whether authentication is required to use the Web service or not. You can use Transport Channel Authentication or Message Authentication (but not both).
Transport Channel Authentication	Authentication information is found in the HTTP header. User ID/Password X.509 SSL Client Certificate Single Sign On using SAP Assertion Ticket More information: SAP Help Portal: SAP NetWeaver > Security Guide > SAP NetWeaver Single Sign-On.
Message Authentication	Authentication information is found in the SOAP header. User ID/Password Authentication with WS Security Username Token X.509 SSL Client Certificate Authentication with a signed SOAP message, user authentication by certificate Single Sign-on using SAML Authentication with a signed SAML Assertion To use an external security token service to receive or request a SAML 1.1 token, select a Token Issuer. More information: SAP Help Portal: SAP NetWeaver > Security Guide > SAP NetWeaver Single Sign-On.

Authentication Method

Description

No Authentication

Select whether authentication is required to use the Web service or not. You can use Transport Channel Authentication or Message Authentication (but not both).

Transport Channel Authentication

Authentication information is found in the HTTP header.

User ID/Password
X.509 SSL Client Certificate
Single Sign On using SAP Assertion Ticket

More information: SAP Help Portal: SAP NetWeaver > Security Guide > SAP NetWeaver Single Sign-On.

Message Authentication

Authentication information is found in the SOAP header.

User ID/Password

Authentication with WS Security Username Token
X.509 SSL Client Certificate

Authentication with a signed SOAP message, user authentication by certificate
Single Sign-on using SAML

Authentication with a signed SAML Assertion

To use an external security token service to receive or request a SAML 1.1 token, select a Token Issuer.

More information: SAP Help Portal: SAP NetWeaver > Security Guide > SAP NetWeaver Single Sign-On.

Recommended WS Security Scenarios

SAP has put together recommendations for you on combining authentication and transport guarantee mechanisms. You can also get information on what prerequisites you have to fulfill to implement the scenario in your systems.

More information: SAP Help Portal: SAP NetWeaver > Security Guide.

Configuration Examples for AS ABAP

More information about secure Web services scenarios: Configuration Examples for AS ABAP