
WS Security XML Signature/Encryption

 

WS Security is a standard for securing SOAP messages. By using WS Security, you protect the SOAP messages that are exchanged between the Web service provider and the Web service client with digital XML signatures, XML encryption, time stamps, and security tokens.

Note

WS Security affects only SOAP messages and is not supported for the HTTP GET profile, HTTP POST, or SOAP with attachments. WS Security is only supported by deployable proxies.

Prerequisites

To use WS-Security XML signatures and encryption with X.509 certificates, you need to activate the use of cryptographic functions for the AS ABAP system. More information: Digital Signatures and Encryption

Features

XML Signatures

Digital signatures are added to a SOAP document to ensure the integrity and authenticity of the message. If parts of the message are changed during transport, the signature becomes invalid and the recipient rejects the message. Signatures can be attached to the client request and to the server response. Signatures are always used together with a time stamp so that a message cannot be repeated: both the element SOAP:Envelope/SOAP:Body and the element SOAP:Envelope/SOAP:Header/wsse:Security/wsu:Timestamp are signed.

More information: Digital Signatures and Encryption
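
The following check is an added example, not SAP code: it tests that the signature in a received envelope references both the SOAP Body and the wsu:Timestamp, and that the time stamp has not expired. The sample envelope, the IDs TS-1 and Body-1, and the function names are constructed for illustration; the check covers structure only and does not validate the signature cryptographically.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": WSS + "secext-1.0.xsd", "wsu": WSS + "utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
WSU_ID = "{%s}Id" % NS["wsu"]

def check_signed_parts(envelope_xml, now):
    """Return a list of problems; an empty list means Body and Timestamp are
    both referenced by the signature and the Timestamp is unexpired.
    Assumes wsu:Expires carries a time zone (e.g. a trailing Z)."""
    root = ET.fromstring(envelope_xml)  # constructed input; not hardened for hostile XML
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    # Same-document references (URI="#id") listed in ds:SignedInfo
    uris = [r.get("URI", "") for r in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)]
    signed = {u[1:] for u in uris if u.startswith("#") and len(u) > 1}
    problems = []
    body = root.find("soap:Body", NS)  # must be a direct child of the Envelope
    if body is None or body.get(WSU_ID) not in signed:
        problems.append("Body not signed")
    ts = sec.find("wsu:Timestamp", NS)
    if ts is None or ts.get(WSU_ID) not in signed:
        problems.append("Timestamp not signed")
    expires = None if ts is None else ts.findtext("wsu:Expires", namespaces=NS)
    if expires is None:
        problems.append("Timestamp has no Expires")
    elif datetime.fromisoformat(expires.strip().replace("Z", "+00:00")) <= now:
        problems.append("Timestamp expired")
    return problems

# Constructed sample (digest and signature values omitted; only structure is checked)
SAMPLE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">
 <soap:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2024-01-01T12:00:00Z</wsu:Created>
   <wsu:Expires>2024-01-01T12:05:00Z</wsu:Expires></wsu:Timestamp>
  <ds:Signature><ds:SignedInfo>{refs}</ds:SignedInfo></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="Body-1"><order/></soap:Body>
</soap:Envelope>"""

def sample(*ids):
    """Build the constructed envelope with one ds:Reference per given ID."""
    return SAMPLE.format(refs="".join('<ds:Reference URI="#%s"/>' % i for i in ids), **NS)

if __name__ == "__main__":
    t = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
    print(check_signed_parts(sample("TS-1", "Body-1"), t))
    print(check_signed_parts(sample("Body-1"), t))
```

An envelope that signs only the Body is reported as "Timestamp not signed", which is the case the time stamp requirement above is meant to exclude.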

Authentication with XML Signatures

You can also use digital signatures for authentication. For this purpose, the Security Provider service provides the assignment of users to X.509 certificates.

XML Encryption

Encryption is used to protect elements that are sent as part of the SOAP message. This protects the confidentiality of the message and prevents the undesired disclosure of the sent data.

More information: Digital Signatures and Encryption

Keystores Used

| Purpose | Keystore |
| --- | --- |
| Storage location of the private key of the system, with which a message can be signed. | AS ABAP: WS-Security PSE WS Security Keys (WSSKEY) |
| Storage location of the trusted certificates that are used to check the signature. | AS ABAP: WS-Security PSE WS Security Keys (WSSKEY) |
| Storage location of the keys for decrypting encrypted messages. | AS ABAP: WS-Security PSE WS Security Keys (WSSKEY) |
| Storage location of the keys for sending encrypted messages. | AS ABAP: WS-Security PSE Other System Encryption Certs (WSSCRT) |

More information: