WS Security is a standard with which SOAP messages can be secured. The SSL protocol is not used. Using WS Security, SOAP messages between the provider of a Web service and the Web service client can be protected by digital XML signatures, XML encryption, time stamps, and security tokens.
At the time of creation of this document, the standardization process for WS Security was not yet completed. For up-to-date information, read SAP Note 716741.
WS Security can be used for SOAP messages only. WS Security is not supported by HTTP Get, HTTP Post or SOAP with attachments. Since SAP WebAS 6.40 SP2 (ABAP), WS Security has been supported for Web services, but not for proxies.
Digital signatures are added to a SOAP document in order to ensure the integrity and the authenticity of the message. If parts of the message are changed during transport, the signature becomes invalid and the message is rejected by the receiving side. Signatures can be attached to the client request and to the server response. Signatures are always used in combination with a time stamp in order to prevent replay of a message (both the SOAP:Envelope/SOAP:Body element and the SOAP:Envelope/SOAP:Header/wsse:Security/wsu:Timestamp element are signed).
Encryption is used to protect elements that are sent as part of the SOAP message.
XML encryption is currently not supported for the SAP WebAS 6.40 release.
In addition to XML signatures, other credentials for authenticating the Web service client can be integrated into the message. The SAP Web AS implementation of WS Security supports the security tokens User Name and X.509.
As proof of possession of the X.509 certificate that is used in the X.509 security token, an XML signature is required that uses the corresponding private key.
To configure a Web service with WS Security, you must perform the following two steps:
1. A profile with the runtime configuration settings (for example, X.509 certificate data) is required for each of the WS Security templates used. Administration of the profiles is described in the chapter Configuring Security.
2. After the WS Security profiles have been created, they must be assigned to the operations. A profile can be assigned to several operations, for example if the same certificate is to be used for an XML signature; alternatively, different profiles of the same template can be used for operations that require different XML signatures.
The following WS Security templates for inbound/outbound messages are available:
Outbound Messages (Client Request, Server Response):

| Security Template | Effect | Configuration Parameters |
|---|---|---|
| SET_SIGNATURE | Adds a wsu:Timestamp to the message and signs the elements SOAP:Envelope/SOAP:Header/wsse:Security/wsu:Timestamp and SOAP:Envelope/SOAP:Body. | J2EE keystore view, J2EE keystore alias for the signature key |
| SET_USERNAME | Adds a SOAP:Envelope/SOAP:Header/wsse:Security/wsse:Username element to the message, which contains a time stamp, a user name, and a password. The password is stored in encrypted form, provided the cryptographic toolkit has been installed. | User name, password |
| SET_USERNAME_TIMESTAMP | Adds a SOAP:Envelope/SOAP:Header/wsse:Security/wsu:Timestamp element and a SOAP:Envelope/SOAP:Header/wsse:Security/wsse:Username element to the message; the latter contains a user name and a password. | User name, password |
Inbound Messages (Client Response, Server Request):

| Security Template | Effect | Configuration Parameters |
|---|---|---|
| CHECK_SIGNATURE | Checks the signature over SOAP:Envelope/SOAP:Body and SOAP:Envelope/SOAP:Header/wsse:Security/wsu:Timestamp, and checks the validity of the time stamp. | J2EE keystore view with the certificates of the trusted certificate authorities. For authentication purposes, the user mapping between the X.509 certificate and the user is used. |
| CHECK_USERNAME | Authenticates the sender using the SOAP:Envelope/SOAP:Header/wsse:Security/wsse:Username element, which contains a time stamp, a user name, and a password. | None |
| CHECK_USERNAME_TIMESTAMP | Checks the validity of the SOAP:Envelope/SOAP:Header/wsse:Security/wsu:Timestamp element and authenticates the sender using the SOAP:Envelope/SOAP:Header/wsse:Security/wsse:Username element in the message. The element contains a time stamp, a user name, and a password. | Maximum age of the time stamp |
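As an added example that is not SAP code, the following Python sketch shows both sides of the user-name templates above: the outbound side builds the wsu:Timestamp and user-name token the way SET_USERNAME_TIMESTAMP describes, and the inbound side performs the CHECK_USERNAME_TIMESTAMP checks, rejecting a time stamp that is older than the configured maximum age or past its expiry before authenticating the sender. It uses the standard WS-Security element name wsse:UsernameToken for what the table calls the wsse:Username element; the credential store, the Ping body and the 30-second clock tolerance are assumptions.

```python
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Namespaces of the elements the templates refer to (SOAP 1.1, WSS 1.0 secext and utility).
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
FMT = "%Y-%m-%dT%H:%M:%SZ"  # xsd:dateTime in UTC, as carried in wsu:Created / wsu:Expires
CLOCK_SKEW_S = 30           # assumed tolerance for sender clocks that run slightly ahead


def build_request(user, password, created, lifetime_s=300):
    """Outbound side (SET_USERNAME_TIMESTAMP): wsu:Timestamp plus a UsernameToken in wsse:Security."""
    expires = (datetime.strptime(created, FMT) + timedelta(seconds=lifetime_s)).strftime(FMT)
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
      <wsu:Timestamp><wsu:Created>{created}</wsu:Created><wsu:Expires>{expires}</wsu:Expires></wsu:Timestamp>
      <wsse:UsernameToken><wsse:Username>{user}</wsse:Username>
        <wsse:Password>{password}</wsse:Password></wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><ns:Ping xmlns:ns="urn:example:ping"/></soap:Body>
</soap:Envelope>"""


def check_username_timestamp(xml_text, now, max_age_s, credentials):
    """Inbound side (CHECK_USERNAME_TIMESTAMP): validate the time stamp against the configured
    maximum age (the template's one parameter), then authenticate. Returns (ok, user_or_reason)."""
    sec = ET.fromstring(xml_text).find("soap:Header/wsse:Security", NS)
    ts = sec.find("wsu:Timestamp", NS) if sec is not None else None
    tok = sec.find("wsse:UsernameToken", NS) if sec is not None else None
    if ts is None or tok is None:
        return False, "missing wsu:Timestamp or wsse:UsernameToken"
    try:
        now_dt = datetime.strptime(now, FMT)
        created = datetime.strptime(ts.findtext("wsu:Created", "", NS), FMT)
        expires = datetime.strptime(ts.findtext("wsu:Expires", "", NS), FMT)
    except ValueError:
        return False, "malformed time stamp"
    if created > now_dt + timedelta(seconds=CLOCK_SKEW_S):
        return False, "time stamp created in the future"
    # A replayed message fails here once it is older than the configured maximum age.
    if now_dt - created > timedelta(seconds=max_age_s) or now_dt >= expires:
        return False, "time stamp too old or expired"
    user = tok.findtext("wsse:Username", "", NS)
    # Constant-time comparison against the constructed credential store.
    if not hmac.compare_digest(credentials.get(user, ""), tok.findtext("wsse:Password", "", NS)):
        return False, "authentication failed"
    return True, user
```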