Using Strong Message Authentication
You can use the strong message authentication functions for WS access to enable additional security options that are specific to the authentication needs for WS communication. The strong message authentication options include the use of XML signature, XML encryption, message aging, WS-Secure Conversation and fault reporting.
WS communication may pass through several intermediary systems before reaching the target WS provider. For such a communication pattern you can ensure that the integrity of the SOAP message is protected, but limit the use of encryption for confidentiality to allow intermediary systems access to SOAP headers. For such cases you can use the strong document authentication mechanisms, supported by SAP NetWeaver.
You can use strong message authentication in addition to the message and transport level authentication mechanisms, such as username token profile or SAML. WS consumer systems can use strong message authentication for incoming responses and outgoing requests, whereas WS provider systems can use strong message authentication for incoming requests and outgoing responses.
...
1. Using the NWA, go to the configuration functions for message security for WS Client Configuration or WS Configuration.
2. Use the checkboxes to enable the use of required strong message authentication options for incoming and outgoing requests and responses. You can choose Details for these options to configure advanced settings for the strong message authentication options you choose.
a. Enable the Require Signature checkbox.
■ Using the advanced configuration options you can choose the Trusted Certificate Keystore View, which stores the X.509 certificate for the system that signed the incoming request or response.
By default, the AS Java uses the WebServiceSecurity keystore view.
■ You can require the use of specific certificates by enabling the Specify Explicit Trust check box, and entering the certificate attributes for Subject Name, Issuer and Serial Number.
■ In addition, you can limit the presence of signed elements to the message body or header.
...
a. Enable the Require Encryption checkbox.
...
a. Enable the Require Message Age checkbox.
■ Use the advanced configuration options for Incoming Message Age to enter the maximum message age in seconds.
...
a. Enable the Add Signature checkbox.
■ Use the advanced configuration options for Add Signature to choose the Keystore View and Private Key for generating a signature.
...
a. Enable the Add Encryption checkbox.
■ For WS consumers (using WS logical ports), you can choose the Keystore View and Certificate to use for the encryption.
■ For Web providers (using WS service endpoints), you can use additional advanced configuration options to select the Certificate for Encryption. You can choose among the certificate used for signing the incoming request, a certificate assigned to the user, or manually choose a keystore view and certificate to use for the encryption.
...
a. For the WS service endpoints on the WS providers, enable the check boxes for SOAP Fault Settings to report technical and application faults for outgoing messages.
...
a. For the WS logical ports on WS consumers, enable the check boxes for Use WS-Secure Conversation.