Transport Security for Web Services

 

Security at transport level can be ensured by means of mechanisms used on the Internet. HTTPS sets up an encrypted connection between the client and the server and is suitable for simple situations, for example, when a client communicates directly with a single server. Every single message is sent via an encrypted channel.

This feature of HTTPS, that each message is encrypted, has disadvantages:

  • Firstly, many messages have to be encrypted and decrypted on a single server simultaneously. This can have a negative effect on system performance. Furthermore, the information provided using a Web service is not always confidential and therefore does not always need to be encrypted.

  • Secondly, a SOAP interaction is not always a point-to-point connection. More than two SOAP nodes can be involved. The additional intermediate nodes obtain information about actions to be executed from the SOAP header. This is not possible in the case of a complete encryption using HTTPS.

At message level, an encryption and signature concept with fine granularity is possible. Here, not the transport channel but the message itself is protected.

  • Default at design time: Integrity and Confidentiality

    The following alternatives are available in the runtime configuration:

    • Transport Protocol HTTPS

    or

    • Message Security, Incoming Request

      • Require Signature

      • Require Encryption

    • Message Security, Outgoing Response

      • Add Signature

      • Add Encryption

  • Default at design time: None

    All security settings are possible.

Design of Web Services in the AS ABAP and AS Java

In the ABAP application server and Java application server, you provide specifications for the transport security level when designing Web services.

You set the level of transport security through the specification Integrity and Confidentiality.

More information:

Transport Security for Web Services (AS ABAP)

Setting the Transport Guarantee Level

Runtime Configuration in the NetWeaver Administrator

You can display the minimum security level for transport that you have defined in the AS ABAP and AS Java in SAP NetWeaver Administrator under Transport Guarantee. You can only raise and not lower this security level in the runtime configuration.

  • You find the settings for service definitions in NetWeaver Administrator under SOA Management → Application and Scenario Communication → Single Service Administration, under Service Definitions on tab page Configuration under Design Time Configuration.

  • You find the settings for Web service clients in NetWeaver Administrator under SOA Management → Application and Scenario Communication → Single Service Administration, under Consumer Proxies on tab page Configuration under Design Time Configuration.

To ensure integrity and confidentiality, enter the following under Security:

  • Under HTTPS choose Transport Protocol.

  • Alternatively, under Message Security, choose Require Signature and Require Encryption for the incoming request and Add Signature and Add Encryption for the outgoing response.

    More information: Using Strong Document Authentication
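
The rule that the runtime configuration can only raise the design-time level, and the two ways of meeting Integrity and Confidentiality, can be checked mechanically across many endpoints. The following Python check is an added example, not SAP code; the `RuntimeSecurity` model, the service names and the sample data are constructed assumptions and do not reflect an SAP export format.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class RuntimeSecurity:
    """Runtime security settings of one endpoint (constructed model, not an SAP format)."""
    https: bool = False               # Transport Protocol HTTPS
    require_signature: bool = False   # Message Security, Incoming Request
    require_encryption: bool = False
    add_signature: bool = False       # Message Security, Outgoing Response
    add_encryption: bool = False

def violations(design_default: str, rt: RuntimeSecurity) -> list[str]:
    """Return the settings missing for the design-time default; empty means compliant."""
    if design_default == "None":
        return []                     # all security settings are possible
    if design_default != "Integrity and Confidentiality":
        raise ValueError(f"unknown design-time default: {design_default!r}")
    if rt.https:
        return []                     # HTTPS alone satisfies the default
    # Without HTTPS, all four message security options must be set.
    required = [
        ("Incoming Request: Require Signature", rt.require_signature),
        ("Incoming Request: Require Encryption", rt.require_encryption),
        ("Outgoing Response: Add Signature", rt.add_signature),
        ("Outgoing Response: Add Encryption", rt.add_encryption),
    ]
    return [label for label, enabled in required if not enabled]

def audit(endpoints: dict[str, tuple[str, RuntimeSecurity]]) -> dict[str, list[str]]:
    """Map each non-compliant endpoint name to its missing settings."""
    findings = {}
    for name, (design_default, rt) in endpoints.items():
        missing = violations(design_default, rt)
        if missing:
            findings[name] = missing
    return findings

# Constructed sample data: hypothetical service names and settings.
ENDPOINTS = {
    "OrderService": ("Integrity and Confidentiality", RuntimeSecurity(https=True)),
    "InvoiceService": ("Integrity and Confidentiality", RuntimeSecurity(
        require_signature=True, require_encryption=True,
        add_signature=True, add_encryption=True)),
    "PayrollService": ("Integrity and Confidentiality", RuntimeSecurity(
        require_signature=True, add_signature=True)),
    "CatalogService": ("None", RuntimeSecurity()),
}

if __name__ == "__main__":
    for name, missing in audit(ENDPOINTS).items():
        print(f"{name}: below design-time default, missing {missing}")
```

An endpoint that signs but does not encrypt, such as the constructed `PayrollService`, is reported because it provides integrity without confidentiality.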

Runtime Configuration for ABAP Web Services in SOA Manager

You can also configure any Web services that you have developed on AS ABAP in SOA Manager (transaction SOAMANAGER). The same security mechanisms are available.

More information: Runtime Configuration with the SOA Manager