WS-Security for Incoming SOAP Messages (Deprecated)
With WS-Security, you can sign or encrypt parts of SOAP messages. Process Platform supports WS-Security (SOAP Message Security 1.0), which is part of Basic Security Profile 1.0, for incoming and outgoing SOAP messages.
Process Platform accepts incoming SOAP messages that follow the WS-Security standard and contain a binary security token (the X.509 signed security token). Outgoing messages are described in WS-Security for Outgoing SOAP Messages.
WS-Security Service Group Configuration
You can enable WS-Security in the service group configuration in LDAP, which means the WS-Security properties are configured per service group. To enable WS-Security, refer to Configuring a Service Group for WS-Security.
If WS-Security is enabled, the service group checks for WS-Security headers in every SOAP message. WS-Security is not mandatory for incoming SOAP messages, but if WS-Security headers are present, they are checked and used to verify the integrity of the message or to decrypt it.
Signatures
Service groups that receive WS-Security requests must have the trust correctly configured. This means that the Service Group must have the certificates of the complete trust chain.
The public certificate of the sending client must be given in the SOAP request using the X.509 signed security token. The parent of that certificate must be available in the trust store of the service group.
With these certificates, the service group can verify the signatures of the message. If these certificates are not present, the service group cannot proceed with processing the SOAP message.
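Because WS-Security headers are optional on incoming messages, it is useful to confirm which messages actually carry them. The following added example (not Process Platform code) inspects a SOAP 1.1 envelope structurally for the X.509 binary security token and for a signature reference that covers the body. The sample envelopes, the `GetOrder` operation and the function names are constructed for illustration, and no certificate or signature is cryptographically verified.

```python
import xml.etree.ElementTree as ET

# Namespaces from SOAP 1.1, WS-Security 1.0 and XML Signature.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"


def inspect_wss(envelope_xml):
    """Structural check only: no certificate or signature is verified here."""
    root = ET.fromstring(envelope_xml)
    result = {"security_header": False, "x509_token": False, "body_signed": False}
    security = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if security is None:
        return result  # plain message: there is nothing for the receiver to verify
    result["security_header"] = True
    tokens = security.findall(f"{{{WSSE}}}BinarySecurityToken")
    result["x509_token"] = any(t.get("ValueType") == X509V3 for t in tokens)
    body = root.find(f"{{{SOAP}}}Body")
    body_id = body.get(f"{{{WSU}}}Id") if body is not None else None
    refs = security.findall(f"{{{DS}}}Signature/{{{DS}}}SignedInfo/{{{DS}}}Reference")
    result["body_signed"] = body_id is not None and any(
        r.get("URI") == "#" + body_id for r in refs)
    return result


def sample(with_security):
    # Constructed sample envelopes; token and signature values are placeholders.
    header = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:ds="{DS}">
      <wsse:BinarySecurityToken ValueType="{X509V3}">PLACEHOLDER</wsse:BinarySecurityToken>
      <ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/></ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    </wsse:Security>""" if with_security else ""
    return f"""<s:Envelope xmlns:s="{SOAP}" xmlns:wsu="{WSU}">
      <s:Header>{header}</s:Header>
      <s:Body wsu:Id="body-1"><GetOrder xmlns="urn:example:orders"/></s:Body>
    </s:Envelope>"""


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, inspect_wss(sample(flag)))
```

A message that reports `security_header` as false is one the service group would process without any integrity check, so a client test suite can use this to catch requests that were sent unsigned by mistake.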
Encryption
To use encryption, the client must have the public certificate of the target service group. This public certificate can be retrieved using the procedure described in Viewing Certificate Details of a Service Group.