
Configuring WS-Trust in Pega Platform

Use WS-Trust to issue, renew, and validate security tokens. WS-Trust uses a Security Token Service (STS) to acquire the security tokens that protect the SOAP messages your application exchanges with external systems that provide data through web services.

Perform the steps in this task for each resource provider that requires secure tokens for SOAP messaging with your application.

  1. Define a WS-Policy file for STS token acquisition. For more information, see Creating a web service policy data instance.

    The STS web service policy specifies how your application interacts with the STS. Create the STS policy before you create the STS SOAP connector, which references it, and create the resource provider policy before you create the resource provider connector. The resource provider web service policy can contain metadata about the STS and other information, such as the token type to request.

    Unless your security requirements call for transport-level (SSL/TLS) security only, manually add an assertion that supplies the user's security information. For example, the Apache Rampart <ramp:RampartConfig> assertion supplies the user, the encryption user, the signing certificate alias, and the passwords needed for signing and encryption. Each value is a property reference (.pyPropertyName) that is resolved at runtime, as in the following example Rampart assertion:

    <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:user>.pyUsername</ramp:user>
        <ramp:encryptionUser>.pyEncryptionUser</ramp:encryptionUser>
        <ramp:userCertAlias>.pySignatureUser</ramp:userCertAlias>
        <ramp:userPassword>.pyUserPassword</ramp:userPassword>
        <ramp:signaturePassword>.pysignaturePassword</ramp:signaturePassword>
    </ramp:RampartConfig>
  2. Create the STS SOAP connector to request a token from the STS. For more information, see Creating a Connect SOAP rule and Configuring advanced details for a SOAP Connector.

    • On the Service tab, ensure that the Method name field specifies the SOAP operation name of the token request.
    • Ensure that the Service endpoint URL field specifies the URL of the STS endpoint, that is, the remote service to which the token request message is sent. This field supports the Global Resource Settings syntax (=.PageName.PropertyName). The default property name for this field is pySOAPURL. For more information, see Configuring dynamic references to external systems by using the Global Resource Settings feature.
  3. Create a resource provider web service policy in Pega Platform. The Service policy specifies how your application interacts with the resource provider's web service.

    1. In the Service policy XML file, add the resource provider's endpoint URL to the <wsp:AppliesTo> child element of the <sp:IssuedToken> element.

      [Figure: Service policy XML file, showing the endpoint URL added to the <wsp:AppliesTo> child element]
    2. Create the resource provider web service policy data instance. For more information, see Creating a web service policy data instance.

      Make sure to copy the namespace declarations from the resource provider's WSDL file into the <wsp:Policy> element, so that every prefix used in the policy resolves. In this example, the attributes copied manually from the WSDL are:

      wsu:Id="CalculatorServicePortBindingPolicy"
      xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
      xmlns:sunwsp="http://java.sun.com/xml/ns/wsit/policy"
      xmlns:ssp="http://schemas.sun.com/2006/03/wss/server"
      xmlns:wsaw3c="http://www.w3.org/2005/08/addressing"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  4. Create the Connect SOAP connector to invoke the resource provider’s SOAP web service using the token. On the Advanced tab of the Connect SOAP rule, in the Service policy field, enter the name of the service policy that you create in step 3b.

    For more information, see Creating a Connect SOAP rule and Configuring advanced details for a SOAP Connector.

    When your application presents its credentials, the STS issues a token for secure SOAP messaging. The credentials can be a username and password, or a token issued by another broker, such as a SAML token, a digital signature, or a Kerberos token.

  5. Create an activity that calls the STS connector and the resource provider connector as methods. The recommended approach is for the activity to run the STS connector first and the resource provider connector immediately after it, so that the freshly issued token is used before it expires.

    1. In the activity that you created, on the Steps tab, in the Method field, press the Down arrow key and select Connect-SOAP.

    2. Click the Expand icon to expand the step.

    3. In the ServiceName field, enter the service name for the STS connection.

    4. In the ExecutionMode field, select Run.

    5. Click Add a step to add a step for the resource provider's secure web service, and repeat substeps 1 through 4 of this step for that connector.

    6. Click Save.

  6. At the point in your flow where you want to establish a secure SOAP connection by using a token, add or edit an Integrator shape to reference the activity. For more information, see Activity form - how to create activities for flows.
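The following resource provider web service policy is an added, constructed example and is not from the Pega documentation or from any Pega rule. It ties steps 3 and 4 together: the policy ID and the namespace declarations are the ones copied from the WSDL above, while the STS address (https://sts.example.com/sts), the resource provider endpoint (https://calc.example.com/CalculatorService), the SAML 1.1 token type, and the symmetric-key settings are assumptions chosen for illustration. It follows WS-SecurityPolicy 1.2: a symmetric binding whose protection token is an issued token, an <sp:Issuer> that names the STS, an <sp:RequestSecurityTokenTemplate> that the STS connector copies into its RequestSecurityToken, and the <wsp:AppliesTo> child that step 3a adds.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example policy; addresses and token settings are assumptions. -->
<wsp:Policy wsu:Id="CalculatorServicePortBindingPolicy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:sunwsp="http://java.sun.com/xml/ns/wsit/policy"
    xmlns:ssp="http://schemas.sun.com/2006/03/wss/server"
    xmlns:wsaw3c="http://www.w3.org/2005/08/addressing"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- Symmetric binding: the key delivered with the issued token protects the message. -->
      <sp:SymmetricBinding>
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <!-- Where the STS connector (step 2) obtains the token. Assumed address. -->
                <sp:Issuer>
                  <wsaw3c:Address>https://sts.example.com/sts</wsaw3c:Address>
                </sp:Issuer>
                <!-- Copied verbatim into the RequestSecurityToken sent to the STS. -->
                <sp:RequestSecurityTokenTemplate>
                  <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
                  <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType>
                  <t:KeySize>256</t:KeySize>
                </sp:RequestSecurityTokenTemplate>
                <!-- Step 3a: the resource provider endpoint the token is scoped to. Assumed URL. -->
                <wsp:AppliesTo>
                  <wsaw3c:EndpointReference>
                    <wsaw3c:Address>https://calc.example.com/CalculatorService</wsaw3c:Address>
                  </wsaw3c:EndpointReference>
                </wsp:AppliesTo>
                <wsp:Policy>
                  <sp:RequireInternalReference/>
                </wsp:Policy>
              </sp:IssuedToken>
            </wsp:Policy>
          </sp:ProtectionToken>
          <sp:AlgorithmSuite>
            <wsp:Policy><sp:Basic128/></wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy><sp:Strict/></wsp:Policy>
          </sp:Layout>
          <!-- Signed timestamp bounds the replay window of a captured message. -->
          <sp:IncludeTimestamp/>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:SymmetricBinding>
      <sp:Wss11>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
          <sp:MustSupportRefThumbprint/>
          <sp:MustSupportRefEncryptedKey/>
        </wsp:Policy>
      </sp:Wss11>
      <!-- Both parties contribute entropy, so neither side alone chooses the session key. -->
      <sp:Trust13>
        <wsp:Policy>
          <sp:MustSupportIssuedTokens/>
          <sp:RequireClientEntropy/>
          <sp:RequireServerEntropy/>
        </wsp:Policy>
      </sp:Trust13>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```

With this policy named in the Service policy field of the resource provider's Connect SOAP rule (step 4), the RequestSecurityToken that the STS connector sends carries the TokenType, KeyType, KeySize, and AppliesTo values from the policy, and the RequestedSecurityToken element of the STS response is what the second connector attaches to its request. Before relying on it, check that the Issuer and AppliesTo addresses are HTTPS URLs, that the STS signing certificate is trusted by the keystore your Rampart configuration points at, and that the AppliesTo URL matches the Service endpoint URL of the resource provider connector, since an STS that scopes tokens by audience will otherwise issue a token the provider rejects.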
