Using WS-Security to enhance SOAP messages
The WS-Security standard provides a set of enhancements to the SOAP messaging standard for the purpose of adding message-level security to web service transactions.
Depending on the service, you can configure the SOAP connector to include any combination of the following:
- Encryption – Provides message confidentiality by encrypting some or all of the SOAP message content, in addition to any transport-layer encryption (SSL/TLS) that is used in the transmission of the message. Encryption ensures that the message content remains confidential until the appropriate receiving party decrypts it.
- Signature – Provides message integrity by adding a digital signature to some or all of the SOAP message content. The receiving party must verify the signature to guarantee the authenticity of the message.
- Timestamp – Increases message integrity by defining a time-to-live for the message, which prevents replay attacks.
- Username token – Provides message-level authentication for web service transactions. When combined with Timestamp, Signature, and Encryption, a username token is a more secure alternative to HTTP basic authentication.
Outflow defines the configuration and run-time behavior of the outgoing SOAP message. In a SOAP connector, this is the request message. In a SOAP service, this is the response message.
- Username tokens are added to the outgoing SOAP message.
- Timestamps are added to the outgoing message
- For Signature configurations, applicable message parts are assigned a hash value that is encrypted using Public Key Encryption (PKI) and added to the outgoing SOAP message.
- For Encryption configurations, applicable message parts are encrypted using PKI, and added to the outgoing SOAP message.
Inflow defines the configuration and run-time behavior of the incoming SOAP message. In a SOAP connector, this is the response message. In a SOAP service, this is the request message.
- Username tokens are validated against the configured value.
- Timestamps are checked to determine whether the message has expired.
- Digital signature is decrypted and validated against the incoming SOAP message content.
- For Encryption configurations, applicable message parts of the incoming SOAP message are decrypted and converted back to standard XML text.