Inbound WS-Security configuration [Settings]
WS-Security configuration for an inbound request. This defines WS-Security requirements for the request consumed from the client and the response generated. The objects created may be applied to one or more inbound ports.
To view this page in the console, click the following path:
We can configure the service integration bus for secure transmission of SOAP messages by using tokens, keys, signatures and encryption in accordance with the Web Services Security (WS-Security) 1.0 specification.
Alternatively, we can configure the bus in accordance with the previous WS-Security specification, WS-Security Draft 13 (also known as the Web Services Security Core Specification). However, use of the WS-Security Draft 13 specification is deprecated, and you should only use it to allow continued use of an existing web services client application that has been written to the WS-Security Draft 13 specification.
You use an inbound configuration to secure the SOAP messages that pass between a service requester (client) and an inbound service (which acts as a target web service). The configuration specifies the level of security that you require (for example "The body must be signed"). This level of security is then implemented through the run-time information contained in the following types of WS-Security binding:
For WS-Security Version 1.0:
- request consumer, for use when consuming requests from a client to an inbound service.
- response generator, for use when generating responses from an inbound service to a client.
For WS-Security Draft 13:
- request receiver, for use when receiving requests from a client to an inbound service.
- response sender, for use when sending responses from an inbound service to a client.
WS-Security configurations are administered independently from any web service that uses them, so we can create an inbound configuration then apply it to many inbound services.
Configuration tab
The Configuration tab shows configuration properties for this object. These property values are preserved even if the runtime environment is stopped then restarted. See the information center task descriptions for information about how to apply configuration changes to the runtime environment.
General Properties
WS-Security version
Identifies the version of the WS-Security specification this configuration uses.
| Information | Value |
|---|---|
| Required | No |
| Data type | String |
Service type
The type of service the WS-Security configuration applies to.
| Information | Value |
|---|---|
| Required | No |
| Data type | String |
Name
The name of the inbound WS-Security configuration.
This name must be unique across both WS-Security Version 1.0 and Draft 13 Inbound configurations, and it must obey the following syntax rules:
- It must not start with "." (a period).
- It must not start or end with a space.
- It must not contain any of the following characters: \ / , # $ @ : ; " * ? < > | = + & % '
| Information | Value |
|---|---|
| Required | Yes |
| Data type | String |
Actor URI
WS-Security headers within the consumed request message will only be processed if they have the specified Actor URI.
| Information | Value |
|---|---|
| Required | No |
| Data type | String |
Request consumer
- Required integrity
- Integrity constraints consumed messages must meet. This includes specifying which message parts within the incoming message must be digitally signed, and the message parts to which attached digitally signed Nonce and time stamp elements are expected.
- Required confidentiality
- Confidentiality constraints consumed messages must meet. This includes specifying which message parts within the incoming message must be encrypted, and the message parts to which attached encrypted Nonce and time stamp elements are expected.
- Required security token
- Specifies accepted stand-alone security tokens within a consumed message. Stand-alone security tokens are those not already used for signature or encryption. Defining a required security token means that messages containing a token of that type will be processed according to the usage assertion. The security token will not be used for authentication unless it is also specified within a caller.
- Caller
- Security token, signed part or encrypted part used for authentication. If a signed or encrypted part is used, the value of the part attribute must be the name of a defined required integrity or required confidentiality constraint. If a stand-alone security token is used for authentication, then the URI and local name attributes must define the type of security token used for authentication.
- Add time stamp
- When add time stamp is specified for a consumer, a time stamp is added indicating when the message was consumed. For a generator, a time stamp is added indicating when the message was generated.
- Properties
- General properties for the inbound WS-Security configuration.
Response generator
- Actor
- Defines the Actor URI to be included in WS-Security headers of generated response.
- Integrity
- Integrity constraints applied to generated messages. This includes specifying which message parts within the generated message must be digitally signed, and the message parts to attach digitally signed Nonce and time stamp elements to.
- Confidentiality
- Confidentiality constraints applied to generated messages. This includes specifying which message parts within the generated message must be encrypted, and the message parts to attach encrypted Nonce and time stamp elements to.
- Security Token
- Specifies stand-alone security tokens to insert into the generated message. Stand-alone security tokens are those not already used for signature or encryption. Standard and custom security tokens may be defined by URI and local name.
- Add time stamp
- When add time stamp is specified for a consumer, a time stamp is added indicating when the message was consumed. For a generator, a time stamp is added indicating when the message was generated.
- Properties
- General properties for the inbound WS-Security configuration.
Related information:
Reference topic