
Secure web services applications at the transport level

Transport-level security is a well-known and often used mechanism to secure HTTP Internet and intranet communications. Transport-level security can be used to secure web services messages. Transport-level security functionality is independent from functionality provided by message-level security (WS-Security) or HTTP basic authentication.

Common usage scenarios...

Transport-level security runs beneath HTTP, the most popular protocol for web services. HTTP is an inherently insecure protocol because all information is sent in clear text between unauthenticated peers over an insecure network. To secure HTTP, transport-level security can be applied.

Transport-level security can be used to secure web services messages. However, transport-level security functionality is independent from functionality provided by WS-Security or HTTP basic authentication.

SSL and TLS provide security features including authentication, data protection, and cryptographic token support for secure HTTP connections. To run with HTTPS, the service port address must be in the form https://. The integrity and confidentiality of transport data, including SOAP messages and HTTP basic authentication, are protected when you use SSL and TLS.

Web services applications can also use FIPS-approved ciphers for more secure TLS connections.

WAS uses the Java Secure Sockets Extension (JSSE) package to support SSL and TLS.

This task is one of several ways that we can configure the HTTP outbound transport-level security for a web service acting as a client to another web service server. We can also configure the HTTP outbound transport-level security with an assembly tool or using the Java properties. If we do not configure the HTTP outbound transport-level security, the web services runtime defers to the Java EE security runtime in the WebSphere product for an effective SSL configuration. If there is no SSL configuration with the Java EE security runtime in the WebSphere product, the Java Secure Socket Extension (JSSE) system properties are used.
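Because the JSSE system properties are the last fallback, it is worth checking what they resolve to before relying on them. The following is an added example, not code from the WebSphere product or its documentation: it audits the standard `javax.net.ssl.*` properties and the endpoint scheme for an outbound call. The class name, method name and sample endpoint are hypothetical.

```java
import java.io.InputStream;
import java.net.URI;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.*;
import javax.net.ssl.SSLContext;

// Added example, not IBM code: audits the JSSE system-property fallback for an
// outbound HTTPS web service call. Class and method names are hypothetical.
public class OutboundTlsAudit {
    // Returns findings; an empty list means nothing was flagged.
    static List<String> audit(String endpoint) throws Exception {
        List<String> findings = new ArrayList<>();
        // The service port address must be in the https:// form to run over SSL/TLS.
        if (!"https".equalsIgnoreCase(URI.create(endpoint).getScheme()))
            findings.add("endpoint is not https://; SOAP and basic-auth data travel in clear text");

        // Standard JSSE properties, used when no other SSL configuration applies.
        String store = System.getProperty("javax.net.ssl.trustStore");
        if (store == null) {
            findings.add("javax.net.ssl.trustStore unset; the JRE default trust store applies");
        } else if (!Files.isReadable(Paths.get(store))) {
            findings.add("trust store not readable: " + store);
        } else {
            String pw = System.getProperty("javax.net.ssl.trustStorePassword");
            String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
            KeyStore ks = KeyStore.getInstance(type);
            try (InputStream in = Files.newInputStream(Paths.get(store))) {
                ks.load(in, pw == null ? null : pw.toCharArray());
            }
            int trusted = 0;
            for (String alias : Collections.list(ks.aliases()))
                if (ks.isCertificateEntry(alias)) trusted++;
            if (trusted == 0) findings.add("trust store holds no trusted certificate entries");
        }

        // Protocol versions the runtime enables by default for client sockets.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        for (String p : ctx.getDefaultSSLParameters().getProtocols())
            if (p.startsWith("SSL") || p.equals("TLSv1") || p.equals("TLSv1.1"))
                findings.add("legacy protocol enabled by default: " + p);
        return findings;
    }
    public static void main(String[] args) throws Exception {
        // Constructed placeholder endpoint; pass the real service port address as args[0].
        String endpoint = args.length > 0 ? args[0] : "https://service.example.com/ws/Quote";
        audit(endpoint).forEach(f -> System.out.println("FINDING: " + f));
    }
}
```

Run it with the same `-Djavax.net.ssl.*` options as the client JVM so that the audit sees the properties the web services runtime would fall back to.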

We can define additional HTTP transport properties for web services applications. Use the additional properties to manage the connection pool for HTTP outbound connections, configure the content encoding of the HTTP message, enable HTTP persistent connection, and resend the HTTP request when a timeout occurs.

  1. Develop and assemble a web services application.
  2. Deploy the application.
  3. Configure transport level security for the application.
  4. Define additional HTTP transport properties for the Web services application.


Results

By completing these steps, we have secured web services applications at the transport level.


Subtopics

  1. Develop and assemble a web services application.
  2. Deploy the application.
  3. Configure transport level security for the application.
  4. Define additional HTTP transport properties for the Web services application.


Related concepts

Secure web services
  • Overview of standards and programming models for web services message-level security


Related tasks

Deploy web services
  • Configure HTTP outbound transport level security with the administrative console
  • Configure HTTP outbound transport level security using Java properties
  • Configure additional HTTP transport properties using the JVM custom property panel in the administrative console
  • Configure additional HTTP transport properties using the wsadmin command-line tool
  • Configure additional HTTP transport
  • Configure HTTP outbound transport level security with an assembly tool
  • Authenticating web services clients using HTTP basic authentication
  • Associate a Secure Sockets Layer configuration dynamically with an outbound protocol and remote secure endpoint

HTTP transport custom properties for web services applications

  • HTTP SSL Configuration collection
  • Global security settings