Secure web services applications at the transport level
Transport-level security secures HTTP Internet and intranet communications. TLS can be used to secure web services messages. TLS functionality is independent from functionality provided by message-level security (WS-Security) or HTTP basic authentication.
We can use either WS-Security or transport-level security, or a combination of both. The following examples are common usage scenarios, but are not an exhaustive list of all possible scenarios:
- Use message-level security when security is essential to the Web service application. HTTP basic authentication uses a user name and password to authenticate a service client to a secure endpoint. The basic authentication is encoded in the HTTP request that carries the SOAP message. When the application server receives the HTTP request, the user name and password are retrieved and verified using the authentication mechanism specific to the server.
With message-level security, if you are not using the default outbound SSL port of 443, ensure that the dynamic outbound endpoint for SSL is configured properly.
- Use transport-level security to enable basic authentication. Transport-level security can be enabled or disabled independently from message-level security. Transport-level security provides minimal security. We can use this configuration when a web service is a client to another web service.
- Use SSL for confidentiality and integrity and HTTP Basic Authentication for authentication.
- Use SSL for confidentiality and integrity and WS-Security for authentication. For example, a Username token or LTPA token can be used for authentication.
- Use WS-Security for both confidentiality and integrity, and authentication.
Transport-level security is based on SSL, or TLS running beneath HTTP. HTTP is an inherently insecure protocol because all information is sent in clear text between unauthenticated peers over an insecure network. To secure HTTP, transport-level security can be applied.
Transport-level security can be used to secure web services messages. However, transport-level security functionality is independent from functionality provided by WS-Security or HTTP Basic Authentication.
SSL and TLS provide security features including authentication, data protection, and cryptographic token support for secure HTTP connections. To run with HTTPS, the service port address must be in the form https://. The integrity and confidentiality of transport data, including SOAP messages and HTTP basic authentication, are ensured when we use SSL and TLS.
Web services applications can also use Federal Information Processing Standard (FIPS) approved ciphers for more secure TLS connections.
WebSphere Application Server uses the Java Secure Sockets Extension (JSSE) package to support SSL and TLS.
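The point above about HTTP basic authentication, as an added example that is not part of the original documentation: the Authorization header carried with the SOAP message is only base64-encoded, so a client should attach it only when the service port address is in the form https://. The function names, endpoint URLs and credentials below are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit

def basic_auth_header(user, password):
    """Build the Authorization value: base64 is an encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def decode_basic_auth(header_value):
    """Recover (user, password), as anything that can read plain HTTP could."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def is_tls_endpoint(endpoint):
    """True only when the service port address is in the form https://."""
    return urlsplit(endpoint).scheme.lower() == "https"

def build_soap_request(endpoint, user, password, envelope):
    """Return (headers, body) for a SOAP POST; refuse Basic auth without TLS."""
    if not is_tls_endpoint(endpoint):
        raise ValueError("refusing to send Basic credentials to " + endpoint)
    parts = urlsplit(endpoint)
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    headers = {
        "Host": host,
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": '""',
        "Authorization": basic_auth_header(user, password),
    }
    return headers, envelope.encode("utf-8")

def audit_endpoints(endpoints):
    """List the configured endpoints that would expose Basic credentials."""
    return [e for e in endpoints if not is_tls_endpoint(e)]

if __name__ == "__main__":
    # Constructed sample data: hosts, ports and credentials are placeholders.
    endpoints = ["https://ws.example.test:9443/StockQuote",
                 "http://ws.example.test:9080/StockQuote"]
    envelope = "<soapenv:Envelope/>"
    headers, _ = build_soap_request(endpoints[0], "alice", "s3cret", envelope)
    print(headers["Authorization"], "->", decode_basic_auth(headers["Authorization"]))
    print("cleartext endpoints:", audit_endpoints(endpoints))
```

Running `audit_endpoints` over the service port addresses in a client's configuration flags any binding where basic authentication would travel without SSL or TLS underneath it.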
This task is one of several ways that we can configure the HTTP outbound transport level security for a web service acting as a client to another Web service server. We can also configure the HTTP outbound transport level security with an assembly tool or using the Java properties. If we do not configure the HTTP outbound transport level security, the web services runtime defers to the Java EE security runtime in the WebSphere product for an effective SSL configuration. If there is no SSL configuration with the Java EE security runtime in the WebSphere product, the JSSE system properties are used.
We can define additional HTTP transport properties for web services applications. Use the additional properties to manage the connection pool for HTTP outbound connections, configure the content encoding of the HTTP message, enable HTTP persistent connection, and resend the HTTP request when a timeout occurs.
Procedure
- Develop and assemble a web services application.
Assemble the HTTP outbound transport level security for the application with an assembly tool.
- Deploy the application.
- Configure transport level security for the application.
- Define additional HTTP transport properties for the Web services application.
- Configure additional HTTP transport properties using JVM custom properties.
- Configure additional HTTP transport properties using an assembly tool.