Web Services Security
Web services security can be enabled in different ways depending on the run-time environment being used by the Web service.
Enabling security when using the WebSphere run-time environments
When creating a Web service with the Web Service Wizard using the WebSphere run-time environments, you have four security options:
- None - this will not enable security. This is the only WS-I compliant option.
- XML Digital Signature - this lets you digitally sign elements of a SOAP message, protecting their integrity.
- XML Encryption - this allows you to encrypt elements of a SOAP message and propagate the encrypted data.
- XML Digital Signature and XML Encryption - this combines the previous two options.
The security options available through the wizard are for illustration purposes only - they should never be used in a production environment. They point to keystore and certificate files in WebSphere Application Server. If you want to enable security for a Web service in a production environment, use the Assembly Toolkit to create and customize your own settings. The Web service client and the Web service must have the same security setting for them to communicate with each other. For example, you cannot invoke an XML Digital Signature secured service if the client has a non-secured or XML Encryption security setting.
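One way to check which of the four options a captured message actually reflects, as an added example (not from the original page or from IBM's tooling): it looks for the standard XML Digital Signature and XML Encryption elements and reports whether the SOAP Body itself is covered. The `classify` helper and the sample messages are constructed for illustration, and no signature is cryptographically verified.

```python
import xml.etree.ElementTree as ET

# Standard namespaces: SOAP 1.1 envelope, XML Digital Signature, XML Encryption.
SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
XENC = "{http://www.w3.org/2001/04/xmlenc#}"

def classify(soap_xml):
    """Map one SOAP message to a wizard option and report Body coverage."""
    root = ET.fromstring(soap_xml)  # sample input only; use a hardened parser for untrusted XML
    body = root.find(SOAP + "Body")
    # Index elements by any Id-style attribute (Id, id, wsu:Id) to resolve references.
    by_id = {v: el for el in root.iter() for k, v in el.attrib.items()
             if k.rsplit("}", 1)[-1].lower() == "id"}
    refs = [r.get("URI", "")[1:] for r in root.iter(DS + "Reference")
            if r.get("URI", "").startswith("#")]
    signed = root.find(".//" + DS + "Signature") is not None
    encrypted = root.find(".//" + XENC + "EncryptedData") is not None
    option = {(False, False): "None",
              (True, False): "XML Digital Signature",
              (False, True): "XML Encryption",
              (True, True): "XML Digital Signature and XML Encryption"}[(signed, encrypted)]
    return {
        "option": option,
        "body_signed": body is not None and any(by_id.get(i) is body for i in refs),
        "body_encrypted": body is not None
                          and body.find(".//" + XENC + "EncryptedData") is not None,
        "dangling_refs": [i for i in refs if i not in by_id],  # references to nothing
    }

def _envelope(header, body_attrs="", body="<m:getQuote xmlns:m='urn:example'/>"):
    # Constructed sample message; signature values are omitted (nothing is verified).
    return ("<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/' "
            "xmlns:ds='http://www.w3.org/2000/09/xmldsig#' "
            "xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>"
            f"<s:Header>{header}</s:Header><s:Body {body_attrs}>{body}</s:Body></s:Envelope>")

SIG = "<ds:Signature><ds:SignedInfo><ds:Reference URI='#{}'/></ds:SignedInfo></ds:Signature>"
PLAIN = _envelope("")
SIGNED_BODY = _envelope(SIG.format("body"), "Id='body'")
SIGNED_OTHER = _envelope("<t Id='ts'/>" + SIG.format("ts"))  # signature skips the Body
SIGNED_ENCRYPTED = _envelope(SIG.format("body"), "Id='body'", "<xenc:EncryptedData/>")

if __name__ == "__main__":
    for name, msg in [("plain", PLAIN), ("signed body", SIGNED_BODY),
                      ("signed header only", SIGNED_OTHER),
                      ("signed and encrypted", SIGNED_ENCRYPTED)]:
        print(name, classify(msg))
```

A message can report the XML Digital Signature option while `body_signed` is false, which means the signature covers some other element and the payload has no integrity protection.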
Enabling security when using the IBM SOAP run-time
Rational Developer products provide you with the ability to use secure SOAP when you are using WebSphere Application Server if you select the IBM SOAP run-time environment.
When you create a Web service (using a wizard) you have the option to enable this feature by checking the "Use secure SOAP (WebSphere only)" box. By doing this, the wizard will create two keystore files (SOAPclient and SOAPserver) and one certificate (sslserver.p12) in the key directory of your Web service project. Enabling secure SOAP tells the Web service run-time to use a SOAP signature over a Secure Sockets Layer (SSL) connection. The keys that are created for you are for testing purposes only and will expire after a certain time. To recreate a keystore file, you will need to install a stand-alone version of WebSphere Application Server and use the IBM Key Management tool.
Important: Once you have created a Web project with a Web service that is not secure, you cannot make it secure. Once you have created a Web project with a secure Web service, you cannot remove the use of secure SOAP.
For more information on SOAP Digital Signature security, refer to www.w3.org/TR/2001/NOTE-SOAP-dsig-20010206
For more information on secure SOAP services: http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/twbs_secureapp.html
Related Concepts
Tools for Web services development
Simple Object Access Protocol (SOAP)
Related Tasks
Developing Web services