+

Search Tips   |   Advanced Search

Secure Web services applications at the transport level


 

Overview

Transport-level security is based on SSL or TLS that runs beneath HTTP, and can be used to secure Web services messages

Transport-level security functionality is independent from functionality provided by...

HTTP basic authentication uses a user name and password to authenticate a service client to a secure endpoint. The basic authentication is encoded in the HTTP request that carries the SOAP message. When the appserver receives the HTTP request, the user name and password are retrieved and verified using the authentication mechanism specific to the server.

Use transport-level security to enable basic authentication. Transport-level security can be enabled or disabled independently from message-level security. Transport-level security provides minimal security.

Transport-level security is based on SSL or TLS that runs beneath HTTP. HTTP, the most used Internet communication protocol, is currently also the most popular protocol for Web services. HTTP is an inherently insecure protocol because all information is sent in clear text between unauthenticated peers over an insecure network. To secure HTTP, transport-level security can be applied.

Transport level security can be used to secure Web services messages. However, transport-level security functionality is independent from functionality that is provided by WS-Security or HTTP Basic Authentication.

SSL and TLS provide security features including authentication, data protection, and cryptographic token support for secure HTTP connections. To run with HTTPS, the service port address must be in the form https: //. The integrity and confidentiality of transport data, including SOAP messages and HTTP basic authentication, is confirmed when you use SSL and TLS.

Web services applications can also use FIPS approved ciphers for TLS connections.

WAS uses JSSE to support SSL and TLS.

Configure the HTTP outbound TLS for a Web service acting as a client to another Web service server.

If we do not configure the HTTP outbound TLS using the admin console, the Web services runtime defers to the Java EE security runtime for SSL configuration. If there is no SSL configuration with the Java EE security runtime, JSSE system properties are used.

We can define additional HTTP transport properties for Web services applications to...

 

Secure Web services applications at the transport level

There are three ways that we can configure HTTP outbound TLS:

Set additional HTTP transport properties for Web services applications...

 

Related tasks

HTTP transport custom properties for Web services applications
Set additional HTTP transport properties using the wsadmin command-line tool
Secure Web services for V5.x applications based on WS-Security
Authenticate Web services clients using HTTP basic authentication
Secure Web services applications using message level security
Associating a SSL configuration dynamically with an outbound protocol and remote secure endpoint
Task overview: Implement Web services applications
HTTP SSL Configuration collection
Global security settings