Enable Web Services Security (WS-Security) for the gateway
Note: This page applies to WAS Version 5.0.2 and later only.
You can configure the gateway for secure transmission of SOAP messages using tokens, keys, signatures and encryption in accordance with the Web Services Security (WS-Security) draft recommendation. For more information, see Web services gateway and WS-Security.
The gateway sits between the service requester (the client) and the target Web service. You configure the gateway to act as the target service from the point of view of the client, and as the client from the point of view of the target service. So you need to get, from the owning parties, the WS-Security configurations for both the client and the Web service. This information is found in the following files on the owners' systems:
- Key stores (.ks and .jceks files).
- Certificate stores (.cer files).
- Security settings (ibm-webservicesclient-ext.xmi for the client, and ibm-webservices-ext.xmi for the Web service).
- Binding information - for example the location of a keystore on the file system (ibm-webservicesclient-bnd.xmi for the client, and ibm-webservices-bnd.xmi for the Web service).
Note: If the client is hosted on WAS, and the Web service security settings were created using IBM Web services tooling (for example WebSphere Studio Application Developer), then the files that contain the security settings and binding information have the exact file names (*.xmi) given above. For clients and Web services from other vendors, these files have different names.
You need to copy the key store and certificate store files to the gateway file system, and to enter and configure for the gateway the security settings that are contained in the .xmi files. The security settings are entered and configured manually using the gateway administrative user interface. There are tools available (for example WebSphere Studio Application Developer) that can parse the .xmi files for you.
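A pre-flight check for the hand-over described above, as an added example that is not part of the IBM documentation: it inventories one owner's files, flags missing settings or binding files and key stores accessible beyond their owner, and uses SHA-256 hashes to confirm that the copies on the gateway file system match. It assumes each owner delivers a single directory and that the IBM tooling file names apply; `inventory` and `verify_copy` are hypothetical helper names.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Settings/binding file names as given on this page (IBM tooling only;
# other vendors use different names, so adjust REQUIRED for them).
REQUIRED = {
    "client": ("ibm-webservicesclient-ext.xmi", "ibm-webservicesclient-bnd.xmi"),
    "service": ("ibm-webservices-ext.xmi", "ibm-webservices-bnd.xmi"),
}
KEY_STORES = {".ks", ".jceks"}
CERT_STORES = {".cer"}

def inventory(bundle_dir, role):
    """Return (manifest, problems) for one owner's hand-over directory (assumed layout)."""
    files = sorted(p for p in Path(bundle_dir).iterdir() if p.is_file())
    names = {p.name for p in files}
    suffixes = {p.suffix.lower() for p in files}
    problems = [f"missing {n}" for n in REQUIRED[role] if n not in names]
    if not suffixes & KEY_STORES:
        problems.append("no key store (.ks/.jceks)")
    if not suffixes & CERT_STORES:
        problems.append("no certificate store (.cer)")
    manifest = {}
    for p in files:
        manifest[p.name] = hashlib.sha256(p.read_bytes()).hexdigest()
        # Key stores hold private keys: flag group/other access (POSIX only).
        if p.suffix.lower() in KEY_STORES and os.name == "posix" and p.stat().st_mode & 0o077:
            problems.append(f"{p.name} is accessible by group/other")
    return manifest, problems

def verify_copy(manifest, gateway_dir):
    """Return names whose copy on the gateway is absent or has a different hash."""
    bad = []
    for name, digest in manifest.items():
        copy = Path(gateway_dir) / name
        if not copy.is_file() or hashlib.sha256(copy.read_bytes()).hexdigest() != digest:
            bad.append(name)
    return bad

if __name__ == "__main__":
    # Constructed sample bundle: placeholder bytes, not real key material.
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as gw:
        for name in ("ibm-webservicesclient-ext.xmi", "client.jceks", "client.cer"):
            (Path(src) / name).write_bytes(b"constructed sample")
        manifest, problems = inventory(src, "client")
        print(problems)
        print(verify_copy(manifest, gw))
```

Run `inventory` once per owner (role `client` or `service`) before the copy, and `verify_copy` against the gateway directory afterwards.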
You use the Gateway --> Security option to configure the security bindings (the tokens, keys, signatures and encryption methods) that are available to the gateway, as described in Configure the gateway security bindings.
You then configure the level of security that applies at each stage of the transmission (and note that different levels of security, including no security, can be applied to each stage):
- From the service requester to the gateway.
- From the gateway to the target service.
- From the target service back to the gateway.
- From the gateway back to the service requester.
For information on how to do this, see the following topics:
- Edit the service security configuration - how to configure secure communication for this gateway service between the service requester (the client) and the gateway.
- Edit the target service security configuration - how to configure secure communication between the gateway and the target service.
Note: If you change an existing security configuration for a Web service in the gateway, you must restart the application server on which the gateway is running for the changes to take effect.