WS Security

WS Security is a standard for securing SOAP messages at the message level; it does not depend on transport security such as the Secure Sockets Layer (SSL) protocol. With WS Security, SOAP messages exchanged between the Web service provider and the Web service client are protected by XML digital signatures, XML encryption, timestamps, and security tokens.

At the time of writing, the standardization of WS Security was still in progress. For current information see SAP Note 688983.

WS Security can only be applied to SOAP messages. It is not supported for the HTTP GET profile, HTTP POST, or SOAP with attachments. WS Security is only supported by deployable proxies.

XML Signatures

Digital signatures are added to a SOAP document to ensure the integrity and the authenticity of the message. If parts of the message are changed during transport, the signature becomes invalid and the message is rejected by the receiving party. Signatures may be added to the client request and to the server response. Signatures are always used in combination with a timestamp to prevent replay of the message: both the SOAP:Envelope/SOAP:Body element and the SOAP:Envelope/SOAP:Header/wsse:Security/wsu:Timestamp element are signed, so neither the payload nor the validity window can be altered or reused without invalidating the signature.

XML Encryption

Encryption is used to protect elements that are sent as part of the SOAP message. For decryption, the key is retrieved from the keystore view WebServiceSecurity.

Support for XML encryption is limited: decryption of encrypted SOAP documents and encryption of the Username security token are supported.

Security Tokens

Besides XML signatures, other credentials used to authenticate the Web service client may be included in the message. The SAP Web AS implementation of WS Security supports the Username security token and the X.509 security token.

To prove possession of the X.509 certificate carried in the X.509 security token, an XML signature created with the corresponding private key is required; the certificate alone is public and authenticates nobody.
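The Username security token and the inbound Username template described later on this page, as an added example that is not SAP code: the page says the token carries a timestamp, a username and a password but does not say which password form the SAP Web AS uses, so this assumes the PasswordDigest form of the OASIS Username Token Profile 1.0 (element wsse:UsernameToken, digest = Base64(SHA-1(nonce + created + password))). The receiver verifies the digest, rejects a wsu:Created outside its freshness window, and remembers nonces for that window so a captured token cannot be replayed. The user store, credentials, nonces and timestamps are constructed for the example.

```python
"""UsernameToken generation and receiver-side verification.
Added example, not SAP code.  Assumes the PasswordDigest variant of the
OASIS Username Token Profile 1.0; SHA-1 is what that profile specifies."""
import base64
import datetime as dt
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
PW_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
             "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
B64 = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-soap-message-security-1.0#Base64Binary")


def q(ns, local):
    return "{%s}%s" % (ns, local)


def parse_utc(text):
    return dt.datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def password_digest(nonce, created, password):
    """Profile-defined digest over the raw nonce bytes, the Created text and the password."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_username_token(username, password, created, nonce=None):
    """Sender side.  A fresh random nonce per message is what makes replay detectable."""
    nonce = nonce if nonce is not None else os.urandom(16)
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{PW_DIGEST}">'
        f"{password_digest(nonce, created, password)}</wsse:Password>"
        f'<wsse:Nonce EncodingType="{B64}">{base64.b64encode(nonce).decode()}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


class UsernameTokenVerifier:
    """Receiver side.  `users` maps username -> password (a constructed store
    standing in for the real credential backend)."""

    def __init__(self, users, max_age=dt.timedelta(minutes=5), skew=dt.timedelta(minutes=1)):
        self.users = users
        self.max_age = max_age      # how old a Created may be
        self.skew = skew            # how far into the future a Created may lie
        self.seen = {}              # nonce -> Created, kept for max_age

    def verify(self, token_xml, now):
        """Return (ok, reason).  `now` is an aware UTC datetime."""
        tok = ET.fromstring(token_xml)
        username = tok.findtext(q(WSSE, "Username"))
        pw = tok.find(q(WSSE, "Password"))
        nonce_el = tok.find(q(WSSE, "Nonce"))
        created = tok.findtext(q(WSU, "Created"))
        if username is None or pw is None or nonce_el is None or created is None:
            return False, "incomplete token"
        if pw.get("Type") != PW_DIGEST:
            return False, "only PasswordDigest is accepted"
        created_dt = parse_utc(created)
        if created_dt < now - self.max_age or created_dt > now + self.skew:
            return False, "Created outside freshness window"
        nonce = base64.b64decode(nonce_el.text or "")
        # Drop nonces that have aged out of the window, then refuse a reused one.
        self.seen = {n: c for n, c in self.seen.items() if now - c <= self.max_age}
        if nonce in self.seen:
            return False, "replayed nonce"
        # Unknown users get a digest over an empty secret so the work done is the same.
        expected = password_digest(nonce, created, self.users.get(username, ""))
        if username not in self.users or not hmac.compare_digest(expected, pw.text or ""):
            return False, "password digest mismatch"
        self.seen[nonce] = created_dt
        return True, "ok"


if __name__ == "__main__":
    verifier = UsernameTokenVerifier({"alice": "s3cret"})
    token = build_username_token("alice", "s3cret", "2024-05-01T10:00:00Z")
    print(verifier.verify(token, parse_utc("2024-05-01T10:01:00Z")))
```

The nonce cache only has to cover the freshness window: once a Created is older than max_age the timestamp check rejects the token on its own, so the cache can be bounded instead of growing without limit.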

Using WS Security

Configuring a Web service to use WS Security settings requires three steps:

1. For each operation in the Web service, select the WS Security template for the request and for the response from the list in the SAP NetWeaver Developer Studio. A WS Security template describes the security mechanism (for example, XML Signature) used to protect the message.

2. For each WS Security template specified at design time, create a profile with the runtime configuration settings the template needs, such as X.509 certificate data.

3. Assign the WS Security profiles to the operations. One profile may be assigned to multiple operations when the same certificate is to be used for their XML Signatures; different profiles of the same template are used for operations whose XML Signatures use different certificates.

WS Security Profiles

The following WS Security templates for outbound and inbound messages are available. For each template, its effect on the message and the configuration parameters its profile requires are listed.

Outbound messages (client request, server response):

Signature
  Effect: Adds a wsu:Timestamp to the message and signs the elements SOAP:Envelope/SOAP:Header/wsse:Security/wsu:Timestamp and SOAP:Envelope/SOAP:Body.
  Configuration parameters: keystore view, keystore alias of the signing key

Username
  Effect: Adds a SOAP:Envelope/SOAP:Header/wsse:Security/wsse:Username element to the message containing a timestamp, a username and a password. The password is stored encrypted in the profile provided the SAP Java Cryptographic Toolkit is installed.
  Configuration parameters: username, password

Username + Encryption
  Effect: Adds a SOAP:Envelope/SOAP:Header/wsse:Security/wsse:Username element to the message containing a timestamp, a username and a password, and encrypts the wsse:Username element.
  Configuration parameters: username, password, keystore view and alias of the X.509 certificate used for XML Encryption

None
  Effect: Does not add any security to the message.
  Configuration parameters: none

Inbound messages (server response received by the client, client request received by the server):

Signature
  Effect: Verifies the signature over SOAP:Envelope/SOAP:Body and SOAP:Envelope/SOAP:Header/wsse:Security/wsu:Timestamp and checks the validity of the timestamp. For authentication, the mapping between X.509 certificates and users maintained in the Security Provider service is used.
  Configuration parameters: keystore view with the certificates of the trusted certificate authorities

Username
  Effect: Authenticates the sender using the SOAP:Envelope/SOAP:Header/wsse:Security/wsse:Username element of the message, which contains a timestamp, a username and a password.
  Configuration parameters: none

Username + Encryption
  Effect: Decrypts the SOAP:Envelope/SOAP:Header/wsse:Security/wsse:Username element of the message, which contains a timestamp, a username and a password, and authenticates the sender with it. For decryption, the key XMLEncryption in the keystore view WebServiceSecurity is used.
  Configuration parameters: none

None
  Effect: Does not add any security to the message.
  Configuration parameters: none

See also:

Configuring Document Authentication