WS Mailbox: Security Tab

Web Services Security (WS-Security) is a flexible and feature-rich extension to SOAP to apply security to Web services. The protocol specifies how integrity and confidentiality can be enforced on messages and allows communication of various security token formats. Its main focus is the use of XML Signature and XML Encryption to provide end-to-end security. Visit http://www.oasis-open.org/specs/index.php#wssv1.0 for more information.

Use the mailbox Security tab to specify SSL (TCP sub-tab) and WS-Security options (Request and Certificates sub-tabs).

TCP

Use the TCP tab to specify an optional client certificate for TLS over secure TCP/IP. This certificate needs to be specified only for servers that require a client certificate to be presented during SSL negotiation.

Request

WS-Security options are specified using an XML policy file. Use of a WS-Security policy file allows a wide variety of security options. The most common options have been incorporated into VersaLex as the default policy. The security elements that you are required to provide are most often dictated by the service being connected to. Check with an administrator for required security elements.

If you have your own policy file to use, you can clear Use default policy and enter the location of your policy file in the Custom Policy field. Otherwise, select Use default policy.

The custom policy is loaded into VersaLex when the settings are saved. To force VersaLex to reload the policy (for example, if changes to the policy have been made), click Reload.

Note: If you are supplying your own policy but still want to use VersaLex as your certificate store and supplier of passwords, select Use VersaLex certs and passwords in custom policy. VersaLex will automatically replace entries in your custom policy to utilize VersaLex resources.

Certificates

The Certificates tab is for specifying the signing and encryption certificates. If a signing certificate is specified, then the request is signed. If an encryption certificate is specified, then the request is encrypted. In the VersaLex implementation, if the request is encrypted, it must also be signed.

The Trading Partner's Certificates are those provided by the trading partner.

The My Certificates section is used for specifying your certificates.
  • The Signing Certificate Alias refers to the certificate used to sign the outgoing request. You must also specify the password associated with this certificate.
  • The Encryption Certificate Alias is used for decrypting the incoming encrypted response to the request. If the encryption certificate is the same as the signing certificate, select Use signing certificate.
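
As an added example (not part of the VersaLex documentation or product code), the following Python check inspects a captured SOAP request and reports whether it is signed and encrypted, flagging the combination the Certificates tab disallows: encrypted but not signed. The function names and the sample envelopes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope")     # SOAP 1.2


def protection_summary(envelope_xml):
    """Report whether a SOAP request is signed and/or encrypted, and whether
    it satisfies the rule that an encrypted request must also be signed."""
    # Meant for your own captured requests; parse untrusted XML with defusedxml.
    root = ET.fromstring(envelope_xml)
    soap = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if soap not in SOAP_NS or not root.tag.endswith("}Envelope"):
        raise ValueError("not a SOAP envelope")
    security = root.find(f"{{{soap}}}Header/{{{WSSE}}}Security")
    body = root.find(f"{{{soap}}}Body")
    signed = security is not None and security.find(f"{{{DS}}}Signature") is not None
    # Encryption appears as EncryptedKey and/or EncryptedData in the header or body.
    encrypted = any(
        part is not None and part.find(f".//{{{XENC}}}{name}") is not None
        for part in (security, body) for name in ("EncryptedKey", "EncryptedData"))
    return {"signed": signed, "encrypted": encrypted,
            "valid": signed or not encrypted}


def sample_envelope(signed, encrypted):
    """Constructed skeleton request (no real key material or digests)."""
    header = ""
    if signed:
        header += f'<ds:Signature xmlns:ds="{DS}"/>'
    if encrypted:
        header += f'<xenc:EncryptedKey xmlns:xenc="{XENC}"/>'
    payload = (f'<xenc:EncryptedData xmlns:xenc="{XENC}"/>' if encrypted
               else "<m:Ping xmlns:m='urn:example:constructed'/>")
    return (f'<s:Envelope xmlns:s="{SOAP_NS[0]}"><s:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}">{header}</wsse:Security>'
            f'</s:Header><s:Body>{payload}</s:Body></s:Envelope>')


if __name__ == "__main__":
    for signed, encrypted in [(False, False), (True, False), (True, True), (False, True)]:
        print(signed, encrypted, protection_summary(sample_envelope(signed, encrypted)))
```

The check only confirms that the expected elements are present; it does not verify the signature or decrypt anything. A custom policy that encrypts the signature element itself hides ds:Signature inside EncryptedData, so such a request is reported as unsigned.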

If you need more assistance with WS-Security, see the following resources:

http://www.ibm.com/developerworks/webservices/tutorials/ws-understand-web-services4/index.html

http://www.ibm.com/developerworks/java/library/j-jws4/

http://thilinamb.wordpress.com/2009/08/19/ws-security-policy-assymetric-binding-explained/