Operating Systems: i5/OS
Securing Web services applications at the transport level
Transport-level security is a well-known and often used mechanism
to secure HTTP Internet and intranet communications. Transport-level security
can be used to secure Web services messages. Transport-level security functionality
is independent from functionality that is provided by message-level security
(WS-Security) or HTTP basic authentication.
You can use either message-level security (WS-Security) or transport-level
security:
- Use message-level security when security is essential to the Web service
application. HTTP basic authentication uses a user name and password to authenticate
a service client to a secure endpoint. The basic authentication is encoded
in the HTTP request that carries the SOAP message. When the application server
receives the HTTP request, the user name and password are retrieved and verified
using the authentication mechanism specific to the server.
- Use transport-level security to enable basic authentication. Transport-level
security can be enabled or disabled independently from message-level security.
Transport-level security provides minimal security. You can use this configuration
when a Web service is a client to another Web service.
Overview
Transport-level security is based on Secure Sockets Layer (SSL) or
Transport Layer Security (TLS) that runs beneath HTTP. HTTP, the most used
Internet communication protocol, is currently also the most popular protocol
for Web services. HTTP is an inherently insecure protocol because all information
is sent in clear text between unauthenticated peers over an insecure network.
To secure HTTP, transport-level security can be applied.
Transport-level security can be used to secure Web services messages. However, transport-level
security functionality is independent from functionality that is provided
by WS-Security or HTTP Basic Authentication.
SSL and TLS provide security
features including authentication, data protection, and cryptographic token
support for secure HTTP connections. To run with HTTPS, the service port address
must be in the form https://. The integrity and confidentiality of
transport data, including SOAP messages and HTTP basic authentication, are
protected when you use SSL and TLS.
WebSphere Application Server
uses the Java Secure Sockets Extension (JSSE) package to support SSL and TLS.
This task is one of several ways that you can configure the HTTP outbound
transport-level security for a Web service acting as a client to another Web
service server. You can also configure the HTTP outbound transport-level security
with an assembly tool or by using the Java properties. If you do not configure
the HTTP outbound transport-level security, the Web services runtime defers
to the J2EE security runtime in the WebSphere product for an effective Secure
Sockets Layer (SSL) configuration. If there is no SSL configuration with the
J2EE security runtime in the WebSphere product, the Java Secure Socket
Extension (JSSE) system properties are used.
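The following Java sketch is an added example, not code from the WebSphere product or its documentation. It shows a client-side guard that attaches HTTP basic authentication only when the service port address is https://, demonstrates that the basic authentication header is encoded rather than encrypted, and prints the standard JSSE system properties that serve as the last fallback described above. The class name OutboundTransportCheck, the endpoint URLs, and the credentials are constructed for illustration.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.net.ssl.SSLContext;

public class OutboundTransportCheck {

    // Build the basic authentication header only when the endpoint is https://.
    static String basicHeaderFor(URI endpoint, String user, String password) {
        if (!"https".equalsIgnoreCase(endpoint.getScheme())) {
            throw new IllegalArgumentException(
                "refusing to attach basic authentication to non-HTTPS endpoint: " + endpoint);
        }
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // What any observer of a clear-text HTTP request could recover from the header.
    static String decodeBasic(String header) {
        byte[] raw = Base64.getDecoder().decode(header.substring("Basic ".length()));
        return new String(raw, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from any real configuration.
        URI secure = URI.create("https://services.example.com/StockQuote");
        URI clear = URI.create("http://services.example.com/StockQuote");

        String header = basicHeaderFor(secure, "wsclient", "s3cret");
        System.out.println("Authorization: " + header);
        System.out.println("decodes to:    " + decodeBasic(header)); // wsclient:s3cret

        try {
            basicHeaderFor(clear, "wsclient", "s3cret");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage()); // the guard rejects the http:// address
        }

        // Standard JSSE system properties consulted when no other SSL configuration exists.
        for (String p : new String[] {"javax.net.ssl.trustStore", "javax.net.ssl.keyStore"}) {
            System.out.println(p + " = " + System.getProperty(p, "(not set)"));
        }
        // Protocols the default JSSE context would offer on an outbound connection.
        SSLContext ctx = SSLContext.getDefault();
        System.out.println(String.join(", ", ctx.getDefaultSSLParameters().getProtocols()));
    }
}
```

Running it with -Djavax.net.ssl.trustStore=... on the command line shows the property value that JSSE would pick up in the fallback case.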
You can define additional HTTP transport properties for Web services applications.
Use the additional properties to manage the connection pool for HTTP outbound
connections, configure the content encoding of the HTTP message, enable HTTP
persistent connection, and resend the HTTP request when a timeout occurs.
Procedure
- Select one of the following methods to configure HTTP outbound
transport-level security. There are three ways that you can configure
HTTP outbound transport-level security:
  - Configure HTTP outbound transport-level security by using the administrative
  console.
  - Configure HTTP outbound transport-level security by using an assembly
  tool.
  - Configure HTTP outbound transport-level security by using Java properties.
- Select one of the following methods to define additional HTTP transport
properties for Web services applications.
Results
By completing these steps, you have secured Web services applications
at the transport level.
What to do next
HTTP transport custom properties for Web services applications
Configuring HTTP outbound transport level security with the administrative
console
Configuring HTTP outbound transport-level security using Java properties
Configuring additional HTTP transport properties using the JVM custom
property panel in the administrative console
Configuring additional HTTP transport properties with an assembly tool
Configuring HTTP outbound transport level security with an assembly
tool
Related tasks
Securing Web services for V5.x applications based on WS-Security
Securing Web services applications using JAX-RPC at the message level
Authenticating Web services clients using HTTP basic authentication
Task overview: Implementing Web services applications
Related Reference
HTTP SSL Configuration collection
Secure administration, applications, and infrastructure settings