Securing Web services applications at the transport level

Transport-level security is a well-known and often used mechanism to secure HTTP Internet and intranet communications. Transport level security can be used to secure Web services messages. Transport-level security functionality is independent from functionality that is provided by message-level security (WS-Security) or HTTP basic authentication. You can use either message-level security (WS-Security) or transport-level security:

• Use message-level security when security is essential to the Web service application. HTTP basic authentication uses a user name and password to authenticate a service client to a secure endpoint. The basic authentication is encoded in the HTTP request that carries the SOAP message. When the application server receives the HTTP request, the user name and password are retrieved and verified using the authentication mechanism specific to the server.

• Use transport-level security to enable basic authentication. Transport-level security can be enabled or disabled independently from message-level security. Transport-level security provides minimal security. You can use this configuration when a Web service is a client to another Web service.

Overview

Transport level security can be used to secure Web services messages. However, transport-level security functionality is independent from functionality that is provided by WS-Security or HTTP Basic Authentication.

SSL and TLS provide security features including authentication, data protection, and cryptographic token support for secure HTTP connections. To run with HTTPS, the service port address must be in the form https://. The integrity and confidentiality of transport data, including SOAP messages and HTTP basic authentication, is confirmed when you use SSL and TLS.

WebSphere Application Server uses the Java Secure Sockets Extension (JSSE) package to support SSL and TLS.

This task is one of several ways that you can configure the HTTP outbound transport level security for a Web service acting as a client to another Web service server. You can also configure the HTTP outbound transport level security with an assembly tool or by using the Java properties. If you do not configure the HTTP outbound transport level security, the Web services runtime defers to the J2EE security runtime in the WebSphere product for an effective Secure Sockets Layer (SSL) configuration. If there is no SSL configuration with the J2EE security runtime in the WebSphere product, the Java Secure Socket Extension (JSSE) system properties are used.

You can define additional HTTP transport properties for Web services applications. Use the additional properties to manage the connection pool for HTTP outbound connections, configure the content encoding of the HTTP message, enable HTTP persistent connection, and resend the HTTP request when a timeout occurs.

Procedure

• Select one of the following methods to configure HTTP outbound transport level security. There are three ways that you can configure HTTP outbound transport level security:

  • Configure HTTP outbound transport level security by using the administrative console.

  • Configure HTTP outbound transport level security by using an assembly tool.

  • Configure HTTP outbound transport-level security by using Java properties.

• Select one of the following methods to define additional HTTP transport properties for Web services applications.

  • Configure additional HTTP transport properties by using the JVM custom property panel in the administrative console.

  • Configure additional HTTP transport properties by using an assembly tool.

Results

What to do next

Related tasks

Related Reference