Inbound WS-Security configuration settings
WS-Security configuration for an inbound request. This defines WS-Security requirements for the request consumed from the client and the response generated. The objects created may be applied to one or more inbound ports.
Console path:
Service integration -> Web services -> WS-Security configurations -> v1-inbound-config_name.
We can configure the service integration bus for secure transmission of SOAP messages using tokens, keys, signatures and encryption in accordance with the Web Services Security (WS-Security) 1.0 specification.
Alternatively, we can configure the bus in accordance with the previous WS-Security specification, WS-Security Draft 13 (Web Services Security Core Specification). Use of the WS-Security Draft 13 specification is deprecated, and should only be used to allow continued use of an existing web services client application written to the WS-Security Draft 13 specification.
We use an inbound configuration to secure the SOAP messages that pass between a service requester (client) and an inbound service (which acts as a target web service). The configuration specifies the level of security that you require (for example "The body must be signed"). This level of security is then implemented through the run-time information contained in the following types of WS-Security binding:
For WS-Security Version 1.0:
- request consumer, for use when consuming requests from a client to an inbound service.
- response generator, for use when generating responses from an inbound service to a client.
For WS-Security Draft 13:
- request receiver, for use when receiving requests from a client to an inbound service.
- response sender, for use when sending responses from an inbound service to a client.
WS-Security configurations are administered independently from any web service that uses them, so we can create an inbound configuration then apply it to many inbound services.
Configuration tab
The Configuration tab shows configuration properties for this object. These property values are preserved even if the runtime environment is stopped then restarted.
General Properties
WS-Security version
Identifies the version of the WS-Security specification this configuration uses.
Information Value Required No Data type String
Service type
The type of service the WS-Security configuration applies to.
Information Value Required No Data type String
Name
The name of the inbound WS-Security configuration.
This name must be unique across both WS-Security Version 1.0 and Draft 13 Inbound configurations, and it must obey the following syntax rules:
- It must not start with "." (a period).
- It must not start or end with a space.
- It must not contain any of the following characters: \ /, # $ @ : ; " * ? < > | = + & % '
Information Value Required Yes Data type String
Actor URI
WS-Security headers within the consumed request message will only be processed if they have the specified Actor URI.
Information Value Required No Data type String
Request consumer
- Required integrity
- The integrity constraints consumed messages must meet. This includes specifying which message parts within the incoming message must be digitally signed, and the message parts to which attached digitally signed Nonce and time stamp elements are expected.
- Required confidentiality
- Confidentiality constraints consumed messages must meet. This includes specifying which message parts within the incoming message must be encrypted, and the message parts to which attached encrypted Nonce and time stamp elements are expected.
- Required security token
- Specifies accepted stand-alone security tokens within a consumed message. Stand-alone security tokens are those not already used for signature or encryption. Defining a required security token means that messages containing a token of that type will be processed according to the usage assertion. The security token will not be used for authentication unless it is also specified within a caller.
- Caller
- Security token, signed part or encrypted part used for authentication. If a signed or encrypted part is used, the value of the part attribute must be the name of a defined required integrity or required confidentiality constraint. If a stand-alone security token is used for authentication, then the URI and local name attributes must define the type of security token used for authentication.
- Add time stamp
- When add time stamp is specified for a consumer, a time stamp is added indicating when the message was consumed. For a generator, a time stamp is added indicating when the message was generated.
- Properties
- General properties for the inbound WS-Security configuration.
Response generator
- Actor
- Defines the Actor URI to be included in WS-Security headers of generated response.
- Integrity
- The integrity constraints applied to generated messages. This includes specifying which message parts within the generated message must be digitally signed, and the message parts to attach digitally signed Nonce and time stamp elements to.
- Confidentiality
- Confidentiality constraints applied to generated messages. This includes specifying which message parts within the generated message must be encrypted, and the message parts to attach encrypted Nonce and time stamp elements to.
- Security Token
- Specifies stand-alone security tokens to insert into the generated message. Stand-alone security tokens are those not already used for signature or encryption. Standard and custom security tokens may be defined by URI and local name.
- Add time stamp
- When add time stamp is specified for a consumer, a time stamp is added indicating when the message was consumed. For a generator, a time stamp is added indicating when the message was generated.
- Properties
- General properties for the inbound WS-Security configuration.
Administrative console buttons Administrative console preference settings