NonStop SOAP 4.1 User's Manual

4. Timestamps
Allows a timestamp to be added to each SOAP message so that the server can verify that the
message is still valid.
5. Username Tokens
NonStop SOAP 4 can send and verify username tokens that carry a username and either a
plaintext password or a digested password.
6. Protection Orders
NonStop SOAP 4 supports encrypt before signing and sign before encrypting.
7. Extensible Modules
NonStop SOAP 4 supports a password provider module and an authentication module.
8. Keys Management
NonStop SOAP 4 supports the X.509 token profile and the following key management techniques:
key identifiers, thumbprints, issuer/serial pairs, embedded tokens, and direct references.
NOTE: Fault messages cannot be secured.
Securing a NonStop SOAP 4 Service
You can use the following steps to secure a NonStop SOAP 4 service:
1. Setting up the key store
To sign or encrypt messages in either direction, both the client and the service must possess
public-private key pairs. If you are going to secure your service with XML signature or encryption
techniques, you must have the X.509 certificates. For testing your service in a development
environment, you can either create the X.509 certificate yourself by using the required tools,
such as OpenSSL, or you can use the certificates that are shipped with the sample programs.
You must obtain the certificates from a Certification Authority when the services are secured in
the production environment.
2. Writing the password provider
The Rampart module uses a password provider library to authenticate username tokens
and to retrieve the private key used to sign SOAP messages. Each private key has a password
associated with it; to retrieve the private key, you must provide the password of the relevant
key. The sample password provider included in the sample program reads the password for the
username or private key from a flat file. You can change the sample password provider to
retrieve the passwords from a database, an LDAP server, or any other storage by writing the
relevant password retrieval logic.
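The following is an added example, not code from the manual or from the Rampart module, showing the two jobs a password provider does for username tokens: look up a password for a username from a flat file, and let the service recompute a digested password for comparison. The flat-file format (one "username:password" pair per line), the user names and passwords, and the five-minute freshness window are assumptions made for the example; the digest formula, Base64(SHA-1(nonce + created + password)), is the one defined by the WS-Security UsernameToken Profile, which is the digested-password form listed under Username Tokens above.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed sample of the flat file a password provider might read.
# Hypothetical format: one "username:password" pair per line.
PASSWORD_FILE_TEXT = """# constructed sample, not a real credential store
alice:s3cret-alice
bob:s3cret-bob
"""

# Fixed clock values so the example and its checks are deterministic.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + timedelta(hours=1)


def load_password_store(text):
    """Parse the flat file into a dict; blank lines and '#' comments are ignored."""
    store = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, password = line.partition(":")
        store[user] = password
    return store


STORE = load_password_store(PASSWORD_FILE_TEXT)


def provide_password(store, username):
    """Password provider callback: return the password for username, or None if unknown."""
    return store.get(username)


def password_digest(password, nonce, created):
    """UsernameToken Profile digest: Base64(SHA-1(nonce + created + password))."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def build_username_token(username, password, now=None):
    """Client side: produce the element values that go into wsse:UsernameToken."""
    now = now or datetime.now(timezone.utc)
    nonce = os.urandom(16)  # fresh random nonce per token
    created = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(password, nonce, created),
    }


def verify_username_token(store, token, now=None, max_age=timedelta(minutes=5)):
    """Service side: fetch the password via the provider, recompute the digest, compare."""
    now = now or datetime.now(timezone.utc)
    password = provide_password(store, token["Username"])
    if password is None:
        return False
    created = datetime.strptime(token["Created"], "%Y-%m-%dT%H:%M:%SZ")
    created = created.replace(tzinfo=timezone.utc)
    # Reject stale or future-dated tokens; a nonce cache would additionally block replays.
    if not (now - max_age <= created <= now + max_age):
        return False
    expected = password_digest(password, base64.b64decode(token["Nonce"]), token["Created"])
    # Constant-time comparison so the check does not leak how many characters matched.
    return hmac.compare_digest(expected, token["PasswordDigest"])


if __name__ == "__main__":
    token = build_username_token("alice", "s3cret-alice", now=SAMPLE_NOW)
    print("valid token accepted:", verify_username_token(STORE, token, now=SAMPLE_NOW))
    print("same token an hour later:", verify_username_token(STORE, token, now=SAMPLE_LATER))
```

Swapping `load_password_store` for a database or LDAP lookup changes only `provide_password`; the verification logic stays the same, which is the point of keeping the provider separate from the token handling.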
3. Constructing the security policy
In NonStop SOAP 4, a policy-based configuration approach is followed to configure
security. You must construct a suitable security policy using WS-SecurityPolicy 1.1 to define
the security requirements of the Web service. WS-SecurityPolicy 1.1 is built on top of the WS-Policy
framework and defines a set of policy assertions that can be used to define individual security
requirements or constraints. The individual policy assertions can be combined by using the policy
operators defined in the WS-Policy framework to create security policies that can be used to
secure messages exchanged between a Web service and a client. You can use the security
policies defined in the sample services.xml or policy.xml as a template to build your
own policies. For more information on the sample programs, see “Sample Programs” (page 279).
The complete specification of WS-SecurityPolicy can be found at
http://specs.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.pdf.
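The following is an added example of a WS-SecurityPolicy 1.1 policy, not one of the sample policies shipped with NonStop SOAP 4, written to show how the assertions combine into the requirements described on this page: a timestamp, X.509 tokens for both parties, a sign-before-encrypt protection order, and the key-reference types (key identifier, issuer/serial, embedded token) the service must accept. The policy name `SignEncryptWithTimestamp` and the choice of `Basic256Rsa15` are assumptions; any product-specific elements that the sample services.xml or policy.xml carries alongside the standard assertions must be taken from those files.

```xml
<wsp:Policy wsu:Id="SignEncryptWithTimestamp"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- Both sides sign and encrypt with their own X.509 key pairs -->
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <!-- Client certificate travels with the request so the service can verify the signature -->
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <!-- Service certificate is already in the client's key store, so it is never sent -->
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256Rsa15/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <!-- Timestamp requirement from item 4 above -->
          <sp:IncludeTimestamp/>
          <!-- Protection order from item 6 above; replace with sp:EncryptBeforeSigning to reverse it -->
          <sp:SignBeforeEncrypting/>
          <!-- Encrypt the signature too, so the signed digests do not reveal plaintext structure -->
          <sp:EncryptSignature/>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <!-- Which parts of the message the protection applies to -->
      <sp:SignedParts>
        <sp:Body/>
      </sp:SignedParts>
      <sp:EncryptedParts>
        <sp:Body/>
      </sp:EncryptedParts>
      <!-- Key-reference forms from item 8 above that the service must accept -->
      <sp:Wss10>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
          <sp:MustSupportRefEmbeddedToken/>
        </wsp:Policy>
      </sp:Wss10>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```

Because the policy sits inside `wsp:ExactlyOne`/`wsp:All`, every assertion in the block must be satisfied by a message for it to be accepted; a second `wsp:All` branch could be added to offer an alternative (for example a username token over a transport binding), and the client then has to satisfy at least one complete branch.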
274 WS–Security in NonStop SOAP 4