What is WS-Security?
Web Services Security (WS-Security, WSS) is a specification of a transport-neutral mechanism or extension that allow web services to apply certain security. It is a member of the web service specifications and was published by OASIS.
Prerequisite is the SOAP web service client implementation using the concrete WSDL. In this blogpost I will be only describing the extension of the SOAP web service client implementation with WS-Security.
Please make sure that the “Trusted Certificates Folder” has been set properly and pointing towards the certificates that should be used. You can find this configuration as part of the SOAPRequestReply activity in your process.
Instead of pointing to a relative folder within the TIBCO project use a global variable called %%BW_GLOBAL_TRUSTED_CA_STORE%% which will point to an absolute path on your machine. This will give you all the flexibility on the production environment to replace the certificates in the future without having the hassle to rebuild the entire TIBCO project.
Within the TIBCO Designer the terminology “WS-Security” is however not explicitly used nor marked as a category, which can make it tricky or at least cumbersome to find a way to implement this functionality. Instead TIBCO has given it a more generic name “Security Policy”, which is of type shared configuration.
The Security Policy shared configuration resource specifies a security policy that can be used for inbound or outbound SOAP messages. The security policy can include any combination of the following characteristics:
Authentication — whether messages must be authenticated. Authentication can be performed either with usernames and passwords or by way of X.509 compliant certificates.
Integrity — whether messages must be validated with a signature to ensure the message has not been altered since its creation.
Confidentiality —whether messages should be encrypted or decrypted.
Timeout — whether messages should expire after a certain time.
For WS-Security (Oneway SSL, Password Digest) we use “Authentication” in combination with “Timeout”. Make sure to set the policy type to “Outbound” and create an identity in the TIBCO project for the credentials of the UserNameToken, which is to be used in the tab “Authentication”. Alternative is the use of X.509 compliant certificates. After that we set the “Timeout” to for example a value of 60.
We now finished the Security Policy shared configuration, this means all processes within this TIBCO project are able to apply this policy.
Now the only thing left is to associate or bind the Security Policy to a SOAPRequestReply activity within a process. Although we would expect this to be set within the actual SOAPRequestReply activity inside the process, we are not able to do this. Instead we need to create a “Policy Association”.
In this “Policy Association”, which is also of type shared configuration we can define the just created “Security Policy” and SOAPRequestReply activities to which this policy should be applied.
We now finished the Policy Association shared configuration, this means all SOAPRequestReply activities within this TIBCO project which have been binded using this Policy Association will make use of the Security Policy as defined in one of the previous steps.
We can start testing the SOAP web service client by simply invoking the SOAP web service client using a test process or test tool (like GreenHat Tester).
Add the following lines to your local designer.tra for testing and debugging purposes, this will show you the entire SOAP message including headers and namespaces. This way we can verify that the required WS-Security header and namespaces are present.
# Set debug mode for SOAP messages
If you do a test you will find out that the following header and namespaces have been added to the SOAP request:
<wsse:Security xmlns:wsse=”http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd” SOAP-ENV:mustUnderstand=”1″><wsse:UsernameToken> <wsse:Username>Username</wsse:Username><wsse:Password Type=”http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest”>PasswordDigest</wsse:Password><wsse:Nonce>Nonce</wsse:Nonce><wsu:Created xmlns:wsu=”http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd”>2015-03-12T10:33:56.176Z</wsu:Created></wsse:UsernameToken><wsu:Timestamp xmlns:wsu=”http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd”><wsu:Created>2015-03-12T10:33:56.145Z</wsu:Created><wsu:Expires>2015-03-12T10:34:56.145Z</wsu:Expires></wsu:Timestamp></wsse:Security>
This was my first blogpost, I hope you all enjoyed it!