Integration Server 10.15 | Web Services Developer’s Guide | WS-Security Certificate and Key Requirements | Overview
 
Overview
To sign a message, verify a signature of a signed message, encrypt a message, or decrypt a message, Integration Server requires access to the appropriate certificates and keys. For more information, see Certificate and Key Requirements for WS-Security.
Unlike SSL, a SOAP conversation has no mechanism to automatically exchange public keys. The consumer and provider web services have access to or possess copies of the keys needed to authenticate message requests and responses.
Integration Server searches for the certificates and keys in a certain order, called the resolution order. As a result, you need to place the certificates and keys in the proper locations, based on the resolution order, so that Integration Server uses the certificates and keys that you want when performing WS-Security functions, for example, signing a message.
Integration Server determines the certificates and keys that it uses to enforce a policy assertion by considering both how WS-Security is applied to the web service provider or consumer and the run-time resolution orders of certificates and keys for policy selections.
When an outbound message is sent or an inbound message is received, and a policy assertion is invoked, a search for a certificate or key is initiated. The search follows a fixed sequence based on the type of policy assertion, whether the web service is a provider or consumer, and a number of other factors.
After the certificate or key is found, the search ends. The resolved key or certificate is loaded and used for the policy assertion. The process is repeated for each policy assertion, attribute, or value setting within a message that requires certificate or key resolution. When the next message is sent or received, the process begins again, and it repeats for each outgoing or incoming message.