Integration Server 10.11 | Web Services Developer’s Guide | Securing Web Services Using the WS-Security Facility | About the Integration Server WS-Security Facility | Message Security Options Supported by WS-Security Facility
 
Message Security Options Supported by WS-Security Facility
 
The following describes the principal categories of security options available with the Integration Server WS-Security facility, grouped by category:
Signature Options
A signature is a means of authenticating a message so that the recipient can be certain of the sender's identity and of the integrity of the message content. Signing a message involves computing a digest of the message and signing that digest with the sender's private key. To verify a signed message, the recipient recomputes the digest and checks the signature with the public key corresponding to the sender's private key, normally taken from the sender's X.509 certificate. The signature attributes that the WS-Security facility supports include the following:
*Allow a signature with an expired certificate (this relaxes certificate validation on inbound messages; enable it only as a deliberate exception, because it accepts certificates whose validity period has passed)
*Require the SOAP message body to be signed
*Authenticate the message with the signing certificate
The WS-Security facility does not support the following signature options:
*Selecting the algorithm to use in creating the message digest
*Selective or multiple signing of an outbound message
Encryption Options
The WS-Security implementation encrypts the SOAP message body for the recipient: the body is encrypted with a symmetric key, and that key is wrapped with the recipient's public key, so only the holder of the matching private key can unwrap it and decrypt the body. The encryption options that the WS-Security facility supports include the following:
*Select an encryption algorithm
*Select a key wrapping algorithm
*Require the SOAP body of inbound messages to be encrypted
The WS-Security facility does not support the following encryption options:
*The C14N canonicalization algorithm
*Selective or multiple encryption of an outbound message
*Encrypting outbound messages with a password
Security Timestamps
The WS-Security facility allows you to include a Timestamp element that specifies when the message was created and when it expires, as well as the precision of the time measurement. This element limits replay attacks, since inbound messages arriving after the expiration time are rejected. Two caveats apply: the Timestamp must be covered by the message signature, otherwise an attacker can simply rewrite it; and it only narrows the replay window, so a captured message can still be replayed until it expires unless the receiver also remembers the messages it has already processed.
Username and X.509 Certificate Tokens
The WS-Security facility allows you to use either of two WS-Security standard authentication token types for authenticating a web service request:
*Username. The web services consumer supplies a UsernameToken block to identify the requestor by username and a password sent as text (PasswordText) to authenticate that identity to the web services producer. Because the password travels in clear text inside the message, protect the transport (for example, with TLS) or encrypt the message, and use a Timestamp element specifying message expiration together with the UsernameToken so that a captured token cannot be reused indefinitely.
*X.509 Certificate Authentication. A binary security token that carries either a single certificate or a certificate path (chain) in X.509 format; the certificate's public key is what the recipient uses to verify the message signature.
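To make the Timestamp and UsernameToken behaviour above concrete, the following Python is an added example written for this page; it is not Integration Server's implementation and does not use any Integration Server API. It builds the consumer's SOAP request with a wsse:Security header carrying a wsu:Timestamp (Created/Expires) and a UsernameToken with a PasswordText password, then runs the producer-side checks: the Timestamp must be present and unexpired (with a small clock-skew allowance), and the credentials must match. The credential store, the account name, the `getQuote` payload and the optional `seen` cache are constructed for the example; the cache shows the caveat that a Timestamp alone only bounds the replay window, so an identical message inside that window is accepted unless the receiver remembers what it already processed. Signature verification is out of scope here.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs from the OASIS WS-Security 1.0 specifications.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # xsd:dateTime in UTC

# Constructed credential store for a hypothetical consumer account (example only).
CREDENTIALS = {"partner-app": "s3cret-example"}


def build_envelope(user, password, created, ttl_seconds=300, with_timestamp=True):
    """Consumer side: SOAP envelope whose wsse:Security header carries a
    wsu:Timestamp (Created/Expires) and a UsernameToken with PasswordText."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    if with_timestamp:
        ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp")
        ET.SubElement(ts, f"{{{WSU}}}Created").text = created.strftime(TIME_FMT)
        expires = created + timedelta(seconds=ttl_seconds)
        ET.SubElement(ts, f"{{{WSU}}}Expires").text = expires.strftime(TIME_FMT)
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": PASSWORD_TEXT}).text = password
    ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), "getQuote").text = "EXAMPLE"
    return ET.tostring(env, encoding="unicode")


def _parse_time(text):
    return datetime.strptime(text.strip(), TIME_FMT).replace(tzinfo=timezone.utc)


def validate(envelope_xml, now, skew=timedelta(seconds=60), seen=None):
    """Producer side: return (ok, reason). `now` is injected so the check is
    deterministic; `seen` is an optional set used to refuse exact replays."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return False, "no wsse:Security header"
    ts = sec.find("wsu:Timestamp", NS)
    if ts is None:
        return False, "Timestamp required but absent"
    created_txt = ts.findtext("wsu:Created", namespaces=NS)
    expires_txt = ts.findtext("wsu:Expires", namespaces=NS)
    if not created_txt or not expires_txt:
        return False, "Timestamp must carry Created and Expires"
    created, expires = _parse_time(created_txt), _parse_time(expires_txt)
    if created > now + skew:
        return False, "Timestamp Created lies in the future"
    if now > expires + skew:
        return False, "Timestamp expired"
    tok = sec.find("wsse:UsernameToken", NS)
    if tok is None:
        return False, "UsernameToken required but absent"
    pw = tok.find("wsse:Password", NS)
    if pw is None or pw.get("Type") != PASSWORD_TEXT:
        return False, "expected a PasswordText password"
    expected = CREDENTIALS.get(tok.findtext("wsse:Username", namespaces=NS) or "")
    if expected is None or not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
        return False, "unknown user or wrong password"
    if seen is not None:
        # A Timestamp only bounds the replay window; to refuse an identical
        # message inside that window the receiver must remember what it saw.
        key = hashlib.sha256(ET.tostring(sec)).hexdigest()
        if key in seen:
            return False, "replayed message"
        seen.add(key)
    return True, "ok"


def demo():
    """Run the checks on constructed messages; returns {label: accepted?}."""
    created = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    good = build_envelope("partner-app", "s3cret-example", created)
    no_ts = build_envelope("partner-app", "s3cret-example", created, with_timestamp=False)
    bad_pw = build_envelope("partner-app", "guess", created)
    cache = set()
    return {
        "fresh": validate(good, created + timedelta(seconds=10))[0],
        "expired": validate(good, created + timedelta(seconds=600))[0],
        "no_timestamp": validate(no_ts, created)[0],
        "bad_password": validate(bad_pw, created)[0],
        "replay_without_cache": validate(good, created + timedelta(seconds=20))[0],
        "first_with_cache": validate(good, created + timedelta(seconds=20), seen=cache)[0],
        "replay_with_cache": validate(good, created + timedelta(seconds=20), seen=cache)[0],
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:22s} {'accepted' if ok else 'rejected'}")
```

Running the block prints one line per case; note that `replay_without_cache` is accepted even though the message was seen earlier, which is exactly why the Timestamp should be signed and paired with transport protection for the clear-text password.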