Integration Server 10.3 | Web Services Developer’s Guide | Securing Web Services Using WS-SecurityPolicy | Policies Based on WS-SecurityPolicy that Integration Server Provides | Username_Signature_Encryption
 
Username_Signature_Encryption
The Username_Signature_Encryption policy uses a Username token for client authentication, symmetric binding to sign messages (message integrity) and to encrypt messages (message confidentiality), and a Timestamp token to guard against replay attacks. Because the policy uses symmetric binding, the client that sends the request does not need a private key of its own. Instead, the client generates a symmetric key, uses it to sign and encrypt the message, and sends it to the provider encrypted with the provider's public key (taken from the server certificate). The provider therefore does need the matching private key to recover the symmetric key, and the same symmetric key protects the response.
When the policy is attached to a consumer web service descriptor

Outbound request. To enforce the policy, Integration Server:
* Adds an encrypted Username token to the security header. Integration Server uses the user name provided on the endpoint alias or the one passed into the connector, and encrypts the Username token using the symmetric key.
* Adds a signed Timestamp token to the security header. Integration Server determines the timestamp expiration to specify using the WS Security Properties of the endpoint alias or the watt.server.ws.security server configuration parameters. For more information, see webMethods Integration Server Administrator's Guide. Integration Server signs the Timestamp token using the symmetric key.
* Signs the SOAP body of the outbound request message using the symmetric key.
* Encrypts the SOAP body of the outbound request message using the symmetric key.
* Encrypts the symmetric key that it generated using the server certificate (the provider's public key) and adds the encrypted key to the security header.
For details about how Integration Server determines the user name to use in the Username token and the server certificate to use for encrypting the symmetric key, see Web Service Consumer: Request (Outbound Security) Detailed Usage and Resolution Order.

Inbound response. To enforce the policy, Integration Server:
* Requires a signed Timestamp token in the security header, which Integration Server validates to guard against replay attacks.
* Requires that the SOAP body of the inbound response be signed, and verifies the signature using the symmetric key it generated for the request.
* Requires that the SOAP body of the inbound response be encrypted, and decrypts the SOAP body using the symmetric key it generated for the request.

When the policy is attached to a provider web service descriptor

Inbound request. To enforce the policy, Integration Server:
* Requires that the symmetric key generated by the client be present in the security header. The client encrypts the symmetric key using the Integration Server public key before adding it to the header.
* Requires a Username token in the security header. Integration Server authenticates the sender of the inbound request message using the user name supplied in the Username token. Because the policy encrypts the Username token with the symmetric key, Integration Server must recover that key before it can read the user name.
* Requires a signed Timestamp token in the security header, which Integration Server validates to guard against replay attacks.
* Requires that the SOAP body of the inbound request be signed using the symmetric key. Integration Server verifies the signature using the symmetric key.
* Requires that the SOAP body of the inbound request be encrypted using the symmetric key. Integration Server decrypts the SOAP body using the symmetric key.
To obtain the symmetric key that it uses for verifying the signature and decrypting the Username token and the SOAP body, Integration Server decrypts the symmetric key in the security header using its private key. For the resolution order that Integration Server uses to determine the private key for decrypting the symmetric key, see Web Service Provider: Request (Inbound Security) Detailed Usage and Resolution Order.

Outbound response. To enforce the policy, Integration Server:
* Adds a signed Timestamp token to the security header. Integration Server determines the timestamp expiration to specify using the WS Security Properties of the endpoint alias or the watt.server.ws.security server configuration parameters. For more information, see webMethods Integration Server Administrator's Guide. Integration Server signs the Timestamp token using the symmetric key that the client generated.
* Signs the SOAP body of the outbound response message using the symmetric key that the client generated.
* Encrypts the SOAP body of the outbound response message using the symmetric key that the client generated.
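The key flow described above, modelled end to end as an added example in Go. This is not Integration Server code and it does not produce the SOAP/XML wire format: the WS-Security tokens become struct fields, XML Signature is replaced by HMAC-SHA256, XML Encryption by AES-256-GCM, and the key transport by RSA-OAEP (all of these are this example's assumptions, as are the names Message, BuildRequest, ProcessRequest, Protect and Verify and the ttl/skew parameters). The consumer generates the symmetric key, wraps it for the provider, encrypts the Username token, and signs and encrypts the body together with a Timestamp; the provider unwraps the key with its private key, verifies and decrypts, recovers the user name to authenticate, and protects the response with the same key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"time"
)

// Message stands in for a SOAP envelope with a WS-Security header; the real XML wire format is not produced.
type Message struct {
	EncryptedKey      []byte    // client key wrapped with the provider's RSA public key (request only)
	EncryptedUsername []byte    // Username token, AES-GCM under the symmetric key (request only)
	Created, Expires  time.Time // Timestamp token
	Signature         []byte    // HMAC-SHA256 over the Timestamp token and the plaintext body
	EncryptedBody     []byte    // SOAP body, AES-GCM under the symmetric key
}

func must[T any](v T, err error) T { // only a bad key length (programmer error) or a dead CSPRNG can trip this
	if err != nil {
		panic(err)
	}
	return v
}
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func sig(key []byte, created, expires time.Time, body []byte) []byte { // HMAC-SHA256 over Timestamp token, then body
	m := hmac.New(sha256.New, key)
	m.Write([]byte(created.UTC().Format(time.RFC3339Nano) + "|" + expires.UTC().Format(time.RFC3339Nano) + "|"))
	m.Write(body)
	return m.Sum(nil)
}

func seal(key, pt []byte) []byte { // AES-256-GCM with a fresh random nonce, prefixed to the ciphertext
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// Protect signs Timestamp token and body, then encrypts the body; the provider calls it for the response too.
func Protect(key, body []byte, now time.Time, ttl time.Duration) *Message {
	exp := now.Add(ttl)
	return &Message{Created: now, Expires: exp, EncryptedBody: seal(key, body), Signature: sig(key, now, exp, body)}
}

// Verify decrypts the body, checks the signature, then rejects expired or too-far-future Timestamps.
func Verify(key []byte, msg *Message, now time.Time, skew time.Duration) ([]byte, error) {
	body, err := open(key, msg.EncryptedBody)
	switch {
	case err != nil:
		return nil, err
	case !hmac.Equal(msg.Signature, sig(key, msg.Created, msg.Expires, body)):
		return nil, errors.New("signature verification failed")
	case now.After(msg.Expires) || msg.Created.After(now.Add(skew)):
		return nil, errors.New("timestamp expired or not yet valid")
	}
	return body, nil
}

// BuildRequest is the consumer's outbound step; the key is returned because the consumer needs it for the response.
func BuildRequest(pub *rsa.PublicKey, user string, body []byte, now time.Time, ttl time.Duration) (*Message, []byte, error) {
	key := make([]byte, 32) // AES-256 key, generated by the client for this exchange
	must(rand.Read(key))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, nil, err
	}
	msg := Protect(key, body, now, ttl)
	msg.EncryptedKey, msg.EncryptedUsername = wrapped, seal(key, []byte(user))
	return msg, key, nil
}

// ProcessRequest is the provider's inbound step: unwrap the key, verify and decrypt, recover the user name.
func ProcessRequest(priv *rsa.PrivateKey, msg *Message, now time.Time, skew time.Duration) (string, []byte, []byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, msg.EncryptedKey, nil)
	if err != nil || len(key) != 32 { // anyone holding the public key can wrap arbitrary bytes
		return "", nil, nil, errors.New("cannot unwrap a valid symmetric key")
	}
	body, err := Verify(key, msg, now, skew)
	if err != nil {
		return "", nil, nil, err
	}
	user, err := open(key, msg.EncryptedUsername)
	if err != nil {
		return "", nil, nil, err
	}
	return string(user), body, key, nil
}
```

For the response the provider calls Protect with the key it recovered in ProcessRequest and the consumer calls Verify with the key BuildRequest returned, which is why no second key exchange appears. Two points the policy description does not spell out: a signed Timestamp only bounds a replay to its validity window (the window Integration Server sets from the WS Security Properties or the watt.server.ws.security parameters), so anything replayed inside that window passes the Timestamp check and the window should be kept short; and the length check on the unwrapped key matters because the provider's certificate is public, so any party can wrap bytes of its choosing for the provider to decrypt.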