Integration Server 10.3 | Web Services Developer’s Guide | Securing Web Services Using WS-SecurityPolicy | Policies Based on WS-SecurityPolicy that Integration Server Provides | X509Authentication_Signature_Encryption
 
X509Authentication_Signature_Encryption
The X509Authentication_Signature_Encryption policy uses X509 certificates to provide client authentication, uses asymmetric binding to sign messages to ensure message integrity, uses asymmetric binding to encrypt messages to ensure message confidentiality, and includes a Timestamp token to guard against replay attacks.
When the policy is attached to:
Message type
To enforce the policy, Integration Server...
Consumer web service descriptor
outbound request
*Adds an X509 token to the security header.
*Adds a signed Timestamp token to the security header. Integration Server determines the timestamp expiration date to specify using the WS Security Properties of the endpoint alias or by using watt.server.ws.security server configuration parameters. For more information, see webMethods Integration Server Administrator’s Guide. Integration Server signs the Timestamp token using the its private key.
*Signs the SOAP body of the outbound request message its private key.
*Encrypts the SOAP body of the outbound request message using the server’s certificate.
For details about how Integration Server determines the certificate to use in the X509 token, the private key to use for signing, and the certificate to use for encrypting, see Web Service Consumer: Request (Outbound Security) Detailed Usage and Resolution Order.
inbound response
*Requires a signed Timestamp token, which Integration Server validates to ensure against replay attacks.
*Requires that the SOAP body of the inbound response be signed and verifies the signature.
*Requires that the SOAP body of the inbound response be encrypted and decrypts the message.
For details about how Integration Server determines the certificate to use for verification and the private key to use for decryption, see Web Service Consumer: Response (Inbound Security) Detailed Usage and Resolution Order.
Provider web service descriptor
inbound request
*Requires an X509 token in the security header. Integration Server authenticates the sender of the inbound request using the X.509 certificate from the security header of the inbound request.
*Requires a signed Timestamp token in the security header, which Integration Server validates to ensure against replay attacks.
*Requires that the SOAP body of the inbound request message be signed and verifies the signature.
*Requires that the SOAP body of the inbound request message be encrypted and decrypts the SOAP body.
For details about how Integration Server determines the certificate to use for verification and the private key to use for decryption, see Web Service Provider: Request (Inbound Security) Detailed Usage and Resolution Order.
outbound response
*Adds a signed Timestamp token to the security header. Integration Server determines the timestamp expiration date to specify using the WS Security Properties of the endpoint alias or by using watt.server.ws.security server configuration parameters. For more information, see webMethods Integration Server Administrator’s Guide. Integration Server signs the Timestamp token using the its private key.
*Signs the SOAP body of the outbound response message using its private key.
*Encrypts he SOAP body of the outbound response message using the server’s certificate.
For details about how Integration Server determines the private key to use for signing and the certificate to use for encryption, see Web Service Provider: Response (Outbound Security) Detailed Usage and Resolution Order.