Software AG Infrasructure 10.7 | Working with Web Services | Configuring Web Service Security | Setting Up Message-Level Security | Configuring the Server Side | Specifying Settings in the axis2.xml or services.xml File
 
Specifying Settings in the axis2.xml or services.xml File
1. Go to the Software AG_directory /profiles/CTP/workspace/wsstack/reposiroty/conf directory and open the axis2.xml file in a text editor.
2. You can enable keystore caching at the global level in this file by setting the cacheCryptoInstances parameter to true. Since the keystore configuration can be different for each message, the caching is executed per message. When a service is undeployed or stopped, cached keystores are removed.
3. When the sp:RequiredElements and sp:RequiredParts assertions are available in the security policy, they may not be resolved and validated properly. By default, when XPath expressions are handled in sp:RequiredElements assertion, the expressions are validated against the soap:Envelope element, instead of the soap:Header element. You can enable the change on the entire runtime in this file. Add these parameters:
<parameter name="enableRequiredElementsXPathCompatibility">true</parameter>
<parameter name="enableRequiredPartsValidation">true</parameter>
4. Open the services.xml file in a text editor.
5. You can enable keystore caching at the service, service group, or specific operation level in this file by setting the cacheCryptoInstances parameter to true. Since the keystore configuration can be different for each message, the caching is executed per message. When a service is undeployed or stopped, cached keystores are removed.
6. You can enable caching of initialized password callback handler classes to improve performance by setting the cachePasswordCallbackHandler parameter to true. The callback handler instance is always cached on the service instance and will be lost if the service is undeployed.
7. Depending on the security policy, the client may be required to send the token used for encryption signature within the message itself. In this case the server side does not need to have client certificates. However, Rampart still verifies whether the certificates are trustworthy, and it requires that at least the certificate of the issuer be present in the truststore. Therefore, you must instruct Rampart/WSS4J to use the client’s certificate. Set the encryptionUser parameter to useReqSigCert.
useReqSigCert is a special fictional encryption user recognized by the security module. In this case, the certificate that is used to verify your signature is also used for the encryption of the response. Therefore, it is possible to have only one configured encryption user for all clients that access the service.
8. When the sp:RequiredElements and sp:RequiredParts assertions are available in the security policy, they may not be resolved and validated properly. By default, when XPath expressions are handled in sp:RequiredElements assertion, the expressions are validated against the soap:Envelope element, instead of the soap:Header element. You can enable the change on a specific web service in this file. Add these parameters:
<parameter name="enableRequiredElementsXPathCompatibility">true</parameter>
<parameter name="enableRequiredPartsValidation">true</parameter>
9. You can enable or disable the WS-I Basic Profile compliance mode for your web services by setting the wsiBSPCompliant parameter to true (default) or false. For more information about the usage of the WS-I Basic Security Profile compliance mode, see WS-I Basic Profile.