Creating Security Policy Activity for Web Services

Web services expose crucial business information online, so their security is critical for the business. You can secure a web service by using the Security Policy activity. We recommend that you create an appropriate security policy before you publish your web service using the Web Service Provider activity.

To create a security policy activity:

  1. Go to Develop > Services > Web Services > Security Policy.

  2. Click Create New.

  3. On the New Security Policy window, under Standard Properties, type the name and description of the new Security Policy in the Name and Description text boxes.
  4. Select the type of security policy that you want to use in the Security Policy Type field.

    If you select WS Consumer or HTTP Source as the security policy type, a new category, SSL Properties, is added to the existing categories.

    Select HTTP Source to create a security policy that you can link while creating a Web Service Consumer or HTTP Source activity.

    The categories that are displayed differ depending on the security policy type that you select.

  5. Expand Authentication Properties and do the following:

    1. Select the Authentication check box.
    2. Select the type of authentication from the Authentication Type drop-down list box.

      The following table lists the authentication types available for each security policy type:

      Web Services User Type    Authentication Type
      WS Provider               API Key, Basic, Kerberos
      WS Consumer               Basic, Kerberos
      HTTP Source               Basic, Kerberos

      API Key Authentication

      1. Select API Key from the Authentication Type drop-down list box.

      2. Select the API key mode from the API Key Mode drop-down list box. The available options are Header and Query Param:
         • Header: Select this option to provide the API key in an Authorization header.
         • Query Param: Select this option to pass the API key as a query parameter.

      3. Type the key parameter(s) required for the authentication in the Key Parameters table. Use Add Row and Remove Row to add or remove Key Parameters.

        After you have published an API with API Key authentication for a consumer to access, the values of the API keys provided by the consumer are set as context variables in the process flow. You must implement the mechanism that validates these values within the process flow; for example, you can write custom code or compare the values against those stored in a database.
        The API Key authentication feature is available only in Adeptia Suite 6.3 Maintenance Patch and later versions. You cannot use API Key authentication for web services created in any earlier version of Adeptia Suite.
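The validation of the API key is left to the process flow. The following is an added example, not Adeptia code, of one way to perform that check: issued keys are stored only as SHA-256 hashes and the presented key is compared in constant time. The context-variable name, the key values and the consumer names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for the process-flow context after a consumer call.
# The variable name is an assumption for illustration, not Adeptia's
# documented context-variable name. Prefer Header mode over Query Param:
# a key in the URL ends up in proxy and access logs.
CONTEXT = {"Service.OrderAPI_Policy.x-api-key": "k_3f9a1c7e2b5d4806"}

def hash_key(key: str) -> str:
    # Store only a hash, so a leaked key table does not yield usable keys.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()

def issue_key(store: Dict[str, str], consumer: str) -> str:
    """Generate a random key for `consumer`, record its hash, return the plaintext once."""
    key = "k_" + secrets.token_hex(8)
    store[hash_key(key)] = consumer
    return key

def validate_api_key(context: Dict[str, str], variable: str,
                     store: Dict[str, str]) -> Optional[str]:
    """Return the consumer that owns the presented key, or None if it is not valid.

    The presented key is hashed and compared against every stored hash with
    hmac.compare_digest, so neither an early exit nor a character-by-character
    mismatch reveals anything about valid keys.
    """
    presented = context.get(variable, "")
    if not presented:
        return None
    digest = hash_key(presented)
    owner = None
    for stored_hash, consumer in store.items():
        if hmac.compare_digest(digest, stored_hash):
            owner = consumer
    return owner

# Constructed key table: the consumer whose key appears in CONTEXT plus one more.
KEY_STORE = {hash_key("k_3f9a1c7e2b5d4806"): "consumer-a"}
issue_key(KEY_STORE, "consumer-b")
```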

        Basic Authentication

        1. Select Basic from the Authentication Type drop-down list box.

        2. In Authentication Mode, select one of the following two options:

           Single User (Default)

           If you want the credentials to be validated for a single user (a fixed user name and password), select Single User. This option is selected by default.

          Type the username and password in the User ID and Password text boxes respectively.

          Note: You can override the User ID and Password defined in the security policy activity for authentication. To override them, define the following variables in the process flow context:

          • Service.entityName.userID
          • Service.entityName.password

          Here, entityName is the name of the security policy activity that is used in the web service consumer activity of SOAP type.

           Multiple Users

          If you want to validate the credentials of all Adeptia DB users or LDAP users, select Multiple Users from the drop-down list.

          In the User Store drop-down list, select either Application User (to validate the credentials of all Adeptia DB users) or LDAP Users.

          Based on the User Store that you selected, the Select Group(s) multi-select drop-down list is populated.

          If Application User is selected in User Store, the Select Group(s) field is populated with all the existing groups in the Adeptia database. If LDAP User is selected, all existing groups in the LDAP directory are listed.

          Note: In this multi-select drop-down list, you can choose more than one group. However, if 'All Groups' is selected, you cannot select any other option.

        3. The Authenticate Preemptively feature is available only when you create a Web Service Consumer or HTTP Source activity. Select the Authenticate Preemptively check box if you want to send the credentials to the server without waiting for it to request them.

        Kerberos Authentication

        1. Select Kerberos from the Authentication Type drop-down list box.

        2. Type the name of your Kerberos Login Module. For more information, refer to Kerberos Authentication.

  6. Expand SSL Properties and do the following:

    1. Select the SSL check box.
    2. From the Truststore Name drop-down list box, select the truststore activity into which you have imported the server's certificate.
    3. From the Keystore Name drop-down list box, select the Keystore activity that contains your certificate. For more information, refer to Creating Keystore and Truststore.
    4. From the Alias drop-down list box, select the alias of the keystore entry that you want to present to the server for authentication.

      If you do not select a keystore or truststore, the security policy uses the keystore and truststore defined at the global level in SSL Configuration.

      To view the global-level SSL Configuration properties, go to the Administer tab, then Setup > Application Settings > Update System Properties > Services > SSL Configuration.

  7. Expand Outgoing Message Properties to define message-level security (WS-Security) for the outgoing message.
    1. Select the Signature check box to configure signatures.
    2. Select the keystore to use from the KeyStore drop-down list box. For information on how to create a Keystore, refer to Creating Keystore.
    3. Type the alias name in the Alias text box. This must be the same as the Alias in the Keystore.
    4. Select the Include Time Stamp check box to include the time stamp.
    5. Select the identifier type from the Key Identifier Type drop-down list box. The available options are Binary Security Token, Issuer Name Serial Number, Subject Key Identifier, or X509 Certificate.
    6. Select the algorithm from the Signature Algorithm drop-down list box. This must be the same as the Key Algorithm field in the Keystore.
    7. Select the canonicalization from the Signature Canonicalization drop-down list box.
    8. Define the parts that you want to sign in the Parts table. Type the name and its namespace in the Name and Namespace text boxes respectively. The table allows you to sign only subsets of the message content by specifying the name or namespace of the element (if left empty, the Security Policy signs the entire message). Select whether you want to sign the Content or the Element from the Encode drop-down list box.

      If you do not define any part, the Security Policy signs the whole message.

    9. Select the Encryption check box to encrypt outgoing message content.
    10. Select the keystore to use, along with the alias and password, from the Keystore drop-down list box. When using encryption, select a keystore with the RSA key algorithm only.
    11. Type the alias name in the Alias text box. This must be the same as the Alias in the Keystore.
    12. Select the identifier type from the Key Identifier Type drop-down list box. The available options are Binary Security Token, Issuer Name Serial Number, Subject Key Identifier, or X509 Certificate.
    13. Select the algorithm from the Key Encryption Algorithm drop-down list box.
    14. Define the parts you want to encrypt in the Parts table. Type the name and its namespace in the Name and Namespace text boxes respectively. Select whether you want to encrypt the Content or the Element from the Encode drop-down list box.
    15. Select the User Name Token check box.
    16. Add a Username/Password token to the outgoing message. Specify the username and password to use and whether you want to add a nonce. The Password Type drop-down list box offers options for how the password is serialized in the message.
    17. Select the Time Stamp check box.
    18. To add a time stamp to the outgoing message, select the Time Stamp check box and set the time (in seconds) in the Time To Live text box.
    19. Provide the sequence for the outgoing message in the Message Outgoing Sequence text box.

  8. Expand Incoming Message Properties to define message-level security (WS-Security) for the incoming message.
    1. Select the Incoming Message check box to continue.
    2. Select the Signature check box to configure signatures.
    3. Select the keystore to use from the KeyStore drop-down list box. For information on how to create a Keystore, refer to Creating Keystore.
    4. Select the Include Time Stamp check box to include the time stamp.
    5. Define the parts that you want signed in the Parts table. Type the name and its namespace in the Name and Namespace text boxes respectively. The table allows you to cover only subsets of the message content by specifying the name or namespace of the element (if left empty, the Security Policy applies the signature to the entire message). Select whether you want to sign the Content or the Element from the Encode drop-down list box.
    6. Select the Encryption Required check box if incoming message content must be encrypted.
    7. Select the keystore to use, along with the alias and password, from the Decryption Keystore drop-down list box. When using encryption, select a keystore with the RSA key algorithm only.
    8. Define the parts that you want encrypted in the Parts table. Type the name and its namespace in the Name and Namespace text boxes respectively. Select whether you want to encrypt the Content or the Element from the Encode drop-down list box.
    9. Select the User Token Required check box.
    10. Specify the username and password of the Username/Password token in the incoming message and whether a nonce is required. The Password Type drop-down list box offers options for how the password is serialized in the message.
    11. Select the Time Stamp Required check box.
    12. Select the sequence for the incoming message in the Message Ingoing Sequence text box.

  9. Click Save.

    If you select the Incoming Message check box without specifying the Signature Required and Encryption Required properties, the system by default uses the SSL Configuration properties defined in the Update System Properties section.
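As an added example (not part of this page or of Adeptia's implementation), the following shows what the Username/Password token with a nonce and time stamp from steps 7 and 8 means on the wire and what the receiving side checks when User Token Required and Time Stamp Required are set. The PasswordDigest form defined by the WS-Security UsernameToken Profile is Base64(SHA-1(nonce + created + password)); the PasswordText form would instead carry the password in clear inside the message. The user names, passwords and TIME_TO_LIVE value are constructed.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

WSU_FMT = "%Y-%m-%dT%H:%M:%SZ"   # wsu:Created format
TIME_TO_LIVE = 300               # seconds, the role of the Time To Live setting

def make_username_token(username, password, now):
    """Sender side: UsernameToken fields with a fresh nonce and PasswordDigest."""
    nonce = secrets.token_bytes(16)
    created = now.strftime(WSU_FMT)
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created, "PasswordDigest": base64.b64encode(digest).decode()}

class UsernameTokenVerifier:
    """Receiver side: the checks that User Token Required / Time Stamp Required imply."""
    def __init__(self, users, ttl=TIME_TO_LIVE):
        self.users = users        # username -> password, constructed sample store
        self.ttl = ttl
        self.seen_nonces = set()  # replay cache; in practice pruned after ttl

    def verify(self, token, now):
        password = self.users.get(token.get("Username"))
        if password is None:
            return False
        created = datetime.strptime(token["Created"], WSU_FMT).replace(tzinfo=timezone.utc)
        if not (now - timedelta(seconds=self.ttl) <= created <= now + timedelta(seconds=60)):
            return False  # stale or future-dated: rejected before the digest is checked
        nonce = base64.b64decode(token["Nonce"])
        if nonce in self.seen_nonces:
            return False  # replayed nonce
        expected = hashlib.sha1(nonce + token["Created"].encode() + password.encode()).digest()
        if not hmac.compare_digest(expected, base64.b64decode(token["PasswordDigest"])):
            return False
        self.seen_nonces.add(nonce)
        return True

def demo():
    """Fresh, replayed, stale and wrong-password tokens; returns the four verdicts."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    verifier = UsernameTokenVerifier({"svc_user": "correct horse"})
    token = make_username_token("svc_user", "correct horse", now)
    fresh = verifier.verify(token, now)
    replayed = verifier.verify(token, now + timedelta(seconds=5))
    stale = verifier.verify(make_username_token("svc_user", "correct horse", now),
                            now + timedelta(seconds=TIME_TO_LIVE + 1))
    bad_pw = verifier.verify(make_username_token("svc_user", "wrong", now), now)
    return fresh, replayed, stale, bad_pw
```

Only the first verdict is True: the same token presented again, a token older than Time To Live, and a token built with the wrong password are all rejected.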