Creating Security Policy Activity for Web Services

Web services expose crucial business information online, hence their security is critical for the business. You can secure a web service by using Security Policy activity. We recommend you to create an appropriate security policy before you publish your web service using the Web Service Provider activity. 

To create a security policy activity:

  1. Click Configure > WEB SERVICES > Security Policy.

  2. Click Create Security Policy

  3. On the Create Security Policy window, in the Standard Properties, type the name and description of the new Security Policy in the Name and Description text boxes.



  4. Select the type of security policy that you want to use in the Security Policy Type.

    If you select WS Consumer as a security policy, a new category SSL Properties gets added to the existing categories.

    Depending upon the selection of the security policy, the categories differ.

     

  5. Expand Authentication Properties and do the following:



    1. Select Authentication check box.
    2. Select the type of authentication from the Authentication Type drop-down list box.

      Following table gives you types of authentication available for security policies:

      Web Services User Type

      Authentication Type

      WS Provider
      • API Key
      • Basic 
      • Kerberos
      WS Consumer
      • Basic
      • Kerberos
      • OAuth


      API Authentication

      1. Select API Key from Authentication Type drop-down list box.



      2. Select API mode from API Key Mode. The available options are Header and Query Param
        Header: Select this option to provide API key as an Authorization Header.
        Query Param: Select this option to pass API key as a query parameter. 



      3. Type the key parameter(s) required for the authentication in the Key Parameters table. Use Add Row/Remove Row to add or remove Key Parameters.

        After you have published an API with API authentication for a consumer to access, the value of the API keys provided by the consumer is set as a context variable in the process flow. You will have to implement the mechanism to validate these values within the process flow. For example, you can write a custom code or compare the values in the database.

      Basic Authentication

      1. Select Basic from Authentication Type drop-down list box.


      2. In Authentication Mode select one of the two options:

         Single User (Default)

         If you want the credentials to get validated for a single user (Fixed User name and Password), select Single User. This option is selected by default.

        Type the username and password in the User ID and Password text boxes respectively.

        Note: You can override the UserID and Password defined in the security policy activity for authentication. To override, you need to define the following variables in the process flow context:

        • Service.entityName.userID
        • Service.entityName.password

        Here, entityName is security policy activity name that is used in the web service consumer activity of SOAP type.

         Multiple Users

        If you want to validate the credentials for all Adeptia DB Users or LDAP Users, select Multiple User from the drop down.

        In the User Store drop-down list, select either Application User (if you want to validate the credentials of all Adeptia DB Users) or LDAP Users.

        Based on the User Store selection, Select Group(s) field gets populated.

        If Application User is selected in User Store, the Select Group(s) field will get populated with all the existing groups in Adeptia Database. Else if LDAP User is selected in User Store drop down, all existing groups in LDAP Directory will be listed.

        Info: In this multi select drop down, you can chose more than one group. However, if 'All Groups' is selected, you cannot select any other option.

      3. Authenticate Preemptively feature is available only while creating Web Service Consumer activity. Select the Authenticate Preemptively check box, if you want to send the credentials to a server without any request from it.

      Kerberos Authentication

      1. Select Kerberos from Authentication Type drop-down list box.

      2. Type the name of your Kerberos Login Module. For more information, refer to Kerberos Authentication.

      OAuth Authentication

      1. Select OAuth from Authentication Type drop-down list box.

      2. Select the OAuth Account from the OAuth Account drop-down list. For more information, refer to OAuth Authentication.

  6. Expand SSL Properties and do the following:


    1. Select SSL check box.
    2. Select the truststore activity in which you have imported the certificate of the server from the Truststore Name drop-down list box. 
    3. Select the Keystore activity that contains your certificate from the Keystore Name drop-down list box. 
    4. Select the alias name of the keystore which you want to pass to the server for authentication from the Alias drop-down list box.

      If you do not select a keystore/truststore then security policy uses keystore/truststore defined at a global level within SSL Configuration.

      To view the global Level SSL Configuration properties, go to Administer tab of Adeptia Suite, Configure > Developer Studio > ProceedAdminister> Setup > Application Settings > Update System Properties > Services > SSL Configuration.

  7. Expand Outgoing Message Properties to define message level security (WS-Security) for outgoing message. 



    1. Select Signature check box to configure signatures.
    2. Select the keystore to use from the KeyStore drop-down list box. 
    3. Type the alias name in the Alias text box. This should be same as in the Alias in the Keystore.
    4. Select Include Time Stamp check box to include the time stamp.
    5. Select the identifier type from the Key Identifier Type drop-down list box. The available options are Binary Security Token, Issuer Name Serial Number, Subject Key Identifier, or X509 Certificate.
    6. Select the algorithm from the Signature Algorithm drop-down list box. This should be same as in the Key Algorithm field in the Keystore.
    7. Select the canonicalization from the Signature Canonicalization drop-down list box.
    8. Define the parts that you want to sign in the Parts table. Type the name and its namespace in the Name and Namespace text boxes respectively. The table allows you to selectively sign only subsets of the message content by specifying the name or namespace of the element (if left empty the Security Policy will sign the entire message). Select whether you want to sign the Content or Element from the Encode drop-down list box.

      In case, you do not define any part then Security Policy will sign the whole message.

    9. Select the Encryption check box to encrypt outgoing message content.
    10. Select the keystore to use along with the alias/password from the Keystore drop-down list box. While using encryption, select the keystore with RSA key algorithm only.
    11. Type the alias name in the Alias text box. This should be same as in the Alias in the Keystore.
    12. Select the identifier type from the Key Identifier Type drop-down list box. The available options are Binary Security Token, Issuer Name Serial Number, Subject Key Identifier, or X509 Certificate.
    13. Select the algorithm from the Key Encryption Algorithm drop-down list box.
    14. Define the parts you want to encrypt in the Parts table. Type the name and its namespace in the Name and Namespace text boxes respectively. Select whether you want to encrypt the Content or the Element from the Encode drop-down list box.
    15. Select User Name Token check box.
    16. Type a Username Password token to the outgoing message. Specify the username and password to use and if you want to add nonce to it. The Password Type drop-down list box gives you certain options to serialize your password in the message.
    17. Select Time Stamp check box. 
    18. To add time stamp to the outgoing message, select Time Stamp check box and set the time (in seconds) in Time To Live text box.
    19. Provide the sequence of outgoing messages in the Message Outgoing Sequence text box.

  8. Expand Incoming Message Properties to define message level security (WS-Security) for incoming message.



    1. Select Incoming Message check box to continue.
    2. Select Signature Required check box to configure signatures.
    3. Select the keystore to use from the Signature KeyStore drop-down list box. 
    4. Select Include Time Stamp check box to include the time stamp.
    5. Define the parts that you want to sign in the Parts table. Type the name and its namespace in the Name and Namespace text boxes respectively. The table allows you to selectively sign only subsets of the message content by specifying the name or namespace of the element (if left empty the Security Policy will sign the entire message). Select whether you want to sign the Content or Element from the Encode drop-down list box.
    6. Select Encryption Required check box to encrypt incoming message content.
    7. Select the keystore to use along with the alias/password from the Decryption Keystore drop-down list box. While using encryption, select the keystore with RSA key algorithm only.
    8. Define the parts you want to encrypt in the Parts table. Type the name and its namespace in the Name and Namespace text boxes respectively. Select whether you want to encrypt the Content or the Element from the Encode drop-down list box.
    9. Select User Token Required check box.
    10. Type a Username Password token to the outgoing message. Specify the username and password to use and if you want to add nonce to it. The Password Type drop-down list box gives you certain options to serialize your password in the message.
    11. Select Time Stamp Required check box. 
    12. Select the sequence of incoming messages in the Message Ingoing Sequence text box.
  9. Expand Advanced Properties and select the project from Project drop-down list.

  10. Click Save.

    If you select Incoming Message check box without specifying Signature Required and Encryption Required properties then by default, system uses SSL Configuration properties defined in the Update System Properties section.