Security for the web service provider scenario

SOAP Gateway supports server authentication, client authentication, and web services security (WS-Security) for the web service provider scenario.

SOAP Gateway clients can secure data exchanges with SOAP Gateway through HTTPS requests by using the SSL/TLS security protocol. Similarly, SSL/TLS connections are supported between SOAP Gateway and IMS Connect.

Figure 1. SOAP Gateway as the web service server and the SSL/TLS client
This image shows that SOAP Gateway is a web service server, and it is also an SSL client for IMS Connect if SSL security is used.

You can use the IBM® z/OS® Communications Server Application Transparent Transport Layer Security (AT-TLS) feature and SAF to secure the connection. You can also take advantage of the additional security features in AT-TLS or Quality of Service (QoS). For example, you can use security-connection refresh settings, maximum connection settings, and revocation of certificates.

Important: For NIST SP800-131a compliance, you must use System SSL between SOAP Gateway and IMS Connect, and you must apply the fix for your IMS version:
  • IMS V13 APAR PM96825
  • IMS V12 APAR PM98017

The following figure shows the process flow of the client authentication security scheme. With client authentication, both the server that hosts the web service and the client that requests the service require authentication from the other before data is exchanged.
Figure 2. Client authentication for the web service provider scenario
This image shows the process flow for the client authentication for the web service provider scenario.
  1. The web service client initiates an HTTPS call.
  2. The web service server (SOAP Gateway) returns its certificate that is stored in its server keystore.
  3. The client verifies the server certificate with the certificates that are stored in the truststore on the client.
  4. The client sends the server its certificate that is stored in the client keystore.
  5. The server verifies the client certificate with the certificates that are stored in the truststore on the server.
  6. After the transmission is secured, the client is authenticated and allowed to access protected services.
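The six steps above, as an added example that is not part of the original page or of the SOAP Gateway product: a Go program (standard library only) that plays both sides on a loopback socket, with a self-signed certificate standing in for each keystore entry, the peer's certificate loaded into the corresponding truststore, and the server configured to require and verify a client certificate. The names soapgw.example and ws-client.example are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// newCert makes a self-signed certificate standing in for one keystore entry (constructed here, not a product artifact).
func newCert(name string) (tls.Certificate, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}
// MutualTLSHandshake runs steps 1 to 6 over a loopback socket and returns the client CN the server authenticated.
func MutualTLSHandshake(presentClientCert bool) (string, error) {
	serverCert, serverLeaf := newCert("soapgw.example")    // server keystore (step 2)
	clientCert, clientLeaf := newCert("ws-client.example") // client keystore (step 4)
	serverTrust, clientTrust := x509.NewCertPool(), x509.NewCertPool()
	serverTrust.AddCert(clientLeaf) // server truststore: which callers are accepted (step 5)
	clientTrust.AddCert(serverLeaf) // client truststore: which server is trusted (step 3)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientCAs: serverTrust,
		ClientAuth: tls.RequireAndVerifyClientCert, // without this the server never asks for a client certificate
		MinVersion: tls.VersionTLS12, SessionTicketsDisabled: true}
	cliCfg := &tls.Config{RootCAs: clientTrust, ServerName: "soapgw.example", MinVersion: tls.VersionTLS12}
	if presentClientCert { cliCfg.Certificates = []tls.Certificate{clientCert} }
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil { return "", err }
	defer ln.Close()
	go func() { // client side (steps 1, 3 and 4), run concurrently with the server below
		if c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil { c.Close() }
	}()
	c, err := ln.Accept()
	if err != nil { return "", err }
	defer c.Close()
	srv := c.(*tls.Conn)
	if err := srv.Handshake(); err != nil { return "", err } // steps 2 and 5: present own certificate, verify the client's
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

Calling MutualTLSHandshake(false) shows the other half of the scheme: the server refuses a client that presents no certificate, which is the check the ClientAuth setting enforces at step 5.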