Security for SOAP web services

With the support provided by CICS® Transaction Server for z/OS®, you can secure your SOAP messages with either transport security (which can be used for SOAP or JSON messages) or SOAP message security (for SOAP messages only). For information about the architecture of SOAP web services, see CICS and SOAP web services.

Transport-based security

Transport-based security relies on technologies that are available as part of the TCP/IP and HTTP protocols. For example, TLS and HTTP basic authentication can be used to secure CICS web services. For information on TCP/IP and HTTP security options, see Security for TCP/IP clients and Security for CICS web support.

Figure 1. Transport-based security for SOAP messages

SOAP message security

When you use transport-based security (as illustrated in Figure 1), if the service requester identifies itself to an intermediate gateway and the intermediate gateway then identifies itself to the service provider, the target service normally runs with the identity of the intermediate gateway rather than that of the service requester. The Web Services Security (WSS): SOAP Message Security 1.0 specification (WS-Security) addresses this problem by allowing security credentials to be passed within the SOAP message itself, so that the credentials of the service requester can be passed through an intermediate gateway and can still be used to identify the requester to the service provider.

Figure 2. SOAP message security

For more information about SOAP message security, see How it works: SOAP message security.
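The following added example (not taken from CICS or its documentation) shows the gateway problem from the provider's side: with no WS-Security header the request can only run under the transport peer's identity, while a verified UsernameToken carries the requester's identity through the gateway. The names GATEWAY1, ALICE, KNOWN_USERS, effective_identity and the getBalance body are assumptions made for illustration.

```python
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
NS = {"soap": SOAP_NS, "wsse": WSSE_NS}

# Constructed credential store (assumption); a real provider would ask its
# security manager instead of holding secrets in the program.
KNOWN_USERS = {"ALICE": "constructed-secret"}

# Constructed request as the provider receives it from the gateway.
# A text password in the header is only acceptable over a TLS-protected
# hop, which is one reason to combine transport and message security.
SAMPLE_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsse:UsernameToken>
        <wsse:Username>ALICE</wsse:Username>
        <wsse:Password>constructed-secret</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><getBalance/></soap:Body>
</soap:Envelope>"""


def effective_identity(transport_identity, envelope_xml):
    """Return (identity, source) that the provider should run the request under."""
    root = ET.fromstring(envelope_xml)
    tokens = root.findall("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if not tokens:
        # No message-level credentials: only the transport peer is known,
        # which is the intermediate gateway, not the original requester.
        return transport_identity, "transport"
    if len(tokens) > 1:
        raise ValueError("ambiguous request: more than one UsernameToken")
    user = tokens[0].findtext("wsse:Username", default="", namespaces=NS)
    password = tokens[0].findtext("wsse:Password", default="", namespaces=NS)
    expected = KNOWN_USERS.get(user)
    # Verify before trusting: an unverified header is only a claim.
    if expected is None or not hmac.compare_digest(password.encode(),
                                                   expected.encode()):
        raise PermissionError("UsernameToken failed verification")
    return user, "message"
```
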

You can use a combination of transport-based security and SOAP message security to secure CICS web services. To decide which type, or which combination of capabilities, is best for you, see Designing security for CICS web service providers and Designing security for CICS web service requesters.