Securing web services
Web services are one of the integration technologies that allow client programs to interact with the Sterling™ Order Management System Software applications.
"Web services security" can have different meanings. Generally, it refers to SSL encryption of the transport layer, authentication and authorization of the web services calls at the application server level or the underlying APIs they access, and message payload encryption.
Authentication
By default, the APIs and services will not run without a valid user token. That token is obtained when you call the login API. Once the token is obtained, you set the token as the tokenId in YFSEnvironment and then call the APIs your user has access to. The user is defined in the Applications Manager. For details about the YFSEnvironment interface, see the Javadoc.
Authorization
You can also configure user groups to control which users have access to APIs (for example, to create orders or to view orders).
Confidentiality
Finally, you should send requests to web services under SSL to protect the confidentiality of the request when it is transiting through the network.
Sterling Order Management System Software does not provide security out-of-the-box for EJB based web services.
Sterling Order Management System Software does not ship encryption and therefore does not provide payload encryption out-of-the-box for JAX-WS based web services.
Reduction of attack surface
- Pass the -Dnowebservice=true flag into the buildear.sh. This instructs the EAR building process not to build the web services components.
- Ensure that the namedwebservices.xml file is not defined.
Transport layer security
Transport layer security can be applied to all types of HTTP traffic including EJB based and JAX-WS based web services.
Sterling Order Management System Software does not provide any other security mechanisms or recommendations for EJB based web services.
JAX-WS handlers
Sterling Order Management System Software provides JAX-WS handlers to implement security for JAX-WS based web services.
Default handler chains are provided, but you can plug in your own customized handler chain XML and classes.
Options for securing web services client code
Sterling Order Management System Software provides a client generator for JAX-WS web services for UNIX and Linux® (the client is not supported on Windows). Client generation against the HTTPS URL for the WSDL is not supported, but you can secure clients after generation.
Sterling Order Management System Software does not provide any assistance around client generation for EJB web services. One popular pattern is to use the Ant client-generation tasks provided by Apache Axis. The same rules apply here: configure the trust store properly and set the required system properties in your code before communicating with the HTTPS port of the server.
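The trust-store setup described above, as an added illustration for a JAX-WS client (this is not IBM's code and not part of the original page). It assumes a port generated by the client generator that implements javax.xml.ws.BindingProvider, a JKS or PKCS12 trust store holding the server's CA certificate, and javax.xml.ws on the classpath.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Collections;
import javax.xml.ws.BindingProvider;

public final class SecureClientSetup {

    // Verify the trust store is loadable and holds at least one trusted
    // certificate, then expose it to the JVM's default SSL context via the
    // standard javax.net.ssl system properties. Call this before the first
    // HTTPS request: the default SSLContext reads the properties only once.
    public static int configureTrustStore(Path trustStore, char[] password,
                                          String type) throws Exception {
        if (!Files.isReadable(trustStore)) {
            throw new IllegalStateException("trust store not readable: " + trustStore);
        }
        KeyStore ks = KeyStore.getInstance(type);   // "JKS" or "PKCS12"
        try (InputStream in = Files.newInputStream(trustStore)) {
            ks.load(in, password);                   // throws on bad password or format
        }
        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) trusted++;
        }
        if (trusted == 0) {
            throw new IllegalStateException("no trusted certificates in " + trustStore);
        }
        System.setProperty("javax.net.ssl.trustStore", trustStore.toAbsolutePath().toString());
        System.setProperty("javax.net.ssl.trustStoreType", type);
        System.setProperty("javax.net.ssl.trustStorePassword", new String(password));
        return trusted;
    }

    // Re-point the generated port at the server's HTTPS endpoint. Because the
    // WSDL was fetched over plain HTTP at generation time, the address baked
    // into the stub is http://; refuse anything that is not https:// so a
    // misconfiguration cannot silently downgrade the connection.
    public static void bindToHttps(BindingProvider port, String endpoint) {
        if (!endpoint.startsWith("https://")) {
            throw new IllegalArgumentException("refusing non-TLS endpoint: " + endpoint);
        }
        port.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpoint);
    }
}
```

Call configureTrustStore once at startup and bindToHttps on each generated port before invoking any API; the same two steps apply to an Axis-generated EJB web service client.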