Configuring Endpoint Aliases for Web Services

About Web Service Endpoint Aliases

A web service endpoint alias represents the network address and, optionally, any security credentials to be used with web services. You can use the network address properties to enable dynamic addressing for web services. The security credentials can be used to control both transport-level and message-level security for web services.

In web service descriptors, an endpoint alias is associated with a binder. Integration Server uses a binder to collect the definitions for addresses, communication protocols, and data formats for a particular port type in one container. For more information about associating an endpoint alias with a binder, see webMethods Service Development Help.

For a consumer web service descriptor and its associated web service connectors (WSC), the alias information (including the addressing information and any security credentials) is used at run time to generate a request and invoke an operation of the web service.

For provider web service descriptors, the endpoint alias is used to construct the "location=" attribute of the address element (which is contained within the port element) when a WSDL file is requested from the web service. The security credentials might be used when constructing a response to a web service request.

When you create a provider web service descriptor, you can specify an existing endpoint alias, which will be displayed (and can be changed) from the default binder of the web service descriptors.

Integration Server uses message addressing endpoint aliases to send responses to endpoints other than the one that initiated or sent the request. That is, when WS-Addressing is enabled and the request SOAP message contains a non-anonymous ReplyTo or FaultTo endpoint, Integration Server uses the message addressing endpoint alias to determine the authentication details to be used to send a response to the ReplyTo and FaultTo endpoints.

An endpoint alias is usually created for one or more of the following reasons:

  • Dynamic endpoint addressing. Because the actual value of the endpoint is looked up at run time, using an endpoint alias saves you from having to specify or change the server information each time you use the web service.
  • WS-ReliableMessaging. Reliable messaging properties ensure the reliable delivery of the message between the two endpoints (web service and client or reliable messaging source and destination). You can configure reliable messaging properties specific to a web service endpoint or at a global level for all web service endpoints defined in the Integration Server.

When you create web service endpoint aliases, keep the following points in mind:

  • Alias names must be unique within the specified usage (provider or consumer) and protocol. This can result in multiple endpoint aliases with the same name. For example, you can have a provider alias named "aliasOne" for the HTTP protocol. You could also have a consumer alias named "aliasOne" for the HTTP protocol and a provider alias named "aliasOne" for the HTTPS protocol.
  • Integration Server saves web service endpoint aliases at the following location: Integration Server_directory\instances\instance_name\config\endpoints
  • The host name and port are required for a provider HTTP/S web service endpoint alias, but are optional for a consumer HTTP/S web service endpoint alias.
  • If the Integration Server on which a consumer web service descriptor resides sits behind a firewall and the web service request needs to be routed through a proxy server, you can assign a proxy alias to the consumer web service endpoint alias.
  • You can identify default provider web service endpoint aliases for HTTP and HTTPS. If a provider web service descriptor contains a binder set to the default alias, Integration Server uses the information in the default alias when constructing the WSDL for the descriptor.

Creating an Endpoint Alias for a Provider Web Service Descriptor for Use with HTTP/S

About this task

When creating a web service endpoint alias for a provider web service descriptor that uses an HTTP/S binder, you need to supply information that falls into the following categories:

  • Web Service Endpoint Alias. Endpoint name, description, and transport type.
  • HTTP/S Transport Properties. Server on which the web service resides.
  • WS Security Properties. Information the SOAP processor needs to decrypt and verify the inbound SOAP request and/or encrypt and sign the outbound SOAP response and the details for adding the timestamp information.

    Note: WS-Security credentials such as private keys and public keys do not always need to be provided in a web service endpoint alias. If this information is not provided in the alias, Integration Server can obtain the information from other locations. For more information about usage and resolution order of certificates and keys for WS-Security, see the Web Services Developer’s Guide.
  • Message Addressing Properties. WS-Addressing information that Integration Server uses to generate the WS-Addressing headers of the SOAP requests and responses. This includes the destination address of a message or fault and the authentication credentials required to send a response to a different address than the one from which the request was received.
  • Reliable Messaging Properties. Reliable messaging information specific to the web service endpoint. By default, Integration Server applies the reliable messaging configuration defined on the Settings > Web services > Reliable messaging > Edit configuration page to all web service providers and consumers. If you want to override the server-level reliable messaging configuration for a specific web service provider or consumer, define reliable messaging properties for the associated web service endpoint alias.

To create a WS provider web service endpoint alias for use with HTTP/S

Procedure

  1. Open Integration Server Administrator if it is not already open.
  2. Go to Settings > Web services.
  3. Click Create Web Service Endpoint Alias.
  4. Under Web Service Endpoint Alias Properties, provide the following information:
    • Alias: A name for the provider web service endpoint alias.

      The alias name cannot include the following illegal characters:

      # ©\ & @ ^ ! % * : $ . / \ \ ` ; , ~ + = ) ( | } { ] [ > < "

    • Description: A description for the endpoint alias.
    • Type: Provider
    • Transport Type: Specify the transport protocol used to access the web service. Select one of the following:

      • HTTP
      • HTTPS
  5. Under TransportType Transport Properties, provide the following information:
    • Host Name or IP Address: Host name or IP address of the Integration Server for which you are creating an alias.

      If the host Integration Server is fronted by a proxy, specify the host name or IP address of the proxy server.

    • Port: An active HTTP or HTTPS listener port defined on the Integration Server specified in the Host Name or IP Address field.

      If the host Integration Server is fronted by a proxy, specify the port for the proxy server.

  6. Under WS Security Properties, if the inbound SOAP request must be decrypted and/or the outbound SOAP response must be signed, do the following:
    • Keystore Alias: Alias of the keystore containing the private key used to decrypt the inbound SOAP request or sign the outbound SOAP response.

      Important: The provider must have already given the consumer the corresponding public key.

    • Key Alias: Alias of the private key used to decrypt the request or sign the response. The key must be in the keystore specified in Keystore Alias.
  7. Under WS Security Properties, if the signing certificate chain of an inbound signed SOAP message has to be validated, specify the following:
    • Truststore Alias: The alias for the truststore that contains the list of CA certificates that Integration Server uses to validate the trust relationship.
  8. Under WS Security Properties, set the timestamp properties that Integration Server uses when working with timestamps.
    • Timestamp Precision: Whether the timestamp is precise to the second or millisecond. If you set the precision to milliseconds, Integration Server uses the timestamp format yyyy-MM-dd'T'HH:mm:ss:SSS'Z'. If you set the precision to seconds, Integration Server uses the timestamp format yyyy-MM-dd'T'HH:mm:ss'Z'.

      If you do not select a precision value, Integration Server will use the value specified for the watt.server.ws.security.timestampPrecisionInMilliseconds parameter.

    • Timestamp Time to Live: The time-to-live value for the outbound message in seconds. Integration Server uses the Timestamp Time to Live value to set the expiry time in the Timestamp element of outbound messages. The time-to-live value must be an integer greater than 0.

      If you do not specify a Timestamp Time to Live value, Integration Server will use the value specified for the watt.server.ws.security.timestampTimeToLive parameter.

    • Timestamp Maximum Skew: The maximum number of seconds that the web services client and host clocks can differ and still allow timestamp expiry validation to succeed. Specify a positive integer or zero.

      Integration Server uses the timestamp maximum skew value only when you implement WS-Security via a WS-Policy. Integration Server validates the inbound SOAP message only when the creation timestamp of the message is less than the sum of the timestamp maximum skew value and the current system clock time.

      If you do not specify a timestamp maximum skew value, Integration Server will use the value specified for the watt.server.ws.security.timestampMaximumSkew parameter.

    • Username Token TTL: This is the permitted time difference, in seconds, between the time when the UsernameToken was created (as provided in the wsu:Created element) and the time when it reaches the server. Requests that exceed this limit are rejected by the server. The default value is 300.

    • Username Token Future TTL: It is possible that the wsu:Created element has a timestamp that is in the future. The server considers such requests as valid if the time at which the request was created does not exceed the time at which it reaches the server by the value (in seconds) given in this setting. The default value is 60.

    Note: The Username Token TTL and Username Token Future TTL configurations can also be set at the global level using the watt.server.ws.security.usernameTokenTTL and the watt.server.ws.security.usernameTokenFutureTTL server configuration properties. However, if there is a configuration setting at the web services endpoint level, the server will ignore the global property. For more information about the global properties, see watt.server..

    For more information about timestamps in the WS-Security header, see Timestamps in the WS-Security Header.

  9. Under Kerberos Properties, provide the following Kerberos-related details that will be used for all providers that use this endpoint alias.
    Note: These fields are available only for provider endpoint aliases using the HTTPS transport type.
    • JAAS Context: The custom JAAS context used for Kerberos authentication.

      In the following example, JAAS Context is WS_KERBEROS_INBOUND:

      WS_KERBEROS_INBOUND {
        com.sun.security.auth.module.Krb5LoginModule required
        refreshKrb5Config=true storeKey=true isInitiator=false debug=true;
      };

      The is_jaas.cnf file distributed with Integration Server includes a JAAS context named IS_KERBEROS_INBOUND that can be used with inbound requests.

    • Principal: The name of the principal to use for Kerberos authentication.
    • Principal Password: The password for the principal that is used to authenticate the principal to the KDC. Specify the principal password if you do not want to use the keytab file that contains the principals and their passwords for authorization. The passwords may be encrypted using different encryption algorithms. If the JAAS login context contains useKeyTab=false, you must specify the principal password.
    • Retype Principal Password: The above principal password.
    • Service Principal Name Format: Select the format in which you want to specify the principal name of the service that is registered with the principal database.
      • host-based: Represent the principal name using the service name and the hostname, where hostname is the host computer. This is the default.
      • username: Represent the principal name as a named user defined in the LDAP or central user directory used for authentication to the KDC.
    • Service Principal Name: The name of the principal for the service that the Kerberos client wants to access. This can be obtained from the WSDL document published by the provider of the Kerberos service. Specify the Service Principal Name in the following format:

      principal-name.instance-name@realm-name
  10. Under Message Addressing Properties, provide the following addressing information relating to the delivery of the message. The message addressing properties define the addressing information that can be attached to the SOAP message.
    • To: URI of the destination of the SOAP message.

      In the Reference Parameters field, specify additional parameters, if any, that correspond to <wsa:ReferenceParameters> properties of the endpoint reference to which the message is addressed. Optionally, you can specify metadata (such as WSDL or WS-Policy) about the service in the Metadata Elements field. You can also specify Extensible Elements, which are elements other than those specified as part of the Metadata and Reference Parameters.

      You can specify more than one reference parameter, metadata element, or extensible element. Click the ‘+’ icon to add more rows and the ‘x’ icon to delete the rows.

    • Response Map: Address to which the provider will send the reply or fault message and the corresponding message addressing alias. Integration Server retrieves the authentication details needed to send the response from the message addressing alias mapped to the address.

      In the Address field, specify the URI to which the provider will send the reply or the fault message.

      From the Message Addressing Alias list, select the message addressing endpoint alias from which Integration Server will retrieve the authentication details. Integration Server uses the authentication details to send the response to the ReplyTo or FaultTo endpoints.

      Click the ‘+’ icon to add more rows and the ‘x’ icon to delete the rows.

  11. Under Reliable Messaging Properties, check Enable to provide reliable messaging information specific to the endpoint alias you are creating.
  12. Provide the following reliable-messaging information to ensure reliable delivery of the message between a reliable messaging source and destination.
    • Retransmission Interval: The time interval (in milliseconds) for which a reliable messaging source waits for an acknowledgment from the reliable messaging destination before retransmitting the SOAP message. The default is 6000 milliseconds.
    • Acknowledgement Interval: The time interval (in milliseconds) for which the reliable messaging destination waits before sending an acknowledgment for a message sequence. Messages of the same sequence received within the specified acknowledgment interval are acknowledged in one batch. If there are no other messages to be sent to the acknowledgment endpoint within the time specified as the acknowledgment interval, the acknowledgment is sent as a stand-alone message.

      The default is 3000 milliseconds.

    • Exponential Backoff: Whether to use the exponential backoff algorithm to adjust the retransmission interval of unacknowledged messages. Adjusting the time interval between retransmission attempts ensures that a reliable messaging destination does not get flooded with a large number of retransmitted messages.
      • true: Increase the successive retransmission intervals exponentially, based on the specified retransmission interval. For example, if the specified retransmission interval is 2 seconds, and the exponential backoff value is set to true, successive retransmission intervals will be 2, 4, 8, 16, 32, and so on if messages continue to be unacknowledged. This is the default.
      • false: Use the same time interval specified in the Retransmission Interval field for all retransmissions.
    • Maximum Retransmission Count: The number of times the reliable messaging source must retransmit a message if an acknowledgement is not received from the reliable messaging destination. To specify that there is no limit to the number of retransmission attempts, set the value of Maximum Retransmission Count to -1. The default is 10.
  13. Click Save Changes.
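
The timestamp and UsernameToken settings from step 8 can be read as the freshness checks below. This is an added example, not code from Integration Server or its documentation: the class and function names are hypothetical, the global values for timestampTimeToLive and timestampMaximumSkew are sample values, and applying the skew allowance to the Expires comparison is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed stand-in for the global watt.server.ws.security.* parameters.
# 300 and 60 are the defaults stated on this page; the first two are sample values.
GLOBAL_PARAMS = {
    "timestampTimeToLive": 300,
    "timestampMaximumSkew": 300,
    "usernameTokenTTL": 300,
    "usernameTokenFutureTTL": 60,
}


@dataclass
class AliasTimestampSettings:
    """Timestamp fields of one endpoint alias (hypothetical model); None = not set."""
    time_to_live: Optional[int] = None
    maximum_skew: Optional[int] = None
    username_token_ttl: Optional[int] = None
    username_token_future_ttl: Optional[int] = None
    millisecond_precision: bool = False

    def effective(self, field: str, global_name: str) -> int:
        """A value set on the alias wins; otherwise the global parameter applies."""
        value = getattr(self, field)
        return GLOBAL_PARAMS[global_name] if value is None else value


def format_ts(moment: datetime, millis: bool) -> str:
    """Render the two formats given on this page (':' precedes the milliseconds)."""
    utc = moment.astimezone(timezone.utc)
    base = utc.strftime("%Y-%m-%dT%H:%M:%S")
    return f"{base}:{utc.microsecond // 1000:03d}Z" if millis else f"{base}Z"


def parse_ts(text: str) -> datetime:
    """Accept either documented precision and return an aware UTC datetime."""
    for fmt in ("%Y-%m-%dT%H:%M:%S:%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def outbound_timestamp(settings: AliasTimestampSettings, now: datetime) -> Tuple[str, str]:
    """Created/Expires pair for an outbound message: Expires = Created + TTL."""
    ttl = settings.effective("time_to_live", "timestampTimeToLive")
    if ttl <= 0:
        raise ValueError("Timestamp Time to Live must be an integer greater than 0")
    ms = settings.millisecond_precision
    return format_ts(now, ms), format_ts(now + timedelta(seconds=ttl), ms)


def check_inbound_timestamp(settings: AliasTimestampSettings, created: str,
                            expires: str, now: datetime) -> Tuple[bool, str]:
    skew = timedelta(seconds=settings.effective("maximum_skew", "timestampMaximumSkew"))
    # Rule stated on this page: Created must be earlier than now + maximum skew.
    if not parse_ts(created) < now + skew:
        return False, "created too far in the future"
    # Assumption: the same skew allowance is applied when comparing Expires.
    if parse_ts(expires) + skew <= now:
        return False, "expired"
    return True, "ok"


def check_username_token(settings: AliasTimestampSettings, created: str,
                         now: datetime) -> Tuple[bool, str]:
    ttl = settings.effective("username_token_ttl", "usernameTokenTTL")
    future = settings.effective("username_token_future_ttl", "usernameTokenFutureTTL")
    age = (now - parse_ts(created)).total_seconds()  # negative when Created is ahead
    if age > ttl:
        return False, "token older than Username Token TTL"
    if -age > future:
        return False, "token created too far in the future"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: alias overrides TTL and skew, UsernameToken limits stay global.
    alias = AliasTimestampSettings(time_to_live=120, maximum_skew=5)
    now = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    print(outbound_timestamp(alias, now))
    print(check_inbound_timestamp(alias, "2024-05-01T11:55:00Z", "2024-05-01T11:59:55Z", now))
    print(check_username_token(alias, "2024-05-01T11:54:59Z", now))
```

A UsernameToken whose Created value is older than the TTL or further ahead than the Future TTL is rejected, which bounds how long a captured token can be replayed.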

Setting a Default Endpoint Alias for Provider Web Service Descriptors

About this task

For the HTTP and HTTPS protocols, you can identify a provider web service endpoint alias as the default provider endpoint alias for each protocol. When the default provider endpoint alias is assigned to a binder in a provider web service descriptor, Integration Server uses the information in the alias when constructing the WSDL for the descriptor and during run-time processing. Simply changing the default provider endpoint alias for a protocol changes the information used to generate the WSDL and the information used for run-time processing. You do not need to edit the binder in the web service descriptor to specify a different alias.

Integration Server uses the default provider endpoint alias in the following situations:

  • When constructing the WSDL for a provider web service descriptor that contains a binder with a Port alias property set to DEFAULT(aliasName) or a binder that does not explicitly set an alias for the Port alias property.
  • During run-time processing for a provider web service descriptor that contains a binder with a Port alias property set to DEFAULT(aliasName) or a binder that does not explicitly set an alias for the Port alias property.
  • As an available alias when creating the endpoint for a service first provider web service
  • As an available alias when setting the endpoint for a binder.
  • When creating the binders for a WSDL first provider web service descriptor generated from a WSDL document with an HTTP or HTTPS binding. Integration Server assigns the default provider endpoint alias of the transport protocol to the binder. Integration Server uses the information from the alias during WSDL generation and run-time processing.
Note: If the binder in a provider web service descriptor does not specify a value for the Port alias property and there is not a default provider endpoint alias for the protocol used by the binder, when Integration Server generates the WSDL document for the web service descriptor, Integration Server sets the “location=” attribute of the soap:address element to localhost:primaryPort.

Keep the following points in mind when setting a default provider endpoint alias for use with provider web service descriptors:

  • You can set a default provider endpoint alias for provider web services only.
  • You can set a default provider endpoint alias for the HTTP and HTTPS protocols. You cannot set a default endpoint alias for JMS.
  • Integration Server does not require that a default provider endpoint alias be set. If there is no default alias for a protocol, the Port alias property for a binder in a provider web service descriptor lists a blank row as a possible value. If you select the blank row and later specify a default alias for the protocol used by the binder, Integration Server uses the information in the default provider endpoint alias when generating the WSDL document and during run-time processing for the web service descriptor. That is, once a default provider endpoint alias is set for a protocol, any previously blank Port alias properties are effectively set to DEFAULT(aliasName) for binders that use that protocol.
  • You cannot delete a web service endpoint alias used as a default alias.
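
The resolution rules above determine which host and port a generated WSDL advertises, so it is worth auditing which binders follow the default and which fall back to localhost:primaryPort. The following model is an added example, not Integration Server code: the class, function, descriptor and host names are hypothetical, the primary port 5555 is a sample value, and treating a DEFAULT(aliasName) value with no current default like a blank value is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULTABLE = ("HTTP", "HTTPS")  # per the page, JMS cannot have a default alias


@dataclass(frozen=True)
class ProviderAlias:
    name: str
    protocol: str
    host: str
    port: int


class ProviderAliasRegistry:
    """Hypothetical in-memory model of provider endpoint aliases and their defaults."""

    def __init__(self, primary_port: int):
        self.primary_port = primary_port
        # Names are unique per usage and protocol, so provider aliases key on both.
        self.aliases: Dict[Tuple[str, str], ProviderAlias] = {}
        self.defaults: Dict[str, Optional[str]] = {p: None for p in DEFAULTABLE}

    def add(self, alias: ProviderAlias) -> None:
        key = (alias.protocol, alias.name)
        if key in self.aliases:
            raise ValueError(f"provider alias {alias.name!r} already exists for {alias.protocol}")
        self.aliases[key] = alias

    def set_default(self, protocol: str, name: Optional[str]) -> None:
        if protocol not in DEFAULTABLE:
            raise ValueError(f"no default alias can be set for {protocol}")
        if name is not None and (protocol, name) not in self.aliases:
            raise KeyError(name)
        self.defaults[protocol] = name  # None models selecting the blank row

    def delete(self, protocol: str, name: str) -> None:
        if self.defaults.get(protocol) == name:
            raise ValueError("an alias used as a default alias cannot be deleted")
        del self.aliases[(protocol, name)]

    def resolve(self, protocol: str, port_alias: str) -> Tuple[str, str]:
        """Return (host:port, source) for a binder's Port alias property."""
        follows_default = port_alias == "" or re.fullmatch(r"DEFAULT\(.*\)", port_alias)
        if not follows_default:
            alias = self.aliases[(protocol, port_alias)]
            return f"{alias.host}:{alias.port}", "explicit"
        default_name = self.defaults.get(protocol)
        if default_name is not None:
            alias = self.aliases[(protocol, default_name)]
            return f"{alias.host}:{alias.port}", "default"
        # No default for the protocol: the page says the WSDL gets localhost:primaryPort.
        # Assumption: a DEFAULT(...) value with no current default behaves like a blank one.
        return f"localhost:{self.primary_port}", "fallback"


def audit(registry: ProviderAliasRegistry,
          binders: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """binders holds (descriptor, protocol, port_alias); returns (descriptor, host:port, source)."""
    return [(d, *registry.resolve(proto, port_alias)) for d, proto, port_alias in binders]


def sample_registry() -> ProviderAliasRegistry:
    """Constructed sample data: the same alias name is reused across protocols."""
    reg = ProviderAliasRegistry(primary_port=5555)
    reg.add(ProviderAlias("aliasOne", "HTTP", "gw.example.internal", 8080))
    reg.add(ProviderAlias("aliasOne", "HTTPS", "gw.example.internal", 8443))
    reg.add(ProviderAlias("aliasTwo", "HTTP", "edge.example.internal", 80))
    return reg


# Constructed binders: two leave Port alias blank, one names an alias explicitly.
SAMPLE_BINDERS = [
    ("orders.ws:provider", "HTTP", ""),
    ("billing.ws:provider", "HTTP", "aliasTwo"),
    ("hr.ws:provider", "HTTPS", ""),
]

if __name__ == "__main__":
    reg = sample_registry()
    print(audit(reg, SAMPLE_BINDERS))   # blank binders fall back to localhost
    reg.set_default("HTTP", "aliasOne")
    print(audit(reg, SAMPLE_BINDERS))   # same binders now follow the HTTP default
```

Rows reported with the source "fallback" are the descriptors whose WSDL would advertise localhost, and rows reported as "default" change for every such binder at once when the default alias is switched.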

To set a default endpoint alias for provider web service descriptors

Procedure

  1. Open Integration Server Administrator if it is not already open.
  2. Go to Settings > Web services.
  3. Click Set Default Provider Endpoint Alias.
  4. Under Select Default Provider Endpoint Aliases, do one or more of the following:
    • In the HTTP list, select the alias to use as the default endpoint alias for the HTTP protocol. If you do not want to set a default endpoint alias for HTTP, select the blank row.
    • In the HTTPS list, select the alias to use as the default endpoint alias for the HTTPS protocol. If you do not want to set a default endpoint alias for HTTPS, select the blank row.
  5. Click Update.

    Integration Server updates the WSDL document for any provider web service descriptor with a binder that uses the default provider endpoint alias.

    Note: After changing the default provider endpoint alias, consumers should refresh any existing web service clients generated from a WSDL document for a web service descriptor that uses the default provider endpoint alias. Refreshing the web service client using the updated WSDL document enables the client to make use of the changed endpoint information.

Creating an Endpoint Alias for a Consumer Web Service Descriptor for Use with HTTP/S

About this task

When you create an HTTP/S web service endpoint alias for use with consumer web service descriptors, you need to supply information that falls into the following categories:

  • Web Service Endpoint Alias. Endpoint name, description, and transport type.
  • HTTP/S Transport Properties. Optional. The host and port used to build the endpoint URL. If the web service provider requires transport-based authentication, these properties specify the authentication credentials to be added to the HTTP/S header. For HTTPS transport, these properties specify the keystore alias and key alias of the private key used for SSL communication with the web service provider. If the web service request must be routed through a proxy server, these properties specify the proxy server alias for the proxy server through which Integration Server routes the HTTP/S request.
  • WS Security Properties. Information for the WS-Security header as determined by the security policy for the web service. A web service security policy can require that:
    • SOAP message requests include a UserName token.
    • SOAP message responses be decrypted.
    • SOAP message requests be signed.
    • X.509 authentication be supported.
    • A Timestamp element be added to the security header.
    Note: WS-Security credentials such as private keys and public keys do not always need to be provided in a web service endpoint alias. If this information is not provided in the alias, Integration Server can obtain the information from other locations. For more information about usage and resolution order of certificates and keys for WS-Security, see the Web Services Developer’s Guide.
  • Message Addressing Properties. Addressing information about the response delivery. This information includes the reply endpoint where the replies should be sent, the fault endpoint that specifies where the faults should be sent, and optional metadata (such as WSDL or WS-Policy) about the service. This also includes additional parameters, called Reference Parameters, that Integration Server uses to route the message to the destination.
  • Reliable Messaging Properties. Provides reliable messaging information specific to the web service endpoint. By default, Integration Server applies the reliable messaging configuration defined on the Settings > Web services > Reliable messaging > Edit configuration page to all web service providers and consumers. If you want to override the server-level reliable messaging configuration for a specific web service provider or consumer, define reliable messaging properties for the associated web service endpoint alias.

To create a consumer web service endpoint alias for use with HTTP/S

Procedure

  1. Open Integration Server Administrator if it is not already open.
  2. Go to Settings > Web services.
  3. Click Create Web Service Endpoint Alias.
  4. Under Web Service Endpoint Alias Properties, provide the following information:
    • Alias: A name for the provider web service endpoint alias.

      The alias name cannot include the following illegal characters:

      # ©\ & @ ^ ! % * : $ . / \ \ ` ; , ~ + = ) ( | } { ] [ > < "

    • Description: A description for the endpoint alias.
    • Type: Consumer
    • Transport Type: Specify the transport protocol used to access the web service. Select one of the following:

      • HTTP
      • HTTPS
    • Execute ACL: ACL that governs which user groups on your server can use this web service endpoint alias. Select an ACL from the drop down list. By default, only members of groups governed by the Internal ACL can use this alias.

      Integration Server performs the ACL check only if the specific endpoint alias is used as the value of the endpointAlias input parameter in a web service connector or the pub.client:soapClient service. Integration Server does not perform the ACL check when the consumer web service endpoint alias is assigned to a binder used by the web service connector.

  5. Under TransportType Transport Properties, provide the following information if you want to overwrite the host and/or port information in the WSDL with the host and/or port information in the web service endpoint alias. For more information about how Integration Server builds the endpoint URL, see webMethods Service Development Help.
    • Host Name or IP Address: Host name or IP address of the server on which the web service resides.
    • Port Number: An active HTTP or HTTPS type listener port defined on the host server specified in the Host Name or IP Address field.
    • Authentication Type: Specify the type of authentication you want to use to authenticate the consumer.
      • Basic: Use basic authentication (user name and password) to authenticate the consumer.
      • Digest: Use password digest to authenticate the consumer.
      • NTLM: Use NTLM authentication so that clients that are already logged into a domain can be authenticated using their existing credentials.
      • Kerberos: Use Kerberos authentication for the web service at the transport level. When you select this option, an additional section, Kerberos Transport Properties, is added to this page.
  6. If you are configuring the web service endpoint for transport-based authentication such as HTTPS, specify all or a combination of the following optional fields:
    • User Name: User name used to authenticate the consumer at the HTTP or HTTPS transport level on the host server.
    • Password: The password used to authenticate the consumer on the host server.
    • Retype Password: Re-enter the above password.
    • Keystore Alias: Alias to the keystore that contains the private key used to connect to the web service host securely.

      This field applies to the HTTPS transport type only.

    • Key Alias: Alias to the key in the keystore that contains the private key used to connect to the web service host securely. The key must be in the keystore specified in Keystore Alias.

      This field applies to the HTTPS transport type only.

  7. If web service requests must be sent through a proxy server, in the Proxy Alias field, do one of the following to specify which proxy server Integration Server uses:
    • If you want Integration Server to use a particular proxy server, select the alias for that proxy server. Integration Server lists all the configured HTTP/S and SOCKS proxy aliases in the Proxy Alias field.
    • If you want Integration Server to use the default proxy server, leave this field blank.

    For more information about how Integration Server uses proxy servers when sending requests, see How Integration Server Uses Proxy Servers.

  8. The Kerberos Transport Properties section enables you to configure Kerberos authentication at the transport-level. You can provide Kerberos-related details that will be used for all web service requests by providers that use this endpoint alias.
    Note: Kerberos authentication is available at the transport level or message level for HTTPS, but only at the transport level for HTTP.

    The following fields are available for consumer endpoint aliases when you select Kerberos as the HTTP transport Authentication Type.

    • JAAS Context: Specify the custom JAAS context used for Kerberos authentication.

      In the following example, JAAS Context is KerberosClient:

      KerberosClient {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true keyTab=alice.keytab;
      };

    • Principal: Specify the name of the principal to use for Kerberos authentication.
    • Principal Password: Specify the password for the principal that is used to authenticate the principal to the KDC. Specify the principal password if you do not want to use the keytab file that contains the principals and their passwords for authorization. The passwords may be encrypted using different encryption algorithms.

      If the JAAS login context contains useKeyTab=false, you must specify the principal password.

    • Retype Principal Password: Re-enter the above principal password.
    • Service Principal Name Format: Select the format in which you want to specify the principal name of the service that is registered with the principal database.
      • host-based: Represent the principal name using the service name and the host name, where host name is the host computer.

        Note: Currently, this option is disabled. Integration Server supports only username.
      • username: Represent the principal name as a named user defined in the LDAP or central user directory used for authentication to the KDC.
    • Service Principal Name: Specify the service that the Kerberos client wants to access. This can be obtained from the WSDL document published by the provider of Kerberos service. Specify the Service Principal Name in the following format:

      principal-name.instance-name@realm-name

  9. Under WS Security Properties, if the WS-Security policy for this consumer web service descriptor requires that SOAP message requests include a UsernameToken, enter values for the following fields:
    • User Name: The user name to include with the UsernameToken.
    • Password: The password to include with the UsernameToken (must be plain text).
    • Retype Password: Re-enter the above password.
  10. If the security policy (or policies) that will be used by this web service requires its requests to be signed, requires an X.509 authentication token to be included, or requires that SOAP message responses be encrypted, specify the following:
    • Keystore Alias: Alias to the keystore that contains the private key used to:

      • Sign outbound SOAP requests
      • Include an X.509 authentication token for outbound SOAP requests
      • Decrypt inbound SOAP responses

      Important: To verify messages from this consumer, the web services provider must have a copy of the corresponding public key.

    • Key Alias: Alias to the private key used to sign and/or include X.509 authentication token for outbound SOAP messages and/or decrypt inbound SOAP responses. The key must be in the keystore specified in Keystore Alias.
  11. Under WS Security Properties, specify the provider's certificate file. This certificate is used to encrypt the outbound SOAP request and/or verify the inbound SOAP response.
    In this field Specify
    Partner's Certificate The path and file name of the provider's certificate, which contains its public key.
  12. Under WS Security Properties, if the security policy (or policies) that will be used by this web services consumer requires that responses be validated by a trusted authority, specify the following:
    In this field Specify
    Partner's Certificate Path and file name of the file containing the provider's certificate.
    Truststore Alias The alias for the truststore that contains the list of CA certificates that Integration Server uses to validate the trust relationship.
  13. Under WS Security Properties, configure how Integration Server handles timestamps in the security headers.
    In this field Specify
    Timestamp Precision Whether the timestamp is precise to the second or millisecond. If you set the precision to milliseconds, Integration Server uses the timestamp format yyyy-MM-dd'T'HH:mm:ss:SSS'Z'. If you set the precision to seconds, Integration Server uses the timestamp format yyyy-MM-dd'T'HH:mm:ss'Z'.

    If you do not select a precision value, Integration Server will use the value specified for the watt.server.ws.security.timestampPrecisionInMilliseconds parameter.

    Timestamp Time to Live The time-to-live value for the outbound message in seconds. Integration Server uses the Timestamp Time to Live value to set the expiry time in the Timestamp element of outbound messages. The Timestamp Time to Live value must be an integer greater than 0.

    If you do not specify a time-to-live value, Integration Server will use the value specified for the watt.server.ws.security.timestampTimeToLive parameter.

    Timestamp Maximum Skew The maximum number of seconds that the web services client and host clocks can differ and still allow timestamp expiry validation to succeed. Specify a positive integer or zero.

    Integration Server uses the timestamp maximum skew value only when you implement WS-Security via a WS-Policy. Integration Server validates the inbound SOAP message only when the creation timestamp of the message is less than the sum of the timestamp maximum skew value and the current system clock time.

    If you do not specify a timestamp maximum skew value, Integration Server will use the value specified for the watt.server.ws.security.timestampMaximumSkew parameter.

    Username Token TTL

    This is the permitted time difference, in seconds, between the time when the UsernameToken was created (as provided in the wsu:Created element) and the time when it reaches the server. Requests that exceed this limit are rejected by the server. The default value is 300.

    Username Token Future TTL It is possible that the wsu:Created element has a timestamp that is in the future. The server considers such requests valid if the time at which the request was created does not exceed the time at which it reaches the server by more than the value (in seconds) given in this setting. The default value is 60.
    Note: The Username Token TTL and Username Token Future TTL configurations can also be set at the global level using the watt.server.ws.security.usernameTokenTTL and the watt.server.ws.security.usernameTokenFutureTTL server configuration properties. However, if there is a configuration setting at the web services endpoint level, the server will ignore the global property. For more information about the global properties, see watt.server..

    For more information about timestamps in the WS-Security header, see Timestamps in the WS-Security Header.

  14. Under Kerberos Properties, provide the following Kerberos-related details that will be used for all web service requests that use this endpoint alias.
    Note: These fields are available only for consumer endpoint aliases using HTTPS transport type.
    In this field Specify
    JAAS Context The custom JAAS context used for Kerberos authentication.

    In the following example, JAAS Context is KerberosClient:

    KerberosClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true keyTab=alice.keytab;
    };

    The is_jaas.cnf file distributed with Integration Server includes a JAAS context named IS_KERBEROS_OUTBOUND that can be used with inbound requests.

    Principal The name of the principal to use for Kerberos authentication.
    Principal Password The password for the principal that is used to authenticate the principal to the KDC. Specify the principal password if you do not want to use the keytab file that contains the principals and their passwords for authorization. The passwords may be encrypted using different encryption algorithms. If the JAAS login context contains useKeyTab=false, you must specify the principal password.
    Retype Principal Password Re-enter the above principal password.
    Service Principal Name Format Select the format in which you want to specify the principal name of the service that is registered with the principal database.
      Select To
      host-based Represent the principal name using the service name and the hostname, where hostname is the host computer.

    This is the default.

      username Represent the principal name as a named user defined in the LDAP or central user directory used for authentication to the KDC.
    Service Principal Name The name of the principal for the service that the Kerberos client wants to access. This can be obtained from the WSDL document published by the provider of the Kerberos service. Specify the Service Principal Name in the following format:
    principal-name.instance-name@realm-name
  15. Under Message Addressing Properties, provide the following addressing information relating to the delivery of a message to a web service. The message addressing properties define the addressing information that can be attached to the SOAP message.
    In this field Specify
    Must Understand Whether the recipients (the actor or role to which the header is targeted) are required to process the WS-Addressing headers. Recipients that cannot process a mandatory WS-Addressing header reject the message and return a SOAP fault.

    Must Understand determines the mustUnderstand attribute of the WS-Addressing headers.

      Select To
      True Indicate that processing the WS-Addressing headers is required by the recipients.

    If you select True for Must Understand and the SOAP node receives a header that it does not understand or cannot process, it returns a fault.

      False Indicate that processing the WS-Addressing headers is optional. This is the default.
     
    Note: In SOAP 1.1, the values of the mustUnderstand attribute were 0 and 1 instead of True and False; however, Integration Server processes both sets of values the same way and performs any necessary conversions.

    For more information about the mustUnderstand and actor attributes in SOAP 1.1, see the Simple Object Access Protocol (SOAP) 1.1 - W3C Note 08 May 2000 specification.

    For more information about the mustUnderstand and role attributes in SOAP 1.2, see the Simple Object Access Protocol (SOAP) 1.2 specification.

    Role Target of the WS-Addressing headers in the SOAP message. Role determines the value of the role attribute for the WS-Addressing headers. The actor or role attribute specifies a URI for the recipient of WS-Addressing header entries.
    Note: In SOAP 1.1, the role attribute is named actor; however, Integration Server processes both names the same and performs any necessary conversions.
      Select To
      Ultimate Receiver

    Indicate that the recipient is the ultimate destination of the SOAP message. This is the default.

      Next Specify the following URI for the role attribute:
    • For SOAP 1.2: "http://www.w3.org/2003/05/soap-envelope/role/next"
    • For SOAP 1.1: "http://schemas.xmlsoap.org/soap/actor/next"
      None Specify the following URI for the role attribute:
    • For SOAP 1.2: "http://www.w3.org/2003/05/soap-envelope/role/none"
    • For SOAP 1.1: "http://www.w3.org/2003/05/soap-envelope/role/none"
      Other Specify the target of the header. Typically, this will be a URI.
    To URI of the destination of the SOAP message.

    In the Reference Parameters field, specify additional parameters, if any, that correspond to <wsa:ReferenceParameters> properties of the endpoint reference to which the request is addressed. You can specify more than one reference parameter. Click the ‘+’ icon to add more rows and the ‘x’ icon to delete the rows.

    From URI of the source of the SOAP message. Enter the URI in the Address field.

    Optionally, in the Reference Parameters field, specify any additional parameters that are necessary to route the message to the destination. You can also specify optional metadata (such as WSDL or WS-Policy) about the service in the Metadata Elements field. You can specify more than one reference parameter and metadata element. Click the ‘+’ icon to add more rows and the ‘x’ icon to delete the rows.

    ReplyTo URI of the destination to which the web service sends a response (reply) message. This property is optional.
    If this value is not specified, the default value for this URI depends on the WS-Addressing policy attached to the web service descriptor. For a consumer endpoint alias, it defaults to:

    In the Reference Parameters field, specify additional parameters, if any, that correspond to <wsa:ReferenceParameters> properties of the endpoint reference to which the response message is addressed. Optionally, you can specify metadata (such as WSDL or WS-Policy) about the service in the Metadata Elements field. You can also specify Extensible Elements, which are elements other than those specified as part of the Metadata and Reference Parameters.

    You can specify more than one reference parameter, metadata element, or extensible element. Click the ‘+’ icon to add more rows and the ‘x’ icon to delete the rows.

    FaultTo URI to which the SOAP fault messages are to be routed. This property is optional.

    In the Reference Parameters field, specify additional parameters, if any, that correspond to <wsa:ReferenceParameters> properties of the endpoint reference to which the fault message is addressed. Optionally, you can specify metadata (such as WSDL or WS-Policy) about the service in the Metadata Elements field. You can also specify Extensible Elements, which are elements other than those specified as part of the Metadata and Reference Parameters. You can specify more than one reference parameter, metadata element, or extensible element. Click the ‘+’ icon to add more rows and the ‘x’ icon to delete the rows.


  16. Under Reliable Messaging Properties, check Enable to provide reliable messaging information specific to the endpoint alias you are creating.
  17. Provide the following reliable-messaging information to ensure reliable delivery of the message between a reliable messaging source and destination.
    In this field Specify
    Retransmission Interval The time interval (in milliseconds) for which a reliable messaging source waits for an acknowledgement from the reliable messaging destination before retransmitting the SOAP message. The default is 6000 milliseconds.
    Acknowledgement Interval The time interval (in milliseconds) for which the reliable messaging destination waits before sending an acknowledgement for a message sequence. Messages of the same sequence received within the specified acknowledgement interval are acknowledged in one batch. If there are no other messages to be sent to the acknowledgement endpoint within the time specified as the acknowledgement interval, the acknowledgement is sent as a stand-alone message.

    The default is 3000 milliseconds.

    Exponential Backoff Whether to use the exponential backoff algorithm to adjust the retransmission interval of unacknowledged messages. Adjusting the time interval between retransmission attempts ensures that a reliable messaging destination does not get flooded with a large number of retransmitted messages.
      Select To
      true Increase the successive retransmission intervals exponentially, based on the specified retransmission interval. For example, if the specified retransmission interval is 2 seconds, and the exponential backoff value is set to true, successive retransmission intervals will be 2, 4, 8, 16, 32, and so on if messages continue to be unacknowledged. This is the default.
      false Use the same time interval specified in the Retransmission Interval field for all retransmissions.
    Maximum Retransmission Count The number of times the reliable messaging source must retransmit a message if an acknowledgement is not received from the reliable messaging destination. To specify that there is no limit to the number of retransmission attempts, set the value of Maximum Retransmission Count to -1. The default is 10.
  18. Click Save Changes.
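
The timestamp and UsernameToken freshness rules from step 13, worked through as an added example (not Integration Server code). Function names and return strings are hypothetical; the expiry check treats Timestamp Maximum Skew as extra seconds allowed past Expires, which is an assumption about how the skew is applied.

```python
from datetime import datetime, timedelta, timezone

# The two timestamp layouts named in step 13 (note the ':' before milliseconds).
FORMAT_MILLIS = "%Y-%m-%dT%H:%M:%S:%fZ"
FORMAT_SECONDS = "%Y-%m-%dT%H:%M:%SZ"


def parse_timestamp(text):
    """Parse either layout into a timezone-aware UTC datetime."""
    for fmt in (FORMAT_MILLIS, FORMAT_SECONDS):
        try:
            return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def format_timestamp(moment, millis):
    """Render a datetime in the seconds or milliseconds layout."""
    moment = moment.astimezone(timezone.utc)
    base = moment.strftime("%Y-%m-%dT%H:%M:%S")
    return f"{base}:{moment.microsecond // 1000:03d}Z" if millis else f"{base}Z"


def outbound_timestamp(now, ttl_seconds, millis=False):
    """Created/Expires pair for an outbound message: Expires = Created + TTL."""
    if isinstance(ttl_seconds, bool) or not isinstance(ttl_seconds, int) or ttl_seconds <= 0:
        raise ValueError("Timestamp Time to Live must be an integer greater than 0")
    expires = now + timedelta(seconds=ttl_seconds)
    return format_timestamp(now, millis), format_timestamp(expires, millis)


def check_username_token(created_text, received, ttl=300, future_ttl=60):
    """Apply Username Token TTL and Username Token Future TTL (page defaults)."""
    age = (received - parse_timestamp(created_text)).total_seconds()
    if age > ttl:
        return "reject: older than Username Token TTL"
    if -age > future_ttl:
        return "reject: beyond Username Token Future TTL"
    return "accept"


def check_timestamp(created_text, expires_text, received, max_skew=0):
    """Validate an inbound Timestamp element against Timestamp Maximum Skew."""
    if max_skew < 0:
        raise ValueError("Timestamp Maximum Skew must be a positive integer or zero")
    skew = timedelta(seconds=max_skew)
    created = parse_timestamp(created_text)
    expires = parse_timestamp(expires_text)
    # Rule from the page: Created must be less than current clock time + skew.
    if not created < received + skew:
        return "reject: Created is ahead of local clock plus skew"
    # Assumption: the same skew is tolerated past Expires.
    if received > expires + skew:
        return "reject: expired"
    return "accept"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real message.
    now = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    print(outbound_timestamp(now, 300))
    print(check_username_token("2024-05-01T11:54:59Z", now))
    print(check_timestamp("2024-05-01T12:00:00Z", "2024-05-01T12:05:00Z",
                          now + timedelta(seconds=310), max_skew=30))
```

A large Username Token TTL or Timestamp Maximum Skew widens the window in which a captured token or message is still accepted, so keep both as small as clock synchronization between the hosts allows.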

Creating an Endpoint Alias for Message Addressing for Use with HTTP/S

About this task

When creating an HTTP/S web service endpoint alias for message addressing, the information you need to supply falls into the following categories:
  • Web Service Endpoint Alias. Identifies the endpoint name, description, and transport type.
  • HTTP/S Transport Properties. Specifies the authentication details that Integration Server uses to send responses. For HTTPS transport, also specifies the keystore alias and key alias of the private key used for SSL communication with the receiver of the SOAP response.

    If the web service response must be routed through a proxy server, specify the proxy server alias for the proxy server through which Integration Server routes the HTTP/S message.

  • WS Security Properties. Provides information for the WS-Security header as determined by the security policy for the web service.

    Note: WS-Security credentials such as private keys and public keys do not always need to be provided in a web service endpoint alias. If this information is not provided in the alias, Integration Server can obtain the information from other locations. For more information about usage and resolution order of certificates and keys for WS-Security, see the WS-Security Certificate and Key Requirements.
  • Message Addressing Properties. Provides addressing information relating to the delivery of the response message. This includes the reply endpoint where the replies should be sent, the fault endpoint that specifies where the faults should be sent, and optional metadata (such as WSDL or WS-Policy) about the service. This also includes additional parameters, called Reference Parameters, that Integration Server uses to route the message to the destination.
Note: You cannot delete a message addressing endpoint alias if a web service endpoint alias for provider web service descriptor is using the message addressing endpoint alias as a part of its response map.

To create a message addressing web service endpoint alias for use with HTTP/S

Procedure

  1. Open Integration Server Administrator if it is not already open.
  2. Go to Settings > Web services.
  3. Click Create Web Service Endpoint Alias.
  4. Under Web Service Endpoint Alias Properties, provide the following information:
    In this field Specify
    Alias A name for the message addressing web service endpoint alias.

    The alias name cannot include the following illegal characters:

    # ©\ & @ ^ ! % * : $ . / \ \ ` ; , ~ + = ) ( | } { ] [ > < "

    Description A description for the endpoint alias.
    Type Message Addressing
    Transport Type Specify the transport protocol used to access the web service.

    Select one of the following:

    • HTTP
    • HTTPS
  5. If you are configuring the web service endpoint for transport-based authentication such as HTTPS, specify all or a combination of the following optional fields under TransportType Transport Properties:
    In this field Specify
    Authentication Type Specify the type of authentication you want to use to authenticate the consumer.
      Select To
      Basic Use basic authentication (user name and password) to authenticate the consumer.
      Digest Use password digest to authenticate the consumer.
      NTLM Use NTLM authentication so that clients that are already logged into a domain can be authenticated using their existing credentials.
    User Name User name used to authenticate the provider at the HTTP or HTTPS transport level on the host server.
    Password The password used to authenticate the provider on the host server.
    Retype Password Re-enter the above password.
    Keystore Alias Alias to the keystore that contains the private key used to connect to the web service host securely.

    This field applies to the HTTPS transport type only.

    Key Alias Alias to the key in the keystore that contains the private key used to connect to the web service host securely. The key must be in the keystore specified in Keystore Alias.

    This field applies to the HTTPS transport type only.

  6. If web service responses must be sent through a proxy server, in the Proxy Alias field, do one of the following to specify which proxy server Integration Server uses:
    • If you want Integration Server to use a particular proxy server, specify the alias for that proxy server. Integration Server lists all the configured HTTP/S and SOCKS proxy aliases in the Proxy Alias field.
    • If you want Integration Server to use the default proxy server, leave this field blank.

    For more information about how Integration Server uses proxy servers when sending responses, see How Integration Server Uses Proxy Servers.

  7. Under WS Security Properties, specify the certificate file of the receiver of the SOAP response. This certificate is used to encrypt the outbound SOAP response and/or verify the inbound SOAP response.
    In this field Specify
    Partner's Certificate The path and file name of the certificate of the receiver of the SOAP response, which contains its public key.
  8. Under WS Security Properties, specify the following if the security policy (or policies) that will be used by this web service requires its responses to be signed, requires an X.509 authentication token to be included, or requires that SOAP message responses be encrypted:
    In this field Specify
    Keystore Alias

    Alias to the keystore that contains the private key used to:

    • Sign outbound SOAP responses
    • Include an X.509 authentication token for outbound SOAP responses
    Important: To verify response messages from this web service, the receiver must have the corresponding public key.
    Key Alias Alias to the private key used to sign and/or include an X.509 authentication token for outbound SOAP messages. The key must be in the keystore specified in Keystore Alias.
  9. Under WS Security Properties, configure how Integration Server handles timestamps in the security headers.
    In this field Specify
    Timestamp Precision Whether the timestamp is precise to the second or millisecond. If you set the precision to milliseconds, Integration Server uses the timestamp format yyyy-MM-dd'T'HH:mm:ss:SSS'Z'. If you set the precision to seconds, Integration Server uses the timestamp format yyyy-MM-dd'T'HH:mm:ss'Z'.

    If you do not select a precision value, Integration Server will use the value specified for the watt.server.ws.security.timestampPrecisionInMilliseconds parameter.

    Timestamp Time to Live The time-to-live value for the outbound message in seconds. Integration Server uses the Timestamp Time to Live value to set the expiry time in the Timestamp element of outbound messages. The Timestamp Time to Live value must be an integer greater than 0.

    If you do not specify a time-to-live value, Integration Server will use the value specified for the watt.server.ws.security.timestampTimeToLive parameter.

    Timestamp Maximum Skew The maximum number of seconds that the web services client and host clocks can differ and still allow timestamp expiry validation to succeed. Specify a positive integer or zero.

    Integration Server uses the timestamp maximum skew value only when you implement WS-Security via a WS-Policy. Integration Server validates the inbound SOAP message only when the creation timestamp of the message is less than the sum of the timestamp maximum skew value and the current system clock time.

    If you do not specify a timestamp maximum skew value, Integration Server will use the value specified for the watt.server.ws.security.timestampMaximumSkew parameter.

    For more information about timestamps in the WS-Security header, see Timestamps in the WS-Security Header.

  10. Under Message Addressing Properties, provide the following addressing information relating to the delivery of a SOAP response to the receiver. The message addressing properties define the addressing information that can be attached to the SOAP message.
    In this field Specify
    Must Understand Whether the recipients (the actor or role to which the header is targeted) are required to process the WS-Addressing headers. Recipients that cannot process a mandatory WS-Addressing header reject the message and return a SOAP fault.

    Must Understand determines the mustUnderstand attribute of the WS-Addressing headers.

      Select To
      True Indicate that processing the WS-Addressing headers is required by the recipients.

    If you select True for Must Understand and the SOAP node receives a header that it does not understand or cannot process, it returns a fault.

      False Indicate that processing the WS-Addressing headers is optional. This is the default.
     
    Note: In SOAP 1.1, the values of the mustUnderstand attribute were 0 and 1 instead of True and False; however, Integration Server processes both sets of values the same way and performs any necessary conversions.

    For more information about the mustUnderstand and actor attributes in SOAP 1.1, see the Simple Object Access Protocol (SOAP) 1.1 - W3C Note 08 May 2000.

    For more information about the mustUnderstand and role attributes in SOAP 1.2, see the Simple Object Access Protocol (SOAP) 1.2 specification.

    Role Target of the WS-Addressing headers in the SOAP message. Role determines the value of the role attribute for the WS-Addressing headers. The actor or role attribute specifies a URI for the recipient of WS-Addressing header entries.
    Note: In SOAP 1.1, the role attribute is named actor; however, Integration Server processes both names the same and performs any necessary conversions.
      Select To
      Ultimate Receiver

    Indicate that the recipient is the ultimate destination of the SOAP message. This is the default.

      Next Specify the following URI for the role attribute:
    • For SOAP 1.2: "http://www.w3.org/2003/05/soap-envelope/role/next"
    • For SOAP 1.1: "http://schemas.xmlsoap.org/soap/actor/next"
      None Specify the following URI for the role attribute:
    • For SOAP 1.2: "http://www.w3.org/2003/05/soap-envelope/role/none"
    • For SOAP 1.1: "http://www.w3.org/2003/05/soap-envelope/role/none"
      Other Specify the target of the header. Typically, this will be a URI.
    From URI of the source of the SOAP response.

    In the Reference Parameters field, specify additional parameters, if any, that correspond to <wsa:ReferenceParameters> properties of the endpoint reference. Optionally, you can specify metadata (such as WSDL or WS-Policy) about the service in the Metadata Elements field. You can also specify Extensible Elements, which are elements other than those specified as part of the Metadata and Reference Parameters. You can specify more than one reference parameter, metadata element, or extensible element. Click the ‘+’ icon to add more rows and the ‘x’ icon to delete the rows.

    ReplyTo URI to which the response (reply) messages are to be routed. This property is optional.

    If this value is not specified, the default value for this URI depends on the WS-Addressing policy attached to the web service descriptor.

    • For the Final version of WS-Addressing, ReplyTo defaults to http://www.w3.org/2005/08/addressing/anonymous.
    • For the Submission version of WS-Addressing, ReplyTo defaults to http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.

    In the Reference Parameters field, specify additional parameters, if any, that correspond to <wsa:ReferenceParameters> properties of the endpoint reference to which the response message is addressed. Optionally, you can specify metadata (such as WSDL or WS-Policy) about the service in the Metadata Elements field. You can also specify Extensible Elements, which are elements other than those specified as part of the Metadata and Reference Parameters.

    You can specify more than one reference parameter, metadata element, or extensible element. Click the ‘+’ icon to add more rows and the ‘x’ icon to delete the rows.

    FaultTo URI to which the SOAP fault messages are to be routed. This property is optional.

    In the Reference Parameters field, specify additional parameters, if any, that correspond to <wsa:ReferenceParameters> properties of the endpoint reference to which the fault message is addressed. Optionally, you can specify metadata (such as WSDL or WS-Policy) about the service in the Metadata Elements field. You can also specify Extensible Elements, which are elements other than those specified as part of the Metadata and Reference Parameters. You can specify more than one reference parameter, metadata element, or extensible element. Click the ‘+’ icon to add more rows and the ‘x’ icon to delete the rows.


  11. Click Save Changes.
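
The ReplyTo and FaultTo handling from step 10, as an added example (not Integration Server code): it separates the anonymous addresses listed above from non-anonymous ones in a SOAP request and compares the latter with the origins you expect your message addressing endpoint aliases to cover. The function names, the allow-list and the sample envelope are hypothetical and constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Anonymous addresses from the procedure, keyed by WS-Addressing namespace.
ANONYMOUS = {
    # Final version
    "http://www.w3.org/2005/08/addressing":
        "http://www.w3.org/2005/08/addressing/anonymous",
    # Submission version
    "http://schemas.xmlsoap.org/ws/2004/08/addressing":
        "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous",
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(uri):
    """Return (scheme, host, port) for an HTTP/S URI, or None if it is not one."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # malformed or out-of-range port
        return None
    return scheme, parts.hostname, port or DEFAULT_PORTS[scheme]


def classify_response_targets(envelope_xml, allowed_origins):
    """List (header, address, verdict) for each ReplyTo/FaultTo in the request.

    Verdicts: "anonymous" (response goes back on the request connection),
    "allowed" (non-anonymous, origin is on the allow-list) or "blocked".
    For untrusted input, parse with a hardened XML parser such as defusedxml.
    """
    root = ET.fromstring(envelope_xml)
    if not root.tag.startswith("{"):
        return []
    soap_ns = root.tag[1:].partition("}")[0]  # works for SOAP 1.1 and 1.2
    header = root.find(f"{{{soap_ns}}}Header")
    results = []
    if header is None:
        return results
    for wsa_ns, anonymous in ANONYMOUS.items():
        for name in ("ReplyTo", "FaultTo"):
            for epr in header.findall(f"{{{wsa_ns}}}{name}"):
                address = (epr.findtext(f"{{{wsa_ns}}}Address") or "").strip()
                if address == anonymous:
                    verdict = "anonymous"
                elif origin(address) in allowed_origins:
                    # Exact origin match, so a look-alike host does not pass.
                    verdict = "allowed"
                else:
                    verdict = "blocked"
                results.append((name, address, verdict))
    return results


# Constructed sample request (SOAP 1.2, Final version of WS-Addressing).
SAMPLE_ENVELOPE = """\
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <soap:Header>
    <wsa:To soap:mustUnderstand="true">https://is.example/ws/orders</wsa:To>
    <wsa:ReplyTo><wsa:Address>https://callbacks.partner.example/reply</wsa:Address></wsa:ReplyTo>
    <wsa:FaultTo><wsa:Address>http://192.0.2.10:8080/faults</wsa:Address></wsa:FaultTo>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""

# Hypothetical allow-list: origins your message addressing aliases are meant for.
ALLOWED_ORIGINS = {("https", "callbacks.partner.example", 443)}

if __name__ == "__main__":
    for row in classify_response_targets(SAMPLE_ENVELOPE, ALLOWED_ORIGINS):
        print(row)
```

Because a non-anonymous ReplyTo or FaultTo makes the server open an outbound connection with the credentials stored in the alias, a "blocked" result is worth logging and reviewing before a matching alias is created.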

Creating an Endpoint Alias for a Provider Web Service Descriptor for Use with JMS

About this task

If a provider web service descriptor binder specifies the JMS transport, you must assign a web service endpoint alias to the binder. For a web service descriptor that uses SOAP over JMS, the provider web service endpoint alias provides the following information:
  • JMS message header information for the request message, such as delivery mode, time to live, and the destination for replies. Integration Server uses this information to populate the binding elements in the WSDL generated for the web service descriptor.
  • The SOAP-JMS trigger that listens for SOAP over JMS messages for the web service descriptor. The SOAP-JMS trigger also provides the JMS connection information needed to create a connection on the JMS provider. Integration Server uses the information provided by the SOAP-JMS trigger to construct most of the JMS URI (the web service descriptor determines the targetService). The JMS URI appears in the WSDL document as the value of the "location=" attribute for the address element within the port element.
  • WS Security Properties that specify the information needed by the SOAP processor to decrypt and verify the inbound SOAP request and/or encrypt and sign the outbound SOAP response and the details for adding the timestamp information.

    Note: WS-Security credentials such as private keys and public keys do not always need to be provided in a web service endpoint alias. If this information is not provided in the alias, Integration Server can obtain the information from other locations. For more information about usage and resolution order of certificates and keys for WS-Security, see the Web Services Developer’s Guide.
  • Message addressing properties that provide addressing information relating to the delivery of a message to a web service. This includes the destination address of a message or fault and the authentication credentials required to send a response to a different address than the one from which the request was received.

Keep the following information in mind when creating a web service endpoint alias for a JMS binder in a provider web service descriptor:

  • You can associate the web service endpoint alias with:
    • A SOAP-JMS trigger that already exists.
    • A WS endpoint trigger that you create at the same time you create the endpoint alias.
  • If you use a SOAP-JMS trigger in the web service endpoint alias and subsequently assign the alias to a JMS binder in a provider web service descriptor, the web service descriptor has a dependency on the SOAP-JMS trigger. Consequently, at start up or when reloading the package containing the web service descriptor, Integration Server must load the SOAP-JMS trigger before loading the web service descriptor. If the SOAP-JMS trigger and web service descriptor are not in the same package, you need to create a package dependency for the package that contains the web service descriptor on the package that contains the SOAP-JMS trigger.
  • If you rename the SOAP-JMS trigger assigned to an alias, you need to update the alias to use the renamed trigger.
  • The following properties are optional.
    • Delivery Mode
    • Time to Live
    • Priority
    • Reply To Name
    • Reply To Type
    If you do not specify a value for one of the listed properties (or specify an invalid value), Integration Server will not include information for the property in the WSDL document generated for a provider web service descriptor that uses the web service endpoint alias. The absence of the property from the WSDL document instructs the web service consumer to use the default value for the property as indicated in the Java Message Service standard.

To create a provider web service endpoint alias for use with JMS

Procedure

  1. Open Integration Server Administrator if it is not already open.
  2. Go to Settings > Web services.
  3. Click Create Web Service Endpoint Alias.
  4. Under Web Service Endpoint Alias Properties, provide the following information:
    In this field Specify
    Alias

    A name for the JMS provider web service endpoint alias.

    The alias name cannot include the following illegal characters:

    # ©\ & @ ^ ! % * : $ . / \ \ ` ; , ~ + = ) ( | } { ] [ > < "

    Description A description for the endpoint alias.
    Type Provider
    Transport Type JMS
  5. Under JMS Transport Properties, provide the following information:
    In this field Specify
    JMS Trigger Name The name of the SOAP-JMS trigger used to:
    • Receive JMS messages.
    • Supply JMS connection properties to any web service descriptors using this web service endpoint alias.

    If you want to use a WS endpoint trigger, select WS Endpoint Trigger. For more information about WS endpoint triggers, see About WS Endpoint Triggers.

    Delivery Mode The message delivery mode for the request message. This is the delivery mode that web service clients must specify in the JMS message that serves as the request message for the web service.
      Select To
      PERSISTENT Indicate the request message should be persistent. The message will not be lost if the JMS provider fails.
      NON_PERSISTENT Indicate the request message is not persistent. The message might be lost if the JMS provider fails.
    Time to Live The number of milliseconds that can elapse before the request message expires on the JMS provider. A value of 0 indicates that the message does not expire.
    Priority Specifies the message priority. The JMS standard defines priority levels from 0 to 9, with 0 as the lowest priority and 9 as the highest.
    Reply To Name Name or lookup name of the destination to which the web service sends a response (reply) message. Specify a name if the JMS connection alias used by the SOAP-JMS trigger connects to the webMethods Broker natively. Specify a lookup name if the JMS connection alias uses JNDI to retrieve a connection factory that is then used to connect to the JMS provider.
    Reply To Type Type of destination to which the web service sends the response (reply) message. Specify the destination type if the following are true:
    • The web service descriptor to which the endpoint alias is assigned uses the In-Out message exchange pattern.
    • The JMS connection alias specified by the SOAP-JMS trigger connects to the webMethods Broker natively. On the webMethods Broker, a queue and topic can have the same name. You must specify Reply To Type to indicate to which destination the reply will be sent.
      Select To
      QUEUE Indicate that the web service sends the response message to a particular queue.
      TOPIC Indicate that the web service sends the request message to a particular topic.
  6. Under JMS WSDL Options, provide the following information:
    Select To
    Include Connection Factory Name Include the connection factory name in the JMS URI.
    Include JNDI Parameters Include the JNDI parameters in the JMS URI.
    Note: The JMS URI appears in the WSDL document as the location attribute value for the address element contained within the port element.
  7. Under WS Security Properties, if the inbound SOAP request must be decrypted and/or the outbound SOAP response must be signed, do the following:
    In this field Specify
    Keystore Alias

    Alias of the keystore containing the private key used to decrypt the inbound SOAP request or sign the outbound SOAP response.

    Important: The provider must have already given the consumer the corresponding public key.
    Key Alias Alias of the private key used to decrypt the request or sign the response. The key must be in the keystore specified in Keystore Alias.
  8. Under WS Security Properties, if the signing certificate chain of an inbound signed SOAP message has to be verified, specify the following:
    In this field Specify
    Truststore Alias The alias for the truststore that contains the list of CA certificates that Integration Server uses to validate the trust relationship.
  9. Under WS Security Properties, configure how Integration Server handles timestamps in the security header.
    In this field Specify
    Timestamp Precision Whether the timestamp is precise to the second or millisecond. If you set the precision to milliseconds, Integration Server uses the timestamp format yyyy-MM-dd'T'HH:mm:ss:SSS'Z'. If you set the precision to seconds, Integration Server uses the timestamp format yyyy-MM-dd'T'HH:mm:ss'Z'.

    If you do not select a precision value, Integration Server will use the value specified for the watt.server.ws.security.timestampPrecisionInMilliseconds parameter.

    Timestamp Time to Live The time-to-live value for the outbound message in seconds. Integration Server uses the time-to-live value to set the expiry time in the Timestamp element of outbound messages. The Timestamp Time to Live value must be an integer greater than 0.

    If you do not specify a Timestamp Time to Live value, Integration Server will use the value specified for the watt.server.ws.security.timestampTimeToLive parameter.

    Note: The Timestamp Time to Live value (in seconds) should be greater than the Time to Live value (in milliseconds) specified under JMS Transport Properties.
    Timestamp Maximum Skew The maximum number of seconds that the web services client and host clocks can differ and still allow timestamp expiry validation to succeed. Specify a positive integer or zero.

    Integration Server uses the timestamp maximum skew value only when you implement WS-Security via a WS-Policy. Integration Server validates the inbound SOAP message only when the creation timestamp of the message is less than the sum of the timestamp maximum skew value and the current system clock time.

    If you do not specify a timestamp maximum skew value, Integration Server will use the value specified for the watt.server.ws.security.timestampMaximumSkew parameter.

  10. Under Message Addressing Properties, provide the following addressing information relating to the delivery of the message. The message addressing properties define the addressing information that can be attached to the SOAP message.
    In this field Specify
    To URI of the destination of the SOAP message.

    In the Reference Parameters field, specify additional parameters, if any, that correspond to <wsa:ReferenceParameters> properties of the endpoint reference to which the message is addressed. Optionally, you can specify metadata (such as WSDL or WS-Policy) about the service in the Metadata Elements field. You can also specify Extensible Elements, which are elements other than those specified as part of the Metadata and Reference Parameters.

    You can specify more than one reference parameter, metadata element, or extensible element. Click the ‘+’ icon to add more rows and the ‘x’ icon to delete the rows.

    Response Map Address to which the provider will send the reply or fault message and the corresponding message addressing alias. Integration Server retrieves the authentication details needed to send the response from the message addressing alias mapped to the address.

    In the Address field, specify the URI to which the provider will send the reply or the fault message.

    From the Message Addressing Alias list, select the Message Addressing endpoint alias from which Integration Server will retrieve the authentication details. Integration Server uses the authentication details to send the response to the ReplyTo or FaultTo endpoints.

    Click the ‘+’ icon to add more rows and the ‘x’ icon to delete the rows.

  11. Click Save Changes.

Results

If you selected WS endpoint trigger for JMS Trigger Name, saving the alias creates the WS endpoint trigger. Before the WS endpoint trigger is usable, you will need to specify a destination and enable it. You can also change the values of some message processing properties. For more information about editing a WS endpoint trigger, see Editing WS Endpoint Triggers.
Note: If a provider web service endpoint alias for use with JMS specifies a WS endpoint trigger, deleting the alias also deletes the WS endpoint trigger.

Creating an Endpoint Alias for a Consumer Web Service Descriptor for Use with JMS

About this task

A web service endpoint alias for use with a consumer web service descriptor that has a JMS binder specifies how and where Integration Server sends a request message when executing a web service descriptor.

When creating a consumer web service descriptor, Integration Server extracts the JMS information from the WSDL document and saves it with the binder information in the web service descriptor. However, as indicated in the SOAP over Java Message Service standard, the only JMS information required in the WSDL is the lookup variant and the destination name. Consequently, it is possible that some information necessary to connect to the JMS provider is absent from the WSDL. Integration Server uses the information in a JMS consumer web service endpoint alias to replace or supplement the JMS information specified in the WSDL document.

When creating a consumer web service descriptor, the message addressing properties define the WS-Addressing header information that can be attached to the SOAP message.

Keep the following points in mind when creating a web service endpoint alias for use with a consumer web service descriptor with a SOAP over JMS binding:

  • A JMS consumer web service endpoint alias can specify one of the following options to connect to a JMS provider:

    • JNDI provider alias and a connection factory.
    • JMS connection alias.

    Only specify a JNDI provider alias and connection factory, or JMS connection alias, if information for connecting to the JMS provider was not included in the WSDL document used to create the consumer web service descriptor or if you want to overwrite the connection information included in the WSDL document.

    Note: Using a JMS connection alias to connect to the JMS provider might offer better performance. Keep in mind that a JMS connection alias can connect to the JMS provider by using JNDI to retrieve a connection factory and then establishing a connection or by connecting natively to the webMethods Broker.
  • If you want to use the client side queue with the web service descriptor to which the alias is assigned, you must specify a JMS connection alias as the way to connect to the JMS provider.
  • Information in the JMS consumer web service endpoint alias can supplement or replace the JMS URI information obtained from a WSDL.
  • You can use the endpoint alias to provide information for the WS-Security header as determined by the security policy for the web service. A web service security policy can require that:
    • SOAP message requests include a UserName token.
    • SOAP message responses be decrypted.
    • SOAP message requests be signed.
    • X.509 authentication be used.
    • A Timestamp element be added to the security header.
    Note: WS-Security credentials such as private keys and public keys do not always need to be provided in a web service endpoint alias. If this information is not provided in the alias, Integration Server can obtain the information from other locations. For more information about usage and resolution order of certificates and keys for WS-Security, see the WS-Security Certificate and Key Requirements.

To create a consumer web service endpoint alias for use with JMS

Procedure

  1. Open Integration Server Administrator if it is not already open.
  2. Go to Settings > Web services.
  3. Click Create Web Service Endpoint Alias.
  4. Under Web Service Endpoint Alias Properties, provide the following information:
    In this field Specify
    Alias

    A name for the JMS consumer web service endpoint alias.

    The alias name cannot include the following illegal characters:

    # ©\ & @ ^ ! % * : $ . / \ \ ` ; , ~ + = ) ( | } { ] [ > < "

    Description A description for the endpoint alias.
    Type Consumer
    Transport Type JMS
    Execute ACL ACL that governs which user groups on your server can use this web service endpoint alias. Select an ACL from the drop-down list. By default, only members of groups governed by the Internal ACL can use this alias.
  5. Under JMS Transport Properties, do the following if you want to connect to the JMS provider using a connection factory:
    In this field Specify
    Connect Using JNDI Properties
    JNDI Provider Alias The alias for the JNDI provider that Integration Server uses to look up administered objects. For information about creating a JNDI provider alias, see Creating a JNDI Provider Alias.
    Connection Factory Name The lookup name for the connection factory to use to create a connection to the JMS provider.
    Note: You need to specify a connection factory only if the WSDL document used to create the consumer web service descriptor did not specify a connection factory or you want to overwrite the connection factory.
  6. Under JMS Transport Properties, do the following if you want to connect to the JMS provider using a JMS connection alias:
    In this field Specify
    Connect Using JMS Connection Alias
    JMS Connection Alias The name of the JMS connection alias that you want Integration Server to use to connect to the JMS provider. For information about creating a JMS connection alias, see Creating a JMS Connection Alias.
  7. Under WS Security Properties, provide the following information if the WS-Security policy for this consumer web service descriptor requires that SOAP message requests include a UsernameToken.
    In this field Specify
    User Name The user name to include with the UsernameToken.
    Password The password to include with the UsernameToken (must be plain text).
    Retype Password Re-enter the above password.
  8. If the security policy (or policies) that will be used by this web service requires its requests to be signed, requires an X.509 authentication token to be included, or requires that SOAP message responses be encrypted, specify the following:
    In this field Specify
    Keystore Alias

    Alias to the keystore that contains the private key used to:

    • Sign outbound SOAP requests
    • Include an X.509 authentication token for outbound SOAP requests
    • Decrypt inbound SOAP responses

    Important: To verify messages from this consumer, the web services provider must have a copy of the corresponding public key.
    Key Alias Alias to the private key used to sign and/or include an X.509 authentication token for outbound SOAP messages and/or decrypt inbound SOAP responses. The key must be in the keystore specified in Keystore Alias.
  9. Under WS Security Properties, specify the provider's certificate file. This certificate is used to encrypt the outbound SOAP request and/or verify the inbound SOAP response.
    In this field Specify
    Partner's Certificate The path and file name of the provider's certificate, which contains its public key.
  10. Under WS Security Properties, if the security policy (or policies) that will be used by this web services consumer requires that responses be verified by a trusted authority, specify the following:
    In this field Specify
    Partner's Certificate Path and file name of the file containing the provider's certificate.
    Truststore Alias The alias for the truststore that contains the list of CA certificates that Integration Server uses to validate the trust relationship.
  11. Under WS Security Properties, configure how Integration Server handles timestamps in the security headers.
    In this field Specify
    Timestamp Precision Whether the timestamp is precise to the second or millisecond. If you set the precision to milliseconds, Integration Server uses the timestamp format yyyy-MM-dd'T'HH:mm:ss:SSS'Z'. If you set the precision to seconds, Integration Server uses the timestamp format yyyy-MM-dd'T'HH:mm:ss'Z'.

    If you do not select a precision value, Integration Server will use the value specified for the watt.server.ws.security.timestampPrecisionInMilliseconds parameter.

    Timestamp Time to Live The time-to-live value for the outbound message in seconds. Integration Server uses the Timestamp Time to Live value to set the expiry time in the Timestamp element of outbound messages. The Timestamp Time to Live value must be an integer greater than 0.

    If you do not specify a time-to-live value, Integration Server will use the value specified for the watt.server.ws.security.timestampTimeToLive parameter.

    Timestamp Maximum Skew The maximum number of seconds that the web services client and host clocks can differ and still allow timestamp expiry validation to succeed. Specify a positive integer or zero.

    Integration Server uses the timestamp maximum skew value only when you implement WS-Security via a WS-Policy. Integration Server validates the inbound SOAP message only when the creation timestamp of the message is less than the sum of the timestamp maximum skew value and the current system clock time.

    If you do not specify a timestamp maximum skew value, Integration Server will use the value specified for the watt.server.ws.security.timestampMaximumSkew parameter.

    For more information about timestamps in the WS-Security header, see Timestamps in the WS-Security Header.

  12. Under Message Addressing Properties, provide the following addressing information relating to the delivery of a message to a web service.
    In this field Specify
    Must Understand Whether the recipients (the actor or role to which the header is targeted) are required to process the WS-Addressing headers. Recipients that cannot process a mandatory WS-Addressing header reject the message and return a SOAP fault.

    Must Understand determines the mustUnderstand attribute of the WS-Addressing headers.

      Select To
      True Indicate that processing the WS-Addressing headers is required by the recipients (the actor or role to which the header is targeted).

    If you select True for Must Understand and the SOAP node receives a header that it does not understand or cannot process, it returns a fault.

      False Indicate that processing the WS-Addressing headers is optional. This is the default.
     
    Note: In SOAP 1.1, the values of the mustUnderstand attribute were 0 and 1 instead of True and False; however, Integration Server processes both sets of values the same way and performs any necessary conversions.

    For more information about the mustUnderstand and actor attributes in SOAP 1.1, see the Simple Object Access Protocol (SOAP) 1.1 - W3C Note 08 May 2000.

    For more information about the mustUnderstand and role attributes in SOAP 1.2, see the Simple Object Access Protocol (SOAP) 1.2 specification.

    Role Target of the WS-Addressing headers in the SOAP message. Role determines the value of the role attribute for the WS-Addressing headers. The actor or role attribute specifies a URI for the recipient of WS-Addressing header entries.
    Note: In SOAP 1.1, the role attribute is named actor; however, Integration Server processes both names the same way and performs any necessary conversions.
      Select To
      Ultimate Receiver

    Indicate that the recipient is the ultimate destination of the SOAP message. This is the default.

      Next Specify the following URI for the role attribute:
    • For SOAP 1.2: "http://www.w3.org/2003/05/soap-envelope/role/next"
    • For SOAP 1.1: "http://schemas.xmlsoap.org/soap/actor/next"
      None Specify the following URI for the role attribute:
    • For SOAP 1.2: "http://www.w3.org/2003/05/soap-envelope/role/none"
    • For SOAP 1.1: "http://www.w3.org/2003/05/soap-envelope/role/none"
      Other Specify the target of the header. Typically, this will be a URI.
    To URI of the destination of the SOAP request.

    In the Reference Parameters field, specify additional parameters, if any, that correspond to <wsa:ReferenceParameters> properties of the endpoint reference to which the request is addressed. You can specify more than one reference parameter. Click the ‘+’ icon to add more rows and the ‘x’ icon to delete the rows.

    From URI of the source of the SOAP message.

    In the Reference Parameters field, specify additional parameters, if any, that correspond to <wsa:ReferenceParameters> properties of the endpoint reference. Optionally, you can specify metadata (such as WSDL or WS-Policy) about the service in the Metadata Elements field. You can also specify Extensible Elements, which are elements other than those specified as part of the Metadata and Reference Parameters. You can specify more than one reference parameter, metadata element, or extensible element. Click the ‘+’ icon to add more rows and the ‘x’ icon to delete the rows.

    ReplyTo URI to which the response (reply) messages are to be routed. This property is optional.

    If this value is not specified, the default value for this URI depends on the WS-Addressing policy attached to the web service descriptor.

    • For the Final version of WS-Addressing, ReplyTo defaults to http://www.w3.org/2005/08/addressing/anonymous.
    • For the Submission version of WS-Addressing, ReplyTo defaults to http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.

    In the Reference Parameters field, specify additional parameters, if any, that correspond to <wsa:ReferenceParameters> properties of the endpoint reference to which the response message is addressed. Optionally, you can specify metadata (such as WSDL or WS-Policy) about the service in the Metadata Elements field. You can also specify Extensible Elements, which are elements other than those specified as part of the Metadata and Reference Parameters.

    You can specify more than one reference parameter, metadata element, or extensible element. Click the ‘+’ icon to add more rows and the ‘x’ icon to delete the rows.

    FaultTo URI to which the SOAP fault messages are to be routed. This property is optional.

    In the Reference Parameters field, specify additional parameters, if any, that correspond to <wsa:ReferenceParameters> properties of the endpoint reference to which the fault message is addressed. Optionally, you can specify metadata (such as WSDL or WS-Policy) about the service in the Metadata Elements field. You can also specify Extensible Elements, which are elements other than those specified as part of the Metadata and Reference Parameters. You can specify more than one reference parameter, metadata element, or extensible element. Click the ‘+’ icon to add more rows and the ‘x’ icon to delete the rows.

  13. Click Save Changes.

Creating an Endpoint Alias for Message Addressing for Use with JMS

About this task

A web service endpoint alias for message addressing for use with a web service descriptor that has a JMS binder specifies the addressing information relating to the delivery of a SOAP response to the receiver.

Keep the following points in mind when creating a web service endpoint alias for message addressing for use with a web service descriptor with a SOAP over JMS binding:

  • A JMS message addressing web service endpoint alias can specify one of the following options to connect to a JMS provider:

    • JNDI provider alias and a connection factory.
    • JMS connection alias.

    Only specify a JNDI provider alias and connection factory, or JMS connection alias, if information for connecting to the JMS provider was not included in the WSDL document used to create the consumer web service descriptor or if you want to overwrite the connection information included in the WSDL document.

    Note: Using a JMS connection alias to connect to the JMS provider might offer better performance. Keep in mind that a JMS connection alias can connect to the JMS provider by using JNDI to retrieve a connection factory and then establishing a connection or by connecting natively to the webMethods Broker.
  • You can use the endpoint alias to provide information for the WS-Security header as determined by the security policy for the web service.
    Note: WS-Security credentials such as private keys and public keys do not always need to be provided in a message addressing web service endpoint alias. If this information is not provided in the alias, Integration Server can obtain the information from other locations. For more information about usage and resolution order of certificates and keys for WS-Security, see the Web Services Developer’s Guide.
  • If you want to use the client side queue with the web service descriptor to which the alias is assigned, you must specify a JMS connection alias as the way to connect to the JMS provider.
Note: You cannot delete a message addressing endpoint alias if a web service endpoint alias for a provider web service descriptor is using the message addressing endpoint alias as a part of its response map.

To create a message addressing web service endpoint alias for use with JMS

Procedure

  1. Open Integration Server Administrator if it is not already open.
  2. Go to Settings > Web services.
  3. Click Create Web Service Endpoint Alias.
  4. Under Web Service Endpoint Alias Properties, provide the following information:
    In this field Specify
    Alias

    A name for the JMS message addressing web service endpoint alias.

    The alias name cannot include the following illegal characters:

    # ©\ & @ ^ ! % * : $ . / \ \ ` ; , ~ + = ) ( | } { ] [ > < "

    Description A description for the endpoint alias.
    Type Message Addressing
    Transport Type JMS
  5. Under JMS Transport Properties, do the following if you want to connect to the JMS provider using a connection factory:
    In this field Specify
    Connect Using JNDI Properties
    JNDI Provider Alias The alias for the JNDI provider that Integration Server uses to look up administered objects. For information about creating a JNDI provider alias, see Creating a JNDI Provider Alias.
    Connection Factory Name The lookup name for the connection factory to use to create a connection to the JMS provider.
  6. Under JMS Transport Properties, do the following if you want to connect to the JMS provider using a JMS connection alias:
    In this field Specify
    Connect Using JMS Connection Alias
    JMS Connection Alias The name of the JMS connection alias that you want Integration Server to use to connect to the JMS provider. For information about creating a JMS connection alias, see Creating a JMS Connection Alias.
  7. Under WS Security Properties, specify the certificate file of the receiver of the SOAP response. This certificate is used to encrypt the outbound SOAP response.
    In this field Specify
    Partner's Certificate The path and file name of the certificate file of the receiver of the SOAP response, which contains its public key.
  8. Under WS Security Properties, specify the following if the security policy (or policies) that will be used by this web service requires its responses to be signed, requires an X.509 authentication token to be included, or requires that SOAP message responses be encrypted.
    In this field Specify
    Keystore Alias

    Alias to the keystore that contains the private key used to:

    • Sign outbound SOAP responses
    • Include an X.509 authentication token for outbound SOAP responses
    Important: To verify response messages from this web service, the receiver must have the corresponding public key.
    Key Alias Alias to the private key used to sign and/or include an X.509 authentication token for outbound SOAP messages. The key must be in the keystore specified in Keystore Alias.
  9. Under WS Security Properties, configure how Integration Server handles timestamps in the security headers.
    In this field Specify
    Timestamp Precision Whether the timestamp is precise to the second or millisecond. If you set the precision to milliseconds, Integration Server uses the timestamp format yyyy-MM-dd'T'HH:mm:ss:SSS'Z'. If you set the precision to seconds, Integration Server uses the timestamp format yyyy-MM-dd'T'HH:mm:ss'Z'.

    If you do not select a precision value, Integration Server will use the value specified for the watt.server.ws.security.timestampPrecisionInMilliseconds parameter.

    Timestamp Time to Live The time-to-live value for the outbound message in seconds. Integration Server uses the Timestamp Time to Live value to set the expiry time in the Timestamp element of outbound messages. The Timestamp Time to Live value must be an integer greater than 0.

    If you do not specify a time-to-live value, Integration Server will use the value specified for the watt.server.ws.security.timestampTimeToLive parameter.

    Timestamp Maximum Skew The maximum number of seconds that the web services client and host clocks can differ and still allow timestamp expiry validation to succeed. Specify a positive integer or zero.

    Integration Server uses the timestamp maximum skew value only when you implement WS-Security via a WS-Policy. Integration Server validates the inbound SOAP message only when the creation timestamp of the message is less than the sum of the timestamp maximum skew value and the current system clock time.

    If you do not specify a timestamp maximum skew value, Integration Server will use the value specified for the watt.server.ws.security.timestampMaximumSkew parameter.

    For more information about timestamps in the WS-Security header, see Timestamps in the WS-Security Header.

  10. Under Message Addressing Properties, provide the following addressing information relating to the delivery of a response SOAP message to the receiver. The message addressing properties define the addressing information that can be attached to the SOAP message.
    In this field Specify
    Must Understand Whether the recipients (the actor or role to which the header is targeted) are required to process the WS-Addressing headers. Recipients that cannot process a mandatory WS-Addressing header reject the message and return a SOAP fault.

    Must Understand determines the mustUnderstand attribute of the WS-Addressing headers.

      Select To
      True Indicate that processing the WS-Addressing headers is required by the recipients.

    If you select True for Must Understand and the SOAP node receives a header that it does not understand or cannot process, it returns a fault.

      False Indicate that processing the WS-Addressing headers is optional. This is the default.
     
    Note: In SOAP 1.1, the values of the mustUnderstand attribute were 0 and 1 instead of True and False; however, Integration Server processes both sets of values the same way and performs any necessary conversions.

    For more information about the mustUnderstand and actor attributes in SOAP 1.1, see the Simple Object Access Protocol (SOAP) 1.1 - W3C Note 08 May 2000.

    For more information about the mustUnderstand and role attributes in SOAP 1.2, see the Simple Object Access Protocol (SOAP) 1.2 specification.

    Role Target of the WS-Addressing headers in the SOAP message. Role determines the value of the role attribute for the WS-Addressing headers. The actor or role attribute specifies a URI for the recipient of WS-Addressing header entries.
    Note: In SOAP 1.1, the role attribute is named actor; however, Integration Server processes both names the same way and performs any necessary conversions.
      Select To
      Ultimate Receiver

    Indicate that the recipient is the ultimate destination of the SOAP message. This is the default.

      Next Specify the following URI for the role attribute:
    • For SOAP 1.2: "http://www.w3.org/2003/05/soap-envelope/role/next"
    • For SOAP 1.1: "http://schemas.xmlsoap.org/soap/actor/next"
      None Specify the following URI for the role attribute:
    • For SOAP 1.2: "http://www.w3.org/2003/05/soap-envelope/role/none"
    • For SOAP 1.1: "http://www.w3.org/2003/05/soap-envelope/role/none"
      Other Specify the target of the header. Typically, this will be a URI.
    From URI of the source of the SOAP response.

    In the Reference Parameters field, specify additional parameters, if any, that correspond to <wsa:ReferenceParameters> properties of the endpoint reference. Optionally, you can specify metadata (such as WSDL or WS-Policy) about the service in the Metadata Elements field. You can also specify Extensible Elements, which are elements other than those specified as part of the Metadata and Reference Parameters. You can specify more than one reference parameter, metadata element, or extensible element. Click the ‘+’ icon to add more rows and the ‘x’ icon to delete the rows.

    ReplyTo URI to which the response (reply) messages are to be routed. This property is optional.

    If this value is not specified, the default value for this URI depends on the WS-Addressing policy attached to the web service descriptor.

    • For the Final version of WS-Addressing, ReplyTo defaults to http://www.w3.org/2005/08/addressing/anonymous.
    • For the Submission version of WS-Addressing, ReplyTo defaults to http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.

    In the Reference Parameters field, specify additional parameters, if any, that correspond to <wsa:ReferenceParameters> properties of the endpoint reference to which the response message is addressed. Optionally, you can specify metadata (such as WSDL or WS-Policy) about the service in the Metadata Elements field. You can also specify Extensible Elements, which are elements other than those specified as part of the Metadata and Reference Parameters.

    You can specify more than one reference parameter, metadata element, or extensible element. Click the ‘+’ icon to add more rows and the ‘x’ icon to delete the rows.

    FaultTo URI to which the SOAP fault messages are to be routed. This property is optional.

    In the Reference Parameters field, specify additional parameters, if any, that correspond to <wsa:ReferenceParameters> properties of the endpoint reference to which the fault message is addressed. Optionally, you can specify metadata (such as WSDL or WS-Policy) about the service in the Metadata Elements field. You can also specify Extensible Elements, which are elements other than those specified as part of the Metadata and Reference Parameters. You can specify more than one reference parameter, metadata element, or extensible element. Click the ‘+’ icon to add more rows and the ‘x’ icon to delete the rows.

  11. Click Save Changes.

Timestamps in the WS-Security Header

The WS-Security header can contain Timestamp elements and tokens. Integration Server uses the timestamp to specify or detect whether an outbound or inbound message expires, specifically:

  • For outbound messages, if the WS-Security policy attached to the web service descriptor includes the <sp:IncludeTimestamp/> assertion, Integration Server adds a Timestamp element, which includes the creation and expiry time, to the security header.
  • For inbound messages that contain a Timestamp token, Integration Server uses the token to verify that the message has not arrived after the expiration time.

In the web service endpoint alias, you can specify the precision of the message timestamp, the message time to live, and whether to account for any difference in the clocks on the sending and receiving machines.
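
The timestamp settings described above, as an added Python example (not Integration Server code): it builds a Timestamp element from a Timestamp Time to Live value and checks an inbound one against the two rules this page states, plus the note about the JMS Time to Live. The function names, the sample clock value, and the choice not to apply the skew to Expires are assumptions of this example.

```python
"""Added illustration of the WS-Security Timestamp settings; not Integration Server code."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# OASIS WS-Security utility namespace that defines wsu:Timestamp.
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
# Constructed sample clock reading, used by the demo at the bottom.
SAMPLE_NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def format_ts(dt, millis=False):
    """Render dt in the page's seconds or milliseconds timestamp format."""
    dt = dt.astimezone(timezone.utc)
    base = dt.strftime("%Y-%m-%dT%H:%M:%S")
    if millis:
        # yyyy-MM-dd'T'HH:mm:ss:SSS'Z': a colon, not a dot, precedes the milliseconds.
        return "%s:%03dZ" % (base, dt.microsecond // 1000)
    return base + "Z"


def parse_ts(text):
    """Parse either page format; the xsd:dateTime '.SSS' form is accepted as well."""
    text = text.strip()
    if not text.endswith("Z"):
        raise ValueError("timestamp is not UTC ('Z' suffix missing): %r" % text)
    body, millis = text[:-1], 0
    if len(body) > 19:
        sep, frac = body[19], body[20:]
        if sep not in ":." or len(frac) != 3 or not frac.isdigit():
            raise ValueError("bad millisecond field: %r" % text)
        body, millis = body[:19], int(frac)
    parsed = datetime.strptime(body, "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc) + timedelta(milliseconds=millis)


def build_timestamp(now, ttl_seconds, millis=False):
    """Outbound side: Created = now, Expires = now + Timestamp Time to Live."""
    if isinstance(ttl_seconds, bool) or not isinstance(ttl_seconds, int) or ttl_seconds <= 0:
        raise ValueError("Timestamp Time to Live must be an integer greater than 0")
    ET.register_namespace("wsu", WSU)
    ts = ET.Element("{%s}Timestamp" % WSU)
    ET.SubElement(ts, "{%s}Created" % WSU).text = format_ts(now, millis)
    expires = now + timedelta(seconds=ttl_seconds)
    ET.SubElement(ts, "{%s}Expires" % WSU).text = format_ts(expires, millis)
    return ET.tostring(ts, encoding="unicode")


def validate_timestamp(xml_text, now, max_skew_seconds=0):
    """Inbound side: return (accepted, reason) for a wsu:Timestamp element."""
    if max_skew_seconds < 0:
        raise ValueError("Timestamp Maximum Skew must be zero or a positive integer")
    ts = ET.fromstring(xml_text)  # the input in this example is constructed
    created = ts.findtext("{%s}Created" % WSU)
    expires = ts.findtext("{%s}Expires" % WSU)
    if created is None:
        return False, "no Created value"
    try:
        created_at = parse_ts(created)
        expires_at = parse_ts(expires) if expires is not None else None
    except ValueError as exc:
        return False, "unparseable timestamp: %s" % exc
    # Page rule: Created must be less than current clock time + maximum skew.
    if not created_at < now + timedelta(seconds=max_skew_seconds):
        return False, "created in the future"
    # Page rule: the message must not arrive after Expires. Skew is not applied
    # here because the page does not say that it is (assumption of this example).
    if expires_at is not None and now > expires_at:
        return False, "expired"
    return True, "ok"


def timestamp_outlives_jms(jms_ttl_ms, timestamp_ttl_s):
    """Check the note that Timestamp Time to Live should exceed the JMS Time to Live."""
    if jms_ttl_ms == 0:
        # 0 means the JMS message never expires, so no finite timestamp can outlive it.
        return False
    return timestamp_ttl_s * 1000 > jms_ttl_ms  # seconds compared with milliseconds


if __name__ == "__main__":
    header = build_timestamp(SAMPLE_NOW, 300, millis=True)
    print(header)
    for label, clock, skew in (
        ("in time", SAMPLE_NOW + timedelta(seconds=10), 0),
        ("late", SAMPLE_NOW + timedelta(seconds=301), 0),
        ("receiver 20 s behind, no skew", SAMPLE_NOW - timedelta(seconds=20), 0),
        ("receiver 20 s behind, skew 30", SAMPLE_NOW - timedelta(seconds=20), 30),
    ):
        print(label, validate_timestamp(header, clock, skew))
    print(timestamp_outlives_jms(60000, 300), timestamp_outlives_jms(600000, 300))
```

A receiver whose clock runs behind the sender rejects a fresh message unless the maximum skew covers the difference, which is the case the last two demo rows show.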