You can decide the best way to secure your web services. CICS® supports a number of options,
including a configurable security message handler and a separate Trust
client interface.
About this task
CICS implements Web
Services Security (WS-Security or WSS) at a pipeline level, rather
than for each web service. Answer the following questions to decide
how best to implement security.
Procedure
- Is the performance of your pipeline processing important?
The use of WSS to secure your web services incurs a significant
performance impact.
The main advantage of implementing WSS is that,
by encrypting part of a SOAP message, you can send the message through
a chain of intermediate nodes, all of which might have legitimate
reasons to look at the SOAP header to make routing or processing decisions,
but are not allowed to view the content of the message. By encrypting
only those sections that need to be confidential, you derive the following
benefits:
  - You do not incur the overhead of encrypting and decrypting at
    every node in a chain of intermediate processes.
  - You can route a confidential message over a public network of
    untrusted nodes, where only the ultimate recipient of the data can
    understand it.
As an alternative to using WSS, you can use SSL to encrypt
the whole data stream.
- If you want to use WSS, what level of security do you want?
The options range from basic authentication, where the message
header includes a user name and a password, through to combining digital
signatures and encryption in the message. The options that the CICS security handler supports
are described in
Options for securing SOAP messages.
- Does the CICS-supplied security handler meet your requirements?
If you want to perform more advanced security processing, you
must write your own custom security handler. This handler must perform
the necessary authentication of messages, either directly with RACF® or using a Security Token
Service, and handle the processing of digital certificates and encrypted
elements. See
Writing a custom security handler for
details.
- Does your pipeline include an MTOM handler?
If you are planning to enable both the MTOM handler and the security handler in your pipeline
configuration file, any MIME Multipart/Related messages are processed in compatibility mode,
because the security handler cannot parse the XOP elements in the body of the message. This
processing has a further cost in the performance of the pipeline processing.
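As an added illustration (this file is not part of the CICS documentation above), the following provider pipeline configuration shows where the answers to questions 2 and 3 end up. It assumes a SOAP 1.1 provider service that reaches the application through the CICS-supplied DFHPITP application handler, and that basic authentication (user name and password in the WS-Security header) is the chosen level; the attribute values trust="none" and mode="basic" are assumed to express that choice, and MYWSSEC is a placeholder program name for the custom-handler alternative.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Provider pipeline configuration: added example, assumed values noted inline -->
<provider_pipeline xmlns="http://www.ibm.com/software/htp/cics/pipeline">
  <service>
    <service_handler_list>
      <!-- Question 2: the CICS-supplied security handler, configured for
           basic authentication. The header must carry a user name and
           password, which CICS verifies. Assumed: trust="none" mode="basic" -->
      <wsse_handler>
        <dfhwsse_configuration version="1">
          <authentication trust="none" mode="basic"/>
        </dfhwsse_configuration>
      </wsse_handler>

      <!-- Question 3: if the supplied handler does not meet your
           requirements, replace the wsse_handler above with your own
           message handler program. MYWSSEC is a placeholder name. -->
      <!--
      <handler>
        <program>MYWSSEC</program>
        <handler_parameter_list/>
      </handler>
      -->
    </service_handler_list>
    <terminal_handler>
      <cics_soap_1.1_handler/>
    </terminal_handler>
  </service>
  <apphandler>DFHPITP</apphandler>
</provider_pipeline>
```

Question 1 is a trade-off rather than a setting in this file: choosing SSL instead of WSS is made where the inbound TCP/IP connection is defined, not in the pipeline configuration, and the MTOM handler of question 4 is a separate element that is only added if you accept the compatibility-mode cost described above.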