Planning to secure SOAP web services

You can decide the best way to secure your web services. CICS® supports a number of options, including a configurable security message handler and a separate Trust client interface.

About this task

CICS implements Web Services Security (WS-Security or WSS) at a pipeline level, rather than for each web service. Answer the following questions to decide how best to implement security.

Procedure

  1. Is the performance of your pipeline processing important?
    The use of WSS to secure your web services incurs a significant performance impact.

    The main advantage of implementing WSS is that, by encrypting part of a SOAP message, you can send the message through a chain of intermediate nodes, all of which might have legitimate reasons to look at the SOAP header to make routing or processing decisions, but are not allowed to view the content of the message. By encrypting only those sections that need to be confidential, you derive the following benefits:

    • You do not incur the overhead of encrypting and decrypting at every node in a chain of intermediate processes.
    • You can route a confidential message over a public network of untrusted nodes, where only the ultimate recipient of the data can understand it.

    As an alternative to using WSS, you can use SSL to encrypt the whole data stream.

  2. If you want to use WSS, what level of security do you want?
    The options range from basic authentication, where the message header includes a user name and a password, through to combining digital signatures and encryption in the message. The options that the CICS security handler supports are described in Options for securing SOAP messages.
  3. Does the CICS-supplied security handler meet your requirements?
    If you want to perform more advanced security processing, you must write your own custom security handler. This handler must perform the necessary authentication of messages, either directly with RACF® or using a Security Token Service, and handle the processing of digital certificates and encrypted elements. See Writing a custom security handler for details.
  4. Does your pipeline include an MTOM handler?
    If you are planning to enable both the MTOM handler and the security handler in your pipeline configuration file, any MIME Multipart/Related messages are processed in compatibility mode, because the security handler cannot parse the XOP elements in the body of the message. This processing can have a further effect on the performance of the pipeline processing.
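    As an added illustration of the situation described in step 4 (this fragment is not from this page or from IBM's samples), a provider pipeline configuration that enables both the MTOM handler and the CICS-supplied security handler with basic authentication. Element and attribute names follow the CICS pipeline configuration schema as recalled from the product documentation and should be checked against the reference for your release; the handler order shown (MTOM outside the service, security inside it) is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: provider pipeline with MTOM + security handler. -->
<provider_pipeline xmlns="http://www.ibm.com/software/htp/cics/pipeline">

  <!-- MTOM handler: inbound MIME Multipart/Related messages are unpacked here.
       With the security handler also present, CICS falls back to
       compatibility mode, because the security handler cannot parse
       XOP elements in the SOAP body. -->
  <cics_mtom_handler>
    <dfhmtom_configuration version="1">
      <mtom_options send_mtom="yes" send_when_no_xop="no"/>
      <xop_options apphandler_supports_xop="yes"/>
    </dfhmtom_configuration>
  </cics_mtom_handler>

  <service>
    <service_handler_list>
      <!-- CICS-supplied security handler: the lowest option on the
           range described in step 2 (user name + password in the
           WS-Security header, no signature or encryption). -->
      <wsse_handler>
        <dfhwsse_configuration version="1">
          <authentication trust="none" mode="basic"/>
        </dfhwsse_configuration>
      </wsse_handler>
    </service_handler_list>
    <terminal_handler>
      <cics_soap_1.1_handler/>
    </terminal_handler>
  </service>

  <!-- Application handler that receives the message body. -->
  <apphandler>DFHPITP</apphandler>
</provider_pipeline>
```

If pipeline throughput is the overriding concern (step 1), remove the `<wsse_handler>` element and rely on SSL on the transport instead; the MTOM handler then processes XOP messages without the compatibility-mode penalty.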