SOA Inbound Security Service

The SOA Inbound Security service is used by the Web services provider and the Web services consumer to process the security part of an incoming SOAP message.

On the provider side this is a request; on the consumer side it is a response. The processing involves decryption, signature verification, and security token validation (not all of which need be present in a given message).

The following table provides an overview of the SOA Inbound Security service:

Category Description
System Name SOA Inbound Security Service
Graphical Process Modeler (GPM) categories All Services
Description This service is used by the Web services provider as well as the Web services consumer to process the security part of an incoming SOAP message: a request for the provider and a response for the consumer. The processing involves decryption, signature verification and security token validation, although not all need be present.
Business usage When a SOAP message arriving at the application (either a request or a response) is a secure message, this service is used to understand and process it so that it is compatible with the succeeding nodes/services for further processing.
Usage example On the consumer side of Web services, the response received is a secure SOAP message. In that case, this service is used to understand that secure response, which includes decryption, signature validation and security token validation. On the provider side, the request received is a secure SOAP message. In that case, this service is used to understand that secure request, which includes decryption, signature validation and security token validation.
Preconfigured? Yes. SOAInboundSecurityService_Instance
Requires third-party files? No third-party sources are required. All the required JARs (wss4j and xmlSecurity 1.3) are shipped with the application install.
Platform availability All supported application platforms
Related services This service is used by the SOA Inbound Message Processing Service to process the security header part of an incoming SOAP message.
Application requirements A private certificate for decryption, a public certificate for signature verification, and a security token for token validation are required. The document passed to this service must be a proper SOAP document.
Initiates business processes? No
Invocation This service is invoked from a business process in the case of a Web service consumer (it must be placed after the SOA Inbound Message Processing service). In the case of a Web service provider, it is invoked internally by the business process used by the provider to receive and process the SOAP request.
Business process context considerations For consumer and provider, the SOA Inbound Security service allows the user to specify the decryption certificate (private certificate), Signature Verification certificate (public certificate) and security token for processing the incoming secure SOAP message.
Returned status values:
  • Success – The service was able to understand the SOAP message.
  • Error – An error occurred while processing the security header. This can be due to wrong certificate configuration.
Restrictions There are no requirements on the usage of this service. The security arrangement between a Web service provider and consumer is agreed offline; this service comes into play only when the SOAP message is a secure SOAP message.
Persistence level System default
Testing considerations Debug information can be found either by observing the execution flow of the business process in the application user interface or by using the wssec.log. The level of logging can be controlled through the log.properties file, just as for other log files.

Implementing the SOA Inbound Security Service

To implement the SOA Inbound Security service, complete the following tasks:
  1. Create a configuration of the SOA Inbound Security service. See Managing Services and Adapters. For information about the fields specific to this service, see Configuring the SOA Inbound Security Service.
  2. Specify field settings for the service configuration in the application Admin Console and in the GPM as necessary.

Configuring the SOA Inbound Security Service

You must specify field settings in the application, using the Admin Console, and in the GPM.

Creating or Setting Up a Service Configuration in the Admin Console

Use the field definitions in the following table to create a new configuration of the SOA Inbound Security service, or to set up the configuration provided with the application. Some fields are available in both the Admin Console and in the GPM. For the fields that are available in both, the GPM field name is shown in parentheses in the table below.

Field Description
Name Unique and meaningful name for the service configuration. Required.
Description Meaningful description for the service configuration, for reference purposes. Required.
Select a Group Select one of the options:
  • None – Do not include the configuration in a service group at this time.
  • Create New Group – Enter a unique name for a new group, which will be created with this configuration. (You can then add other services to the group as well.)
  • Select Group – If service groups already exist for this service type, they are displayed in the list. Select a group from the list.
Note: See Managing Services and Adapters.

Setting Up the Service in the GPM

Use the field definitions in the following table to set up the service configuration in the GPM:

Field Description
Config Select the name of the service configuration from the list.

Configuration Parameters (Consumer)

The following parameters can be configured in the SOA Outbound Message Processing Service for adding various security headers to the SOAP message. For detailed information about what the possible values mean, refer to the WS-Security specification:

Parameter Description
Name Name that the service will have in the application
Description Description of service
Select a Group Select one of the options:
  • None – Do not include the configuration in a service group at this time.
  • Create New Group – Enter a unique name for a new group, which will be created with this configuration. (You can then add other services to the group as well.)
  • Select Group – If service groups already exist for this service type, they are displayed in the list. Select a group from the list.

Parameters Provided in Request Security Settings (Provider)

Parameter Description
Decryption Certificate The name of the private certificate that will be used to decrypt the SOAP message
UserName Tokens The name of the security token checked in to the application that will be used for validating the token in the incoming SOAP message
Verification Certificate The name of the public certificate that will be used to verify the signed SOAP request

Parameters Passed From Business Process to Service

The following table contains the parameters passed from the business process to the SOA Inbound Security service:

Parameter Description
DECRYPTION_KEY The name of the private certificate that will be used to decrypt the SOAP message (in BPML, this is the certificate ID)
SECURITY_TOKEN_NAME The name of the security token checked in to the application that will be used for validating the token in the incoming SOAP message
VERIFICATION_KEY The name of the public certificate that will be used to verify the signed SOAP request (in BPML, this is the certificate ID)
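The SECURITY_TOKEN_NAME parameter (and the "UserName Tokens" field above) refers to the security token validation step. To show what that validation involves, here is an added example, not part of the page or of the product's own code, that checks a WS-Security UsernameToken of type PasswordDigest as defined in the OASIS UsernameToken Profile 1.0: the digest is Base64(SHA-1(nonce + created + password)), the Created timestamp must be fresh, and a nonce may be accepted only once (replay detection). The envelope, the user store, the clock value SAMPLE_NOW and the five-minute skew window are all constructed for the example; the namespace URIs are the real WS-Security 1.0 values.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces from the OASIS WS-Security 1.0 specification (real values).
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")


def password_digest(nonce_b64, created, password):
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce || created || password))."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username, password, nonce_b64, created):
    """Constructed sample request carrying a digest UsernameToken (not from the page)."""
    digest = password_digest(nonce_b64, created, password)
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}"><wsse:UsernameToken>'
        f'<wsse:Username>{username}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password>'
        f'<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
        f'</wsse:UsernameToken></wsse:Security></soap:Header>'
        f'<soap:Body><helloWorld/></soap:Body></soap:Envelope>'
    )


def validate_username_token(envelope_xml, password_lookup, seen_nonces, now,
                            max_skew=timedelta(minutes=5)):
    """Return (ok, reason). password_lookup maps a username to its stored password
    (the token "checked in to the application"); seen_nonces is a shared set used
    for replay detection; now is injected so the freshness check is testable."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f"./{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
    if token is None:
        return False, "no UsernameToken in wsse:Security header"
    username = token.findtext(f"{{{WSSE_NS}}}Username")
    pw_el = token.find(f"{{{WSSE_NS}}}Password")
    nonce_b64 = token.findtext(f"{{{WSSE_NS}}}Nonce")
    created = token.findtext(f"{{{WSU_NS}}}Created")
    if pw_el is None or pw_el.get("Type") != DIGEST_TYPE:
        return False, "only PasswordDigest tokens are accepted"  # PasswordText is refused
    if not (username and nonce_b64 and created):
        return False, "token is missing Username, Nonce or Created"
    try:
        created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "Created is not a UTC xsd:dateTime"
    if abs(now - created_dt) > max_skew:
        return False, "Created is outside the freshness window"
    if nonce_b64 in seen_nonces:
        return False, "nonce already used (replay)"
    password = password_lookup(username)
    if password is None:
        return False, "unknown user"
    try:
        expected = password_digest(nonce_b64, created, password)
    except ValueError:
        return False, "Nonce is not valid Base64"
    if not hmac.compare_digest(expected, (pw_el.text or "").strip()):
        return False, "password digest mismatch"
    seen_nonces.add(nonce_b64)  # only nonces of accepted tokens are recorded
    return True, "ok"


SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock


def demo():
    """Run the validator over constructed envelopes: valid, replayed, stale, wrong password."""
    users = {"henry": "s3cret"}  # constructed user store

    def fresh_nonce():
        return base64.b64encode(os.urandom(16)).decode("ascii")

    good = build_envelope("henry", "s3cret", fresh_nonce(), "2024-05-01T12:00:00Z")
    stale = build_envelope("henry", "s3cret", fresh_nonce(), "2024-05-01T11:00:00Z")
    wrong = build_envelope("henry", "wrong", fresh_nonce(), "2024-05-01T12:00:00Z")
    seen = set()
    results = []
    for env in (good, good, stale, wrong):  # the second 'good' replays the same nonce
        results.append(validate_username_token(env, users.get, seen, SAMPLE_NOW)[1])
    return results


if __name__ == "__main__":
    print(demo())
```

The nonce set is only updated for tokens that passed every other check, so an attacker cannot fill it with unauthenticated values, and the freshness window bounds how long that set has to be kept. The constant-time comparison avoids leaking which bytes of the digest matched.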

Parameters Passed From Service to Business Process

The output is a SOAP message with the security header processed and, if the original SOAP message was encrypted, the decrypted body.

Business Process Example

Application consumer:

<process name="WS_BP2">
  <sequence name="First Seq">
    <operation name="File System Adapter">
      <participant name="WS_FSA1"/>
      <output message="FileSystemInputMessage">
        <assign to="Action">FS_EXTRACT</assign>
        <assign to="attachFile">/ais_local/share/henry/collect/helloWorld.txt</assign>
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>
    <assign name="Assign" to="HelloWorld_mod" from="//PrimaryDocument/@SCIObjectID"></assign>
    <operation name="File System Adapter">
      <participant name="WS_FSA1"/>
      <output message="FileSystemInputMessage">
        <assign to="Action">FS_EXTRACT</assign>
        <assign to="attachFile">/ais_local/share/henry/collect/mesaAuth.txt</assign>
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>
    <assign name="Assign" to="mesaAuth" from="//PrimaryDocument/@SCIObjectID"></assign>
    <operation name="executeHelloWorld_mod">
      <participant name="DS_TEST_WS4GSICLIENT_DEC_PORT1_OPE1_Instance"/>
      <output message="DS_TEST_WS4GSICLIENT_DEC_PORT1_OPE1InputMessage">
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>
    <operation name="SOA Outbound Message Processing Service">
      <participant name="SOAOutboundMsgProcessingService_Instance"/>
      <output message="SOAOutboundMsgProcessingTypeInputMessage">
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>
    <operation name="HTTP Client Begin Session Service">
      <participant name="HTTPClientBeginSession"/>
      <output message="HTTPClientBeginSessionServiceTypeInputMessage">
        <assign to="HTTPClientAdapter">HttpClientAdapter_DynamicService</assign>
        <assign to="RemoteHost">henry-edwin</assign>
        <assign to="RemotePort">38240</assign>
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>
    <operation name="HTTP Client POST Service">
      <participant name="HTTPClientPost"/>
      <output message="HTTPClientPostServiceTypeInputMessage">
        <assign to="RawRequest">true</assign>
        <assign to="RawResponse">true</assign>
        <assign to="ResponseTimeout">300</assign>
        <assign to="URI">/soap-new?service=WS4GISClient</assign>
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>
    <operation name="HTTP Client End Session Service">
      <participant name="HTTPClientEndSession"/>
      <output message="HTTPClientEndSessionServiceTypeInputMessage">
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>
    <operation name="SOA Inbound Message Processing Service">
      <participant name="SOAInboundMsgProcessingService_Instance"/>
      <output message="SOAInboundMsgProcessingServiceInputMessage">
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>
    <operation name="SOAInboundSecurityService">
      <participant name="SOAOutboundSecurity_dec1"/>
      <output message="SOAInboundSecurityServiceInputMessage">
        <assign to="DECRYPTION_KEY">henry:12:10.14.15</assign>
        <assign to="VERIFICATION_KEY">henry:45.66.99</assign>
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>
  </sequence>
</process>
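The consumer process above places the SOA Inbound Security service after the SOA Inbound Message Processing service, as the Invocation row requires, and passes it DECRYPTION_KEY and VERIFICATION_KEY. The following added example, which is not part of the page or of the product, is a small lint that checks both points across a BPML process definition. It assumes that the output message name identifies the service type (as it does in the example above: SOAInboundMsgProcessingServiceInputMessage and SOAInboundSecurityServiceInputMessage) and that document order within a sequence equals execution order; the two BPML documents it checks are constructed, and PLACEHOLDER_CERT_ID stands in for a real certificate ID.

```python
import xml.etree.ElementTree as ET

# Output message names taken from the page's BPML example; assumed to be fixed per service type.
INBOUND_MSG_PROCESSING = "SOAInboundMsgProcessingServiceInputMessage"
INBOUND_SECURITY = "SOAInboundSecurityServiceInputMessage"
# The three parameters the business process can pass to the SOA Inbound Security service.
SECURITY_PARAMS = {"DECRYPTION_KEY", "VERIFICATION_KEY", "SECURITY_TOKEN_NAME"}


def lint_inbound_security(bpml_text):
    """Return a list of findings for every SOA Inbound Security operation in the process:
    it must come after SOA Inbound Message Processing, and it should assign at least
    one of the security parameters, otherwise there is nothing to decrypt, verify or
    validate and a secure message would pass through unchecked."""
    root = ET.fromstring(bpml_text)
    findings = []
    msg_processing_seen = False
    for op in root.iter("operation"):  # document order is taken as execution order
        output = op.find("output")
        message = output.get("message") if output is not None else None
        if message == INBOUND_MSG_PROCESSING:
            msg_processing_seen = True
        elif message == INBOUND_SECURITY:
            name = op.get("name", "<unnamed>")
            if not msg_processing_seen:
                findings.append(f"{name}: placed before SOA Inbound Message Processing Service")
            assigned = {a.get("to") for a in output.findall("assign")} & SECURITY_PARAMS
            if not assigned:
                findings.append(f"{name}: none of {sorted(SECURITY_PARAMS)} is assigned")
    return findings


def _op(name, message, assigns=""):
    """Build one constructed BPML operation in the shape used by the page's example."""
    return (f'<operation name="{name}"><participant name="{name}_Instance"/>'
            f'<output message="{message}">{assigns}<assign to="." from="*"></assign></output>'
            f'<input message="inmsg"><assign to="." from="*"></assign></input></operation>')


# Constructed process that follows the documented ordering and passes a decryption key.
GOOD_BPML = ('<process name="WS_BP_good"><sequence name="First Seq">'
             + _op("Inbound Processing", INBOUND_MSG_PROCESSING)
             + _op("Inbound Security", INBOUND_SECURITY,
                   '<assign to="DECRYPTION_KEY">PLACEHOLDER_CERT_ID</assign>')
             + '</sequence></process>')

# Constructed process with the security step first and no security parameters.
BAD_BPML = ('<process name="WS_BP_bad"><sequence name="First Seq">'
            + _op("Inbound Security", INBOUND_SECURITY)
            + _op("Inbound Processing", INBOUND_MSG_PROCESSING)
            + '</sequence></process>')


if __name__ == "__main__":
    for label, doc in (("good", GOOD_BPML), ("bad", BAD_BPML)):
        print(label, lint_inbound_security(doc) or "no findings")
```

Running the lint over every process definition before deployment catches the two misconfigurations that would otherwise only surface as an Error status (or, worse, as an unverified message reaching the next node) at run time.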