SOA Outbound Security Service

The SOA Outbound Security service adds security headers to a SOAP envelope as configured in the Graphical Process Modeler (GPM).

The following table provides an overview of the SOA Outbound Security service:

Category Description
System Name SOA Outbound Security Service
Graphical Process Modeler (GPM) categories All Services
Description This service adds security headers to a SOAP envelope as configured in GPM.
Business usage Enables Web Services Security for any outbound SOAP message: the service adds WS-Security headers (signature, encryption, username token, timestamp) so that message-level security is available independently of the transport.
Usage example Used in a business process whose primary document is a SOAP envelope. After this service runs, the envelope carries additional WS-Security headers and, if encryption was configured, an encrypted SOAP body.
Preconfigured? Yes. SOAOutboundSecurityService_Instance
Requires third-party files? The WS-Security features depend on the open source modules WSS4J 1.5.1 and Apache XML Security 1.3. Both are shipped with the application, so the user does not have to add them explicitly.
Platform availability All supported application platforms
Related services Generally used before the SOA Outbound Message Processing service, which adds required HTTP Headers to the SOAP message, which can then be processed by HTTP adapters.
Application requirements Signing requires a system certificate (with its private key) generated in or imported into the application; encryption requires the other party's certificate, which must be checked into the application as a trusted certificate. Both must exist before the service is configured in the GPM. The Primary Document passed to this service is assumed to be a properly formatted SOAP envelope.
Initiates business processes? No
Invocation Can be invoked from any business process. Configure the parameters in the GPM and pass a properly formatted SOAP envelope to the service as the primary document.
Business process context considerations None
Returned status values
  • Success – Security headers were added to the envelope.
  • Error – Some parameters were wrongly configured or the SOAP envelope passed was malformed.
Restrictions All required parameters have to be entered in GPM (depending upon what headers are needed).
Persistence level System default
Testing considerations See Business usage, Usage example and Application requirements.

Implementing the SOA Outbound Security Service

To implement the SOA Outbound Security service, complete the following tasks:
  1. Create a configuration of the SOA Outbound Security service. See Managing Services and Adapters. For information about the fields specific to this service, see Configuring the SOA Outbound Security Service.
  2. Specify field settings for the service configuration in the application Admin Console and in the GPM as necessary.

Configuring the SOA Outbound Security Service

You must specify field settings in the application, using the Admin Console, and in the GPM.

Creating or Setting Up a Service Configuration in the Admin Console

Use the field definitions in the following table to create a new configuration of the SOA Outbound Security service, or to set up the configuration provided with the application. Some fields are available in both the Admin Console and in the GPM. For the fields that are available in both, the GPM field name is shown in parentheses in the table below.

Field Description
Name Unique and meaningful name for the service configuration. Required.
Description Meaningful description for the service configuration, for reference purposes. Required.
Select a Group Select one of the options:
  • None – Do not include the configuration in a service group at this time.
  • Create New Group – Enter a unique name for a new group, which will be created with this configuration. (You can then add other services to the group as well.)
  • Select Group – If service groups already exist for this service type, they are displayed in the list. Select a group from the list.
Note: See Managing Services and Adapters.

Setting Up the Service in the GPM

Use the field definitions in the following table to set up the service configuration in the GPM:

Field Description
Config Select the name of the service configuration from the list.

GPM Parameters

The following parameters can be configured in the SOA Outbound Security service to add the various security headers to the SOAP message. For the permitted values of the algorithm and key-identifier parameters, refer to the WS-Security specification and the XML Signature and XML Encryption specifications it references.

Parameter Description
SIGNING_CERTIFICATE The system certificate whose private key signs the SOAP message. Specified as a System Certificate ID; the GPM displays the available system certificates in a list.
SIGNING_ALGO The signature algorithm used to sign the SOAP message (an XML Signature algorithm URI). SHA-1 based algorithms such as rsa-sha1 are deprecated; prefer a SHA-2 variant where the receiving party supports it.
SIGNING_KEY_IDENTIFIER_TYPE How the signing key is referenced in the signature's KeyInfo inside the wsse:Security header (for example a reference to an included BinarySecurityToken, an issuer/serial pair, or a subject key identifier). Choose a form the receiving party can resolve.
CANONICALIZATION_ALGO The canonicalization applied to the signed content before it is digested, so that the signature value is interoperable between implementations that serialize XML differently. The business process example below uses Exclusive XML Canonicalization (xml-exc-c14n#).
ENCRYPTION_CERTIFICATE The certificate whose public key is used for encryption. This is the receiving party's certificate, checked into your application as a trusted certificate; the GPM displays the available trusted certificates in a list.
KEY_ENCODING_ALGO The asymmetric key-transport algorithm used to wrap the symmetric key that actually encrypts the SOAP message. It protects only the key, not the message content. rsa-1_5 (PKCS#1 v1.5 padding) is subject to known padding-oracle attacks; prefer rsa-oaep-mgf1p when the receiving party accepts it.
SYMMETRIC_KEY_ALGO The symmetric algorithm used to encrypt the SOAP message content. The symmetric key is carried in the message wrapped with KEY_ENCODING_ALGO.
ENCRYPT_KEY_IDENTIFIER_TYPE How the encryption certificate is referenced in the wsse:Security header, in the same forms as SIGNING_KEY_IDENTIFIER_TYPE.
SIGNATURE_ENCRYPTION_ORDER Specifies whether to Encrypt First or Sign First. Sign First hides the signature and the signed content from intermediaries; Encrypt First leaves the signature verifiable without the decryption key but exposes who signed. The receiving party must process the headers in the reverse order, so agree the order with it.
INSERT_USER_NAME_TOKEN Specifies whether a username token should be added to the security header.
USER_NAME_TOKEN_NAME The security token whose credentials are placed in the username token. For this drop-down to be populated, at least one security token must be configured for Web services (Deployment->Web Services->Security Token).
INSERT_TIME_STAMPS Specifies whether a timestamp security header needs to be inserted.
TIME_TO_LIVE The lifetime of the message, used to derive the Expires value from the Created value in the timestamp header. The receiving party rejects messages that arrive after Expires, so allow for transit time and clock skew.
SECURITY_HEADER_ACTOR Value of the actor attribute set on the wsse:Security header element, which addresses the header to a particular SOAP intermediary or to the ultimate receiver.
INSERT_MUSTUNDERSTAND Specifies whether to add the mustUnderstand="1" attribute to the wsse:Security header. If set, processing of the security header is mandatory: a receiver that cannot process it must return a MustUnderstand fault rather than silently ignore the header.

Parameters Passed From Service to Business Process

The following table contains the parameters passed from the SOA Outbound Security service to the business process:

Parameter Description
SOAPEnvNSPrefix The namespace prefix used on the SOAP Envelope element of the processed document
SOAPEnvNSURI The namespace URI bound to that prefix (for example http://schemas.xmlsoap.org/soap/envelope/ for a SOAP 1.1 envelope)
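The following added example (Python, written for this page; it is not IBM's code and does not call the product) shows what the Timestamp, UsernameToken, actor and mustUnderstand parameters above produce and how the SOAPEnvNSPrefix/SOAPEnvNSURI values are derived from the envelope. It builds a wsse:Security header with a UsernameToken in the PasswordDigest form of the WS-Security UsernameToken Profile 1.0, and adds the receiver-side checks a practitioner wants next to it: digest recomputation, a freshness window and a nonce replay cache. Assumptions that the page does not state: "1"/"0" mean on/off, TIME_TO_LIVE is in seconds, USER_NAME_TOKEN_NAME selects credentials from the configured security tokens (modelled as a dict), and the sample envelope, clock and nonce are constructed fixtures.

```python
# Added illustration, not IBM's code: the wsse:Security header the Timestamp /
# UsernameToken / actor / mustUnderstand parameters describe, the envelope prefix and
# URI reported back to the BP, and the checks a receiver applies to the username token.
import base64
import hashlib
import hmac
import io
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
XSD_DT = "%Y-%m-%dT%H:%M:%SZ"
for _p, _u in (("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_p, _u)

# Constructed fixtures: a stand-in for Deployment->Web Services->Security Token entries,
# a SOAP 1.1 envelope, and a fixed clock and nonce so the output is reproducible.
SECURITY_TOKENS = {"admin": ("admin", "password")}
SAMPLE_ENVELOPE = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
                   '<soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>')
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
FIXED_NONCE = b"0123456789abcdef"


def envelope_namespace(xml_text):
    """(prefix, uri) of the Envelope element, i.e. SOAPEnvNSPrefix and SOAPEnvNSURI."""
    declared = {}
    for _, (prefix, uri) in ET.iterparse(io.BytesIO(xml_text.encode()), events=("start-ns",)):
        declared.setdefault(uri, prefix)
    uri = ET.fromstring(xml_text).tag[1:].split("}")[0]   # root tag is "{uri}Envelope"
    return declared[uri], uri


def password_digest(nonce, created, password):
    """Base64(SHA-1(nonce + created + password)); nonce is the raw bytes, not its base64 form."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def add_security_header(envelope_xml, params, now=None, nonce=None):
    prefix, env_ns = envelope_namespace(envelope_xml)
    # Keep the sender's prefix; a default-namespace envelope gets one so that the
    # namespaced actor/mustUnderstand attributes below serialize with a prefix.
    ET.register_namespace(prefix or "soapenv", env_ns)
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{env_ns}}}Header")
    if header is None:
        header = ET.Element(f"{{{env_ns}}}Header")
        root.insert(0, header)                            # Header must precede Body
    sec = ET.SubElement(header, f"{{{WSSE}}}Security")
    if params.get("SECURITY_HEADER_ACTOR"):
        sec.set(f"{{{env_ns}}}actor", params["SECURITY_HEADER_ACTOR"])
    if params.get("INSERT_MUSTUNDERSTAND") == "1":
        sec.set(f"{{{env_ns}}}mustUnderstand", "1")        # receiver must fault, not ignore
    now = now or datetime.now(timezone.utc)
    created = now.strftime(XSD_DT)
    if params.get("INSERT_TIME_STAMPS") == "1":
        ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp", {f"{{{WSU}}}Id": "TS-1"})
        ET.SubElement(ts, f"{{{WSU}}}Created").text = created
        expires = now + timedelta(seconds=int(params.get("TIME_TO_LIVE", "0")))
        ET.SubElement(ts, f"{{{WSU}}}Expires").text = expires.strftime(XSD_DT)
    if params.get("INSERT_USER_NAME_TOKEN") == "1":
        user, password = SECURITY_TOKENS[params["USER_NAME_TOKEN_NAME"]]
        nonce = nonce or os.urandom(16)                   # fresh per message; receivers key replay checks on it
        tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "UT-1"})
        ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
        pw = ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": PASSWORD_DIGEST})
        pw.text = password_digest(nonce, created, password)   # the password itself never leaves
        ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
        ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(root, encoding="unicode"), {"SOAPEnvNSPrefix": prefix, "SOAPEnvNSURI": env_ns}


def security_header_summary(envelope_xml):
    """Read the header back, as a receiver such as SOA Inbound Security must before checking it."""
    root = ET.fromstring(envelope_xml)
    env_ns = root.tag[1:].split("}")[0]
    sec = root.find(f"{{{env_ns}}}Header/{{{WSSE}}}Security")
    text = lambda path: getattr(sec.find(path), "text", None)
    ut = f"{{{WSSE}}}UsernameToken/"
    return {"actor": sec.get(f"{{{env_ns}}}actor"), "mustUnderstand": sec.get(f"{{{env_ns}}}mustUnderstand"),
            "expires": text(f"{{{WSU}}}Timestamp/{{{WSU}}}Expires"), "username": text(ut + f"{{{WSSE}}}Username"),
            "nonce": text(ut + f"{{{WSSE}}}Nonce"), "created": text(ut + f"{{{WSU}}}Created"),
            "digest": text(ut + f"{{{WSSE}}}Password")}


def verify_username_token(summary, password, now, seen_nonces, max_age=300):
    """Receiver-side check: reject stale or replayed tokens, then recompute the digest."""
    if not (summary["created"] and summary["nonce"] and summary["digest"]):
        return False
    created = datetime.strptime(summary["created"], XSD_DT).replace(tzinfo=timezone.utc)
    if abs((now - created).total_seconds()) > max_age or summary["nonce"] in seen_nonces:
        return False
    expected = password_digest(base64.b64decode(summary["nonce"]), summary["created"], password)
    if not hmac.compare_digest(summary["digest"], expected):
        return False
    seen_nonces.add(summary["nonce"])                     # remember the nonce for the rest of the window
    return True


def demo():
    params = {"INSERT_TIME_STAMPS": "1", "TIME_TO_LIVE": "300", "INSERT_USER_NAME_TOKEN": "1",
              "USER_NAME_TOKEN_NAME": "admin", "SECURITY_HEADER_ACTOR": "actor1",
              "INSERT_MUSTUNDERSTAND": "1"}
    secured, context = add_security_header(SAMPLE_ENVELOPE, params, now=FIXED_NOW, nonce=FIXED_NONCE)
    return secured, context, security_header_summary(secured)
```

Signing and encryption are left out deliberately: they need an XML Signature and XML Encryption implementation (the product uses WSS4J for this), whereas the username token and timestamp can be shown with the standard library alone. The demo sets INSERT_MUSTUNDERSTAND to 1, unlike the business process example below, so that the attribute appears in the output.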

Business Process Example

The following business process uses a dynamic service created in the application to send a SOAP message over HTTP to an endpoint hosted by the same application (the application is both the consumer and the provider). The parameters of the SOA Outbound Security Service operation are those configured in the GPM; the certificate values are System Certificate and Trusted Certificate IDs from the installation where the example was captured and will differ in yours.

<process name="Dynamic_Service_SOAP_BP">
  <sequence>
    <!-- Collect the SOAP envelope to be secured; it becomes the primary document -->
    <operation name="File System Adapter">
      <participant name="test_fsa"/>
      <output message="FileSystemInputMessage">
        <assign to="Action">FS_COLLECT</assign>
        <assign to="attachFile">soapMessage.txt</assign>
        <assign to="deleteAfterCollect">false</assign>
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>
    <assign to="LightweightJDBCAdapterQuery" from="//PrimaryDocument/@SCIObjectID"></assign>
    <operation name="File System Adapter">
      <participant name="test_fsa"/>
      <output message="FileSystemInputMessage">
        <assign to="Action">FS_COLLECT</assign>
        <assign to="attachFile">mesaAuth.txt</assign>
        <assign to="deleteAfterCollect">false</assign>
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>
    <assign to="mesaAuth" from="//PrimaryDocument/@SCIObjectID"></assign>
    <!-- Invoke the dynamic service created in the application -->
    <operation name="executeLightweightJDBCAdapterQuery">
      <participant name="DS_MYTEST5_HTTPS_PORT1_OPE1_Instance"/>
      <output message="DS_MYTEST5_HTTPS_PORT1_OPE1InputMessage">
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>
    <!-- Add the WS-Security header. The certificate values are System/Trusted Certificate
         IDs from the capturing installation; the algorithm values are XML Signature and
         XML Encryption algorithm URIs. -->
    <operation name="SOAOutboundSecurityService">
      <participant name="outbsec_11sec"/>
      <output message="SOAOutboundSecurityServiceInputMessage">
        <assign to="CANONICALIZATION_ALGO">http://www.w3.org/2001/10/xml-exc-c14n#</assign>
        <assign to="ENCRYPT_KEY_IDENTIFIER_TYPE">2</assign>
        <assign to="ENCRYPTION_CERTIFICATE">blrgislin29:10.11.23.53:114f8acc4f3:13</assign>
        <assign to="INSERT_MUSTUNDERSTAND">0</assign>
        <assign to="INSERT_TIME_STAMPS">1</assign>
        <assign to="INSERT_USER_NAME_TOKEN">1</assign>
        <assign to="KEY_ENCODING_ALGO">http://www.w3.org/2001/04/xmlenc#rsa-1_5</assign>
        <assign to="SECURITY_HEADER_ACTOR">actor1</assign>
        <assign to="SIGNATURE_ENCRYPTION_ORDER">0</assign>
        <assign to="SIGNING_ALGO">http://www.w3.org/2000/09/xmldsig#rsa-sha1</assign>
        <assign to="SIGNING_CERTIFICATE">blrgislin29:10.11.23.53:114cef6bda9:1363</assign>
        <assign to="SIGNING_KEY_IDENTIFIER_TYPE">1</assign>
        <assign to="SYMMETRIC_KEY_ALGO">http://www.w3.org/2001/04/xmlenc#aes128-cbc</assign>
        <assign to="TIME_TO_LIVE">0</assign>
        <assign to="USER_NAME_TOKEN_NAME">admin</assign>
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>
    <!-- Add the HTTP headers, then send the secured message with the HTTP Client adapter -->
    <operation name="SOA Outbound Message Processing Service">
      <participant name="SOAOutboundMsgProcessingService_Instance"/>
      <output message="SOAOutboundMsgProcessingTypeInputMessage">
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>
    <operation name="HTTP Client Begin Session Service">
      <participant name="HTTPClientBeginSession"/>
      <output message="HTTPClientBeginSessionServiceTypeInputMessage">
        <assign to="HTTPClientAdapter">HttpClientAdapter_DynamicService</assign>
        <assign to="RemoteHost">10.11.23.53</assign>
        <assign to="RemotePort">9541</assign>
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>
    <operation name="HTTP Client POST Service">
      <participant name="HTTPClientPost"/>
      <output message="HTTPClientPostServiceTypeInputMessage">
        <assign to="RawRequest">true</assign>
        <assign to="RawResponse">true</assign>
        <assign to="URI">/soap-new?service=Webservice_Test</assign>
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>
    <operation name="HTTP Client End Session Service">
      <participant name="HTTPClientEndSession"/>
      <output message="HTTPClientEndSessionServiceTypeInputMessage">
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>
    <!-- Handle the response with the inbound counterparts: strip the HTTP headers,
         then decrypt and verify its WS-Security header -->
    <operation name="SOA Inbound Message Processing Service">
      <participant name="SOAInboundMsgProcessingService_Instance"/>
      <output message="SOAInboundMsgProcessingServiceInputMessage">
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>
    <operation name="SOAInboundSecurityService">
      <participant name="inbsec_11sec"/>
      <output message="SOAInboundSecurityServiceInputMessage">
        <assign to="DECRYPTION_KEY">blrgislin29:10.11.23.53:114cef6bda9:770</assign>
        <assign to="SECURITY_TOKEN_NAME">admin</assign>
        <assign to="VERIFICATION_KEY">blrgislin29:10.11.23.53:114f8acc4f3:8</assign>
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>
  </sequence>
</process>