Support for securing web services
CICS® Transaction Server for z/OS® provides support for a number of related technologies that you can use to secure SOAP and JSON messages.
Some of these technologies are available as part of the HTTP protocol, and are equally applicable to both SOAP and JSON. Some use the Web Services Security (WSS): SOAP Message Security 1.0 specification, and are only available for SOAP. For information on the shared TCP/IP and HTTP security options, see Security for TCP/IP clients and Security for CICS web support.
For information about using SAML assertions, see Overview of SAML support.
SOAP web services security
Web Services Security (WSS): SOAP Message Security 1.0 describes the use of security tokens and digital signatures to protect and authenticate SOAP messages. For more information, see the WSS: SOAP Message Security 1.0 specification.
Web Services Security protects the privacy and integrity of SOAP messages by, respectively, protecting messages from unauthorized disclosure and preventing unauthorized and undetected modification. WSS provides this protection by digitally signing and encrypting XML elements in the message. The elements that can be protected are the body or any elements in the body or the header. You can give different levels of protection to different elements in the SOAP message.
The Web Services Trust Language specification enhances Web Services Security further by providing a framework for requesting and issuing security tokens, and managing trust relationships between web service requesters and providers. This extension to the authentication of SOAP messages enables web services to validate and exchange security tokens of different types by using a trusted third party. This third party is called a Security Token Service (STS). For more information about the Web Services Trust Language, see the WS-Trust Language specification.
- For outbound messages, CICS provides support for digital signing and encryption of the entire SOAP body. CICS can also exchange a username token for a security token of a different type with an STS.
- For inbound messages, CICS supports messages in which the body, or elements of the body and header, are encrypted or digitally signed. CICS can also exchange and validate security tokens with an STS.
CICS also provides a separate Trust client interface so that you can interact with an STS without using the CICS security handler.
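The following added example (not taken from the CICS documentation and not CICS code) shows the per-element protection described above: for a SOAP 1.1 message it reports which header blocks and whether the body are referenced by a WSS signature and carry encrypted data, and lists signature references that match no element. The sample message, the urn:example:app header, and the function name protection_report are constructed for illustration; the check is structural only and does not verify the signature value.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
XMLNS = " ".join('xmlns:%s="%s"' % item for item in NS.items())

# Constructed sample: signed and encrypted body, one unprotected header,
# and one signature reference that points at no element in the message.
SAMPLE = f"""<soap:Envelope {XMLNS}>
  <soap:Header>
    <wsse:Security><ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#body-1"/>
      <ds:Reference URI="#missing-9"/>
    </ds:SignedInfo></ds:Signature></wsse:Security>
    <app:Routing xmlns:app="urn:example:app" wsu:Id="hdr-1">queue-a</app:Routing>
  </soap:Header>
  <soap:Body wsu:Id="body-1"><xenc:EncryptedData/></soap:Body>
</soap:Envelope>"""

def protection_report(envelope_xml):
    """Structural protection per header block and body; signature value not verified."""
    root = ET.fromstring(envelope_xml)
    header = root.find("soap:Header", NS)
    body = root.find("soap:Body", NS)
    blocks = list(header) if header is not None else []
    security = [b for b in blocks if b.tag == "{%s}Security" % NS["wsse"]]
    # IDs named by ds:Reference elements inside wsse:Security signatures.
    signed_ids = {
        ref.get("URI", "")[1:]
        for sec in security
        for ref in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)
        if ref.get("URI", "").startswith("#")
    }
    present_ids = {el.get(WSU_ID) for el in root.iter() if el.get(WSU_ID)}
    targets = [b for b in blocks if b not in security] + ([body] if body is not None else [])
    report = {
        el.tag.split("}")[-1]: {
            "signed": el.get(WSU_ID) in signed_ids,
            "encrypted": el.find(".//xenc:EncryptedData", NS) is not None,
        }
        for el in targets
    }
    return report, sorted(signed_ids - present_ids)
```

A header block that shows as unsigned, or a reference that resolves to nothing, is the kind of gap to review against the protection level you intended for that element.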