WS-Security Authentication
WS-Security authentication includes user name token authentication, timestamp validation, and encryption of WS-Security headers. This section provides you with several examples of authentication configuration.
Enable/Disable WS-Security Authentication
WS-Security user name token configuration can be found in:
<PPM_Home>/server/<PPM_Server_Name>/deploy/itg.war/WEB-INF/conf/axis2.xml.
| Variable | Meaning |
|---|---|
| <PPM_Home> | Represents the path where your PPM instance is installed. For example: xyzserver/E/PPMServer. |
| <PPM_Server_Name> | Represents the name assigned to your PPM Server during installation. For example: xyzProduction. This corresponds to the KINTANA_SERVER_NAME server.conf parameter value and does not necessarily reflect the actual host name of the server. |
By default, WS-Security authentication is enabled.
In the axis2.xml file, the following XML configuration enables WS-Security authentication. To disable WS-Security authentication, comment out all of this XML.
<module ref="rampart" />
<parameter name="InflowSecurity">
  <action>
    <items>
      UsernameToken Timestamp Encrypt
    </items>
    <passwordCallbackClass>
      com.mercury.itg.ws.core.handlers.security.PasswordCallbackHandler
    </passwordCallbackClass>
    <decryptionPropFile>
      service.properties
    </decryptionPropFile>
  </action>
</parameter>
In the InflowSecurity section, the following three action items are defined:
- UsernameToken: Specifies that the UsernameToken security credentials should be expected in received SOAP messages. The UsernameToken profile defines a set of SOAP headers to carry the username/password from the client to the server.
- Timestamp: Specifies that the Timestamp element should be validated.
- Encrypt: Specifies that encrypted messages should be decrypted.
SOAP Header Without Timestamp Data or Encryption
The following example shows a SOAP header that does not include timestamp data or encryption:
<soap:Header>
  <wsse:Security
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      soap:mustUnderstand="1">
    <wsse:UsernameToken
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="UsernameToken-25699763">
      <wsse:Username>admin</wsse:Username>
      <wsse:Password
          Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header>
Refer to the Axis2 Rampart module's documentation for more information:
http://ws.apache.org/axis2/modules/rampart/1_0/security-module.html
WS-Security Timestamp
By default, PPM enables Timestamp validation.
To disable Timestamp validation on the server side, remove "Timestamp" from the action items list as shown in the following example:
<module ref="rampart" />
<parameter name="InflowSecurity">
  <action>
    <items>
      UsernameToken Encrypt
    </items>
    <passwordCallbackClass>
      com.mercury.itg.ws.core.handlers.security.PasswordCallbackHandler
    </passwordCallbackClass>
    <decryptionPropFile>
      service.properties
    </decryptionPropFile>
  </action>
</parameter>
WS-Security Encryption
By default, PPM encrypts WS-Security user name token headers.
To disable encryption, remove "Encrypt" from the action items list as shown in the following example:
<module ref="rampart" />
<parameter name="InflowSecurity">
  <action>
    <items>
      UsernameToken Timestamp
    </items>
    <passwordCallbackClass>
      com.mercury.itg.ws.core.handlers.security.PasswordCallbackHandler
    </passwordCallbackClass>
    <decryptionPropFile>
      service.properties
    </decryptionPropFile>
  </action>
</parameter>
The following content shows an example of the service.properties file:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=ppmservice
org.apache.ws.security.crypto.merlin.file=service.jks
In this example, the Java key store file is defined as the security properties file, and the password to the key store file is ppmservice.
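The sections above describe how removing an action item or commenting out the XML turns off each WS-Security check. The following added example (not part of the PPM product or its documentation) audits an axis2.xml document and a service.properties file for those states. The function names, the constructed sample documents, and the finding strings are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

EXPECTED_ITEMS = ("UsernameToken", "Timestamp", "Encrypt")  # defaults listed on this page
PASSWORD_KEY = "org.apache.ws.security.crypto.merlin.keystore.password"
DOCUMENTED_PASSWORD = "ppmservice"  # value shown in the page's service.properties example


def audit_axis2(axis2_xml):
    """Return a list of findings for the WS-Security settings in axis2.xml text."""
    root = ET.fromstring(axis2_xml)  # the parser drops comments, so commented-out XML counts as absent
    findings = []
    if not any(m.get("ref") == "rampart" for m in root.iter("module")):
        findings.append("rampart module not engaged")
    inflow = [p for p in root.iter("parameter") if p.get("name") == "InflowSecurity"]
    if not inflow:
        return findings + ["InflowSecurity absent: WS-Security authentication is disabled"]
    items = (inflow[0].findtext("action/items") or "").split()
    findings += [f"{i} missing from action items" for i in EXPECTED_ITEMS if i not in items]
    return findings


def audit_service_properties(text):
    """Flag a keystore password left at the documented example value."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not key.lstrip().startswith("#"):
            props[key.strip()] = value.strip()
    if props.get(PASSWORD_KEY) == DOCUMENTED_PASSWORD:
        return ["keystore password is the documented example value"]
    return []


# Constructed samples: Timestamp removed, and the whole block commented out.
NO_TIMESTAMP = """<axisconfig>
  <module ref="rampart" />
  <parameter name="InflowSecurity"><action>
    <items>UsernameToken Encrypt</items>
  </action></parameter>
</axisconfig>"""
COMMENTED_OUT = """<axisconfig>
  <!-- <module ref="rampart" />
  <parameter name="InflowSecurity"><action><items>UsernameToken Timestamp Encrypt</items></action></parameter> -->
</axisconfig>"""

if __name__ == "__main__":
    for name, doc in (("no-timestamp", NO_TIMESTAMP), ("commented-out", COMMENTED_OUT)):
        print(name, audit_axis2(doc))
    print(audit_service_properties(PASSWORD_KEY + "=ppmservice"))
```

An empty list from both functions means the file matches the defaults this page describes and the keystore password differs from the documented example.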

