Message–Level Security (WS-Security Specification)

Enabling and Disabling Message–Level Security

The PPM Web service configuration is in the following file:

<PPM_Home>/server/<PPM_Server_Name>/deploy/itg.war/WEB-INF/conf/axis2.xml.

where

<PPM_Home>

represents the path where your PPM instance is installed. For example: xyzserver/E/PPMServer.

<PPM_Server_Name>

represents the name assigned to your PPM Server during installation. For example: xyzProduction.

This corresponds to the KINTANA_SERVER_NAME server.conf parameter value and does not necessarily reflect the actual host name of the server.

By default, WS-Security authentication is enabled.

In the axis2.xml file, the following XML section enables WS-Security.

Example: <module ref="rampart" />
<parameter name="InflowSecurity">
    <action>
        <items>
            UsernameToken Timestamp Encrypt
        </items>
        <passwordCallbackClass>
            mercury.itg.ws.core.handlers.security.PasswordCallbackHandler
        </passwordCallbackClass>
        <decryptionPropFile>
            service.properties
        </decryptionPropFile>
    </action>
</parameter>

To disable WS-Security authentication, comment out all of this XML.

In the InflowSecurity section (of the previously described XML), the following three action items are defined:

  • UsernameToken. Specifies that the UsernameToken security credentials should be expected in received SOAP messages. The UsernameToken profile defines a set of SOAP headers to carry the username/password from the client to the server.

  • Timestamp. Specifies that the Timestamp element should be validated. The default clock skew tolerance is five minutes.

  • Encrypt. Specifies that encrypted messages should be decrypted.

The following example shows a SOAP header that does not include timestamp data or encryption:

Example: <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   soap:mustUnderstand="1">
        <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                            wsu:Id="UsernameToken-7433399">
            <wsse:Username>admin</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
        </wsse:UsernameToken>
    </wsse:Security>
</soap:Header>
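The following script is an added example and is not PPM or Rampart code. It shows what the UsernameToken and Timestamp actions of the InflowSecurity list amount to on the receiving side: the header above is rebuilt as a constructed SOAP 1.1 envelope (the soap namespace is an assumption, since the page's snippet does not declare it), optionally with a wsu:Timestamp block, and the check applies the five-minute tolerance by requiring Created to lie within five minutes of the server clock and Expires to be no more than five minutes in the past. That reading of the tolerance is the example's own; the exact Rampart algorithm is not described on this page, and the Encrypt action is out of scope here.

```python
"""Validate an inbound wsse:Security header against an InflowSecurity action list.

Added example, not PPM or Rampart code. Namespace URIs are the standard
WS-Security 2004/01 ones; the SOAP 1.1 envelope namespace is an assumption.
"""
import datetime as dt
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # assumption: SOAP 1.1 envelope
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
CLOCK_SKEW = dt.timedelta(minutes=5)  # default tolerance stated on the page


def build_envelope(with_timestamp=True):
    """Return a constructed SOAP 1.1 envelope carrying the page's UsernameToken,
    optionally preceded by a wsu:Timestamp (all values are sample data)."""
    timestamp = (
        '<wsu:Timestamp wsu:Id="Timestamp-1">'
        "<wsu:Created>2024-01-01T11:59:00Z</wsu:Created>"
        "<wsu:Expires>2024-01-01T12:04:00Z</wsu:Expires>"
        "</wsu:Timestamp>"
        if with_timestamp else ""
    )
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" soap:mustUnderstand="1">'
        f"{timestamp}"
        '<wsse:UsernameToken wsu:Id="UsernameToken-7433399">'
        "<wsse:Username>admin</wsse:Username>"
        '<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/'
        'oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>'
        "</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body/></soap:Envelope>"
    )


def _parse_utc(text):
    """Parse an xsd:dateTime such as 2024-01-01T12:00:00Z into an aware datetime."""
    return dt.datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def check_security_header(envelope_xml, actions=("UsernameToken", "Timestamp"), now=None):
    """Return (accepted, reasons). `actions` mirrors the <items> list of the
    InflowSecurity section; `now` may be an aware datetime or an ISO string."""
    if now is None:
        now = dt.datetime.now(dt.timezone.utc)
    elif isinstance(now, str):
        now = _parse_utc(now)
    reasons = []
    root = ET.fromstring(envelope_xml)
    sec = root.find(f".//{{{WSSE}}}Security")
    if sec is None:
        return False, ["no wsse:Security header"]

    if "UsernameToken" in actions:
        tok = sec.find(f"{{{WSSE}}}UsernameToken")
        user = tok.findtext(f"{{{WSSE}}}Username", "") if tok is not None else ""
        pwd = tok.findtext(f"{{{WSSE}}}Password", "") if tok is not None else ""
        if not user.strip() or not pwd.strip():
            reasons.append("UsernameToken missing or incomplete")
        # A real server would now hand the credentials to the passwordCallbackClass.

    if "Timestamp" in actions:
        ts = sec.find(f"{{{WSU}}}Timestamp")
        if ts is None:
            reasons.append("Timestamp action required but no wsu:Timestamp present")
        else:
            try:
                created = _parse_utc(ts.findtext(f"{{{WSU}}}Created"))
                expires_text = ts.findtext(f"{{{WSU}}}Expires")
                # Interpretation of the five-minute tolerance (assumption, see lead-in).
                if abs(now - created) > CLOCK_SKEW:
                    reasons.append("Created is outside the clock-skew window")
                if expires_text and _parse_utc(expires_text) + CLOCK_SKEW < now:
                    reasons.append("Timestamp has expired")
            except (AttributeError, ValueError):
                reasons.append("Timestamp Created/Expires malformed")

    return not reasons, reasons


if __name__ == "__main__":
    print(check_security_header(build_envelope(), now="2024-01-01T12:00:00Z"))
    print(check_security_header(build_envelope(), now="2024-01-01T12:10:00Z"))
    print(check_security_header(build_envelope(with_timestamp=False)))
```

Passing `actions=("UsernameToken",)` reproduces what the server accepts once "Timestamp" has been removed from the items list: the header without a Timestamp, exactly like the one shown above, is then accepted, and a captured message can be replayed indefinitely because nothing binds it to a time window.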

Timestamp

By default, PPM enables Timestamp validation.

To disable Timestamp validation on the server side, remove the string "Timestamp" from the action items list in the InflowSecurity section, as shown in the following example:

Example: <module ref="rampart" />
<parameter name="InflowSecurity">
    <action>
        <items>
            UsernameToken Encrypt
        </items>
        <passwordCallbackClass>
            mercury.itg.ws.core.handlers.security.PasswordCallbackHandler
        </passwordCallbackClass>
        <decryptionPropFile>
            service.properties
        </decryptionPropFile>
    </action>
</parameter>
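Because both of the changes described on this page (commenting out the whole section, or dropping "Timestamp" from the items list) weaken authentication silently, an administrator will want a quick way to audit a deployed axis2.xml. The script below is an added example, not PPM or Apache Axis2 code; it assumes the usual unnamespaced <axisconfig> root of axis2.xml and builds constructed minimal configurations for the three states the page describes, then reports any deviation from the default action set.

```python
"""Audit the WS-Security InflowSecurity settings in an Axis2 axis2.xml.

Added example, not PPM or Rampart code. Assumes axis2.xml's usual
unnamespaced <axisconfig> root and the default action set the page lists.
"""
import xml.etree.ElementTree as ET

DEFAULT_ACTIONS = {"UsernameToken", "Timestamp", "Encrypt"}  # page default


def sample_config(items, commented_out=False):
    """Build a constructed minimal axis2.xml. With commented_out=True the whole
    WS-Security section is wrapped in an XML comment, as the page's disabling
    procedure describes."""
    section = (
        '<module ref="rampart" />\n'
        '<parameter name="InflowSecurity">\n'
        "  <action>\n"
        f"    <items>{items}</items>\n"
        "    <passwordCallbackClass>"
        "mercury.itg.ws.core.handlers.security.PasswordCallbackHandler"
        "</passwordCallbackClass>\n"
        "    <decryptionPropFile>service.properties</decryptionPropFile>\n"
        "  </action>\n"
        "</parameter>\n"
    )
    if commented_out:
        section = f"<!--\n{section}-->\n"
    return f'<axisconfig name="AxisJava2.0">\n{section}</axisconfig>'


def inflow_actions(axis2_xml):
    """Return the set of InflowSecurity action items, or None when the parameter
    is absent (commented-out XML is invisible to the parser, as it is to Axis2)."""
    root = ET.fromstring(axis2_xml)
    for param in root.iter("parameter"):
        if param.get("name") == "InflowSecurity":
            items = param.find("action/items")
            return set((items.text or "").split()) if items is not None else set()
    return None


def audit_inflow_security(axis2_xml):
    """Return findings as strings; an empty list means the page's defaults are intact."""
    root = ET.fromstring(axis2_xml)
    actions = inflow_actions(axis2_xml)
    if actions is None:
        return ["InflowSecurity parameter absent: WS-Security authentication is disabled"]
    findings = [
        f"action '{a}' is missing from InflowSecurity items"
        for a in sorted(DEFAULT_ACTIONS - actions)
    ]
    if not any(m.get("ref") == "rampart" for m in root.iter("module")):
        findings.append("rampart module is not engaged, so InflowSecurity is not enforced")
    return findings


if __name__ == "__main__":
    # Constructed configurations for the three states described on the page.
    cases = [
        ("default", sample_config("UsernameToken Timestamp Encrypt")),
        ("timestamp removed", sample_config("UsernameToken Encrypt")),
        ("commented out", sample_config("UsernameToken Timestamp Encrypt", commented_out=True)),
    ]
    for label, cfg in cases:
        print(f"{label}: {audit_inflow_security(cfg) or ['OK']}")
```

To run it against a real server, read `<PPM_Home>/server/<PPM_Server_Name>/deploy/itg.war/WEB-INF/conf/axis2.xml` into a string and pass it to `audit_inflow_security`; an empty result means the default UsernameToken, Timestamp and Encrypt actions are all still in force.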