WS-Security Authentication

WS-Security authentication includes user name token authentication, timestamp validation, and encryption of WS-Security headers. This section provides you with several examples of authentication configuration.

Enable/Disable WS-Security Authentication

WS-Security user name token configuration can be found in:

<PPM_Home>/server/<PPM_Server_Name>/deploy/itg.war/WEB-INF/conf/axis2.xml.

.

Variable

Meaning

<PPM_Home>

Represents the path where your PPM instance is installed.

For example: xyzserver/E/PPMServer.

<PPM_Server_Name>

Represents the name assigned to your PPM Server during installation. For example: xyzProduction. This corresponds to the KINTANA_SERVER_NAME

server.conf parameter value and does not necessarily reflect the actual host name of the server.

By default, WS-Security authentication is enabled.

axis2.xml

In the axis2.xml file, the following XML configuration enables WS-Security authentication. To disable WS-Security authentication, comment out all of this XML.

<module ref="rampart" />
<parameter name="InflowSecurity">
    <action>
    <items>
        UsernameToken Timestamp Encrypt
    </items>
    <passwordCallbackClass>
com.mercury.itg.ws.core.handlers.security.PasswordCallbackHandl
er
        </passwordCallbackClass>
        <decryptionPropFile>
            service.properties
        </decryptionPropFile>
     </action>
</parameter>

In the InflowSecurity section, the following three action items are defined:

  • UsernameToken: Specifies that the UsernameToken security credentials should be expected in received SOAP messages.

    The UsernameToken profile defines a set of SOAP headers to carry the username/password from the client to the server.

  • Timestamp: Specifies that the Timestamp element should be validated.

    The default clock skew tolerance is five minutes.

  • Encrypt: Specifies that encrypted messages should be decrypted.

SOAP Header Without Timestamp Data or Encryption

The following example shows a SOAP header that does not include timestamp data or encryption:

<soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/
wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      soap:mustUnderstand="1">
      <wsse:UsernameToken
         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-wssecurity-utility-1.0.xsd"
         wsu:Id="UsernameToken-25699763">
         <wsse:Username>admin</wsse:Username>
         <wsse:Password
            Type="http://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-username-token-profile-
1.0#PasswordText">admin</wsse:Password>
         </wsse:UsernameToken>
      </wsse:Security>
</soap:Header>

Refer to the Axis2 Rampart module's documentation for more information:

http://ws.apache.org/axis2/modules/rampart/1_0/security-module.html

WS-Security Timestamp

By default, PPM enables Timestamp validation.

To disable Timestamp validation on the server side, remove "Timestamp" from the action items list as shown in the following example:

<module ref="rampart" />
<parameter name="InflowSecurity">
    <action>
    <items>
       UsernameToken Encrypt
    </items>
    <passwordCallbackClass>
com.mercury.itg.ws.core.handlers.security.PasswordCallbackHandl
er
     </passwordCallbackClass>
     <decryptionPropFile>
       service.properties
     </decryptionPropFile>
    </action>
</parameter>

WS-Security Encryption

By default, PPM encrypts WS-Security user name token headers.

To disable encryption, remove "Encrypt" from the action items list as shown in the following example:

<module ref="rampart" />
<parameter name="InflowSecurity">
    <action>
    <items>
       UsernameToken Timestamp
    </items>
    <passwordCallbackClass>
com.mercury.itg.ws.core.handlers.security.PasswordCallbackHandl
er
    </passwordCallbackClass>
    <decryptionPropFile>
      service.properties
     </decryptionPropFile>
    </action>
</parameter>

The following content shows an example of the service.properties file:

org.apache.ws.security.crypto.provider=org.apache.ws.security.c
omponents.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=ppmservi
ce
org.apache.ws.security.crypto.merlin.file=service.jks

In this example, the java key store file is defined as the security properties file, and the password to the key store file is ppmservice.