Virtual service security

This section describes how security is handled by Service Virtualization. Service Virtualization supports virtualization of secured services using either HTTP transport level security or a subset of SOAP message level security.

Security components


The data is encrypted. Only an ultimate recipient can read the data.

Service Virtualization must be able to decrypt the message passed to the virtual service in order to learn the service. It must also be able to encrypt messages passed to the real service.


The data is signed. A recipient can validate that the data has not been modified during transmissions.

Service Virtualization must be able to validate signatures in messages received from clients and from the real service. It must also be able to sign messages sent to clients and the real service.


The identity of a client is transferred with the message.

Service Virtualization does not validate received client credentials. In some scenarios, incoming credentials are secured and are not directly readable. Therefore, the virtual service must have these credentials (certificates with private keys or user names with passwords) defined in Service Virtualization's Credential Store, to be able to compute the secured value and pass it to the real service.


The service validates that an authenticated client can execute the required operation.

Service Virtualization does not handle authorization. Authorization logic is left for the real service.

Back to top

Security levels

Transport Security

Transport level security is point-to-point. Security is ensured only on the transport level connection between two machines. Transport level integrity and confidentiality is ensured through SSL / TLS (HTTP(s) Proxy agent or the HTTPS Gateway agent) and transport level authentication is ensured with HTTP authentication mechanisms.

Transport authentication in service virtualization is used only in Stand-By and Learning modes to access the real service. It is transparently managed by the HTTP Gateway or HTTP(S) proxy agents. Transport authentication only requires that correctly configured credentials are available in Service Virtualization's Credential Store.

Message Security

Message level security is end-to-end. Security is ensured on the message level – security is part of message data which can be passed through many intermediaries (many connections) without revealing unsecured message content.

Message security in Service Virtualization is used for Stand-By, Learning, and Simulation modes.

Mixed Security Mixed security uses transport security to ensure confidentiality and integrity and message security to pass client credentials (authentication). This security configuration requires the use of the HTTPS agent and message security modes with names ending with OverTransport.

Back to top

See also: