Set Message Security
This task describes how to configure settings for the default message security modes.
Note:
- This task is part of a higher-level task. For details, see Set Security.
- To learn more about Service Virtualization security, see Virtual service security.
In the Virtual Service Editor, under Security Settings, configure one of the following security modes for your virtual service:
Certificate over transport mode uses an endorsing supporting binary token over HTTPS:
- Transport security binding
  - Algorithm suite: Basic256
  - Layout: Strict
- Endorsing supporting token
  - X509Token (WssX509V3Token10) always included to recipient
  - Inclusion type: MustSupportRefThumbprint / RequireThumbprintReference
To configure CertificateOverTransport mode:
- Prerequisites:
  - You must have created a virtual service.
  - The Service Virtualization Credential Store must contain an identity with each used client certificate.
  - Certificates must contain a private key.
- In the Virtual Service Editor, expand Security Settings. Under Message Security, select Enabled.
- In the Mode drop-down box, select CertificateOverTransport.
  Note: Do not configure Real Service Identity or Virtual Service Identity.
- Click Advanced Settings to open the Advanced Message Security Settings dialog box, and configure as follows:
  - Protection Level. This setting has no effect because encryption and signing are provided by the transport level (HTTPS).
  - Message Protection Order. This setting has no effect because encryption and signing are provided by the transport level (HTTPS).
  - Message Security Version. Only WS-Security 1.1 is supported, because this mode requires the thumbprint token inclusion type, which WS-Security 1.0 does not support.
  - Require Derived Keys. Do not change this setting.
  - Include Timestamp. This setting must be selected because the endorsing supporting token in the request must sign the Timestamp header.
  - Allow Serialized Signing Token on Reply. This setting has no effect.
DigestPasswordAndUserNameOverTransport mode requires a username security token (a UsernameToken carrying a PasswordDigest password, as in the example below) in the request message and forwards the token into the outgoing request to the real service during Learning and Standby modes. It ignores the response message, so any token present in the response is learned as part of the response. During simulation, the learned response tokens are used.
Example of the request security header containing the username token:
  <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="uuid-c7f6a73a-6da9-479c-8383-f9ae4766e1a3-26" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:Username>requestSample</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">opF+QBL2BzrO9+H7CPcp3XF1uro=</wsse:Password>
      <wsse:Nonce>aLtQ7CsnEdssRz+PrqN4Vw==</wsse:Nonce>
      <wsu:Created>2015-05-25T11:38:21Z</wsu:Created>
    </wsse:UsernameToken>
  </o:Security>
To configure DigestPasswordAndUserNameOverTransport mode:
- Prerequisites:
  - You must have created a virtual service.
  - The Service Virtualization Credential Store must contain an identity with each used client certificate.
  - Certificates must contain a private key.
- In the Virtual Service Editor, expand Security Settings. Under Message Security, select Enabled.
- In the Mode drop-down box, select DigestPasswordAndUserNameOverTransport.
  Note: Do not configure Real Service Identity, Virtual Service Identity, or Security Applied To.
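The following Python script is an added example, not part of the Service Virtualization product or of this documentation. It builds a UsernameToken of the form shown in the example above and checks it the way a receiving endpoint should: the credential store is modelled as a dictionary of user names to passwords (an assumption made here), and the digest is recomputed as Base64(SHA-1(nonce + created + password)) as defined by the WS-Security UsernameToken Profile 1.0. The verifier also rejects a stale Created value and a reused nonce, which is what makes a digest token worth forwarding rather than a plain password. The user name requestSample is taken from the example above; its password and the nonces are constructed for the demo, so the digest in the page's own header cannot be recomputed here. The digest=False branch produces the PasswordText form instead.

```python
"""Build and check a WS-Security UsernameToken with a PasswordDigest password.

Added example; not Service Virtualization code. The credential store is a plain
dict username -> password (an assumption made here).
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_DIGEST = PROFILE + "#PasswordDigest"
PASSWORD_TEXT = PROFILE + "#PasswordText"
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_token(username: str, password: str, nonce: Optional[bytes] = None,
                created: Optional[str] = None, digest: bool = True) -> str:
    """Serialize a wsse:UsernameToken; digest=False yields a PasswordText token."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password")
    pw.set("Type", PASSWORD_DIGEST if digest else PASSWORD_TEXT)
    pw.text = password_digest(nonce, created, password) if digest else password
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")


class UsernameTokenVerifier:
    """Checks a token as a receiving endpoint should: known user, fresh Created,
    unseen nonce, constant-time comparison of the digest or password."""

    def __init__(self, store: dict, max_age: timedelta = timedelta(minutes=5),
                 clock_skew: timedelta = timedelta(seconds=60)):
        self.store = store
        self.max_age = max_age
        self.clock_skew = clock_skew
        self.seen_nonces = set()  # in production, expire entries older than max_age

    def verify(self, token_xml: str, now: Optional[datetime] = None) -> str:
        """Return the authenticated user name or raise ValueError."""
        tok = ET.fromstring(token_xml)
        username = tok.findtext(f"{{{WSSE}}}Username") or ""
        pw = tok.find(f"{{{WSSE}}}Password")
        expected = self.store.get(username)
        if expected is None or pw is None:
            raise ValueError("unknown user")
        ptype = pw.get("Type", PASSWORD_TEXT)
        if ptype == PASSWORD_TEXT:
            if not hmac.compare_digest(pw.text or "", expected):
                raise ValueError("bad password")
            return username
        if ptype != PASSWORD_DIGEST:
            raise ValueError("unsupported password type")
        nonce = base64.b64decode(tok.findtext(f"{{{WSSE}}}Nonce") or "")
        created = tok.findtext(f"{{{WSU}}}Created") or ""
        now = now or datetime.now(timezone.utc)
        created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if not (now - self.max_age <= created_at <= now + self.clock_skew):
            raise ValueError("stale Created")
        if nonce in self.seen_nonces:
            raise ValueError("replayed nonce")
        if not hmac.compare_digest(pw.text or "", password_digest(nonce, created, expected)):
            raise ValueError("bad digest")
        self.seen_nonces.add(nonce)
        return username


def demo() -> dict:
    """Constructed scenario: a good token, its replay, a token with a tampered Created."""
    password = "constructed-password"
    verifier = UsernameTokenVerifier({"requestSample": password})
    now = datetime(2015, 5, 25, 11, 38, 30, tzinfo=timezone.utc)
    created = "2015-05-25T11:38:21Z"
    good = build_token("requestSample", password, b"0123456789abcdef", created)
    tampered = build_token("requestSample", password, b"fedcba9876543210", created)
    tampered = tampered.replace("11:38:21Z", "11:38:22Z")  # Created altered after signing
    results = {"first": verifier.verify(good, now)}
    for label, xml in (("replay", good), ("tampered", tampered)):
        try:
            verifier.verify(xml, now)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = str(exc)
    results["text"] = verifier.verify(build_token("requestSample", password, digest=False), now)
    return results
```

Running demo() accepts the first token, rejects its replay ("replayed nonce") and the tampered copy ("bad digest"), and accepts the PasswordText variant. Because the virtual service forwards the token rather than validating it, the replay and freshness checks belong to the real service; the example shows what that endpoint has to implement for the digest to add anything over HTTPS alone.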
MutualCertificate mode uses an asymmetric security binding (WS-Security 1.0) with both client and server certificates to secure messages over an unsecured transport (HTTP):
- Asymmetric security binding
  - Initiator token: X509Token (WssX509V3Token10) always included to recipient.
  - Recipient token: X509Token (WssX509V3Token10) never included.
  - Algorithm suite: Basic256
  - Layout: Strict
- Token inclusion type:
  - MustSupportRefKeyIdentifier
  - MustSupportRefIssueSerial
To configure MutualCertificate mode:
- Prerequisites:
  - You must have created a virtual service.
  - The Service Virtualization Credential Store must contain an identity with the real service certificate. If that certificate does not contain a private key, the Credential Store must also contain an identity for the virtual service with a certificate that does contain a private key.
  - The Credential Store must contain an identity with each used client certificate.
  - Client certificates must contain a private key.
- In the Virtual Service Editor, expand Security Settings. Under Message Security, select Enabled.
- In the Mode drop-down box, select MutualCertificate.
- In the Real Service Identity drop-down box, select an identity configured in the Credential Store.
  If the real service identity does not contain a certificate with a private key, or if you want to use a separate identity for the virtual service, select an identity configured in the Credential Store for Virtual Service Identity. This identity must contain a certificate with a private key.
- Click Advanced Settings to open the Advanced Message Security Settings dialog box, and configure as follows:
  - Protection Level. Configures the level of security applied to each message.
  - Message Protection Order. Configures the order of protection operations used to secure messages.
  - Message Security Version. Use only WS-Security 1.0.
  - Require Derived Keys. Do not change this setting.
  - Include Timestamp. This setting controls whether requests and responses must contain a security timestamp.
  - Allow Serialized Signing Token on Reply. This setting has no effect.
MutualCertificateDuplex mode uses an asymmetric security binding (WS-Security 1.0 or 1.1) with both client and server certificates to secure messages over an unsecured transport (HTTP). It differs from MutualCertificate in that the recipient's signing token is also sent back to the initiator.
- Asymmetric security binding
  - Initiator token: X509Token (WssX509V3Token10) always included to recipient.
  - Recipient token: X509Token (WssX509V3Token10) always included to initiator.
  - Algorithm suite: Basic256
  - Layout: Strict
- Token inclusion type depends on the WS-Security version configured in Advanced Settings:
  - WS-Security 1.0
    - MustSupportRefKeyIdentifier
    - MustSupportRefIssueSerial
  - WS-Security 1.1
    - MustSupportRefThumbprint / RequireThumbprintReference
To configure MutualCertificateDuplex mode:
- Prerequisites:
  - You must have created a virtual service.
  - The Service Virtualization Credential Store must contain an identity with the real service certificate. If that certificate does not contain a private key, the Credential Store must also contain an identity for the virtual service with a certificate that does contain a private key.
  - The Credential Store must contain an identity with each used client certificate.
  - Client certificates must contain a private key.
- In the Virtual Service Editor, expand Security Settings. Under Message Security, select Enabled.
- In the Mode drop-down box, select MutualCertificateDuplex.
- In the Real Service Identity drop-down box, select an identity configured in the Credential Store.
  If the real service identity does not contain a certificate with a private key, or if you want to use a separate identity for the virtual service, select an identity configured in the Credential Store for Virtual Service Identity. This identity must contain a certificate with a private key.
- Click Advanced Settings to open the Advanced Message Security Settings dialog box, and configure as follows:
  - Protection Level. Configures the level of security applied to each message.
  - Message Protection Order. Configures the order of protection operations used to secure messages.
  - Message Security Version. This setting defines how the binary token is referenced in the request message:
    - Message security versions using WS-Security 1.0 require either the issuer serial number or the key identifier of the certificate.
    - Message security versions using WS-Security 1.1 require the thumbprint of the certificate.
  - Require Derived Keys. Do not change this setting.
  - Include Timestamp. This setting controls whether requests and responses must contain a security timestamp.
  - Allow Serialized Signing Token on Reply. You must select this setting because the recipient's signing token is always sent back to the initiator.
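As an added example (not Service Virtualization code), the following Python builds the wsse:SecurityTokenReference that each inclusion type listed for MutualCertificate and MutualCertificateDuplex produces (key identifier and issuer/serial for WS-Security 1.0, SHA-1 thumbprint for WS-Security 1.1), classifies a reference found in a captured message, checks whether an endpoint configured for a given Message Security Version would accept it, and resolves it against a credential store. Certificates are constructed records carrying DER bytes, issuer name, serial number and SubjectKeyIdentifier; the DER bytes and names are made up, and the credential store is a plain list. Only the thumbprint value is a real computation (Base64 of the SHA-1 of the DER encoding), which is also what you compute when matching a captured reference to a certificate file.

```python
"""SecurityTokenReference forms for the X.509 token in MutualCertificate and
MutualCertificateDuplex messages, selected by WS-Security version.

Added example, not Service Virtualization code. A certificate is a constructed
record (DER bytes, issuer DN, serial, SubjectKeyIdentifier), so references can be
built and resolved here without an X.509 parser.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
SKI_VALUETYPE = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier")
THUMBPRINT_VALUETYPE = ("http://docs.oasis-open.org/wss/"
                        "oasis-wss-soap-message-security-1.1#ThumbprintSHA1")
BASE64_ENCODING = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
ET.register_namespace("wsse", WSSE)
ET.register_namespace("ds", DS)

# Inclusion types this page prescribes per Message Security Version.
ALLOWED = {"1.0": ("KeyIdentifier", "IssuerSerial"), "1.1": ("Thumbprint",)}
ISSUER_SERIAL = f"{{{DS}}}X509Data/{{{DS}}}X509IssuerSerial"


@dataclass(frozen=True)
class Cert:
    der: bytes      # DER-encoded certificate (constructed bytes in demo())
    issuer: str     # issuer distinguished name
    serial: int
    ski: bytes      # SubjectKeyIdentifier extension value


def thumbprint_sha1(cert: Cert) -> str:
    """WS-Security 1.1 thumbprint reference value: Base64(SHA-1(DER))."""
    return base64.b64encode(hashlib.sha1(cert.der).digest()).decode()


def token_reference(cert: Cert, wss_version: str, inclusion: str) -> str:
    """Build wsse:SecurityTokenReference, refusing inclusion types the
    configured WS-Security version does not support."""
    if inclusion not in ALLOWED.get(wss_version, ()):
        raise ValueError(f"{inclusion} reference not supported with WS-Security {wss_version}")
    ref = ET.Element(f"{{{WSSE}}}SecurityTokenReference")
    if inclusion == "IssuerSerial":
        x509 = ET.SubElement(ET.SubElement(ref, f"{{{DS}}}X509Data"), f"{{{DS}}}X509IssuerSerial")
        ET.SubElement(x509, f"{{{DS}}}X509IssuerName").text = cert.issuer
        ET.SubElement(x509, f"{{{DS}}}X509SerialNumber").text = str(cert.serial)
    else:
        ki = ET.SubElement(ref, f"{{{WSSE}}}KeyIdentifier", EncodingType=BASE64_ENCODING)
        if inclusion == "KeyIdentifier":
            ki.set("ValueType", SKI_VALUETYPE)
            ki.text = base64.b64encode(cert.ski).decode()
        else:
            ki.set("ValueType", THUMBPRINT_VALUETYPE)
            ki.text = thumbprint_sha1(cert)
    return ET.tostring(ref, encoding="unicode")


def reference_type(str_xml: str) -> str:
    """Classify a SecurityTokenReference taken from a captured message."""
    ref = ET.fromstring(str_xml)
    ki = ref.find(f"{{{WSSE}}}KeyIdentifier")
    if ki is not None:
        kinds = {SKI_VALUETYPE: "KeyIdentifier", THUMBPRINT_VALUETYPE: "Thumbprint"}
        return kinds.get(ki.get("ValueType"), "Unknown")
    return "IssuerSerial" if ref.find(ISSUER_SERIAL) is not None else "Unknown"


def accepted_by(str_xml: str, wss_version: str) -> bool:
    """Would an endpoint configured for wss_version accept this reference?"""
    return reference_type(str_xml) in ALLOWED.get(wss_version, ())


def resolve(str_xml: str, store: List[Cert]) -> Optional[Cert]:
    """Look the referenced certificate up in a (constructed) credential store."""
    ref = ET.fromstring(str_xml)
    kind = reference_type(str_xml)
    value = ref.findtext(f"{{{WSSE}}}KeyIdentifier")
    for cert in store:
        if kind == "Thumbprint" and value == thumbprint_sha1(cert):
            return cert
        if kind == "KeyIdentifier" and value == base64.b64encode(cert.ski).decode():
            return cert
        if (kind == "IssuerSerial"
                and ref.findtext(ISSUER_SERIAL + f"/{{{DS}}}X509IssuerName") == cert.issuer
                and ref.findtext(ISSUER_SERIAL + f"/{{{DS}}}X509SerialNumber") == str(cert.serial)):
            return cert
    return None


def demo() -> dict:
    """Constructed store holding a client and a real-service certificate."""
    store = [Cert(b"constructed-der-client", "CN=Constructed CA", 4660, b"\x01\x02\x03"),
             Cert(b"constructed-der-real", "CN=Constructed CA", 4661, b"\x04\x05\x06")]
    client = store[0]
    ki = token_reference(client, "1.0", "KeyIdentifier")
    iss = token_reference(client, "1.0", "IssuerSerial")
    th = token_reference(client, "1.1", "Thumbprint")
    return {
        "types": (reference_type(ki), reference_type(iss), reference_type(th)),
        "thumbprint_accepted_by_1_0": accepted_by(th, "1.0"),
        "issuer_serial_accepted_by_1_1": accepted_by(iss, "1.1"),
        "resolved_serials": tuple(resolve(x, store).serial for x in (ki, iss, th)),
    }
```

A request whose reference form does not match the configured Message Security Version (a thumbprint reference sent to a WS-Security 1.0 configuration, or an issuer/serial reference sent to a WS-Security 1.1 one) is exactly the mismatch accepted_by reports, and is the first thing to check when a MutualCertificateDuplex virtual service rejects a client that works against the real service.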
SignOnlyWithMutualCertificate mode requires a message body signature, optionally signed headers, and an X509 security token within the incoming request or response message. It adds a signature over the body and SOAP headers, and an X509 security token, to the generated request and response messages.
- Prerequisites:
  - You must have created a virtual service.
  - The Service Virtualization Credential Store must contain an identity with each used client certificate.
  - Certificates must contain a private key.
- In the Virtual Service Editor, expand Security Settings. Under Message Security, select Enabled.
- In the Mode drop-down box, select SignOnlyWithMutualCertificate.
- In the Virtual Service Identity drop-down box, select an identity configured in the Credential Store. The certificate within the request message must match the certificate of this identity.
- In the Security Applied To drop-down box, select which messages to apply the security to: request, response, or both.
  Note: Do not configure Real Service Identity.
This mode implements WS-Security encryption of the SOAP body element together with a UsernameToken security header.
Messages are always encrypted with the public key of the recipient's certificate, as follows:
- A request from the client to the virtual service is encrypted with the virtual service's certificate.
- A request from the virtual service to the real service is encrypted with the real service's certificate.
- A response from the real service to the virtual service is encrypted with the virtual service's certificate.
- A response from the virtual service to the client is encrypted with the client's certificate. The client is identified by the UsernameToken security header in the initial request; mapping the client's certificate to that user name in the Service Virtualization Credential Store lets Service Virtualization choose the correct client certificate for encrypting the response.
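The four hops above, as an added Python example that is not Service Virtualization code. It uses the cryptography package, with RSA key pairs generated in-process standing in for the certificates in the Credential Store, and AES-256-CBC content encryption with RSA-OAEP key wrapping, the algorithms of the Basic256 suite named on this page (a real message would carry them as xenc:EncryptedData and xenc:EncryptedKey elements; the example keeps the raw bytes in a dict). The CredentialStore class, the exchange function and the user name alice are constructed for the example. The point it demonstrates is that each hop is encrypted to its own recipient, that the real service cannot open the envelope addressed to the client, and that the last hop fails if the UsernameToken user name is not mapped to a client certificate.

```python
"""Hop-by-hop body encryption for the encrypted-body mode described above.

Added example, not Service Virtualization code. RSA keys generated here stand in
for the certificates in the Credential Store; Basic256 algorithms are used
(AES-256-CBC content encryption, RSA-OAEP with SHA-1/MGF1 key wrapping).
"""
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import padding as sym_padding
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.asymmetric import padding as asym_padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

OAEP = asym_padding.OAEP(mgf=asym_padding.MGF1(algorithm=hashes.SHA1()),
                         algorithm=hashes.SHA1(), label=None)


def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def encrypt_body(recipient_public_key, body: bytes) -> dict:
    """xenc style: fresh AES-256 content key, wrapped with the recipient's RSA key."""
    key, iv = os.urandom(32), os.urandom(16)
    padder = sym_padding.PKCS7(128).padder()
    padded = padder.update(body) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return {"EncryptedKey": recipient_public_key.encrypt(key, OAEP),
            "CipherValue": iv + enc.update(padded) + enc.finalize()}


def decrypt_body(recipient_private_key, envelope: dict) -> bytes:
    """Unwrap the content key (ValueError if this is not the recipient) and decrypt."""
    key = recipient_private_key.decrypt(envelope["EncryptedKey"], OAEP)
    iv, ct = envelope["CipherValue"][:16], envelope["CipherValue"][16:]
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    unpadder = sym_padding.PKCS7(128).unpadder()
    padded = dec.update(ct) + dec.finalize()
    return unpadder.update(padded) + unpadder.finalize()


class CredentialStore:
    """Constructed stand-in for the Service Virtualization Credential Store."""

    def __init__(self, client_usernames):
        self.virtual_service = new_key()
        self.real_service = new_key()
        # username -> client key. The store needs only the public half to
        # encrypt responses; the client itself holds the private half.
        self.clients = {u: new_key() for u in client_usernames}

    def client_public_key(self, username: str):
        try:
            return self.clients[username].public_key()
        except KeyError:
            raise KeyError(f"no client certificate mapped to username {username!r}") from None


def exchange(store: CredentialStore, username: str, request: bytes, response: bytes) -> dict:
    """Run the four hops and record which identity each hop was encrypted to."""
    hops = []
    # 1. client -> virtual service: encrypted with the virtual service's key
    env = encrypt_body(store.virtual_service.public_key(), request)
    hops.append("virtual service")
    request_at_vs = decrypt_body(store.virtual_service, env)
    # 2. virtual service -> real service: re-encrypted with the real service's key
    env = encrypt_body(store.real_service.public_key(), request_at_vs)
    hops.append("real service")
    request_at_real = decrypt_body(store.real_service, env)
    # 3. real service -> virtual service
    env = encrypt_body(store.virtual_service.public_key(), response)
    hops.append("virtual service")
    response_at_vs = decrypt_body(store.virtual_service, env)
    # 4. virtual service -> client, certificate chosen by the UsernameToken username
    env = encrypt_body(store.client_public_key(username), response_at_vs)
    hops.append(f"client:{username}")
    response_at_client = decrypt_body(store.clients[username], env)
    return {"hops": hops, "request_at_real": request_at_real,
            "response_at_client": response_at_client, "response_envelope": env}
```

If the user name in the request has no mapped identity, client_public_key raises before the fourth hop is encrypted, which is the failure you see when the client certificate exists in the store but under a different user name than the UsernameToken carries.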
Set security for an encrypted request and response
- In the Virtual Service Editor, expand Security Settings.
- Click Edit Credential Store, and create identities as follows:
  - Client certificate: the identity's user name must match the Username in the UsernameToken of the request.
  - Virtual service certificate with private key.
  - Real service certificate with public key.
    Note: If you have the real service certificate's private key, you can use that identity as the Virtual Service Identity and do not need an additional certificate for the virtual service.
- Under Message Security, fill in the relevant fields.
Set security for an encrypted request only
The settings are the same as above, with two exceptions:
- The client user name and certificate are not required in the Credential Store.
- Under Message Security, set the Security Applied To field to Request only.
Supporting certificate over transport mode uses a supporting binary token over HTTPS:
- Transport security binding
  - Algorithm suite: Basic256
  - Layout: Strict
- Endorsing supporting token
  - X509Token (WssX509V3Token10) always included to recipient
  - Inclusion type: MustSupportRefThumbprint / RequireThumbprintReference
To configure SupportingCertificateOverTransport mode:
- Prerequisites:
  - You must have created a virtual service.
  - The Service Virtualization Credential Store must contain an identity with each used client certificate.
- In the Virtual Service Editor, expand Security Settings. Under Message Security, select Enabled.
- In the Mode drop-down box, select SupportingCertificateOverTransport.
  Note:
  - Do not configure Real Service Identity or Virtual Service Identity.
  - This mode does not support advanced configuration.
User name over transport mode uses a signed supporting user name token over HTTPS:
- Transport security binding
  - Algorithm suite: Basic256
  - Layout depends on the WS-Security version configured in Advanced Settings:
    - WS-Security 1.0: Lax
    - WS-Security 1.1: Strict
- Endorsing supporting token
  - UserNameToken (WssUsernameToken10) always included to recipient. Only the PasswordText token type is supported.
To configure UserNameOverTransport mode:
- Prerequisites:
  - You must have created a virtual service.
  - The Service Virtualization Credential Store must contain an identity with each user name and password used for authentication to the real service.
- In the Virtual Service Editor, expand Security Settings. Under Message Security, select Enabled.
- In the Mode drop-down box, select UserNameOverTransport.
  Note: Do not configure Real Service Identity or Virtual Service Identity.
- Click Advanced Settings to open the Advanced Message Security Settings dialog box, and configure as follows:
  - Protection Level. This setting has no effect because encryption and signing are provided by the transport level (HTTPS).
  - Message Protection Order. This setting has no effect because encryption and signing are provided by the transport level (HTTPS).
  - Message Security Version. Selects the layout of the security header:
    - Message security versions using WS-Security 1.0 use the Lax layout for the security header.
    - Message security versions using WS-Security 1.1 use the Strict layout for the security header.
  - Require Derived Keys. This setting has no effect.
  - Include Timestamp. This setting controls whether requests and responses must contain a security timestamp.
  - Allow Serialized Signing Token on Reply. This setting has no effect.