Set Message Security
This task describes how to configure settings for the default message security modes.
Note:
- This task is part of a higher-level task. For details, see Set Security.
- To learn more about OpenText Service Virtualization security, see Virtual service security.
In the Virtual Service Editor, under Security Settings, configure one of the following security modes for your virtual service.
Configure CertificateOverTransport mode
Certificate over transport mode uses an endorsing supporting binary token over HTTPS:
- Transport security binding
  - Algorithm suite: Basic256
  - Layout: Strict
- Endorsing supporting token
  - X509Token (WssX509V3Token10), inclusion mode: always to recipient (the client certificate is carried in every request)
  - Token reference: thumbprint (MustSupportRefThumbprint / RequireThumbprintReference)
To configure CertificateOverTransport mode:
- Prerequisites:
  - You must have created a virtual service.
  - The OpenText Service Virtualization Credential Store must contain an identity for each client certificate that is used.
  - Each certificate must contain a private key, because the endorsing token is used to sign the request.
- In the Virtual Service Editor, expand Security Settings. Under Message Security, select Enabled.
- In the Mode drop-down box, select CertificateOverTransport.
  Note: Do not configure Real Service Identity or Virtual Service Identity.
- Click Advanced Settings to open the Advanced Message Security Settings dialog box, and configure as follows:
  - Protection Level. This setting has no effect, because encryption and signing are provided by the transport level (HTTPS).
  - Message Protection Order. This setting has no effect, because encryption and signing are provided by the transport level (HTTPS).
  - Message Security Version. Only WS-Security 1.1 is supported, because this mode references the signing certificate by thumbprint, and thumbprint references are not defined in WS-Security 1.0.
  - Require Derived Keys. Leave this setting unchanged.
  - Include Timestamp. This setting must be checked, because the endorsing supporting token passed in the request must sign the timestamp header.
  - Allow Serialized Signing Token on Reply. This setting has no effect.
Configure UserNameOverTransport mode
User name over transport mode uses a signed supporting user name token over HTTPS:
- Transport security binding
  - Algorithm suite: Basic256
  - Layout depends on the WS-Security version configured in Advanced Settings:
    - WS-Security 1.0: Lax
    - WS-Security 1.1: Strict
- Signed supporting token
  - UserNameToken (WssUsernameToken10), inclusion mode: always to recipient (the user name and password are carried in every request)
  - Only the PasswordText token type is supported, so the password is sent in clear text inside the SOAP header and is protected only by HTTPS.
To configure UserNameOverTransport mode:
- Prerequisites:
  - You must have created a virtual service.
  - The OpenText Service Virtualization Credential Store must contain an identity for each user name and password used to authenticate to the real service.
- In the Virtual Service Editor, expand Security Settings. Under Message Security, select Enabled.
- In the Mode drop-down box, select UserNameOverTransport.
  Note: Do not configure Real Service Identity or Virtual Service Identity.
- Click Advanced Settings to open the Advanced Message Security Settings dialog box, and configure as follows:
  - Protection Level. This setting has no effect, because encryption and signing are provided by the transport level (HTTPS).
  - Message Protection Order. This setting has no effect, because encryption and signing are provided by the transport level (HTTPS).
  - Message Security Version. This setting also selects the layout of the security header:
    - Message security versions that use WS-Security 1.0 use the Lax layout.
    - Message security versions that use WS-Security 1.1 use the Strict layout.
  - Require Derived Keys. This setting has no effect.
  - Include Timestamp. This setting controls whether requests and responses must contain a security timestamp.
  - Allow Serialized Signing Token on Reply. This setting has no effect.
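As an added check for both procedures above (example code written for this page, not OpenText Service Virtualization code): a small Python validator that inspects a captured SOAP request and reports where it departs from the configured mode. The Credential Store stand-in (STORE), the certificate DER bytes (FAKE_CLIENT_CERT_DER), the function names and both sample requests are assumptions constructed for the example. The endorsing signature is checked only structurally (X509v3 token present, ThumbprintSHA1 reference matching it, Timestamp covered by a Reference, Strict ordering of token and Timestamp before the Signature), not cryptographically.

```python
"""Check a captured SOAP request against the configured message security mode.
Added example, not OpenText Service Virtualization code: the credential store,
the certificate DER bytes and both sample requests are constructed below."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
THUMBPRINT = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
WSU_ID = "{%s}Id" % NS["wsu"]

def thumbprint_sha1(der):
    """WS-Security 1.1 ThumbprintSHA1 key identifier: base64(SHA-1(DER certificate))."""
    return base64.b64encode(hashlib.sha1(der).digest()).decode()

# Stand-in for the Credential Store (constructed; the DER bytes are not a real certificate).
FAKE_CLIENT_CERT_DER = b"\x30\x82\x01\x00fake-client-certificate"
STORE = {"certificates": {thumbprint_sha1(FAKE_CLIENT_CERT_DER): "client-identity"},
         "users": {"svc-user": "s3cret"}}

def security_header(envelope_xml):
    return ET.fromstring(envelope_xml).find("soap:Header/wsse:Security", NS)

def check_certificate_over_transport(envelope_xml, store, include_timestamp=True):
    """Endorsing X509 token: BST carried in the message, Signature referencing it by thumbprint."""
    sec = security_header(envelope_xml)
    if sec is None:
        return ["wsse:Security header missing"]
    bst, sig, ts = (sec.find(p, NS) for p in ("wsse:BinarySecurityToken", "ds:Signature", "wsu:Timestamp"))
    if bst is None or bst.get("ValueType") != X509V3 or sig is None:
        return ["X509v3 BinarySecurityToken and endorsing Signature are both required"]
    errors = []
    tp = thumbprint_sha1(base64.b64decode(bst.text))
    if tp not in store["certificates"]:
        errors.append("client certificate %s not in Credential Store" % tp)
    kid = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
    if kid is None or kid.get("ValueType") != THUMBPRINT:
        errors.append("signature must reference the token by ThumbprintSHA1 (WS-Security 1.1 only)")
    elif kid.text != tp:
        errors.append("thumbprint reference does not match the included token")
    if include_timestamp:
        signed = {r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)}
        if ts is None:
            errors.append("Timestamp missing")
        elif "#" + ts.get(WSU_ID, "") not in signed:
            errors.append("Timestamp is not signed by the endorsing token")
    # Strict layout: tokens and signed header elements come before the Signature that uses them.
    order = list(sec)
    if any(order.index(e) > order.index(sig) for e in (bst, ts) if e is not None):
        errors.append("Strict layout violated: Signature precedes the token or the Timestamp")
    return errors

def check_username_over_transport(envelope_xml, store, include_timestamp=True):
    """Signed supporting UsernameToken: PasswordText only, credentials looked up in the store."""
    sec = security_header(envelope_xml)
    if sec is None:
        return ["wsse:Security header missing"]
    unt = sec.find("wsse:UsernameToken", NS)
    if unt is None:
        return ["UsernameToken missing"]
    errors = [] if not include_timestamp or sec.find("wsu:Timestamp", NS) is not None else ["Timestamp missing"]
    user = unt.findtext("wsse:Username", default="", namespaces=NS)
    pwd = unt.find("wsse:Password", NS)
    if pwd is None or pwd.get("Type") != PASSWORD_TEXT:
        errors.append("only PasswordText is supported (PasswordDigest and other types rejected)")
    elif store["users"].get(user) != pwd.text:
        errors.append("user %r not in Credential Store or password mismatch" % user)
    return errors

def check_request(mode, url, envelope_xml, store, include_timestamp=True):
    """Both modes leave confidentiality to TLS, so a plain-http endpoint is reported first."""
    errors = [] if url.lower().startswith("https://") else [
        "message security relies on HTTPS; %s sends the token unprotected" % url]
    checker = {"CertificateOverTransport": check_certificate_over_transport,
               "UserNameOverTransport": check_username_over_transport}[mode]
    return errors + checker(envelope_xml, store, include_timestamp)

def envelope(header_xml):
    return ('<s:Envelope xmlns:s="%s" xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s"><s:Header>'
            '<wsse:Security>%s</wsse:Security></s:Header><s:Body/></s:Envelope>'
            % (NS["soap"], NS["wsse"], NS["wsu"], NS["ds"], header_xml))

# Constructed sample requests in the layout each mode produces (Timestamp, token, Signature).
CERT_REQUEST = envelope(
    '<wsu:Timestamp wsu:Id="ts-1"><wsu:Created>2024-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>'
    '<wsse:BinarySecurityToken ValueType="%s" wsu:Id="bst-1">%s</wsse:BinarySecurityToken>'
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#ts-1"/></ds:SignedInfo>'
    '<ds:SignatureValue>c2ln</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference>'
    '<wsse:KeyIdentifier ValueType="%s">%s</wsse:KeyIdentifier></wsse:SecurityTokenReference>'
    '</ds:KeyInfo></ds:Signature>'
    % (X509V3, base64.b64encode(FAKE_CLIENT_CERT_DER).decode(), THUMBPRINT, thumbprint_sha1(FAKE_CLIENT_CERT_DER)))
USER_REQUEST = envelope(
    '<wsu:Timestamp><wsu:Created>2024-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>'
    '<wsse:UsernameToken><wsse:Username>svc-user</wsse:Username>'
    '<wsse:Password Type="%s">s3cret</wsse:Password></wsse:UsernameToken>' % PASSWORD_TEXT)
```

Call check_request(mode, url, request_xml, STORE) and treat a non-empty list as a rejection. The HTTPS check runs first because in both modes the tool leaves confidentiality to the transport: Protection Level and Message Protection Order have no effect, and a PasswordText token over plain HTTP is a clear-text credential. The CertificateOverTransport branch also shows why WS-Security 1.0 cannot be selected for that mode: the KeyIdentifier ValueType it expects is the 1.1 ThumbprintSHA1 identifier.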