Customize the security

This task describes how to how to configure special cases common to Web Service security.

By default, Web Services adds all of the defined X.509 tokens to the SOAP envelope and references them as binary tokens. It is also possible to exclude the tokens from the message and reference them with a SKI (Subject Key Identifier). This is common with tokens that are used for encryption.

  1. Add a token as described in the Add security to a Web Service script.

  2. In the script, change the value for Add to false:

    SECURITY_TOKEN, "Type=X509","LogicalName=myToken", "StoreName=My", "IDType=SubjectName", "IDValue=CN=myCert", "StoreLocation=CurrentUser", "Add=False",

  3. If necessary, set the useRFC3280 settings as described in useRFC3280 below.

  1. Locate the web_service_set_security function in the script.

  2. Add the attributes and their values according to this chart:

    Name
    Meaning
    Possible values
    IsNonceIncluded
    Include a nonce with the token.
    True (default) or False
    TimestampFormat
    The timestamp format to use with the token.

    • None. no timestamp

    • Full. a <timestamp> element with <created> and <expired> inner elements

    • Created. (default) only a <created> element

    For example:

    web_service_set_security(
        SECURITY_TOKEN, "Type=USERNAME","LogicalName=myToken", "UserName=John", "Password=1234",  "PasswordOptions=SendPlainText", "IsNonceIncluded=true", "TimestampFormat=Full", "Add=True",        
        LAST);

You customize encryption by indicating whether to encrypt the whole element or only its content. This is common when encrypting tokens such as a user name. By default, only the content is encrypted. The following steps describe how to encrypt the entire token.

  1. Locate the web_service_set_security function in the script.

  2. Add the EncryptionType attribute with the value Element.

    web_service_set_security(
...
ENCRYPTED_DATA, "UseToken=myToken", "TargetToken=myOtherToken", 
"EncryptionType=Element",
LAST);

  3. To return to the default, remove the EncryptionType attribute or set it to Content.

To change the algorithm Web Services uses for encryption, or to modify some other low-level security details.

  1. To change either of these items, open the %LR_PATH%/bin/mmdrv.exe.config file in a text editor.

  2. If this file does not contain the <microsoft.web.services2> element, add it as shown below.

    <configuration>
...
  <microsoft.web.services2>
    <security>
      <x509 storeLocation="CurrentUser" allowTestRoot="true" useRFC3280="true" />           
      <binarySecurityTokenManager valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
        <sessionKeyAlgorithm name="TripleDES" />
        <keyAlgorithm name="RSA15" />
      </binarySecurityTokenManager>          
      </security>
  </microsoft.web.services2>
...
<configuration>

  3. Set the element values as required:

    4. Name Meaning Possible values
    verifyTrusy
    Check sent/received x.509 certificate's validity.

    • True (default)

    • False
    sessionKeyAlgorithm
    The algorithm the session symmetric key should use to encrypt the message.

    • AES128

    • AES192

    • AES256

    • TripleDES
    keyAlgorithm
    The algorithm to use by the public key to encrypt the session key.

    • RSA15

    • RSAOAEP
    useRFC3280
    Generate subject key identifiers that are interoperable and not Windows specific.

    • True

    • False (default)

Back to top