Customize the security
This topic describes how to configure special cases that are common in Web Service security.
Reference a token with a SubjectKeyIdentifier
By default, Web Services adds all of the defined X.509 tokens to the SOAP envelope and references them as binary security tokens. You can also exclude a token from the message and reference it with an SKI (Subject Key Identifier) instead. This is common for tokens that are used for encryption.
To reference a token with an SKI:
- Add a token as described in Add security to a Web Service script.
- In the script, change the value of Add to False:
  web_service_set_security( SECURITY_TOKEN, "Type=X509", "LogicalName=myToken", "StoreName=My", "IDType=SubjectName", "IDValue=CN=myCert", "StoreLocation=CurrentUser", "Add=False", LAST);
- If necessary, set the useRFC3280 setting as described under To customize WS-Security below.
Customize the UserName token
You can customize the UserName token with a nonce and timestamp.
To customize the UserName token:
- Locate the web_service_set_security function in the script.
- Add the attributes and their values according to this chart:

  Name             Meaning                                       Possible values
  IsNonceIncluded  Include a nonce with the token.               True (default) or False
  TimestampFormat  The timestamp format to use with the token.   None: no timestamp
                                                                 Full: a <timestamp> element with <created> and <expired> inner elements
                                                                 Created (default): only a <created> element
For example:
web_service_set_security( SECURITY_TOKEN, "Type=USERNAME","LogicalName=myToken", "UserName=John", "Password=1234", "PasswordOptions=SendPlainText", "IsNonceIncluded=true", "TimestampFormat=Full", "Add=True", LAST);
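The chart above says what IsNonceIncluded and TimestampFormat add to the token but not why a receiver cares. The following Python is an added example, not code from the documentation or from the product: it builds the UsernameToken that those settings describe (element names follow the WS-Security 2004 namespaces; the exact placement of the <wsu:Timestamp> element for Full, the 300-second skew window, and the credential store are assumptions) and then validates it the way a service should, using the timestamp to bound how long a captured token stays usable and a nonce cache to reject a second use inside that window.

```python
"""Added example: UsernameToken with nonce/timestamp, plus receiver-side replay checks."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
SOAPSEC = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0"
FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce, created, password):
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def username_token(username, password, send_plain_text=True, is_nonce_included=True,
                   timestamp_format="Created", now=None, nonce=None, ttl=300):
    """Build the token; timestamp_format mirrors the chart ("None", "Created", "Full")."""
    if timestamp_format not in ("None", "Created", "Full"):
        raise ValueError("unknown TimestampFormat: " + timestamp_format)
    if not send_plain_text and (not is_nonce_included or timestamp_format == "None"):
        raise ValueError("PasswordDigest needs both a nonce and a Created timestamp")
    now = now or datetime.now(timezone.utc)
    created = now.strftime(FMT)
    nonce = os.urandom(16) if nonce is None else nonce
    parts = [f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">',
             f'<wsse:Username>{escape(username)}</wsse:Username>']
    if send_plain_text:  # PasswordOptions=SendPlainText
        parts.append(f'<wsse:Password Type="{PROFILE}#PasswordText">{escape(password)}</wsse:Password>')
    else:
        parts.append(f'<wsse:Password Type="{PROFILE}#PasswordDigest">'
                     f'{password_digest(nonce, created, password)}</wsse:Password>')
    if is_nonce_included:
        parts.append(f'<wsse:Nonce EncodingType="{SOAPSEC}#Base64Binary">'
                     f'{base64.b64encode(nonce).decode()}</wsse:Nonce>')
    if timestamp_format == "Created":
        parts.append(f'<wsu:Created>{created}</wsu:Created>')
    elif timestamp_format == "Full":  # assumed layout: Timestamp wrapping Created and Expires
        expires = (now + timedelta(seconds=ttl)).strftime(FMT)
        parts.append(f'<wsu:Timestamp><wsu:Created>{created}</wsu:Created>'
                     f'<wsu:Expires>{expires}</wsu:Expires></wsu:Timestamp>')
    parts.append('</wsse:UsernameToken>')
    return "".join(parts)


class UsernameTokenValidator:
    """Receiver side: the timestamp bounds how long a captured token can be used, and the
    nonce cache rejects a second use inside that window."""

    def __init__(self, passwords, max_skew=300):
        self.passwords = passwords          # constructed credential store {username: password}
        self.max_skew = timedelta(seconds=max_skew)
        self.seen_nonces = set()            # production: bounded cache that expires after max_skew

    def validate(self, token_xml, now=None):
        now = now or datetime.now(timezone.utc)
        ns = {"wsse": WSSE, "wsu": WSU}
        root = ET.fromstring(token_xml)
        user = root.findtext("wsse:Username", namespaces=ns)
        pw = root.find("wsse:Password", namespaces=ns)
        nonce_el = root.find("wsse:Nonce", namespaces=ns)
        created = (root.findtext("wsu:Created", namespaces=ns)
                   or root.findtext("wsu:Timestamp/wsu:Created", namespaces=ns))
        expires = root.findtext("wsu:Timestamp/wsu:Expires", namespaces=ns)
        if user not in self.passwords or pw is None or not pw.text:
            return False, "unknown user or missing password"
        if created is None:
            return False, "no Created timestamp: replay cannot be bounded"
        created_dt = datetime.strptime(created, FMT).replace(tzinfo=timezone.utc)
        if abs(now - created_dt) > self.max_skew:
            return False, "Created outside the allowed clock skew"
        if expires and now > datetime.strptime(expires, FMT).replace(tzinfo=timezone.utc):
            return False, "token expired"
        if nonce_el is None:
            return False, "no nonce: replay inside the skew window is undetectable"
        nonce = base64.b64decode(nonce_el.text)
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = self.passwords[user]
        if (pw.get("Type") or "").endswith("#PasswordDigest"):
            expected = password_digest(nonce, created, expected)
        if not hmac.compare_digest(pw.text, expected):
            return False, "bad password"
        self.seen_nonces.add(nonce)
        return True, "ok"


def demo():
    """Fresh token accepted once, the same token rejected as a replay, an hour-old one rejected."""
    clock = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed clock
    token = username_token("John", "1234", send_plain_text=False, timestamp_format="Full",
                           now=clock, nonce=bytes(16))            # fixed nonce for reproducibility
    validator = UsernameTokenValidator({"John": "1234"})
    first = validator.validate(token, now=clock + timedelta(seconds=30))
    replay = validator.validate(token, now=clock + timedelta(seconds=60))
    stale = UsernameTokenValidator({"John": "1234"}).validate(token, now=clock + timedelta(hours=1))
    return first, replay, stale
```

Run demo() to see the three outcomes. The point for a tester who sets IsNonceIncluded=False or TimestampFormat=None is visible in validate(): a service that enforces the profile has nothing to bound a replay with, so those settings only make sense against services that do not check them, which is itself worth noting in the test report.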
Customize encryption
You can customize encryption by specifying whether to encrypt the whole element or only its content. This is common when encrypting tokens such as a user name token. By default, only the content is encrypted.
To encrypt the entire token:
- Locate the web_service_set_security function in the script.
- Add the EncryptionType attribute with the value Element:
  web_service_set_security( ... ENCRYPTED_DATA, "UseToken=myToken", "TargetToken=myOtherToken", "EncryptionType=Element", LAST);
- To return to the default, remove the EncryptionType attribute or set it to Content.
You can change the algorithm that Web Services uses for encryption, or modify other low-level security details, by editing the WS-Security configuration.
To customize WS-Security:
- Open the <installdir>/bin/mmdrv.exe.config file in a text editor.
- If this file does not contain the <microsoft.web.services2> element, add it as shown below:
  <configuration>
    ...
    <microsoft.web.services2>
      <security>
        <x509 storeLocation="CurrentUser" allowTestRoot="true" useRFC3280="true" />
        <binarySecurityTokenManager valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
          <sessionKeyAlgorithm name="TripleDES" />
          <keyAlgorithm name="RSA15" />
        </binarySecurityTokenManager>
      </security>
    </microsoft.web.services2>
    ...
  </configuration>
- Set the element values as required:
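The values shown in the configuration above (allowTestRoot="true", TripleDES, RSA15) are the ones that most often need changing before a test environment resembles production. The following Python is an added example, not part of the documentation or the product: it parses a copy of the <microsoft.web.services2> section and reports the settings a reviewer would flag. The sample configuration is constructed from the snippet above, and the hardened replacement names (AES256, RSAOAEP) are assumptions; the algorithm names a given WSE version accepts are not stated on this page.

```python
"""Added example: audit the WSE <security> settings in mmdrv.exe.config."""
import xml.etree.ElementTree as ET

# Constructed sample, following the shape of the snippet in the step above.
SAMPLE_CONFIG = """<configuration>
  <microsoft.web.services2>
    <security>
      <x509 storeLocation="CurrentUser" allowTestRoot="true" useRFC3280="true" />
      <binarySecurityTokenManager valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
        <sessionKeyAlgorithm name="TripleDES" />
        <keyAlgorithm name="RSA15" />
      </binarySecurityTokenManager>
    </security>
  </microsoft.web.services2>
</configuration>"""

# Assumed hardened values; confirm the names against the WSE version in use.
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace('allowTestRoot="true"', 'allowTestRoot="false"')
                   .replace('name="TripleDES"', 'name="AES256"')
                   .replace('name="RSA15"', 'name="RSAOAEP"'))

# Settings that a reviewer flags, with the reason.
LEGACY_SESSION_KEY = {"TripleDES": "64-bit block cipher; deprecated for new deployments"}
LEGACY_KEY_TRANSPORT = {"RSA15": "RSA PKCS#1 v1.5 key transport; prefer RSA-OAEP where supported"}


def audit_wse_config(config_xml):
    """Return a list of (setting, value, note) findings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(config_xml)
    wse = root.find("microsoft.web.services2")
    if wse is None:
        return [("microsoft.web.services2", None,
                 "element missing: WSE built-in defaults apply instead of reviewed values")]
    x509 = wse.find("security/x509")
    if x509 is None:
        findings.append(("x509", None, "no <x509> element: certificate handling left at defaults"))
    else:
        if x509.get("allowTestRoot", "false").lower() == "true":
            findings.append(("allowTestRoot", "true",
                             "test root certificates are trusted; chain validation is weakened"))
        if x509.get("useRFC3280", "false").lower() != "true":
            findings.append(("useRFC3280", x509.get("useRFC3280"),
                             "useRFC3280 is not set to true; see the SKI step above"))
    for tag, table in (("sessionKeyAlgorithm", LEGACY_SESSION_KEY),
                       ("keyAlgorithm", LEGACY_KEY_TRANSPORT)):
        el = wse.find(f"security/binarySecurityTokenManager/{tag}")
        name = el.get("name") if el is not None else None
        if name in table:
            findings.append((tag, name, table[name]))
    return findings


if __name__ == "__main__":
    for setting, value, note in audit_wse_config(SAMPLE_CONFIG):
        print(f"{setting}={value}: {note}")
```

Point audit_wse_config() at the contents of the real mmdrv.exe.config to get the same report for an installation; the findings list is deliberately plain tuples so it can be dropped into whatever reporting the test team already uses.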