Message-level security is the cornerstone of enterprise-class SOA. Using SOAP encryption and SOAP signatures, confidentiality and integrity remain "always on" by being independent of transport protocols. With security now living within the SOAP messages, it does not matter if the transport pipe – HTTP, FTP, JMS – between Web service consumers, producers, or intermediaries is SSL enabled.
This tutorial will show how to set up SOAP message-level encryption. You will learn how to enable message-level confidentiality starting with enabling selected key stores, turning on message-level encryption, and sending X.509 certificates in a SOAP header. You will see how to diagnose the security policies for functional completeness, performance, and interoperability by sending SOAP messages from a .NET based client. Along the way you will discover that BEA WebLogic Server 9.2 (WLS) provides a mature platform with significant message-level security capabilities for advanced SOA deployments.
Web services – a common foundation for modern Service Oriented Architecture (SOA) – have blurred the boundaries between network devices, applications, ESBs, application servers, databases, and other IT assets within an enterprise. Almost every IT asset now advertises its interface as a Web Services Definition Language (WSDL) interface ready for SOAP/XML messaging. Web service interfaces provide unprecedented flexibility in integrating IT assets across internal and external corporate domains. However, it is this flexibility that in turn mandates greater security control across such domains. To ensure that messages are secured while crossing domains, both protocol-level and message-level security techniques are widely deployed.
WebLogic Server 9.2 provides a variety of protocol-level and message-level mechanisms for securing SOAP/XML message exchanges across IT assets. WebLogic Server extends the classic SSL transport-level security by providing message-level security provisions with the following additional advantages:
WebLogic Server provides message-level security through its comprehensive support of the WS-Security 1.0 specification approved by OASIS as a formal standard in March 2004. This specification covers SOAP message-level encryption, decryption, and a number of token profiles for exchanging identity tokens such as user name tokens, X.509 certificates, SAML assertions, and Kerberos tickets embedded within a SOAP header.
To start using message-level encryption in WebLogic Server, it is essential to understand the fundamentals of public and private key usage. A practical description of essential PKI concepts is provided in "What is PKI?" by Entrust. Here is a summary of some concepts:
Let's take a look at how to use these cryptographic components to enable message-level encryption in WebLogic Server.
To illustrate message-level encryption, a sample Web service with a single operation, getCreditScore(int ssn), is created using Workshop for WebLogic Platform. This operation is subsequently used to set up message-level encryption.
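As an added example that is not part of this tutorial or of WebLogic's own code, the following Python script checks a constructed WS-Security 1.0 envelope for the properties the tutorial sets out to enable: the Body travels as xenc:EncryptedData rather than plaintext, the X.509 certificate is present as a wsse:BinarySecurityToken in the Security header, and the EncryptedKey references that token. The getCreditScore envelope, certificate and cipher values are constructed placeholders; the same check can be run over a message captured from the .NET client to confirm that encryption was actually applied.

```python
import xml.etree.ElementTree as ET

# Namespaces used by WS-Security 1.0 (OASIS, 2004) and XML Encryption.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
# Constructed sample of an encrypted getCreditScore request; cert, wrapped key and ciphertext are placeholders.
SAMPLE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:xenc="{xenc}" xmlns:ds="{ds}">
 <soap:Header><wsse:Security>
  <wsse:BinarySecurityToken wsu:Id="cert1" ValueType="{x509}">BASE64-CERT-PLACEHOLDER</wsse:BinarySecurityToken>
  <xenc:EncryptedKey>
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
   <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#cert1"/></wsse:SecurityTokenReference></ds:KeyInfo>
   <xenc:CipherData><xenc:CipherValue>WRAPPED-KEY-PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey>
 </wsse:Security></soap:Header>
 <soap:Body><xenc:EncryptedData Id="body1" Type="http://www.w3.org/2001/04/xmlenc#Content">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  <xenc:CipherData><xenc:CipherValue>CIPHERTEXT-PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData></soap:Body>
</soap:Envelope>""".format(x509=X509V3, **NS)

def check_message_encryption(envelope_xml):
    """Return findings on whether a captured envelope carries WS-Security body encryption."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    body = root.find("soap:Body", NS)
    # Any Body child that is not xenc:EncryptedData went out in the clear.
    xenc_tag = "{%s}EncryptedData" % NS["xenc"]
    children = list(body) if body is not None else []
    plaintext = [c.tag for c in children if c.tag != xenc_tag]
    # The X.509 certificate used to wrap the session key must travel in the header...
    bst = sec.find("wsse:BinarySecurityToken", NS) if sec is not None else None
    cert_ok = bst is not None and bst.get("ValueType") == X509V3
    # ...and the EncryptedKey must reference that token by its wsu:Id.
    ref = sec.find("xenc:EncryptedKey/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS) if sec is not None else None
    wsu_id = bst.get("{%s}Id" % NS["wsu"]) if bst is not None else None
    key_ok = ref is not None and wsu_id is not None and ref.get("URI") == "#" + wsu_id
    return {
        "x509_token_in_header": cert_ok,
        "key_references_token": key_ok,
        "body_encrypted": bool(children) and not plaintext,
        "plaintext_body_elements": plaintext,
    }
```

A plaintext request (no Security header, a bare getCreditScore element in the Body) reports body_encrypted False and lists the element that was sent in the clear.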
The following components are required to illustrate message-level encryption: