Web Services Securityservices security, or or to be more precise, SOAP message security , identifies and provides solutions for general computer security threats as well as threats unique to Web services. WSO2 supports WS Security, WS-Policy and WS-Security Policy specifications. These specifications define a behavioral model for Web services. A Since a requirement for one Web service may not be valid for another. Therefore, , the Data Services Server also helps defining service-specific requirements might be necessary.Security functionality is provided by the Security Management feature which is bundled by default in the Service Management feature of the WSO2 feature repository. The Security Management feature makes it easy to secure your Web Services by providing 16 pre-definedsecurity.
It provides 16 predefined, commonly-used security scenarios. All you have to do is to apply the required security scenario into your service with a few clicks, using your service dashboard. These security features are disabled by default. You also have the option to use through the service's dashboard. You can also define a custom security policy if needed.
The following actions are available:
...
Understanding . Understanding the exact security requirements is the first step in planning to secure Web services. For example, consider Consider what security aspects are important to your service; , whether it is the integrity, confidentiality, or both. Follow the instructions below to enable a security feature.
1. Log on to the product's management console and select "List" under "Services."
2. The "Deployed Services" screen appears. Click on the service name for which you want to add security features. For example,
3. The "Service Dashboard" page appears. Click "Security" in the "Quality of Service Configuration" panel.
4. The "Security for the Service" page appears. Click "Yes" in the "Enable Security" list. This action will enable security for the service.
5. A
Configuring security features
Security features are disabled in services by default. The following steps explain how to enable and configure them.
- Log in to the management console and select Services > List under the Main menu.
- From the Deployed Services page that appears, click the service to which you want to enable security.
- The service's dashboard opens. Click Security from the Quality of Service Configuration panel.
- Enable security for the service by selecting Yes .
Enable the options you require from the list of 16 default security scenarios
...
that appears. You can
...
read more details of the scenarios by clicking the browse icon in front of them.
...
Use the 
icon to see the scenarios in detail.
...
You can read more information about each security scenario by clicking on the icon next to each. We have also given a graphical view of each scenario in the next section.In addition to the default security scenarios, you can also
...
refer to a custom security policy
...
that is stored in Configuration Registry or Governance Registry.
...
...
Clicking either the "Configuration Registry" or "Governance Registry" link will open the respective "navigation tree" from which you can select a suitable policy path.
6. Select the suitable security features from the 16 default security scenarios and/or the custom security policy. Then click "Next." The "Activate Security" page appears. You can configure the security features on this page. The configurations depend on your previous selections.
...
Click Next to open the Activate Security page, using which you can configure the security features selected previously.
If you selected a default security scenario, this page
...
shows you the user groups, key stores etc. according to the selected security scenario.
...
For example,
- In a default scenario, if you
...
- select a policy that includes Username Token, you
...
- get the User Group panel to choose the users who are allowed to access the service
...
- In a default scenario, if you have selected a policy that requires signing or encryption, the
...
- Trusted Key Stores
...
- and
...
- Private Key Store
...
- panels appear.
...
...
If you refer to a custom security policy from Registry,
...
this page shows all options on user groups and key stores from which you can select the ones relevant to your policy. Even if you select irrelevant options, they will not be used at runtime.
The default security scenarios
The topics below explain the 16 default security scenarios provided by WSO2.Table of Contents maxLevel 4 minLevel 4
1. UsernameToken
2. Non-repudiation
3. Integrity
4. Confidentiality
5. Sign and encrypt - X509 Authentication
6. Sign and Encrypt - Anonymous clients
7. Encrypt only - Username Token Authentication
8. Sign and Encrypt - Username Token Authentication
9. SecureConversation - Sign only - Service as STS - Bootstrap policy - Sign and Encrypt , X509 Authentication
10. SecureConversation - Sign Only - Service as STS - Bootstrap policy - Sign and Encrypt , Anonymous clients
11. SecureConversation - Sign and Encrypt - Service as STS - Bootstrap policy - Sign and Encrypt , X509 Authentication
12. SecureConversation - Sign Only - Service as STS - Bootstrap policy - Sign and Encrypt , Anonymous clients
13. SecureConversation - Sign and Encrypt - Service as STS - Bootstrap policy - Sign and Encrypt , Anonymous clients
14. SecureConversation - Encrypt Only - Service as STS - Bootstrap policy - Sign and Encrypt , Username Token Authentication
15. SecureConversation - Sign and Encrypt - Service as STS - Bootstrap policy - Sign and Encrypt , Username Token Authentication
16. Kerberos Token-based Security
If you are applying apply security scenario 16 (Kerberos Token-based Security), you have to must associate your service with a service principal. Security scenario 16 is only applicable if you have a " Key Distribution Center (KDC) " and an " Authentication Server " in your environment. Commonly Ideally you can find KDC and an Authentication Server in a LDAP Directory server.
Two configuration files are used to specify Kerberos related parameters as follows.
- krb5.conf - Includes KDC server details, encryption/decryption algorithms etc.
- jaas.conf - Includes information relevant to authorization.
Usually, the The above files are located at in <PRODUCT_HOME>/repository/conf/security folder.
After selecting scenario 16, you will be asked to fill information about the service principal to associate the Web service with. There you need to You must specify the service principal name and password. The service principal must be already defined in the LDAP Directory server.
Following picture depicts this behavior:
7. Click"Finish" once you are done applying security features to your Web service. You will see the message "Security Applied Successfully". Click "OK" and you will be redirected to the Service Dashboard.
...
This function is used to disable active security features for a particular service. Follow the instructions below to disable a security feature.
1. Log on to the product's management console and select "List" under "Services."
2. The "Deployed Services" screen appears. Click "Security" in the "Quality of Service Configuration" panel. For example,
3. The "Service Dashboard" page appears. Click "Security" in the "Quality of Service Configuration" panel.
4. The "Security for Service" page appears. To disable security for the service, in the "Enable Security" list, click "No."
5. Confirm your request by clicking "Yes" and click "OK" in the "Security disabled successfully" message that follows.
| Info | ||
|---|---|---|
| ||
All security scenarios are described in the wizard. |
...
| hidden | true |
|---|
...
.