This documentation is for WSO2 ESB version 4.5.1. View documentation for the latest release.

Security for Web Services

Web Services Security, or to be more precise, SOAP message security, identifies and provides solutions for general computer security threats as well as threats unique to Web services.

WSO2 Carbon supports WS Security, WS-Policy and WS-Security Policy specifications. These specifications define a behavioral model for Web services. A requirement for one Web service may not be valid for another. Thus, defining service-specific requirements might be necessary.

The WSO2 SOA platform provides important security features to your service. By default the security features are disabled.

The following actions are available:

Enabling Security Features

Understanding the exact security requirements should be the first step you should take when planning to secure Web services. For example, consider what security aspects are important to your service, whether it is the integrity, confidentiality, or both.

Follow the instructions below to enable a security feature.

1. Sign in. Enter your user name and password to log on to the ESB Management Console.

2. Click on "Main" in the left menu to access the "Manage" menu.

3. In the "Manage" menu, click on "List" under "Web Services."

4. The "Deployed Services" screen appears.

5. Click on the service name for which you want to add security features. The "Service Dashboard" page appears.

6. Click "Security" in the "Quality of Service Configuration" panel.

7.The "Security for Service" page appears. To enable security for the service, in the "Enable Security" list, click "Yes."

8. A list of available security features is displayed.

Tip

Use the icon to see the scenarios in detail.

9. Select the suitable security features by clicking on the corresponding options, and then click "Next." The "Activate Security" page appears. You can configure the security features on this page. The configurations depend on your previous selections.

9.1. If a feature that includes "Username Token" was chosen, choose the users who are allowed to access the service in the "User Group" panel.

Select the users and click "Finish."

9.2. If a feature that requires signing or encryption was selected, the "Trusted Key Stores" panel appears. Select the "Trusted key store" (wso2carbon.jks) and the "Private key store" (currently only the wso2carbon.jks key store is available).

10. Select the key store and click "Finish."

Disabling Security Features

This function is used to disable active security features for a particular service.

Follow the instructions below to disable a security feature.

1. Sign in. Enter your user name and password to log on to the ESB Management Console.

2. Click on "Main" in the left menu to access the "Manage" menu.

3. In the "Manage" menu, click on "List" under "Web Services."

4. The "Deployed Services" screen appears.

5. Click "Security" in the "Quality of Service Configuration" panel.

6. The "Security for Service" page appears. To disable security for the service, in the "Enable Security" list, click "No."

7. Confirm your request in the "WSO2 Carbon" window.

Note

All security scenarios are described in the wizard.