Security for Web Services
Web Services Security, or more precisely SOAP message security, identifies and provides solutions for general computer security threats as well as threats unique to Web services.
WSO2 Carbon supports the WS-Security, WS-Policy and WS-SecurityPolicy specifications. These specifications define a behavioral model for Web services. A requirement for one Web service may not be valid for another, so defining service-specific requirements is often necessary.
The WSO2 Data Services Server makes it easy to secure your Data Services by providing 16 pre-defined security scenarios covering the most commonly used combinations of authentication, signing and encryption. All you have to do is apply the required security scenario to your service with a few clicks from the service dashboard. These security features are disabled by default, so a freshly deployed service accepts unauthenticated, unsigned requests until you enable one. You also have the option to use a custom security policy if needed.
The following actions are available:
Enabling Security Features
Understanding the exact security requirements is the first step in planning to secure Web services. For example, consider which security properties matter for your service: whether it needs message integrity, confidentiality, or both, and how callers are to be authenticated.
Follow the instructions below to enable a security feature.
1. Log on to the Data Services Server Management Console.
2. Click on "Main" menu and select "List" under "Web Services."
3. The "Deployed Services" screen appears. Click on the service name for which you want to add security features.
4. The Service Dashboard page appears. Click Security in the Quality of Service Configuration panel.
5. The Security for the Service page appears. Click Yes in the Enable Security list. This action will enable security for the service.
6. A list of 16 default security scenarios is displayed. You can enable any one of them.
Tip
Use the icon beside each scenario to view its details.
For a graphical explanation of the default security scenarios, refer to Graphical View of the Default Security Scenarios.
In addition to the default security scenarios, you also have the option to refer to a custom security policy which is stored in Configuration Registry or Governance Registry.
Tip
Clicking either the "Configuration Registry" or "Governance Registry" link will open the respective "navigation tree" from which you can select a suitable policy path.
7. Select the suitable security features from the 16 default security scenarios and/or the custom security policy. Then click Next. The Activate Security page appears. You can configure the security features on this page. The configurations depend on your previous selections.
For example, if you have selected a default security scenario, this page will show you the user groups, key stores etc. according to the selected security scenario. But, if you have referred to a custom security policy from Registry, this page will show all the options to select user groups and key stores and you have to select those according to your policy.
- In a default scenario, if you have selected a policy that includes Username Token, you will have the User Group panel to choose the user groups (roles) whose members are allowed to access the service.
- In a default scenario, if you have selected a policy that requires signing or encryption, the "Trusted Key Stores" and "Private Key Store" panels appear. You can select the keystore "wso2carbon.jks" as a trusted keystore and as the Private Key Store, which is populated with only "wso2carbon.jks" by default. Note that wso2carbon.jks, together with its key and keystore password, ships with every WSO2 distribution, so its private key is effectively public; before exposing a signed or encrypted service in production, replace it with a keystore you generated yourself.
When you have referred to a custom policy from Registry, you will be provided with all possible options to select user groups, trusted key stores and a private key store. You can select only the needed options according to your custom policy and ignore others. Even if you select unwanted options, they will not be used at runtime.
Kerberos Token-based Security
If you are applying security scenario 16 (Kerberos Token-based Security), you have to associate your service with a service principal. Security scenario 16 is only applicable if your environment has a Key Distribution Center (KDC), which provides the Authentication Server. A KDC is commonly bundled with an LDAP directory server.
Two configuration files are used to specify Kerberos related parameters as follows.
- krb5.conf - Includes the Kerberos realm, KDC server details, permitted encryption types etc.
- jaas.conf - The JAAS login configuration, which names the login module (for example the Kerberos login module) and its options used to authenticate the service principal.
Usually, the above files are located at <server installation directory>/repository/conf.
After selecting scenario 16, you will be asked to fill in information about the service principal to associate the Web service with. There you need to specify the service principal name and password. The service principal must already be defined in the LDAP directory server that backs the KDC.
The following picture depicts this behavior:
8. Click "Finish" once you are done applying security features to your Web service. You will see the message Security Applied Successfully. Click OK and you will be redirected to the Service Dashboard.
Disabling Security Features
This function is used to disable active security features for a particular service.
Follow the instructions below to disable a security feature.
1. Log on to the Data Services Server Management Console.
2. Click on "Main" menu and select "List" under "Web Services."
3. The Deployed Services screen appears. Click on the service name whose security you want to disable. On the Service Dashboard page, click Security in the Quality of Service Configuration panel.
4. The Security for Service page appears. To disable security for the service, in the Enable Security list, click No.
5. Confirm your request by clicking Yes, then click OK in the "Security disabled successfully" message that follows. From this point the service again accepts unauthenticated requests.
Note
All security scenarios are described in the wizard.