Setting up WS-Security in WSO2 SOA Enablement Server

WSO2 SOA Enablement Server incorporates WS-Security as one of its security providers. The name of the WS-Security security provider is WS-Security. To protect a service with WS-Security, the service must have WS-Security in its list of accepting providers. On the client side, to send messages protected by WS-Security, the client must have WS-Security as its initiating provider. Set the configuration on the service and its clients as described below.

Configuration Basis

Due to the complexity of the WS-Security configuration, WSO2 SOA Enablement Server does not allow all parameters of WS-Security and underlying technologies to be set by the user. However, the most important features can be configured in WSO2 SOA Enablement Server to allow wide usage and interoperability.

WSO2 SOA Enablement Server provides two APIs, low-level and high-level, to configure WS-Security. The high-level API provides easier configuration but with less scope. The low-level API is more complex but lets you manage all WS-Security properties individually.

Important

The high-level API can only be used for runtime configuration. The low-level API can be used for either runtime or persistent configuration.

Areas of configuration are:

  • Sender

    A sender is any party that sends a message. When it sends a request, it is a client, and when it sends a response, it is a service. Its configuration describes the outgoing messages that will be protected by WS-Security. Either the high-level or the low-level API can be used to configure the sender.

  • Receiver

    A receiver is any party that receives a message. It is a client when it is waiting for a response, and it is a service when it is waiting for a request. The receiver configuration contains a Java class that validates the WS-Security of incoming messages. When an incoming message is processed by WSO2 SOA Enablement Server's WS-Security, the structure of the message is used to create the configuration and this configuration is afterward passed to the validating Java class provided by the user. Either the high-level or the low-level API can be used to configure the receiver.

  • Global WS-Security Configuration

    To provide interoperability with different implementations of WS-Security and to fine-tune the configuration of WS-Security, it is necessary to configure certain parameters such as namespaces. As this configuration is persistent, only the low-level API can be used for it. This configuration can be set through the Server Preferences tab of the Administration Console. See Server Preferences Management for details.

Protected Store

When using WS-Security, it is usually necessary to employ the users and identities stored in the protected store. They must follow these rules:

  • The user is given by name. The password property must be set.

  • Identity is given by X.509 certificate. In some cases, decryption for example, you must also set the corresponding private key. The key is protected by a password.

  • The user name must be the same as the identity alias.

  • If the identity has a private key, then the user's password must be the same as the identity private key's password.

To create a user, to create/import a certificate and its key, and to set trust, you can use either WSO2 SOA Enablement Server tools such as UserStoreTool or the WSO2 SOA Enablement Server Administration Console. For details on using the Administration Console, please see Server Security Management for UserStore and Server Preferences Management for PStore, in the Administrators' Guide.