Adding security stacks
To provide better WSDL security, you can make use of many security algorithms in the service test.
About this task
Procedure
- From the Test Navigator view or from the Request Library section of Generic Service Client, right-click the WSDL file and select Edit WSDL Security.
- In the Security Algorithms area of Algorithm Stacks tab, click Add to create a profile.
-
In the Stack Contents area, click Add and add any
of the following security algorithms:
- Custom Security Algorithm
- If you want to use a Java™ class
as a custom security algorithm, then use this stack element to apply
the custom algorithm to the service.
- Java™ Project
- If you have not implemented a custom Java™ class, select Java Project, type a name for the new project, and click Generate to create a new Java™ class with the default structure for custom security implementations.
- Implementation class
- Specify the name of the class that implements the custom security algorithm. Click Browse Class to select an existing Java™ class from the workspace.
- Properties
- Use this table to send any specific properties and associated values to the custom security algorithm.
- WS-Addressing Algorithm
- Use this block if your service uses either WS-Addressing 2004/08
or the WS-Addressing 1.0 Core standard.
- Namespace
- Specify the namespace for either WS-Addressing 2004/08 or WS-Addressing 1.0 Core.
- Action if request uses WS-Addressing
- Select the action to complete if WS-Addressing is already in the request.
- Replace anonymous address in Reply-to with:
- Select this option to generate the specified address in the Reply-to header instead of an anonymous address.
- Remove WS-Addressing from response
- Select this option to strip any WS-Addressing headers from the response.
- Encrypted Key
- This block defines an encrypted key that can be used in an XML
signature or XML encryption block. The encrypted key block must be
before a block that uses the encrypted key.
- Actor / Role name
- Specify the name of the recipient of the algorithm header element, if required.
- Must understand
- Select whether it is mandatory that the algorithm header is processed by the recipient, if required. The recipient is either the Actor name or the server.
- Key name
- Specify the name of the encrypted key.
- Identifier type
- Select the type of key identifier to be used for the key. The
following key identifiers are available, as defined in the the Web
Service Security (WSS) specification X509 profile and OASIS WSS 1.1
specification:
- ISSUER_SERIAL
- BST_DIRECT_REFERENCE
- X509_KEY_IDENTIFIER
- THUMBPRINT_IDENTIFIER
- SKI_KEY_IDENTIFIER
- Key size
- Specify the size of the key in bits.
- Key encoding algorithm name
- Specify the algorithm to be used for encoding the key.
- Keystore
- Select a keystore or click Edit Security to define a new keystore or to manage the existing keystores.
- Name
- Select a key contained in the specified keystore.
- Password
- Type the password for the selected key name.
- XML Signature
- The XML signature security algorithm specifies how the XML document is signed. For details on
security algorithms, refer to the web service security specification.
- Actor / Role name
- Specify the name of the recipient of the algorithm header element, if required.
- Must understand
- Select whether it is mandatory that the algorithm header is processed by the recipient, if required. The recipient is either the Actor name or the server.
- Security token
-
Select the type of key identifier to be used for the signature. The following key identifiers are available, as defined in the the Web Service Security (WSS) specification X509 profile and OASIS WSS 1.1 specification:
- ISSUER_SERIAL
- BST_DIRECT_REFERENCE
- X509_KEY_IDENTIFIER
- SKI_KEY_IDENTIFIER
- KEY_VALUE
- USER_NAME_TOKEN
- CUSTOM_SYMM_SIGNATURE
In addition, the following identifiers are available when the signature is based on a UsernameToken profile:- USER_NAME_TOKEN
- CUSTOM_SYMM_SIGNATURE
- User XPath part selection
- Specify an XPath query that describes parts of the XML document that can be the subjects of the algorithm. By default, the body is the subject. Click the XPath Helper button to build the Xpath expression.
- Key
- Select the key used for the encryption. The details of each key vary.
- x509 key: This key specifies the name and password of the x509 key and the keystore where it is located.
- User name token key: This specifies a user name and password for the signature.
- Encrypted key: This specifies a reference to an encrypted key that was previously defined in the security stack. Click Insert a new encrypted key to create a new encrypted key definition block.
- Signature algorithm name
- Specify the signature method algorithm as described in the XML Signature Syntax and Processing specification.
- Canonicalization
- Specify the canonicalization method to be used as described in the XML Signature Syntax and Processing specification.
- Digest algorithm method
- Specify which digest method to be used based on the algorithm method used on the server side.
- Inclusive namespaces
- Specify whether the canonicalization is exclusive as described in the Exclusive XML Canonicalization specification.
- XML Encryption
- The XML encryption security algorithm specifies how the XML document
is encrypted. For details on security algorithms, refer to the web
service security specification.
- Actor / Role name
- Specify the name of the recipient of the algorithm header element, if required.
- Must understand
- Select whether it is mandatory that the algorithm header is processed by the recipient, if required. The recipient is either the Actor name or the server.
- Identifier type
- Select the type of key identifier to be used for the encryption.
The following key identifiers are available, as defined in the Web
Services Security (WSS) specification X509 profile and the OASIS WSS
1.1 specification:
- ISSUER_SERIAL
- BST_DIRECT_REFERENCE
- X509_KEY_IDENTIFIER
- SKI_KEY_IDENTIFIER
- EMBEDDED_KEYNAME
- THUMBPRINT_IDENTIFIER
- ENCRYPTED_KEY_SHA1_IDENTIFIER
- User XPath part selection
- This enables you to specify an XPath query that describes parts of the XML document that can be subjects of the algorithm. By default, the body is the subject.
- Key
- Select the key used for the encryption. The details of each key
vary.
- x509 key: This specifies the name and password of the x509 key and the keystore where it is located.
- Raw key: This specifies the name and the byte value of your SecretKey in hexadecimal.
- Encrypted key: This specifies a reference to an encrypted key that was previously defined in the security stack. Click Insert a new encrypted key to create a new encrypted key definition block.
- Encoding Algorithm Name
- Specify the encryption method to be used as defined in the XML Encryption Syntax and Processing specification.
- Key Encoding Algorithm
- Specify the standard algorithm for encoding the key as defined in the XML Encryption Syntax and Processing specification.
- User name token
- The user name token security algorithm adds a user name token
to the XML document in the message. For details on security algorithms,
refer to the web service security specification.
- Actor / Role name
- Specify the name of the recipient of the algorithm header element, if required.
- Must understand
- Select whether it is mandatory that the algorithm header is processed by the recipient, if required. The recipient is either the Actor name or the server.
- Name
- Type the name of the user.
- Password
- Type the password of the user.
- Password type
- Specify the password type for the security algorithm as defined in the Web Services Security UsernameToken profile.
- Use nonce
- Select this check box to add the Nonce element to the User Name Token XML code. In most cases, the Nonce ID is required.
- Use created
- Select this check box to add current timestamp to the Created XML element in the User Name Token XML.
- Time Stamp
- The time stamp security algorithm adds time stamp information
to the XML document in the response. For details on security algorithms,
refer to the web service security specification.
- Actor / Role name
- Specify the name of the recipient of the algorithm header element, if required.
- Must understand
- Select whether it is mandatory that the algorithm header is processed by the recipient, if required. The recipient is either the Actor name or the server.
- Expiration delay
- Specify the delay after which the time stamp expires.
- Millisecond precision
- Select this option to produce a time stamp that uses millisecond precision instead of the default (1/100th second).
- SAML Assertion Block
- To use the self-signed SAML assertion security algorithm, add the SAML Assertion stack to the request or WSDL files.
- User XPath part selection
- Specify an XPath query that describes parts of the XML document that can be the subjects of the algorithm. By default, the body is the subject. Click the XPath Helper button to build the Xpath expression.
- Key
- Select the key used for the encryption. The details of each key vary.
- x509 key: This key specifies the name and password of the x509 key and the keystore where it is located.
- User name token key: This specifies a user name and password for the signature.
- Encrypted key: This specifies a reference to an encrypted key that was previously defined in the security stack. Click Insert a new encrypted key to create a new encrypted key definition block.
- Signature algorithm name
- Specify the signature method algorithm as described in the XML Signature Syntax and Processing specification.
- Canonicalization
- Specify the canonicalization method to be used as described in the XML Signature Syntax and Processing specification.
- Digest algorithm method
- Specify which digest method to be used based on the algorithm method used on the server side.
- Inclusive namespaces
- Specify whether the canonicalization is exclusive as described in the Exclusive XML Canonicalization specification.
- Signed Assertion
- Select this check box to self-sign the SAML Assertion.
- Issuer
- Specify the description of the issuer of the SAML Assertion or protocol message.
- Subject
- Specify the principal that is the subject of all of the statements in the assertion. It might contain an identifier or a series of one or more subject confirmations.
- Subject Qualifier
- Specify the Name Qualifier of the Subject
- Subject Format
- Specify the format used for the Subject.
- Subject Locality DNS
- Specify the DNS domain name for the system from which the assertion subject was authenticated.
- Subject Locality IP
- Specify the IP address for the system from which the assertion subject was authenticated.
- Statement Type
- Specify the authentication method to use for the assertion.
Authentication: The assertion subject was authenticated
Attribute: The specified subject is associated with the supplied attributes.
Authorization decision: Permission to allow a subject to access the specified resource.
- Requested Resource
- When Authorization decision option is used, specify the resource for which you need access.
- Action
- Specify what action to take to access the resource.
- Confirmation number
- Confirmation methods define the mechanism by which an entity provides evidence (proof) of the
relationship between the subject and the claims of the SAML assertions.
Sender vouches: Select this option when a server needs to share the client identity with SOAP messages on behalf of the client. This method is similar to identity assertion, but it has the added flexibility of using SAML assertions to share not only the client identity, but also client attributes.
Holder of key: Select this option when the proof of the relationship between the subject and claims is established by signing part of the SOAP message with the key specified in the SAML assertion. Because there is key material associated with a holder-of-key token, this token can be used to provide a message-level protection (signing and encryption) of the SOAP message.
Bearers: Select this option when the proof of the relationship between the subject and claims is implicit. No specific steps are taken to establish the relationship. Because there is no key material associated with a bearer token, protection of the SOAP message, if required, must be performed using a transport-level mechanism or another security token, such as an X.509 or Kerberos token, for message level protection.
- Version
- Specify the SAML version used.
- Optional:
To verify simple SAML code, use the Analyze Security from Pasted Content
option.
For more information about that option, see Creating security for WSDL profiles.