June 2016


Implementing WS Security Policies for your services on webMethods Integration Server - Username Over Transport Policy

Before implementing the policies for your services make sure that you have completed the prerequisite steps described in the earlier post.

The Username Over Transport policy uses a Username token to provide client authentication with transport binding and includes a timestamp token to guard against replay attacks. The entire message is secured by the HTTPS protocol. The policy does not enforce message-level signature or encryption.

a. Go to the provider descriptor on the server machine. Open the Policies tab and select the Username Over Transport policy from the list. Click OK and save the descriptor.



b. If you try to invoke the connector service now, you will get an 'Invalid Security' error, because the provider web service expects the client to pass the necessary WS-Security information in the header.

c. Attach the same policy on the consumer web service descriptor so that it will send the WS-Security information in the SOAP header while invoking the service. Make sure that you pass the 'user' and 'password' in the 'auth/message' document. This information will be used while constructing the username token.

Now when you run the service you should see a successful response.


 

Implementing WS Security Policies for your services on webMethods Integration Server - Username, Signature and Encryption Policy

Before implementing the policies for your services make sure that you have completed the prerequisite steps described in the earlier post.

The Username, Signature and Encryption policy uses a username token to provide client authentication, uses symmetric binding to sign messages to ensure message integrity, uses symmetric binding to encrypt messages to ensure message confidentiality, and includes a timestamp token to guard against replay attacks.

a. Go to the provider descriptor on the server machine. Open the Policies tab and select the Username, Signature and Encryption policy from the list. Click OK and save the descriptor.



b. If you try to invoke the connector service now, you will get an 'Invalid Security' error, because the provider web service expects the client to pass the necessary WS-Security information in the header.

c. Attach the same policy on the consumer web service descriptor so that it will send the WS-Security information in the SOAP header while invoking the service. Make sure that you pass the 'user' and 'password' in the 'auth/message' document. This information will be used while constructing the username token.

Now when you run the service you should see a successful response.

d. Open the TCPMon screen and look at the message exchange. You will notice that the timestamp has been included in the SOAP header. The message body itself is also encrypted, so only the sender and the receiver are able to interpret it.



Implementing WS Security Policies for your services on webMethods Integration Server - Username and Signature Policy

Before implementing the policies for your services make sure that you have completed the prerequisite steps described in the earlier post.

The Username_Signature policy uses a Username token to provide client authentication, uses symmetric binding to sign messages to ensure message integrity, and includes a timestamp token to guard against replay attacks. Because this policy uses symmetric binding, the sender of an outbound message does not need a private key. Instead, the client generates a symmetric key.
This policy does not enforce encryption.

a. Go to the provider descriptor on the server machine. Open the Policies tab and select the Username and Signature policy from the list. Click OK and save the descriptor.



b. If you try to invoke the connector service now, you will get an 'Invalid Security' error, because the provider web service expects the client to pass the necessary WS-Security information in the header.

c. We will attach the same policy on the consumer web service descriptor so it will send the WS-Security information in the SOAP header while invoking the service.

d. Attach the Username_Signature policy on the consumer web service descriptor as explained in the step above. Save the descriptor and run the connector service. Make sure that you pass the 'user' and 'password' in the 'auth/message' document. This information will be used while constructing the username token. Make sure that you receive a successful response.

e. Look at the message exchange on the TCPMon screen. You will notice that the timestamp has been included in the SOAP header; however, the message is not encrypted.