You can configure the gateway for secure transmission of SOAP messages using tokens, keys, signatures and encryption in accordance with the emerging Web Services Security (WS-Security) specification.
In a normal (non-gateway) WS-Security scenario, the message flows are as shown in the following figure:
The client generates a request that is handled by the client Web services engine. This engine reads the client security configuration and applies the security defined in the ibm-webservicesclient-ext.xmi file to the SOAP message. It gets additional binding information from the ibm-webservicesclient-bnd.xmi file (for instance, the location of a keystore on the file system).
On receipt of a SOAP message, the Web services engine on the server refers to the *.xmi files for the called Web service. In this case, the ibm-webservices-ext.xmi file tells the engine what security the incoming message must have (for example, that the body of the message must be signed). If the message does not comply, then it is rejected. The Web services engine verifies any security information, then passes the message on to the Web service that is called.
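The "body of the message must be signed" requirement can be pictured as a structural check on the incoming envelope. The following sketch is an added example, not IBM code or part of the original page; the function name body_is_signed and the sample envelopes are hypothetical, and it assumes the SOAP 1.1, OASIS WS-Security 1.0 and XML-DSig namespaces. It only confirms that a signature in the security header references the body, and does not verify the signature itself.

```python
import xml.etree.ElementTree as ET

# Assumed namespaces: SOAP 1.1, OASIS WS-Security 1.0, XML-DSig. A deployment
# built on an earlier WS-Security draft uses different URIs.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"


def body_is_signed(envelope_xml):
    """Return (ok, reason). Structural check only: is the SOAP Body referenced
    by a ds:Signature in the wsse:Security header? No digest is verified."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc
    if root.tag != "{%s}Envelope" % SOAP:
        return False, "not a SOAP envelope"
    # Only a Body that is a direct child of the Envelope is dispatched.
    bodies = root.findall("{%s}Body" % SOAP)
    if len(bodies) != 1:
        return False, "expected exactly one Body"
    body_id = bodies[0].get("{%s}Id" % WSU)
    if not body_id:
        return False, "Body has no wsu:Id to reference"
    # The same Id on two elements makes the reference ambiguous, so reject.
    if sum(1 for e in root.iter() if e.get("{%s}Id" % WSU) == body_id) != 1:
        return False, "duplicate wsu:Id"
    path = ("{%s}Header/{%s}Security/{%s}Signature/{%s}SignedInfo/{%s}Reference"
            % (SOAP, WSSE, DS, DS, DS))
    if "#" + body_id not in [ref.get("URI") for ref in root.findall(path)]:
        return False, "no Signature reference covers the Body"
    return True, "Body is referenced by a Signature"


def _sample(header="", body_attr=""):
    # Constructed sample envelope, not captured traffic.
    return ('<s:Envelope xmlns:s="%s" xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s">'
            '<s:Header>%s</s:Header><s:Body%s><getQuote/></s:Body></s:Envelope>'
            % (SOAP, WSSE, WSU, DS, header, body_attr))


SIGNED_HEADER = ('<wsse:Security><ds:Signature><ds:SignedInfo><ds:Reference '
                 'URI="#body-1"/></ds:SignedInfo></ds:Signature></wsse:Security>')
SIGNED = _sample(SIGNED_HEADER, ' wsu:Id="body-1"')
UNSIGNED = _sample()
```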
On the response from server to client, the process is reversed. The Web service *.xmi files tell the Web services engine what security to apply to the response message, and the client *.xmi files tell the client engine what security to require in the response message.
When the gateway is introduced, the scenario is more complex. You can think of this scenario as two separate request and response invocations, client to gateway and gateway to target service, as shown in the following figure:
In this scenario, the client application and the Web service are unchanged, and still have the same security settings in their *.xmi files. However, the gateway is unsecured. Secure SOAP messages cannot travel through the gateway unchanged, and must be processed on receipt. The gateway therefore needs to act as the target service from the point of view of the client, and as the client from the point of view of the target service. This means that the view of the service that the gateway presents to the client needs to be configured with the security settings for the Web service, and the associated gateway target services (remember that there might be multiple target services deployed for a single gateway service) need to be configured with the security settings for the client.
WS-Security settings for the gateway are configured manually using the gateway administrative user interface.