WebSphere Application Server Network Deployment, Version 6.0.x   Operating Systems: AIX, HP-UX, Linux, Solaris, Windows
             [TIP: Focusing the table of contents and search results]

Securing Web services applications at the transport level

Transport-level security is a well-known and often used mechanism to secure HTTP Internet and intranet communications. Transport level security can be used to secure Web services messages. Transport-level security functionality is independent from functionality that is provided by message-level security (WS-Security) or HTTP basic authentication.

Before you begin

You can use either message-level security (WS-Security) or transport-level security:

About this task

Transport-level security is based on Secure Sockets Layer (SSL) or Transport Layer Security (TLS) that runs beneath HTTP. HTTP, the most used Internet communication protocol, is currently also the most popular protocol for Web services. HTTP is an inherently insecure protocol because all information is sent in clear text between unauthenticated peers over an insecure network. To secure HTTP, transport-level security can be applied.

Transport level security can be used to secure Web services messages. However, transport-level security functionality is independent from functionality that is provided by WS-Security or HTTP Basic Authentication.

SSL and TLS provide security features including authentication, data protection, and cryptographic token support for secure HTTP connections. To run with HTTPS, the service port address must be in the form https://. The integrity and confidentiality of transport data, including SOAP messages and HTTP basic authentication, is confirmed when you use SSL and TLS.

See Secure Sockets Layer for more information.

Web services applications can also use Federal Information Processing Standard (FIPS) approved ciphers for more secure TLS connections.

WebSphere Application Server uses the Java Secure Sockets Extension (JSSE) package to support SSL and TLS.

This task is one of several ways that you can configure the HTTP outbound transport level security for a Web service acting as a client to another Web service server. You can also configure the HTTP outbound transport level security with an assembly tool or by using the Java properties. If you do not configure the HTTP outbound transport level security, the Web services runtime defers to the Java 2 Platform, Enterprise Edition (J2EE) security runtime in the WebSphere product for an effective Secure Sockets Layer (SSL) configuration. If there is no SSL configuration with the J2EE security runtime in the WebSphere product, the Java Secure Socket Extension (JSSE) system properties are used.

You can define additional HTTP transport properties for Web services applications. Use the additional properties to manage the connection pool for HTTP outbound connections, configure the content encoding of the HTTP message, enable HTTP persistent connection, and resend the HTTP request when a timeout occurs.

Procedure

Results

By completing these steps, you have secured Web services applications at the transport level.

What to do next




Sub-topics
HTTP transport custom properties for Web services applications
Configuring HTTP outbound transport level security with the administrative console
Configuring HTTP outbound transport-level security using Java properties
Configuring additional HTTP transport properties using the JVM custom property panel in the administrative console
Configuring additional HTTP transport properties with an assembly tool
Configuring HTTP outbound transport level security with an assembly tool
Related concepts
Secure Sockets Layer
Related tasks
Securing Web services for Version 5.x applications based on WS-Security
Securing Web services applications using JAX-RPC at the message level
Authenticating Web services clients using HTTP basic authentication
Task overview: Implementing Web services applications
Related reference
HTTP SSL Configuration collection
Task topic    

Terms of Use | Feedback

Last updated: Mar 8, 2007 8:14:28 PM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/twbs_secwsaatl.html

© Copyright IBM Corporation 2006. All Rights Reserved.
This information center is powered by Eclipse technology. (http://www.eclipse.org)