You can use assertions in the Web Services Security (WS-Security) policy defined in the WSDL file to ensure that SOAP messages are protected with the HTTPS secure transport. When used with security tokens such as UsernameTokens with clear text passwords, HTTPS can help to ensure confidentiality.
The assertions for the HTTPS transport in the WS-Security policy
do not set up the HTTPS transport between the requestor and provider.
They ensure only that the HTTPS transport is used when the web services
application with the defined policy is called. To enable the transport security for web
services, see Securing web services at the transport level.
Ensure that HTTPS is set up between the web services client and provider. To protect your SOAP messages with the HTTPS secure transport, complete the following extra steps.
<wsp:Policy xmlns:wsp="..." xmlns:sp="...">
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken />
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
</wsp:Policy>
</sp:TransportBinding>
</wsp:Policy>
By completing these extra steps after the HTTPS configuration, SOAP messages are required to be sent over HTTPS from a web services client to a web services provider.