Security for Web Service - User Guide

Security for Web Services

Web Services security, or more precisely SOAP message security, identifies and provides solutions for general computer security threats (eavesdropping, tampering, impersonation, replay) as well as threats unique to Web services.

WSO2 Carbon supports the WS-Security, WS-Policy and WS-SecurityPolicy specifications. Together these define how the security requirements of a Web service are expressed and enforced. A requirement for one Web service may not be valid for another, so security requirements are defined per service.

The WSO2 SOA platform provides these security features for your services, but they are disabled by default: a freshly deployed service accepts plain, unauthenticated SOAP messages until you explicitly enable security for it.

Adding Security Features

Understanding the exact security requirements should be the first step when planning to secure your Web services. For example, decide which security properties matter for your service: authentication of the caller, integrity of the message, confidentiality of the message, or a combination of these. The scenario you choose in the wizard below should match that decision.

  1. In the navigator, under Manage/Services, click List. The Deployed Services page appears.
  2. Click the name of the service to which you want to add security features. The Service Dashboard page appears.
  3. Click Security in the Quality of Service Configuration panel. The Security for the Service page appears.
  4. To enable security for the service, in the Enable Security? drop-down list, click Yes.

    Figure 1: Enabling security

  5. A list of available security scenarios is displayed. In addition, an option is provided to refer to a custom security policy stored in the Registry.

    Figure 2: Selecting Default Security Scenarios

    Figure 3: Referring to a policy from Registry

  6. To enable security for your service, either select one of the default security scenarios (as shown in Figure 2) or refer to a custom security policy stored in the Configuration Registry or Governance Registry (as shown in Figure 3). After selecting the suitable option, click Next. The Activate Security page appears. You configure the security features on this page; the options it shows depend on your previous selection.
    If you selected a default security scenario, this page shows only the user groups, key stores and other settings that scenario needs. If you referred to a custom security policy from the Registry, this page shows all options for selecting user groups and key stores, and you must select the ones your policy requires.

      • In a default scenario, if you selected a policy that includes a Username Token, the User Groups panel appears so you can choose the user groups whose members are allowed to access the service. Callers outside the selected groups are rejected even if they present a valid username and password.

        Figure 4: Activate security - User Groups

      • In a default scenario, if you selected a policy that requires signing or encryption, the Trusted Key Stores and Private Key Store panels appear. Select the trusted KeyStore (wso2carbon.jks) and the Private Key Store (only the wso2carbon.jks keystore is available by default). Note that the bundled wso2carbon.jks, with its private key, is identical in every WSO2 distribution, so signatures and encryption based on it protect nothing against anyone who has downloaded the product. For any deployment other than a local test, create your own keystore, make it available to Carbon, and select that keystore here.

        Figure 5: Activate Security - Selecting Key Stores

      • If you are applying security scenario 16 (Kerberos Token based security), you have to associate your service with a service principal. Scenario 16 is only applicable if you have a Key Distribution Center (KDC) and an Authentication Server (AS) in your environment; these are commonly provided by an LDAP directory server such as Active Directory. Two configuration files specify the Kerberos related parameters:
        1. krb5.conf - KDC server details, realm names, the encryption types permitted, etc.
        2. jaas.conf - the JAAS (Java Authentication and Authorization Service) login module configuration used when the server authenticates to the KDC.

        Both files are usually located in the {server installation directory}/repository/conf directory.

        After selecting scenario 16, you are asked for the service principal with which to associate the web service: the service principal name and the service principal password. The service principal must already be defined in the LDAP directory server; the wizard does not create it.

        Figure 6: Activate Security - Kerberos security policy

      • When you referred to a custom policy from the Registry, you are offered every possible option: user groups, trusted key stores and private key store. Select only the options your custom policy needs and ignore the others. Options that the policy does not reference are not used at runtime even if you select them, but selecting only what the policy needs keeps the configuration reviewable.

        Figure 7: Activate Security - Custom policies

  7. Click Finish. The message "Security Applied Successfully" appears and you are redirected to the Service Dashboard. From this point the service rejects requests that do not satisfy the applied policy.
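The following is an added example, not code from this user guide or from the WSO2 Carbon code base. It shows what the Username Token scenario chosen in step 6 enforces on the wire once security is applied: every request must carry a WS-Security UsernameToken, and the receiver must check the digest, the timestamp and the nonce. The client side builds the token with a PasswordDigest as the WS-Security UsernameToken Profile defines it; the receiver side verifies it, including replay and freshness checks. The user store, the fixed clock, the sample credentials and the rejection strings are constructed for the example and are not Carbon's.

```python
"""Username Token check as a WS-Security policy-enforcing receiver must perform it.

Added example: USERS stands in for the Carbon user store selected in the wizard,
FIXED_NOW is a fixed clock so demo() is deterministic, and the rejection
strings are illustrative (a real handler returns one generic SOAP fault).
"""
import base64
import datetime as dt
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NONCE_BASE64 = ("http://docs.oasis-open.org/wss/2004/01/"
                "oasis-200401-wss-soap-message-security-1.0#Base64Binary")

USERS = {"admin": "admin", "alice": "s3cret"}  # constructed user store, not Carbon's
FIXED_NOW = dt.datetime(2024, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)  # fixed clock for demo()


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(user: str, password: str, now=None, nonce: bytes = None) -> str:
    """Client side: the <wsse:UsernameToken> a caller places in its Security header."""
    now = now or dt.datetime.now(dt.timezone.utc)
    created = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    nonce = nonce or os.urandom(16)
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{user}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{NONCE_BASE64}">{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


class UsernameTokenVerifier:
    """Receiver side: accept a token only if it is fresh, unseen and matches a known user's password."""

    def __init__(self, users: dict, max_age: dt.timedelta = dt.timedelta(minutes=5)):
        self.users = users
        self.max_age = max_age
        self.seen_nonces = set()  # (user, nonce) already accepted; a real cache expires entries after max_age

    def verify(self, token_xml: str, now=None) -> str:
        """Return "ok" or the reason the token is rejected."""
        now = now or dt.datetime.now(dt.timezone.utc)
        tok = ET.fromstring(token_xml)
        user = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        # Only digest tokens carrying a nonce and timestamp are accepted; PasswordText would expose the secret.
        if pw is None or pw.get("Type") != PASSWORD_DIGEST or not nonce_b64 or not created:
            return "rejected: digest, nonce and created are required"
        if user not in self.users:
            return "rejected: unknown user"
        created_at = dt.datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)
        if not (now - self.max_age <= created_at <= now + self.max_age):
            return "rejected: timestamp outside freshness window"
        nonce = base64.b64decode(nonce_b64)
        if (user, nonce) in self.seen_nonces:
            return "rejected: nonce replayed"
        expected = password_digest(nonce, created, self.users[user])
        if not hmac.compare_digest(expected.encode("ascii"), (pw.text or "").encode("utf-8")):
            return "rejected: digest mismatch"
        self.seen_nonces.add((user, nonce))  # record only after a successful check
        return "ok"


def demo() -> list:
    """Send five requests to one verifier under the fixed clock and return the verdicts."""
    v = UsernameTokenVerifier(USERS)
    good = build_username_token("alice", "s3cret", now=FIXED_NOW, nonce=b"0123456789abcdef")
    return [
        v.verify(good, now=FIXED_NOW),                                                   # fresh and correct
        v.verify(good, now=FIXED_NOW),                                                   # same bytes again
        v.verify(build_username_token("alice", "wrong", now=FIXED_NOW), now=FIXED_NOW),  # wrong password
        v.verify(build_username_token("alice", "s3cret", now=FIXED_NOW - dt.timedelta(hours=1)), now=FIXED_NOW),
        v.verify(build_username_token("mallory", "s3cret", now=FIXED_NOW), now=FIXED_NOW),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The nonce cache and the freshness window are what turn a password digest into replay protection: without them an attacker who captures one valid token can resend it indefinitely, which is exactly what the scenario is meant to prevent. The receiver here records a nonce only after the digest check passes, so a caller cannot poison the cache with guessed nonces for another user.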

Disabling Security Features

Use this procedure to remove security from a particular service. Once disabled, the service again accepts plain, unauthenticated SOAP messages, so disable security only when that is intended.

  1. In the navigator, under Manage/Services, click List. The Deployed Services page appears.
  2. Click the name of the service from which you want to remove security. The Service Dashboard page appears.
  3. Click Security in the Quality of Service Configuration panel. The Security for the Service page appears.
  4. To disable security for the service, in the Enable Security? drop-down list, click No and confirm.
  5. The message "Security Applied Successfully" appears, confirming that the change has been saved.

Note: All default security scenarios are described in the wizard.