Web Services security, or to be more precise, SOAP message security, identifies and
provides solutions for general computer security threats as well as threats unique
to Web services.
WSO2 Carbon supports WS Security, WS-Policy and WS-Security Policy specifications.
These specifications define a behavioral model for Web services. A requirement for
one Web service may not be valid for another. Thus defining service-specific
requirements might be necessary.
The WSO2 SOA platform provides important security features to your service. By default,
the security features are disabled. You should explicitly enable the security feature.
Adding Security Features
Understanding the exact security requirements should be the first step you should take
when planning to secure your Web services. For an example, you may have to consider what
security aspects are important to your service, whether it is the integrity,
confidentiality, or both.
In the navigator, under Manage/Services, click List.
The Deployed Services page appears.
Click on the service name for which you want to add
security features. The Service Dashboard
page appears.
Click Security in the Quality
of Service Configuration panel. The Security
for the Service page appears.
To enable security for the service, in the Enable
Security? drop down list, click Yes.
Figure 1: Enabling security
A list of available security scenarios is displayed. In addition to that, an
option is provided to select a custom security policy from Registry.
Figure 2: Selecting Default Security Scenarios
Figure 3: Referring to a policy from Registry
To enable security for your service, either you can select a default security scenario
from the 15 existing scenarios (as shown in Figure 2) or you can refer to a custom
security policy which is stored in Configuration Registry or Governance Registry
(as shown in Figure 3). After selecting the suitable option, click Next.
The Activate Security page appears. You can configure the
security features on this page. The configurations depend on your previous selections.
If you have selected a default security scenario, this page will show you the user groups,
key stores etc. according to the selected security scenario. But if you have referred to a
custom security policy from Registry, this page will show all the options to select user
groups and key stores and you have to select those according to your policy.
In a default scenario, if you have selected a policy that includes Username Token,
you will have the User Group panel to choose the users who are
allowed to access the service.
Figure 4: Activate security - User Groups
In a default scenario, if you have selected a policy that requires signing or
encryption, Trusted Key Stores and Private Key Store panels appear.
Select the KeyStore (wso2carbon.jks) and the Private Key Store
(Only the wso2carbon.jks keystore is available by default).
If you are applying security scenario 16 (Kerberos Token based security) you have to associate
your service with a service principal. Security scenario 16 is only applicable if you have a
"Key Distribution Center (KDC)" and an "Authentication Server
(AS)"
in your environment. Commonly you can find KDC and an AS in a LDAP Directory server.
2 configuration files are used to specify Kerberos related parameters. They are,
1. krb5.conf - Includes KDC server details, encryption/decryption algorithms etc ...
2. jaas.conf - Includes information relevant to authorization.
Usually above files are located at {server installation directory}/repository/conf directory.
After selecting scenario 16, you will be asked to fill information about service principal to
associate web service with. There you need to specify service principal name and service
principal password. Service principal must be already defined in the LDAP Directory server.
When you have referred to a custom policy from Registry, you will be provided
with all possible options to select user groups, trusted key stores and private
key store. You can select only the needed options according to your custom
policy and ignore others. Even if you select unwanted stuff, those will not be
used at runtime.
Figure 7: Activate Security - Custom policies
Click Finish. You will see the message "Security Applied Successfully".
And you will be redirected to the Service Dashboard.
Disabling Security Features
This function is used to disable Security from a particular service.
In the navigator, under Manage/Service, click List.
The Deployed Services page appears.
Click on the service name from which you want to disable security.
The Service Dashboard page appears.
Click Security in the Quality of Service Configuration
panel. The Security for Service page appears.
To disable security from the service, in the Enable
Security? drop down list, click No and confirm.
You will see the message "Security Applied Successfully".
Note: All default security scenarios are described in the wizard.