Sun OpenSSO Enterprise 8.0 Administration Reference

Web Service Client Attributes

The Web Service Client agent profile describes the configuration that is used for securing outbound web service requests from a web service client. The name of the web service client must be unique across all agents.

General

The following General attributes define basic web service client properties:

Group

The Group mechanism allows you to define a collection of similar types of agents. The group must be defined before including the particular agent into a collection.

Password

Defines the password for the web service client agent.

Password Confirm

Confirm the password.

Status

Defines whether the web service client agent will be active or inactive in the system. By default, this attribute is set to active, meaning that the agent will participate in securing outbound web service requests from web service clients and will validate web service responses from a web service provider.

Universal Identifier

Lists the basic LDAP properties that uniquely identify the web service client agent.

Security

The following attributes define web service client security attributes:

Security Mechanism

Defines the type of security credential that is used to secure the web service client request. You can choose one of the following security credential types:

STS Configuration

This attribute is enabled when the web service client uses Security Token service (STS) as the Security Mechanism. This configuration describes a list of STS agent profiles that are used to communicate with and secure the web service requests to the STS service.

Discovery Configuration

This attribute is enabled when the web service client is enabled for Discovery Service security. This configuration describes a list of Discovery Agent profiles that are used to secure requests made to the Discovery service.

User Authentication Required

When enabled, this attribute requires a user to be authenticated before the web service client's protected page can be accessed.

Preserve Security Headers in Message

When enabled, this attribute defines that the SOAP security headers are preserved by the web service client for further processing.

Use Pass Through Security Token

When enabled, this attribute indicates that the web service client will pass through the received Security token from the Subject. It will not try to create the token locally or from STS communication.

Liberty Service Type URN

The URN (Uniform Resource Name) identifies the Liberty service type that the web service client uses for service lookups.

Credential for User Token

The attribute represents the username/password shared secrets that are used by the web service client to generate a Username security token.

Signing and Encryption

The following attributes define signing and encryption configuration for web service security:

Is Request Signed

When enabled, the web services client signs the request using a given token type.

Is Request Header Encrypted

When enabled, the web services client security header will be encrypted.

Is Request Encrypted

When enabled, the web services client request will be encrypted.

Is Response Signature Verified

When enabled, the web services response signature is verified.

Is Response Decrypted

When enabled, the web services response will be decrypted.

Signing Reference Type

Defines the reference type used when the Security Token Service signs the WSC response. The possible reference types are DirectReference, KeyIdentifier, and X509.

Encryption Algorithm

Defines the encryption algorithm used to encrypt the web service response.

Encryption Strength

Sets the encryption strength used by the Security Token Service to encrypt the web service response. Select a greater value for greater encryption strength.

Key Store

The following attributes configure the keystore to be used for certificate storage and retrieval:

Public Key Alias of Web Service Provider

This attribute defines the public certificate key alias that is used to encrypt the web service request or verify the signature of the web service response.

Private Key Alias

This attribute defines the private certificate key alias that is used to sign the web service request or decrypt the web service response.

Key Storage Usage

This configuration defines whether to use the default keystore, or a custom keystore. The following values must be defined for a custom key store:

End Points

The following attributes define web service endpoints:

Web Service Security Proxy End Point

This attribute defines a web service end point to which the web service client is making a request. This end point is optional unless it is configured as a web security proxy.

Web Service End Point

This attribute defines a web service end point to which the web service client is making a request.

Kerberos Configuration

Kerberos is a security profile supported by web services security to secure communications between a web service client and a web service provider. In a typical scenario, a user authenticates to the desktop and then invokes a web service through the web service client. The web service client needs a Kerberos ticket to secure the request to the web service provider, identifying the user's principal by means of a Kerberos token. Typically, Kerberos-based web services security is used within a single Kerberos domain (realm), as opposed to across domain boundaries, which is where SAML-based web services security is typically used. Kerberos is nevertheless one of the strongest authentication mechanisms, especially in a Windows Domain Controller environment.

Kerberos Domain Server

This attribute specifies the hostname of the Kerberos Key Distribution Center (KDC), that is, the domain controller. You must enter the fully qualified domain name (FQDN) of the domain controller.

Kerberos Domain

This attribute specifies the Kerberos Key Distribution Center (KDC) domain name. Depending on your configuration, the domain name of the domain controller may differ from the OpenSSO Enterprise domain name.

Kerberos Service Principal

Specifies the web service principal registered with the KDC.

Use the following format:

HTTP/hostname.domainname@dc_domain_name

hostname and domainname represent the hostname and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows Kerberos server (domain controller) resides. The Kerberos domain may differ from the domain name of the OpenSSO Enterprise instance.
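A misnamed service principal is a common cause of Kerberos failures that only surface as an opaque authentication error at the web service provider, so it pays to check the three Kerberos attributes against each other before saving the profile. The following Python is an added example, not part of the OpenSSO Enterprise documentation or product: it parses a principal in the HTTP/hostname.domainname@dc_domain_name form described above and compares it with the OpenSSO instance FQDN and the configured Kerberos Domain. The hostnames and realm used in the sample calls are constructed values.

```python
import re
from dataclasses import dataclass

# Shape described in the reference: <service>/<hostname.domainname>@<dc_domain_name>.
# The host part must be a fully qualified name (at least one dot), because the
# reference requires the hostname.domainname of the OpenSSO Enterprise instance.
_SPN_RE = re.compile(
    r"^(?P<service>[A-Za-z][A-Za-z0-9_-]*)"
    r"/(?P<host>[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+)"
    r"@(?P<realm>[A-Za-z0-9.-]+)$"
)


@dataclass(frozen=True)
class ServicePrincipal:
    service: str  # service class, "HTTP" for a web service endpoint
    host: str     # FQDN of the OpenSSO Enterprise instance
    realm: str    # Kerberos domain (realm) of the domain controller


def parse_service_principal(spn: str) -> ServicePrincipal:
    """Split a Kerberos service principal into its three parts, or raise ValueError."""
    match = _SPN_RE.match(spn.strip())
    if not match:
        raise ValueError(f"malformed service principal: {spn!r}")
    return ServicePrincipal(match["service"], match["host"], match["realm"])


def check_service_principal(spn: str, opensso_fqdn: str, kerberos_domain: str) -> list[str]:
    """Return a list of findings; an empty list means the principal is consistent
    with the Kerberos Domain Server / Kerberos Domain attributes it is paired with."""
    try:
        principal = parse_service_principal(spn)
    except ValueError as exc:
        return [str(exc)]

    findings = []
    if principal.service != "HTTP":
        findings.append(f"service class is {principal.service!r}, expected 'HTTP'")
    # DNS names are case-insensitive, so compare the host part case-insensitively.
    if principal.host.lower() != opensso_fqdn.lower():
        findings.append(
            f"host {principal.host!r} does not match OpenSSO instance FQDN {opensso_fqdn!r}"
        )
    # Kerberos realm names are case-sensitive and conventionally upper case.
    if principal.realm != kerberos_domain:
        findings.append(
            f"realm {principal.realm!r} does not match Kerberos Domain {kerberos_domain!r}"
        )
    if principal.realm != principal.realm.upper():
        findings.append(f"realm {principal.realm!r} is not upper case")
    return findings


if __name__ == "__main__":
    # Constructed sample values: an OpenSSO instance in example.com whose KDC
    # lives in a different Kerberos domain, as the reference says is possible.
    fqdn, domain = "sso.example.com", "CORP.EXAMPLE.COM"
    for candidate in (
        "HTTP/sso.example.com@CORP.EXAMPLE.COM",   # consistent
        "HTTP/sso@CORP.EXAMPLE.COM",               # host is not an FQDN
        "http/sso.example.com@corp.example.com",   # wrong service case, wrong realm
    ):
        print(candidate, "->", check_service_principal(candidate, fqdn, domain) or "OK")
```

Run the block directly to see the three sample outcomes; in an administration script, call check_service_principal with the values you are about to enter in the three Kerberos attributes and refuse to save the profile when it returns any finding.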

Kerberos Ticket Cache Directory

Specifies the Kerberos TGT (Ticket Granting Ticket) cache directory. When the user authenticates to the desktop, or obtains a ticket with kinit (the command used to request a TGT from the KDC), the TGT is stored in the local cache defined by this attribute.