Using the HTTP Binding Component

Mutual Certificates Security

The Mutual Certificates Security mechanism uses security through authentication and message protection to ensure integrity and confidentiality. This mechanism requires a keystore and truststore file for both the client and server sides of the application.

For an example of configuring WS Security for Mutual Certificates Security see Using the WSIT Mutual Certificates Security Mechanism with the HTTP BC

Server-Side Requirements

The following server-side options need to be configured for this security mechanisms:

Client-Side Requirements

The following client-side options need to be configured for this security mechanisms:

Table 22 Mutual Certificates Security Configuration Properties




Algorithm Suite 

Specifies the algorithm suite required to perform cryptographic operations with symmetric or asymmetric key-based security tokens.  

See Algorithm Suite under Table 21 for more information.

Basic 128bit 

Security Header Layout 

Specifies the layout rule to apply when adding items to the security header. Options are Strict, Lax, Lax (Timestamp First), and Lax (Timestamp Last). 

See Security Header Layout under Table 21 for more information.


Require Derived Keys 

Specifies that a derived key is required.  

A derived key is a cryptographic key created from a password or other user data. Derived keys allow applications to create session keys as needed, eliminating the need to store a particular key. The use of the same session key (for example, when using Secure Session) for repeated message exchanges is sometimes considered a risk. To reduce that risk, enable Require Derived Keys.  

Select the checkbox to enable. 

Establish Secure Session (Secure Conversation) 

Secure Session enables establishes a shared security context between the consumer and provider when a multiple-message-exchange sequence is first initiated. Subsequent messages use (possibly derived) session keys that increase the overall security while reducing the security processing overhead for each message.  

For more information see Establish Secure Session under Table 21.

Select the checkbox to enable. 

Require Derived Keys for Secure Session 

Specifies that a derived key is required for Secure Session. See Require Derived Keys above for more information. 

Select the checkbox to enable. 

Encrypt Signature 

Specifies whether the primary signature and signature confirmation elements must be encrypted.  

Select the checkbox to enable. 

Encrypt before Signing 

Specifies that the order of message protection is to encrypt the SOAP content, then sign the entire SOAP body. The encryption key and signing key must be derived from the same source key.  

If not selected, the default behavior is Sign Before Encrypt.  

Check box Selected indicates disabled.