When Enterprise Server is installed, SOAP layer message security providers are configured in the client and server-side containers of Enterprise Server, where they are available for binding for use by the containers, or by individual applications or clients deployed in the containers. During installation, the default providers are configured with a simple message protection policy that, if bound to a container, or to an application or client in a container, would cause the source of the content in all request and response messages to be authenticated by XML digital signature.
Enterprise Server administrative interfaces can be used as follows:
To modify the message protection policies enforced by the providers
To bind the existing providers for use by the server-side containers of Enterprise Server
To create new security provider configurations with alternative message protection policies
Analogous administrative operations can be performed on the SOAP message layer security configuration of the application client container. If you want web services security to protect all web services applications deployed on Enterprise Server. See Enabling Message Security for Application Clients.
By default, message layer security is disabled on Enterprise Server. To configure message layer security for the Enterprise Server see Enabling Default Message Security Providers for Web Services.
In most cases, you must restart Enterprise Server after performing administrative tasks. This is especially true if you want the effects of the administrative change to be applied to applications that were already deployed on Enterprise Server at the time the operation was performed.
The general implementation tasks for message security include some or all of the following:
If you are using a version of the Java SDK prior to version 1.5.0, and using encryption technology, configuring a JCE provider
If you are using a username token, verifying that a user database is configured for an appropriate realm
When using a username/password token, an appropriate realm must be configured and a user database must be configured for the realm.
Managing certificates and private keys, if necessary
Enabling the Enterprise Server default providers
Configuring new message security providers
In Enterprise Server, the administrator and the application deployer are expected to take primary responsibility for configuring message security. In some situations, the application developer might also contribute.
The system administrator is responsible for the following message security tasks:
Administering server security settings and certificate databases
Administering keystore and truststore files
Configuring message security providers on Enterprise Server
Turning on message security
(If needed) Installing the samples server
The application deployer is responsible for the following message security tasks:
Specifying (at application reassembly) any required application-specific message protection policies if such policies have not already been specified by the developer/assembler.
Modifying Sun-specific deployment descriptors to specify application-specific message protection policies information (message-security-binding elements) to web service endpoint and service references.
The application developer/assembler is responsible for the following message security tasks:
Determining if an application-specific message protection policy is required by the application
If so, the developer ensures that the required policy is specified at application assembly time.
Specifying how web services should be set up for message security
Message security can be set up by the administrator so that all web services are secured, or by the application deployer when the security provider or protection policy bound to the application must be different from that bound to the container.
Turning on message security if authorized to do so by the administrator