Configuring WS-Security for WSRP Consumption and Production

This chapter provides overviews of determining security requirements and WS-Security for WSRP and discusses how to:

Important! The procedures for configuring WSRP consumption and production must be performed in the order set out in this chapter.

Determining Security Requirements

Before implementing WSRP, you first need to determine the level of security that you require. If you are consuming remote portlets, the level that you select must be the same as the producer's. If you are producing portlets, consider whether you need to secure only the transmission channel or the transmission channel and the messages. You should also consider how security will affect the performance of your servers.

Including the No Security option, six types of token security options are available for WS-Security (set in the server-config.wsdd file):

Important! The security option used by the producer must be an exact match to the security option used by the consumer.

In addition, PeopleSoft features a WSRP WSS Enabled Response option. When specified in an outbound consumer request, the producer response must include a WSS header.

Understanding the PeopleSoft WS-Security for WSRP

WSRP involves passing SOAP messages between the WSRP consumer and producer. To safely use WSRP, Oracle provides message-level security between the consumer and the producer by incorporating WS-Security.

WS-Security is an extension to the concept of the SOAP envelope header that enables applications to construct secure SOAP message exchanges. It also provides a means for associating security tokens with messages.

WS-Security provides three main mechanisms:

This diagram shows the SOAP envelope, SOAP header, and SOAP body and how WS-Security embeds the security token in the SOAP messages:

WS-Security SOAP message structure

When the PeopleSoft portal is a WSRP consumer, the user ID and password of the user signed in to the portal are placed into a Username or SAML token in the SOAP header, and the WSRP portlet consumes it. The token is presented to each portlet during the initial markup request. The security handler performs WS-Security token generation, digital signature generation, and token encryption before the PeopleSoft system sends the SOAP request message and the WS-Security SOAP header.

Important! The PeopleSoft portal authentication information (both the user ID and password) must be the same as the producer's.

When the PeopleSoft system is the producing system, the consuming system sends PeopleSoft the SOAP request message and the WS-Security SOAP header. The portal accepts the Username token in the WS-Security header from the remote portal, assuming that the ID and password are acceptable to the PeopleSoft system. The receiver security handler decrypts the SOAP header, validates the digital signature, verifies the WS-Security token, and generates a PS_TOKEN cookie, the PeopleSoft authentication token.

This diagram shows the PeopleSoft Portal as both WSRP consumer and WSRP producer.

PeopleSoft Portal as WSRP consumer and producer

The WS-Security support provided by PeopleSoft applications includes:

Note. PeopleSoft applications support SAML 1.1.

UserNameToken Security

With Username Token support, a consumer can supply a UsernameToken as a means of identifying the requestor by username, and optionally using a password to authenticate that identity to the web service provider.

This is an XML example of a UserName Token with password:

Note. The password is in clear text.

<soapenv:Header>
  <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken>
      <wsse:Username>QEDMO</wsse:Username>
      <wsse:Password Type="username-token-profile-1.0#PasswordText">QEDMO</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soapenv:Header>

This is an XML example of a UserName Token with digital signature:

<soapenv:Envelope xmlns:soapenv="">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <ds:Signature xmlns:ds="">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm=""/>
          <ds:SignatureMethod Algorithm=""/>
          <ds:Reference URI="#id-18871350">
            <ds:Transforms>
              <ds:Transform Algorithm=""/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm=""/>
            <ds:DigestValue>Do+wViC4mSHBWYmRMWKaRDF8xmU=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-11549664">
            <ds:Transforms>
              <ds:Transform Algorithm=""/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm=""/>
            <ds:DigestValue>4NVgNpjX16B4+Wrmw+7bnGfeJSs=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
          QFXQuStu8sLAvsDIgNaZHuVWBIes9GpgY6fGb9KLP209hzNi+cPp3NahsF1mVxcXzCjrui2Vc3vq
          wLtYA9kaFsM7EMY8TdJC9cmiepr07pR2iXXMmDYYp01dOQkz+3SeBg9F2qPOBAg/jTrWgppys2rS
          ES9pV6OIKRk0try8BcU=
        </ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-1049443">
          <wsse:SecurityTokenReference wsu:Id="STRId-14721926" xmlns:wsu="http://docs.">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=PeopleTools TEST root CA,DC=peoplesoft,DC=com,OU= PeopleToolsDevelopment,O=PeopleSoft Inc,L=Pleasanton,ST=CA,C=US</ds:X509IssuerName>
                <ds:X509SerialNumber>566474176348341487536757</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsse:UsernameToken wsu:Id="id-11549664" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>QEDMO</wsse:Username>
        <wsse:Password Type="/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">QEDMO</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="id-18871350" xmlns:wsu="/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <ns1:testMethod xmlns:ns1="http://axis/service/security/test9/LogTestService9"/>
  </soapenv:Body>
</soapenv:Envelope>
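
The two UsernameToken messages above differ in what they protect, and that can be checked on a captured request. The following Python audit is an added example, not PeopleTools code: the function name, the finding codes and both sample messages are constructed for illustration, and the published OASIS and W3C namespace URIs are assumed because the ones shown in this chapter are truncated.

```python
import xml.etree.ElementTree as ET

# Published SOAP 1.1, WS-Security, XML-DSig and XML-Enc namespace URIs.
# Assumption: the URIs printed in the chapter's samples are truncated.
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": WSS + "wssecurity-secext-1.0.xsd",
    "wsu": WSS + "wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
PASSWORD_TEXT = WSS + "username-token-profile-1.0#PasswordText"


def audit_username_token(envelope_xml, scheme):
    """Return sorted finding codes (hypothetical names) for one SOAP request.

    Structural audit only: it reports what the message claims to protect and
    does not verify the signature value. Parse untrusted captures with a
    hardened XML parser; the samples below are constructed.
    """
    root = ET.fromstring(envelope_xml)
    security = root.find("soapenv:Header/wsse:Security", NS)
    if security is None:
        return ["no-wss-header"]

    # wsu:Id values covered by the signature's ds:Reference elements.
    signed_ids = set()
    for ref in security.iterfind("ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            signed_ids.add(uri[1:])

    findings = []
    token = security.find("wsse:UsernameToken", NS)
    if token is None:
        # An encrypted token is replaced by xenc:EncryptedData in the header.
        if security.find(".//xenc:EncryptedData", NS) is None:
            findings.append("no-username-token")
    else:
        password = token.find("wsse:Password", NS)
        if password is not None and password.get("Type") == PASSWORD_TEXT:
            findings.append("cleartext-password")
            if scheme.lower() != "https":
                findings.append("cleartext-password-over-http")
        if token.get(WSU_ID) not in signed_ids:
            findings.append("token-not-signed")

    body = root.find("soapenv:Body", NS)
    if body is None or body.get(WSU_ID) not in signed_ids:
        findings.append("body-not-signed")
    return sorted(findings)


_XMLNS = " ".join('xmlns:%s="%s"' % item for item in NS.items())
_TOKEN = (
    '<wsse:UsernameToken%s><wsse:Username>QEDMO</wsse:Username>'
    '<wsse:Password Type="' + PASSWORD_TEXT + '">QEDMO</wsse:Password>'
    '</wsse:UsernameToken>'
)
_ENVELOPE = (
    "<soapenv:Envelope " + _XMLNS + "><soapenv:Header><wsse:Security>%s"
    "</wsse:Security></soapenv:Header><soapenv:Body%s/></soapenv:Envelope>"
)
# Constructed sample: UsernameToken in clear text, nothing signed.
CLEAR_TEXT_REQUEST = _ENVELOPE % (_TOKEN % "", "")
# Constructed sample: same token, with signature references to token and body
# (IDs as in the chapter's signed example; digests and signature value omitted).
SIGNED_REQUEST = _ENVELOPE % (
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#id-18871350"/>'
    '<ds:Reference URI="#id-11549664"/></ds:SignedInfo></ds:Signature>'
    + _TOKEN % ' wsu:Id="id-11549664"',
    ' wsu:Id="id-18871350"',
)
```

Signing the token does not hide it: the signed sample still reports cleartext-password, which is why the clear text option depends on HTTPS.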

SAML Token Security

A SAML token makes statements about a principal. All SAML tokens include the following common information:

This is an XML example of an SAML token:

<Assertion AssertionID="d9aeaa4c1126df5ee0c6df64fdf961b1"
    IssueInstant="2008-05-14T18:18:47.246Z" Issuer="" MajorVersion="1" MinorVersion="1"
    xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
  <Conditions NotBefore="2008-05-14T18:18:47.184Z" NotOnOrAfter="2008-05-14T18:28:47.184Z"/>
  <AuthenticationStatement AuthenticationInstant="2008-05-14T18:18:47.215Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <Subject>
      <NameIdentifier NameQualifier="">QEDMO</NameIdentifier>
      <SubjectConfirmation>
        <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod>
      </SubjectConfirmation>
    </Subject>
  </AuthenticationStatement>
</Assertion>
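
The sample assertion carries a ten-minute validity window and a sender-vouches confirmation method. The following Python check is an added example, not PeopleTools code: it shows how a receiver can evaluate those fields, and the function names, problem codes and the two-minute clock-skew allowance are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"


def parse_instant(value):
    """Parse a SAML UTC instant, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unparseable SAML instant: %r" % (value,))


def check_assertion(assertion_xml, now, skew=timedelta(minutes=2)):
    """Return (subject, problems) for a SAML 1.1 assertion.

    Checks version, validity window (with an assumed clock-skew allowance)
    and confirmation method. Signature verification is out of scope here.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        return None, ["not-a-saml-assertion"]
    problems = []
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        problems.append("not-saml-1.1")

    cond = root.find("saml:Conditions", SAML_NS)
    start = cond.get("NotBefore") if cond is not None else None
    end = cond.get("NotOnOrAfter") if cond is not None else None
    if start is None or end is None:
        problems.append("no-validity-window")
    else:
        if now + skew < parse_instant(start):
            problems.append("not-yet-valid")
        if now - skew >= parse_instant(end):
            problems.append("expired")

    # sender-vouches: the sender attests to the subject, so the assertion is
    # only as trustworthy as the sender's signature over it.
    method = root.findtext(".//saml:ConfirmationMethod", "", SAML_NS)
    if method.strip() != SENDER_VOUCHES:
        problems.append("unexpected-confirmation-method")
    subject = root.findtext(".//saml:NameIdentifier", "", SAML_NS).strip()
    if not subject:
        problems.append("no-subject")
    return subject or None, problems


# The chapter's sample assertion (Issuer is blank on the page).
SAMPLE_ASSERTION = """\
<Assertion AssertionID="d9aeaa4c1126df5ee0c6df64fdf961b1"
    IssueInstant="2008-05-14T18:18:47.246Z" Issuer="" MajorVersion="1"
    MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion">
  <Conditions NotBefore="2008-05-14T18:18:47.184Z"
      NotOnOrAfter="2008-05-14T18:28:47.184Z"/>
  <AuthenticationStatement AuthenticationInstant="2008-05-14T18:18:47.215Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <Subject>
      <NameIdentifier NameQualifier="">QEDMO</NameIdentifier>
      <SubjectConfirmation>
        <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod>
      </SubjectConfirmation>
    </Subject>
  </AuthenticationStatement>
</Assertion>"""
```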

This is an XML example of an SAML token with digital signature:

- <soapenv:Envelope xmlns:soapenv=""> - <soapenv:Header> - <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open. org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> - <Assertion AssertionID="ede14876b3389b653824f0456e07676d" IssueInstant=" 2008-05-13T22:54:17.417Z" Issuer="" MajorVersion="1" MinorVersion ="1"xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc: SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"> <Conditions NotBefore="2008-05-13T22:54:17.386Z" NotOnOrAfter="2008-05- 13T23:04:17.386Z" /> - <AuthenticationStatement AuthenticationInstant="2008-05-13T22:54:17. 401Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"> - <Subject> <NameIdentifier NameQualifier="">QEDMO</NameIdentifier> - <SubjectConfirmation> <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ ConfirmationMethod> </SubjectConfirmation> </Subject> </AuthenticationStatement> </Assertion> - <wsse:SecurityTokenReference wsu:Id="STRSAMLId-11733267" xmlns:wsu=" utility-1.0.xsd"> <wsse:Reference URI="#ede14876b3389b653824f0456e07676d" ValueType="http: // 1.0#SAMLAssertion-1.1" /> </wsse:SecurityTokenReference> <wsse:BinarySecurityToken EncodingType=" 2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http:⇒ //" wsu:Id="CertId-28365241" xmlns:wsu="⇒ 200401-wss-wssecurity-utility-1.0.xsd">MIIElzCCBACgAwIBAgIKQrSKy⇒ QAAAAAL+DANBgkqhkiG9w0BAQUFADCBvjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRMwEQYDVQQHEwp⇒ QbGVhc2FudG9uMRcwFQYDVQQKEw5QZW9wbGVTb2Z0IEluYzEgMB4GA1UECxMXUGVvcGxlVG9vbHMg⇒ RGV2ZWxvcG1lbnQxEzARBgoJkiaJk/IsZAEZFgNjb20xGjAYBgoJkiaJk/IsZAEZFgpwZW9wb⇒ GVzb2Z0MSEwHwYDVQQDExhQZW9wbGVUb29scyBURVNUIHJvb3QgQ0EwHhcNMDcwODE2MTc1MDIzWhc⇒ NMDgwODE2MTgwMDIzWjBxMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTETMBEGA1UEBx⇒ MKUGxlYXNhbnRvbjEPMA0GA1UEChMGT3JhY2xlMRQwEgYDVQQLEwtQZW9wbGVUb29sczERMA8GA1UEAww⇒ IcWVfaWJ0Z3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMrvvgIBLkotkSm+tnbxjyNQl⇒ 
Ti3h3p8h44WhIJ1Ikdvhgtwk890doxdF1HkDaX0Zz7/9IcW4wc5l3z/C/r0kchcq95ToRxKZ5UC50Sx2wb⇒ T9/GL6GVUP/EBtGqcaZSeE4G9OHiVmeXxe7opb3InyyAxU/dbuLj/bMpOvABgbmdhAgMBAAGjggHm⇒ MIIB4jAdBgNVHQ4EFgQUZ1KpPrdYQY+mEdNk/YWKe4Iqn+wwHwYDVR0jBBgwFoAU/jeXdgwdjCBw⇒ IIOg3c+t5n06BswwgawGA1UdHwSBpDCBoTCBnqCBm6CBmIZMaHR0cDovL3B0bnRhczEyLnBlb3BsZXNvZn⇒ QuY29tL0NlcnRFbnJvbGwvUGVvcGxlVG9vbHMlMjBURVNUJTIwcm9vdCUyMENBLmNybIZIZmlsZTov⇒ L1xccHRudGFzMTIucGVvcGxlc29mdC5jb21cQ2VydEVucm9sbFxQZW9wbGVUb29scyBURVNUIHJvb3Qg⇒ Q0EuY3JsMIHwBggrBgEFBQcBAQSB4zCB4DBwBggrBgEFBQcwAoZkaHR0cDovL3B0bnRhczEyLnBlb3Bs⇒ ZXNvZnQuY29tL0NlcnRFbnJvbGwvcHRudGFzMTIucGVvcGxlc29mdC5jb21fUGVvcGxlVG9vbHMlMj⇒ BURVNUJTIwcm9vdCUyMENBLmNydDBsBggrBgEFBQcwAoZgZmlsZTovL1xccHRudGFzMTIucGVvc⇒ Gxlc29mdC5jb21cQ2VydEVucm9sbFxwdG50YXMxMi5wZW9wbGVzb2Z0LmNvbV9QZW9wbGVUb29scy⇒ BURVNUIHJvb3QgQ0EuY3J0MA0GCSqGSIb3DQEBBQUAA4GBABaZwo6xhKZFRbESi3ICewrBTKFjtDbmJvVq⇒ BaB0pConBMRGDJ0bQf9Rwo6/Ucm/BoUEEP/dzBkLYM0NEuEqoQvF4ZHRD73qwNV9CCUHU3nlwfn⇒ L5K54qrda4V2CoBvgpHEU7EVdt47YV2E8HUAUfyDaXZ0prRMB6I2KtKaaYBNI</wsse:BinarySecurity⇒ Token> - <ds:Signature Id="Signature-22949069" xmlns:ds="⇒ /xmldsig#"> - <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="⇒ xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="" /> - <ds:Reference URI="#STRSAMLId-11733267"> - <ds:Transforms> - <ds:Transform Algorithm="⇒ soap-message-security-1.0#STR-Transform"> - <wsse:TransformationParameters> <ds:CanonicalizationMethod Algorithm="" ⇒ /> </wsse:TransformationParameters> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="" /> <ds:DigestValue>TK2a7xf+ldF9MkI1XYut8g5RG+A=</ds:DigestValue> </ds:Reference> - <ds:Reference URI="#id-78219"> - <ds:Transforms> <ds:Transform Algorithm="" /> </ds:Transforms> <ds:DigestMethod Algorithm="" /> <ds:DigestValue>wTVh0pHi6NrTKDWnyXbX/WNCw68=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>LGWmXxak++duS8IfY+/4BphfPJW+Ka6a8DxUfYmUGUZ57d1HOmTs0fLR0Roqd⇒ IOKJtSD33qRyU6p 
7lufZXsRoiJD5iEUJr+El7KgBEmFPFV5hDx2a+dnHN8Zd9A1DRh7qzr1ewKcRpd⇒ BDdoS2mJnqjcz mlLOU6aPQqKAjgRtZtg=</ds:SignatureValue> - <ds:KeyInfo Id="KeyId-15595312"> - <wsse:SecurityTokenReference wsu:Id="STRId-24840600" xmlns:wsu="http:⇒ //"> <wsse:Reference URI="#CertId-28365241" ValueType="⇒ /2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security> </soapenv:Header> - <soapenv:Body wsu:Id="id-78219" xmlns:wsu="⇒ /01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <ns1:testMethod xmlns:ns1="http://axis/service/security/test9/LogTestService9" ⇒ /> </soapenv:Body> </soapenv:Envelope>

Note these points about PeopleSoft SAML assertions:

Setting Up WSRP Security Options

This section discusses how to:

Using HTTPS Protocol to Communicate Between Producer and Consumer

If you choose the security option Authentication token as Username token in clear text format, Oracle recommends that you use HTTPS to protect the username and password. For you to use HTTPS protocol, both the producer and consumer must first configure and enable SSL for HTTPS on their web servers.

Before the consumer imports the producer's \pspc\wsdl\wsrp4j_service.wsdl file, the producer must modify the file by setting it to HTTPS mode and changing the port number from the HTTP port number to the HTTPS port number.

Note. The system automatically inserts the hostname and port number using the values entered during installation.


<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions targetNamespace="urn:oasis:names:tc:wsrp:v1:wsdl"
    xmlns:bind="urn:oasis:names:tc:wsrp:v1:bind"
    xmlns=""
    xmlns:wsdl=""
    xmlns:soap="">
  <import namespace="urn:oasis:names:tc:wsrp:v1:bind" location="wsrp_v1_bindings.wsdl"/>
  <wsdl:service name="WSRPService">
    <wsdl:port binding="bind:WSRP_v1_Markup_Binding_SOAP" name="WSRPBaseService">
      <soap:address location="https://<Producer Hostname>:<SSL port>/pspc/wsrp4j/WSRPBaseService"/>
    </wsdl:port>
    <wsdl:port binding="bind:WSRP_v1_ServiceDescription_Binding_SOAP" name="WSRPServiceDescriptionService">
      <soap:address location="https://<Producer Hostname>:<SSL port>/pspc/wsrp4j/WSRPServiceDescriptionService"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>

Note. In the preceding example, <Producer Hostname> is the hostname of the producer web server and <SSL port> is the SSL port number of the producer web server.
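
Before the consumer imports the edited WSDL, it is worth confirming that every endpoint was switched, because a single address left on HTTP sends that service's traffic unprotected. The following Python check is an added example, not part of PeopleTools: the function name, the host producer.example.com and the port numbers are constructed, and the standard WSDL 1.1 namespace URIs are assumed because the listing above shows them blank.

```python
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Standard WSDL 1.1 namespace URIs. Assumption: the xmlns values are blank in
# the chapter's listing, so the published ones are used here.
WSDL_NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
}


def endpoint_problems(wsdl_xml, producer_host, ssl_port):
    """Map each wsdl:port name to the reasons its soap:address fails the check."""
    root = ET.fromstring(wsdl_xml)
    ports = root.findall("wsdl:service/wsdl:port", WSDL_NS)
    if not ports:
        # A namespace mismatch or an empty service must not pass silently.
        return {"(document)": ["no wsdl:port elements found"]}
    problems = {}
    for port in ports:
        address = port.find("soap:address", WSDL_NS)
        if address is None:
            problems[port.get("name")] = ["no soap:address element"]
            continue
        url = urlsplit(address.get("location", ""))
        try:
            actual_port = url.port
        except ValueError:  # non-numeric or out-of-range port
            actual_port = None
        reasons = []
        if url.scheme != "https":
            reasons.append("scheme is %s, expected https" % (url.scheme or "missing"))
        if url.hostname != producer_host.lower():
            reasons.append("host is %s, expected %s" % (url.hostname, producer_host))
        if actual_port != ssl_port:
            reasons.append("port is %s, expected %s" % (actual_port, ssl_port))
        if reasons:
            problems[port.get("name")] = reasons
    return problems


# Constructed WSDL modelled on the listing above; %s is the scheme://host:port.
_TEMPLATE = """\
<wsdl:definitions targetNamespace="urn:oasis:names:tc:wsrp:v1:wsdl"
    xmlns:bind="urn:oasis:names:tc:wsrp:v1:bind"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <wsdl:service name="WSRPService">
    <wsdl:port binding="bind:WSRP_v1_Markup_Binding_SOAP" name="WSRPBaseService">
      <soap:address location="%s/pspc/wsrp4j/WSRPBaseService"/>
    </wsdl:port>
    <wsdl:port binding="bind:WSRP_v1_ServiceDescription_Binding_SOAP"
        name="WSRPServiceDescriptionService">
      <soap:address location="%s/pspc/wsrp4j/WSRPServiceDescriptionService"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""

# One endpoint switched to HTTPS, the other left on the HTTP port.
HALF_MIGRATED_WSDL = _TEMPLATE % (
    "https://producer.example.com:8443",
    "http://producer.example.com:8000",
)
MIGRATED_WSDL = _TEMPLATE % (("https://producer.example.com:8443",) * 2)
```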

If you are using an SSL accelerator in your PeopleSoft system, and you want to use the HTTPS protocol for WSRP to communicate with PeopleSoft Pure Internet Architecture, you need to use the following properties file:


Note. This is similar to using Web Profile Default Addressing fields.

See Configuring Web Profiles.

In this properties file, specify the default protocol, host, and port to override the incoming request protocol, host, and port. The settings that WSRP checks in the file are:

usePIAConfig = true

Checks whether settings in the file should be used.

If you set usePIAConfig to true, the incoming request is overridden by values set in the file. Otherwise, the system uses the incoming request values for protocol (scheme), host, and port.

portalHost=<your webserver host>

The default host to use.

portalPort=<your port>

The default port to use.


If you set SSLToPIA to true, the system uses HTTPS; otherwise, it uses the HTTP scheme.

See Also

Implementing WebLogic SSL Keys and Certificates

Setting Up SSL For WebSphere

Installing Certificates for Encryption and Signature

When you select the security option Authentication token as Username token with full security, both the producer and the consumer must install the certificates that are used to enable the encryption and signature.

This diagram illustrates the process flow for installing certificates and enabling encryption and signature.

Process for installing certificates and enabling encryption and signature

First use the following reference for instructions on how to create and request your encryption and signature certificates.

See Implementing WebLogic SSL Keys and Certificates, Setting Up SSL For WebSphere.

Enabling Encryption


The encryption key and certificate are created on the producer and stored in the web server predefined keystore.

Note. When you create the entry to hold your encryption keys and certificate in your keystore, make sure that the entry's alias name is the security node name of your producer server.

Send the encryption certificate to the consumer. You can do this by using an out-of-band method, such as file copy or email.


Install the encryption certificate on the consumer server by running pskeymanager.cmd -import.

Note. When you import the certificate, make sure that the entry's alias name is the security node name of your producer server.

Enabling Message Signature


Create the signature key and certificate on the consumer and store them in the web server predefined keystore.

Note. When you create the entry to hold your signature keys and certificate in your keystore, the entry's alias name must be the security node name of your consumer server.

Send the signature certificate to the producer. You can do this by using an out-of-band method, such as file copy or email.


Install the signature certificate on the producer server by running pskeymanager.cmd -import.

Note. When you import the certificate, the entry's alias name must be the security node name of your Producer server.

Encrypting Keystore Password Using PSCipher

A copy of the file, which contains PKI Java keystore information such as the keystore file location and the keystore password, can be found on both the consumer and producer servers.

The location of the file on the consumer web server is:


The location of the file on the producer web server is:


Here is the sample file:

To define the location of the keystore file, the portal administrator needs to define the proper keystore file to replace the above property.

To encrypt the keystore password using Java program PSCipher:

  1. Run PSCipher.bat (.sh for UNIX) to encrypt the password

    % PSCipher.bat <password>

    For example, PSCipher interop provides output as UWZzB57U6SE=

  2. Update the encrypted password in the file for with the output from PSCipher.

See Encrypting Text With PSCipher.

Setting Up SAML

This section discusses how to:

Note. You must perform all of the tasks in the order presented to correctly implement the use of the SAML token.

Creating the SAML Administrator

The SAML administrator must have access to the SAML pages. You grant access to the SAML pages through the PTPT1000 permission list.

To create the SAML administrator:

  1. Access the User Profile page (PeopleTools, Security, User Profiles, User Profiles).

  2. Add a new user or select an existing user who will be the SAML administrator.

  3. Access the Roles page and insert a role that contains the PTPT1000 permission list.

  4. Save the user profile.

See Also

Creating a New User Profile

Importing Digital Certificates

To implement SAML, you must import the digital certificate of the sender and store it in the keystore of participating PeopleSoft applications.

See Configuring Digital Certificates.

Configuring the SAML Inbound Setup

The SAML Inbound Setup page creates an InBound web service in the producer site that maps one PeopleSoft user ID to one SAML assertion subject and links the subject with the sender's digital certificate (public key). The SAML administrator sets up a web service for each external user who accesses the PeopleSoft system and who is using the SAML security option. This information should be configured by the SAML administrator, someone who understands the external requirements and how these requirements map to the component permissions that are necessary for the user to accomplish the business task.

Access the Security Assertion Markup Language [SAML] Inbound Setup page (PeopleTools, Security, SAML Administration Setup, SAML Inbound Setup).

Certificate Alias

Enter the sender's public key, which you imported in the previous step (Importing Digital Certificates).

Note. This key must be base-64 encoded.


Enter the domain name of the issuing entity.


Enter a user ID or email address.


Enter the domain name of the issuing entity.

Mapping PeopleSoft UserID

Enter the user ID to map to the SubjectName. This field sets the PeopleSoft internal permissions for the external user and prevents cross-site vulnerability.

Note. This user ID does not have to be the user ID of the sender, but must be a valid PeopleSoft user in the PSOPRDEFN table.

Note. This field is internal to the PeopleSoft application and is hidden from all consumer sites and third-party systems.

Running the RedeployWSRP.cmd Executable

To run the RedeployWSRP.cmd executable:

  1. Navigate to the producer web server folder, for example PSHOME/Webserver/bin.

  2. Double-click the file to launch the program.

  3. Select Option 5: Redeploy WSRPBaseService with the SAMLToken Security Option.

Configuring WS-Security for PeopleSoft as a WSRP Producer

The ...peoplesoft\pspc\WEB-INF\ directory on the producer web server contains a server-config.wsdd file, which contains the WSRPBaseService definition plus the following variations. Each one of the variations is associated with a security option:

Security Option


1. None


2. UsernameToken in ClearText


3. Authentication Token as Username Token with full security


4. UsernameToken, No Password, Digitally Signed


5. SAMLToken Full Security


6. SAMLToken Full Security Option (timestamp)**


7. UsernameToken Full Security Option With WSS Response*


8. UsernameToken, No Password Full Security Option With WSS Response*


9. SAMLToken Full Security Option With WSS Response*


10. SAMLToken Full Security Option (timestamp) With WSS Response* **


* The response message must be signed and encrypted.

** A PeopleSoft SAML token request does not contain a timestamp. However, PeopleSoft can accept third-party SAML requests that contain timestamps. No configuration on the PeopleSoft system is required.

PeopleSoft applications provide two options for modifying the security constraint on the WSRPBaseService. Which option you should use depends on whether your web server is currently running. If your web server is running, you can modify WSRPBaseService without rebooting the server.

Note. The PIA_HOME\webserv\%DOMAIN_NAME%\ directory contains the redeployWSRP batch file.

Modifying WSRPBaseService Without Rebooting

To modify WSRPBaseService without having to reboot the web server:

  1. Using the command prompt, change to the directory containing the redeployWSRP file:

    cd %PIA_HOME%\webserv\%DOMAIN_NAME%\

  2. Enter the command redeployWSRP <option #>

    For example:

    redeployWSRP 2

    This will redeploy WSRPBaseService using UsernameToken in the clear text security option. The web service is undeployed and redeployed dynamically without having to reboot the web server.

Modifying WSRPBaseService and Rebooting

To modify WSRPBaseService if the web server is not up and running:

  1. Using the command prompt, change to the ...\peoplesoft\pspc\WEB-INF directory:

    For example:

    cd %PIA_HOME%\webserv\%DOMAIN_NAME%\applications\peoplesoft\pspc\WEB-INF\

  2. Copy <desired server-config.wsdd.option> to replace the server-config.wsdd file.

  3. Reboot the WSRP Producer Portal web server to allow the newly installed server-config.wsdd file to deploy web services for the producer.

Defining Nodes with WS-Security

This section discusses how to configure WS-Security for WSRP consumers.

Pages Used to Define Nodes With WS-Security

Page Name

Definition Name





PeopleTools, Portal, Node Definitions, Portal

Enter required information for the WS-Security node.

WS Security


Click the WS Security tab on the Portal page.

Enable secure access based on WS-Security for remote producers.

Note. Secure access is optional. You must be an administrator to access this page.

Configuring WS-Security for WSRP Consumers

Access the WS Security page. (Select PeopleTools, Portal, Node Definitions and click the WS Security tab.)

Use the Node Definition – WS Security page to select the authentication token type, as well as encryption, digital signature, and WSS response options.

Select Authentication Token Type options based on the options specified in the server-config.wsdd file.

Security Option

Authentication Token Options


Select None as the authentication token type, and deselect all check boxes.

Authentication Token as Username Token

Select Username Token as the authentication token type, and deselect all check boxes.

Authentication Token as Username Token with full security

Select Username Token as the authentication token type, and select both the Encrypted and Digitally Signed check boxes.

Note. With this setting, the Username token is encrypted and messages are digitally signed.

Authentication Token as Username Token with no password and digital signature

Select Username Token, no password as the authentication token type, and select the Digitally Signed check box.

Authentication Token as SAML Token with digital signature

Select SAML Token as the authentication token type.

Note. By default, SAML tokens are digitally signed.

Authentication Token as SAML Token with full security

Select SAML Token and select the Encrypted check box.

Note. With this setting, the SAML token is encrypted and by default messages are digitally signed.

Authentication Token as Username Token with full security and WSS Response*

Select Username Token as the authentication token type, and select the Encrypted, Digitally Signed, and WSRP WSS Enabled Response check boxes.

Note. With this setting, the Username token is encrypted and messages are digitally signed.

Authentication Token as Username Token, no password, with full security and WSS response*

Select Username Token, no password as the authentication token type, and select the Digitally Signed and WSRP WSS Enabled Response check boxes.

Authentication Token as SAML Token with full security and WSS response*

Select SAML Token as the authentication token type, and select the Encrypted and WSRP WSS Enabled Response check boxes.

Note. With this setting, the SAML token is encrypted and by default messages are digitally signed.

* The response message must be signed and encrypted.

See Also

Importing Producer Information

Determining Security Requirements

Defining Portal Nodes