Message Level Security

Message-level security includes some of the security benefits of SSL, but with additional flexibility and features. With message-level security the SOAP message itself is encrypted. When you use message-level security, you can specify that only individual parts or elements of the message be signed, encrypted, or required, whereas the encryption used by the transport level security, SSL, is "all or nothing": either the entire SOAP message is encrypted or it is not encrypted at all.

Message-level security specifies whether the SOAP messages between a client application and the Web Service invoked by the client should be digitally signed or encrypted, or both. It also can specify a shared security context between the Web Service and client in the event that they exchange multiple SOAP messages. You can use message-level security to assure:

Encrypting Messages

You can configure P6 EPPM Web Services with the following message level encryption settings:

Configuring P6 EPPM Web Services to encrypt P6 request/response messages or request messages involves the following tasks:

Task One: Determine keystore requirements

You will need a public/private key pair. Determine whether to use an existing keystore or create a new keystore. If you do not already have a keystore that you can use for P6 EPPM Web Services on the server on which P6 EPPM Web Services is deployed, follow the procedure below to create one.

  1. On the server, open a command prompt.
  2. Navigate to the <JAVA_HOME>\jdk\bin directory.
  3. The name of your keystore and the names and aliases of the user information that it contains will vary depending on your specific requirements. As an example, enter the following code to create a key for the P6 EPPM Web Services user Sam in a new keystore called mytestkeystore at c:\temp. Change the location as appropriate:

    keytool -validity 3600 -genkeypair -dname "CN=Sam Moore, OU=samDept, O=samOrg, L=samHome, S=Florida, C=US" -keyalg RSA -sigalg Sha1WithRSA -keystore mytestkeystore.jks -alias sam

  4. Enter keystore password: mytestkeystore.
  5. Enter key password for sam: sampwd.

Task Two: Set up the server to require encryption

  1. In the Primavera P6 Administrator, locate the Web Services/Security/Message Protection section.
  2. Set the Encryption for Incoming Messages setting to true to require that P6 EPPM Web Services request messages be encrypted. When this setting is true, at least one element in each P6 EPPM Web Services request message must be encrypted.
  3. Set the Encrypt Response setting to true to require that P6 EPPM Web Services response messages be encrypted. When the Encrypt Response setting and the Encryption for Incoming Messages setting are both set to true, the server encrypts everything inside the body element of P6 EPPM Web Services response messages.
  4. Change the File Location setting to point to the location of the keystore. You determined the location of the keystore in task one.
  5. Change the Keystore Password setting to the password of the keystore determined in task one.
  6. Change the Private Key Alias setting to the alias of the private key determined in task one.
  7. Change the Private Key Password setting to the password of the private key determined in task one.

Task Three: Export the certificate to a file

  1. Open a command prompt on the server.
  2. Navigate to the <JAVA_HOME>\jdk\bin directory.
  3. Enter the following code to export the certificate to a file. Change the keystore and alias as appropriate:

    keytool -export -keystore mytestkeystore.jks -alias sam -file sam.cer

  4. Copy the sam.cer file to any client machines that are authorized to send request messages to the server. The sam.cer file contains the public key that clients will need to be able to send encrypted request messages to the server.

Task Four: Import the certificate

  1. Open a command prompt on the client.
  2. Navigate to the location on the client machine that contains the public key certificate file, for example, the sam.cer file.
  3. Enter the following code to import the certificate to a new keystore. Change the alias and keystore as appropriate:

    keytool -import -alias sam -file sam.cer -keystore mykeystore.jks

  4. Since the keystore doesn't yet exist, it will be created, and you will be prompted for a keystore password; type whatever password you want.
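Once the client is set up, a captured request can be checked against the rule from Task Two (at least one encrypted element) before it is sent to a server that requires encryption. The following Python is an added example, not part of the P6 EPPM documentation; it assumes encrypted elements appear as W3C XML Encryption `xenc:EncryptedData` nodes in a SOAP 1.1 envelope, and the function names and sample messages (namespace `urn:example:constructed`) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
XENC = "http://www.w3.org/2001/04/xmlenc#"          # W3C XML Encryption namespace
ENCRYPTED_DATA = f"{{{XENC}}}EncryptedData"

def classify_encryption(soap_xml: str) -> str:
    """Return 'none', 'partial' or 'full-body' for one SOAP 1.1 message."""
    # ElementTree is adequate for the constructed samples below; parse
    # untrusted captures with a hardened XML parser instead.
    root = ET.fromstring(soap_xml)
    body = root.find(f"{{{SOAP}}}Body")
    if body is None:
        raise ValueError("no SOAP 1.1 Body element found")
    children = list(body)
    clear_text = bool((body.text or "").strip()) or any(
        (c.tail or "").strip() for c in children)
    # Everything inside Body is ciphertext (what Encrypt Response produces).
    if children and not clear_text and all(c.tag == ENCRYPTED_DATA for c in children):
        return "full-body"
    # Element-level encryption: at least one encrypted node in the envelope.
    if next(root.iter(ENCRYPTED_DATA), None) is not None:
        return "partial"
    return "none"

def meets_incoming_requirement(soap_xml: str) -> bool:
    """Assumed reading of 'Encryption for Incoming Messages' set to true."""
    return classify_encryption(soap_xml) != "none"

def envelope(body_xml: str) -> str:
    """Wrap constructed body XML in a SOAP 1.1 envelope (sample input only)."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:xenc="{XENC}" '
            f'xmlns:ex="urn:example:constructed"><soapenv:Header/>'
            f'<soapenv:Body>{body_xml}</soapenv:Body></soapenv:Envelope>')

# Constructed samples: the cipher value is a placeholder, not real ciphertext.
ENC = ('<xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>'
       'Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>')
CLEAR = envelope('<ex:Read><ex:Filter>Id = 1</ex:Filter></ex:Read>')
PARTIAL = envelope(f'<ex:Read><ex:Filter>{ENC}</ex:Filter></ex:Read>')
FULL = envelope(ENC)

if __name__ == "__main__":
    for name, msg in (("clear", CLEAR), ("partial", PARTIAL), ("full", FULL)):
        print(name, classify_encryption(msg), meets_incoming_requirement(msg))
```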




Last Published Thursday, May 2, 2024