Fix Pack 8550

Web Services Security HTTPS transport policy assertions

You can use assertions in the Web Services Security (WS-Security) policy defined in the WSDL file to ensure that SOAP messages are protected with the HTTPS secure transport. When used with security tokens such as UsernameTokens with clear text passwords, HTTPS can help to ensure confidentiality.

The assertions for the HTTPS transport in the WS-Security policy do not set up the HTTPS transport between the requestor and provider. They ensure only that the HTTPS transport is used when the web services application with the defined policy is called. To enable the transport security for web services, see Securing web services at the transport level.

Ensure that HTTPS is set up between the web services client and provider. To protect your SOAP messages with the HTTPS secure transport, complete the following extra steps.

  1. WS-Security must be explicitly enabled by adding the wsSecurity-1.1 feature. Make sure you also add the appSecurity-2.0 and jaxws-2.2 features, and other required Liberty features to the server.xml file of the Liberty profile.
  2. The WS-Security policy attached to your web services application must include a TransportBinding assertion, and must match the HTTPS configuration. The following example illustrates a sample TransportBinding assertion:
    <wsp:Policy xmlns:wsp="..." xmlns:sp="...">
        <sp:TransportBinding>
            <wsp:Policy>
                <sp:TransportToken>
                    <wsp:Policy>
                        <sp:HttpsToken />
                    </wsp:Policy>
                </sp:TransportToken>
                <sp:AlgorithmSuite>
                    <wsp:Policy>
                        <sp:Basic256 />
                    </wsp:Policy>
                </sp:AlgorithmSuite>
                <sp:Layout>
                    <wsp:Policy>
                        <sp:Strict />
                    </wsp:Policy>
                </sp:Layout>
                <sp:IncludeTimestamp />
            </wsp:Policy>
        </sp:TransportBinding>
    </wsp:Policy>

After you complete these extra steps following the HTTPS configuration, SOAP messages are required to be sent over HTTPS from a web services client to a web services provider.
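Both steps can be checked before deployment. The following Python script is an added example, not IBM's code: it reports which of the three features named in step 1 are missing from a server.xml and whether every TransportBinding in a policy contains a TransportToken with an HttpsToken. The function names, the sample documents and the urn:example namespace URIs are assumptions made for this example. Assertions are matched by local name, and wsp:ExactlyOne alternatives are not evaluated.

```python
import xml.etree.ElementTree as ET

REQUIRED_FEATURES = {"wsSecurity-1.1", "appSecurity-2.0", "jaxws-2.2"}  # from step 1
WRAPPERS = {"Policy", "All"}  # conjunctive WS-Policy operators; ExactlyOne is not evaluated

def local(tag):
    """Drop the '{namespace}' prefix that ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def assertions(node):
    """Yield nested assertions, looking through wsp:Policy / wsp:All wrappers."""
    for child in node:
        if local(child.tag) in WRAPPERS:
            yield from assertions(child)
        else:
            yield child

def has_path(node, names):
    """True if the chain of assertion names exists below node."""
    if not names:
        return True
    return any(has_path(c, names[1:]) for c in assertions(node) if local(c.tag) == names[0])

def check(server_xml, policy_xml):
    """Return a list of findings; an empty list means both steps are satisfied."""
    problems = []
    server = ET.fromstring(server_xml)
    enabled = {f.text.strip() for f in server.findall("./featureManager/feature") if f.text}
    for name in sorted(REQUIRED_FEATURES - enabled):
        problems.append(f"server.xml: feature {name} is not enabled")
    bindings = [e for e in ET.fromstring(policy_xml).iter() if local(e.tag) == "TransportBinding"]
    if not bindings:
        problems.append("policy: no TransportBinding assertion")
    elif not all(has_path(b, ["TransportToken", "HttpsToken"]) for b in bindings):
        problems.append("policy: TransportBinding lacks TransportToken/HttpsToken")
    return problems

# Constructed sample inputs; the urn:example namespaces are placeholders.
SERVER_XML = """<server><featureManager>
  <feature>jaxws-2.2</feature><feature>appSecurity-2.0</feature>
</featureManager></server>"""
POLICY_XML = """<wsp:Policy xmlns:wsp="urn:example:wsp" xmlns:sp="urn:example:sp">
  <sp:TransportBinding><wsp:Policy>
    <sp:TransportToken><wsp:Policy><sp:HttpsToken/></wsp:Policy></sp:TransportToken>
    <sp:IncludeTimestamp/>
  </wsp:Policy></sp:TransportBinding>
</wsp:Policy>"""

if __name__ == "__main__":
    print(check(SERVER_XML, POLICY_XML))
```

The script inspects only the files it is given; features pulled in from other configuration files and the HTTPS endpoint setup itself are outside what it checks.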




Last updated: Monday, 21 April 2014
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-express-iseries&topic=cwlp_wssec_utoken_https
File name: cwlp_wssec_utoken_https.html