Using the WS-Security Transport Binding Policy
Learn about the WS-Security Transport Binding Policy.
For information about using policies in the context of the Community Manager developer portal, see Business Policies.
Table of Contents
- About the WS-Security Transport Binding policy
- Creating a WS-Security Transport Binding policy
- Configuring a WS-Security Transport Binding policy
- Specify Transport Binding Options
- Specify HTTPS Token Options
- Configure Security Algorithm
- Specify WS-Security 1.0 Options
- Specify WS-Security 1.1 Options
- Specify WS-Trust 1.0 Options
- Specify Security Audit Options
- Activating a policy
- Attaching a policy
About the WS-Security Transport Binding policy
The "WS-Security Transport Binding Policy" is used when message protection is provided by the transport medium rather than by XML Signature and XML Encryption applied inside the message. The common case is HTTPS: the transport binding assertion carries a transport token that restricts the exchange to a defined medium, and the WS-SecurityPolicy specification defines an HTTPS token for this purpose, requiring that messages be transmitted over HTTPS. Because the protection is point to point, it ends wherever TLS terminates (for example at a load balancer or reverse proxy in front of the service); components beyond that point see the message in the clear, and this policy by itself provides no end-to-end integrity for the message once it has left the connection.
Creating a WS-Security Transport Binding policy
To add an operational policy
- Go to Workbench > Browse > Organization, and select Policies > Operational Policies. The Policies Summary is displayed.
- Click Add Policy.
- Choose the policy type and click Next.
- Specify a name (required) and description (optional) and click Finish. At the Completion Summary, click Close. The Add Policy Wizard creates a draft policy instance that you can then configure on the Policy Details page.
For more information, see Add Policy.
Configuring a WS-Security Transport Binding Policy
To configure a WS-Security Transport Binding policy
- Go to Workbench > Browse > Organization and select the Policies > Operational Policies folder. The Policies Summary is displayed.
- Find the policy on the list and double-click to go to the Details page for the policy.
- In the second panel, click Modify to access the Modify WS-Security Transport Binding Policy wizard.
- In page 1, Specify Transport Binding Options, enter values for the binding options. For details about fields and values, see Specify Transport Binding Options below. Click Next.
- In page 2, Specify HTTPS Token Options, enter values for the token options. For details about fields and values, see Specify HTTPS Token Options below. Click Next.
- In page 3, Configure Security Algorithm, specify the security algorithm and associated settings. For details, see Configure Security Algorithm below.
- In page 4, Specify WS-Security 1.0 Options, specify security options. For details, see Specify WS-Security 1.0 Options below.
- In page 5, Specify WS-Security 1.1 Options, specify security options. For details, see Specify WS-Security 1.1 Options below.
- In page 6, Specify WS-Trust 1.0 Options, specify trust options. For details, see Specify WS-Trust 1.0 Options below.
- In page 7, Specify Security Audit Options, specify audit options. For details, see Specify Security Audit Options below.
- Click Finish.
Specify Transport Binding Options
The Specify Transport Binding Options page includes the options listed below.
- WS-Security Policy Version
- Specify the WS-Security Policy version. Versions 1.1 and 1.2 are currently supported.
- Security Header Layout
- Optional properties common to all security bindings that control the order in which items are placed in the Security header. When you select a layout, the policy carries the corresponding assertion. Choices:
- Lax: items may appear in any order.
- Lax Timestamp First: items may appear in any order, but the Timestamp must be the first child of the Security header.
- Lax Timestamp Last: items may appear in any order, but the Timestamp must be the last child of the Security header.
- Include Timestamp
- Indicates that the timestamp should be included in the transport binding.
Specify HTTPS Token Options
The Specify HTTPS Token Options page includes the options listed below.
- Token Inclusion
- Allows you to specify the IncludeToken attribute for the token. Choices: Not Specified, Always, Once, or Never. Never indicates that the token itself is not included in the message and an external reference mechanism is used to refer to the key that the token represents.
- Require Client Certificate
- Check the box if the policy should require a client certificate. When checked, the HTTPS token carries the RequireClientCertificate assertion, so the TLS handshake must include a client certificate (mutual TLS). When unchecked, TLS authenticates only the server, and the client must be authenticated by some other means, such as a supporting token or a separate authentication policy.
- Certificate Subject Category
- The subject category for the token. Choices: Consumer, Service, End-User, User Defined, or None. For user-defined, specify the value.
Configure Security Algorithm
The Configure Security Algorithm page includes the options listed below.
- Algorithm Suite
- Choose the algorithm suite that the policy uses for cryptographic operations with symmetric or asymmetric key based security tokens. Choices:
- Basic128
- Basic192
- Basic256
- TripleDes
- Basic256Rsa15
- Basic192Rsa15
- Basic128Rsa15
- TripleDesRsa15
- Basic256Sha256
- Basic192Sha256
- Basic128Sha256
- TripleDesSha256
- Basic256Sha256Rsa15
- Basic192Sha256Rsa15
- Basic128Sha256Rsa15
- TripleDesSha256Rsa15
For more detailed information about the algorithm suites supported, see Supported WS-Security Algorithm Suites.
The suite names follow the WS-SecurityPolicy convention: Basic128, Basic192, and Basic256 select AES with that key size and TripleDes selects 3DES; the Sha256 variants use SHA-256 for digests and signatures where the others use SHA-1; and the Rsa15 variants use RSA PKCS#1 v1.5 for key transport where the others use RSA-OAEP. Where you have the choice, prefer a Basic*Sha256 suite without the Rsa15 suffix. In a transport binding the suite governs any signature or encryption the message still carries (for example, signed supporting tokens); the transport itself is protected by TLS, whose cipher suites are configured separately on the endpoint.
- Canonicalization
- Allows you to select the canonical form used to determine whether the information content of signed XML has changed.
- The default, Exclusive, copies only the namespace declarations that the signed content actually uses, so a signature remains valid if the content is re-enveloped in a different SOAP message. Inclusive copies all in-scope declarations, including those defined outside the signed element, so a signature can break when the surrounding context changes.
- XPath Version
- Indicates the XPath version to be used: 1.0 (XPath10), 2.0 (XPathFilter20), or Not Specified (the default).
- SOAP Normalization
- Checking the box indicates that SOAP normalization is turned on.
- STR Transform
- Checking the box indicates that the STR Transform property is set to STRT10.
Specify WS-Security 1.0 Options
The Specify WS-Security 1.0 Options page includes the options listed below.
- Do not specify options
- Indicates that no WS-Security 1.0 options are specified. This is the default.
- Specify options
- Indicates that the specified options will apply to the policy.
- Must Support Key Identifier Reference
- Allows you to specify that Key Identifier References must be supported.
- Must Support Issuer Serial Reference
- Allows you to specify that Issuer Serial References must be supported.
- Must Support External URI Reference
- Allows you to specify that External URI References must be supported.
- Must Support Embedded Token Reference
- Allows you to specify that Embedded Token References must be supported.
Specify WS-Security 1.1 Options
The Specify WS-Security 1.1 Options page includes the options listed below.
- Do not specify options
- Indicates that no WS-Security 1.1 options are specified. This is the default.
- Specify options
- Indicates that the specified options will apply to the policy.
- Must Support Key Identifier Reference
- Allows you to specify that Key Identifier References must be supported.
- Must Support Issuer Serial Reference
- Allows you to specify that Issuer Serial References must be supported.
- Must Support External URI Reference
- Allows you to specify that External URI References must be supported.
- Must Support Embedded Token Reference
- Allows you to specify that Embedded Token References must be supported.
- Must Support Thumbprint Reference
- Allows you to specify that Thumbprint References must be supported.
- Require Signature Confirmation
- Allows you to specify that the Signature Confirmation property is set to true.
- Must Support Encrypted Key Reference
- Allows you to specify that the Encrypted Key References property is set to true.
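The wizard pages above (Transport Binding Options, HTTPS Token Options, Configure Security Algorithm, and the WS-Security 1.1 options) correspond to assertions in a WS-SecurityPolicy 1.2 document. The following script is an added example, not code from the Akana product or its documentation: it parses a constructed sample policy of that shape, extracts the settings these pages control, and flags the choices a security reviewer would question (no client certificate, an Rsa15 or SHA-1 suite, 3DES, no timestamp). The sample XML, the "weak" variant derived from it, and the function names are this example's own; the namespace URIs are the published WS-SecurityPolicy 1.2 and WS-Policy 1.5 namespaces.

```python
"""Lint a WS-SecurityPolicy TransportBinding assertion for weak settings (added example)."""
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  # WS-SecurityPolicy 1.2
WSP = "http://www.w3.org/ns/ws-policy"                           # WS-Policy 1.5
NS = {"sp": SP, "wsp": WSP}

# Constructed sample policy (not product output): HTTPS transport binding,
# client certificate required, Basic256Sha256, Lax layout, timestamp included,
# WS-Security 1.1 with thumbprint references and signature confirmation.
SAMPLE_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne><wsp:All>
    <sp:TransportBinding><wsp:Policy>
      <sp:TransportToken><wsp:Policy>
        <sp:HttpsToken><wsp:Policy><sp:RequireClientCertificate/></wsp:Policy></sp:HttpsToken>
      </wsp:Policy></sp:TransportToken>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic256Sha256/></wsp:Policy></sp:AlgorithmSuite>
      <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
      <sp:IncludeTimestamp/>
    </wsp:Policy></sp:TransportBinding>
    <sp:Wss11><wsp:Policy>
      <sp:MustSupportRefThumbprint/><sp:RequireSignatureConfirmation/>
    </wsp:Policy></sp:Wss11>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

# The same policy with the settings a reviewer would push back on (constructed).
WEAK_POLICY = (SAMPLE_POLICY
               .replace("<sp:RequireClientCertificate/>", "")
               .replace("Basic256Sha256", "TripleDesRsa15")
               .replace("<sp:IncludeTimestamp/>", ""))


def local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag: '{ns}Lax' -> 'Lax'."""
    return tag.rsplit("}", 1)[-1]


def parse_transport_binding(policy_xml: str) -> dict:
    """Extract the settings the wizard pages control from a policy document."""
    root = ET.fromstring(policy_xml)
    tb = root.find(".//sp:TransportBinding/wsp:Policy", NS)
    if tb is None:
        raise ValueError("policy has no sp:TransportBinding assertion")
    https = tb.find("sp:TransportToken/wsp:Policy/sp:HttpsToken", NS)
    if https is None:
        raise ValueError("transport token is not an sp:HttpsToken")
    suite = tb.find("sp:AlgorithmSuite/wsp:Policy/*", NS)
    layout = tb.find("sp:Layout/wsp:Policy/*", NS)
    wss11 = root.find(".//sp:Wss11/wsp:Policy", NS)
    return {
        "require_client_cert": https.find("wsp:Policy/sp:RequireClientCertificate", NS) is not None,
        "algorithm_suite": local(suite.tag) if suite is not None else None,
        "layout": local(layout.tag) if layout is not None else None,
        "include_timestamp": tb.find("sp:IncludeTimestamp", NS) is not None,
        "wss11": sorted(local(e.tag) for e in wss11) if wss11 is not None else [],
    }


def lint_policy(policy_xml: str) -> list:
    """Return human-readable findings; an empty list means nothing to flag."""
    s = parse_transport_binding(policy_xml)
    findings = []
    if not s["require_client_cert"]:
        findings.append("HttpsToken does not require a client certificate: TLS authenticates "
                        "only the server; client identity must come from elsewhere")
    suite = s["algorithm_suite"]
    if not suite:
        findings.append("no AlgorithmSuite assertion in the transport binding")
    else:
        if suite.endswith("Rsa15"):
            findings.append(f"{suite}: RSA PKCS#1 v1.5 key transport; prefer an RSA-OAEP suite")
        if "Sha256" not in suite:
            findings.append(f"{suite}: SHA-1 digests and signatures; prefer a *Sha256 suite")
        if suite.startswith("TripleDes"):
            findings.append(f"{suite}: 3DES; prefer an AES (Basic128/192/256) suite")
    if not s["include_timestamp"]:
        findings.append("IncludeTimestamp absent: no freshness window for replay checks")
    return findings


if __name__ == "__main__":
    for name, policy in (("sample", SAMPLE_POLICY), ("weak", WEAK_POLICY)):
        print(name, parse_transport_binding(policy))
        for finding in lint_policy(policy):
            print("  -", finding)
```

Run it against an exported policy instead of the embedded sample by passing the file contents to lint_policy; the checks are deliberately conservative and only look at assertions the pages above describe, so a policy that places its client authentication in a supporting token will still be flagged on the client-certificate point and needs a human to close that finding.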
Specify WS-Trust 1.0 Options
The Specify WS-Trust 1.0 Options page allows you to configure a set of properties supported by WS-Trust 1.0 when the Trust10 assertion is part of the Endpoint Policy Subject. It includes the options listed below.
- Do not specify options
- Indicates that no WS-Trust 1.0 options will be specified in the policy.
- Specify options
- Indicates that the specified options will apply to the policy.
- Must Support Client Challenge
- Allows you to specify that client challenges must be supported.
- Must Support Server Challenge
- Allows you to specify that server challenges must be supported.
- Require Client Entropy
- Allows you to specify that client entropy is required.
- Require Server Entropy
- Allows you to specify that server entropy is required.
- Must Support Issued Tokens
- Allows you to specify that issued tokens must be supported.
Specify Security Audit Options
Choose from the available options controlling the audit data that's captured:
- Generate Audit Data
- Captures all message data, whether success or failure, for all message exchanges.
- On Error Only
- If you choose to generate audit data, you can specify that audit data is captured only when an error occurs on a message exchange.
Activating a policy
When you create and configure a policy, the policy is in Draft state. When the policy configuration is complete, activate the policy: click Activate Policy and then confirm. See Activate a Policy.
A policy in Draft state is not available for general use. Once you activate the policy, it is in Active state and is available for use.
Attaching a policy
To use the policy, go to the Policies folder in the respective organization and attach the policy to a web service, binding, or binding operation.