Since SOAP data (e.g. the headers above in Custom SOAP Headers) travels across the wire, by default, as plain text, using Rampart to encrypt your IBM Cúram Social Program Management custom SOAP headers is one way to help ensure the security of these credentials. Of course, you should plan a security strategy and implementation for all of your web services and related data based on your overall, enterprise-wide requirements, environment, platforms, etc. The information in this section is just one small part of your overall security picture.
There is additional information on coding your web service clients for Rampart security in Using Rampart With Web Services that will help provide context for the following.
The steps to encrypt these headers are:
Add the following to your Axis2 security configuration file:
    <encryptionParts>
      {Element}{http://www.curamsoftware.com}Credentials
    </encryptionParts>
(See Defining the Axis2 Security Configuration for more information on the contents of this file.)
Or, add the following to your Rampart policy file:
    <sp:EncryptedElements xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <sp:XPath xmlns:curam="http://www.curamsoftware.com">
        /soapenv:Envelope/soapenv:Header/curam:Credentials/Password
      </sp:XPath>
    </sp:EncryptedElements>
(See Defining the Axis2 Security Configuration for more information on the contents of this file.)
With WS-Security applied as above, the Credentials header is no longer sent in clear text: it is replaced in the SOAP message by an xenc:EncryptedData element that references the xenc:EncryptedKey carried in the wsse:Security header, as shown in the example below, which you can contrast with Figure 3.
In the following example, encryptionParts was used to encrypt the IBM Cúram Social Program Management credentials.
    ...
    <?xml version='1.0' encoding='UTF-8'?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:wsa="http://www.w3.org/2005/08/addressing"
        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            soapenv:mustUnderstand="1">
          <xenc:EncryptedKey Id="EncKeyId-A5ACA637487ECDA81713059750729855">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <wsse:SecurityTokenReference>
              ............
        </wsse:Security>
        <!-- Credential data is then encoded in sections that follow as illustrated -->
        <xenc:EncryptedData Id="EncDataId-3" Type="http://www.w3.org/2001/04/xmlenc#Element">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <wsse:SecurityTokenReference xmlns:wsse="http://..oasis-200401-wss-wssecurity-secext-1.0.xsd">
              <wsse:Reference URI="#EncKeyId-A5ACA637444e87ECDA81713059750729855"/>
            </wsse:SecurityTokenReference>
          </ds:KeyInfo>
          <xenc:CipherData>
            <xenc:CipherValue>eZFRrk6VSncaDanYCjyVD=</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedData>
        <wsa:Action>urn:simpleXML</wsa:Action>
      </soapenv:Header>
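The configuration above only helps if the message that actually leaves the client looks like the example: no clear-text credential values in the Header, and an xenc:EncryptedData block using the algorithm your policy mandates. The following Python script is an added example, not part of the IBM documentation or of Rampart; it audits a captured outbound SOAP envelope (for instance one logged by a message handler or a proxy in a test environment) and reports any credential material left in the clear. The two sample envelopes are constructed for the example, the element name Password and the set of accepted algorithms are assumptions to adjust to your own policy, and the ID and CipherValue strings are placeholders.

```python
import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"
CURAM = "http://www.curamsoftware.com"
ENCRYPTED_DATA = "{%s}EncryptedData" % XENC

# Symmetric algorithms the audit accepts. aes128-cbc is what the page's example
# message shows; the remaining entries are assumptions for this example.
ACCEPTED_ALGORITHMS = frozenset({
    XENC + "aes128-cbc",
    XENC + "aes256-cbc",
    "http://www.w3.org/2009/xmlenc11#aes128-gcm",
    "http://www.w3.org/2009/xmlenc11#aes256-gcm",
})


def _split_tag(tag):
    """Split an ElementTree '{namespace}local' tag into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def _walk(elem, inside_encrypted=False):
    """Yield (element, inside_encrypted) for elem and every descendant.

    inside_encrypted is True for an xenc:EncryptedData element and everything
    beneath it, so ciphertext and key references are never reported as leaks.
    """
    inside = inside_encrypted or elem.tag == ENCRYPTED_DATA
    yield elem, inside
    for child in elem:
        yield from _walk(child, inside)


def audit_credentials_header(soap_xml, secret_elements=("Password",),
                             accepted_algorithms=ACCEPTED_ALGORITHMS):
    """Audit an outbound SOAP message; return a list of findings (empty = pass).

    Fails if the Header carries no xenc:EncryptedData, if an EncryptedData
    block uses an algorithm outside accepted_algorithms, or if an element in
    the Cúram namespace or one named in secret_elements still carries
    clear-text content outside an EncryptedData block.
    """
    findings = []
    root = ET.fromstring(soap_xml)
    header = root.find("{%s}Header" % SOAPENV)
    if header is None:
        return ["message has no soapenv:Header"]

    blocks = list(header.iter(ENCRYPTED_DATA))
    if not blocks:
        findings.append("no xenc:EncryptedData in Header: credentials sent in clear text")
    for block in blocks:
        method = block.find("{%s}EncryptionMethod" % XENC)
        algorithm = method.get("Algorithm") if method is not None else None
        if algorithm not in accepted_algorithms:
            findings.append("EncryptedData %s uses unaccepted algorithm %s"
                            % (block.get("Id"), algorithm))

    for elem, inside_encrypted in _walk(header):
        if inside_encrypted:
            continue
        ns, local = _split_tag(elem.tag)
        if (elem.text or "").strip() and (ns == CURAM or local in secret_elements):
            findings.append("clear-text value in element %s" % local)
    return findings


# Constructed sample: the custom header as it travels without WS-Security.
CLEAR_MSG = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <curam:Credentials xmlns:curam="http://www.curamsoftware.com">
      <Username>someuser</Username>
      <Password>not-a-real-password</Password>
    </curam:Credentials>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

# Constructed sample: Password replaced by EncryptedData, as the
# sp:EncryptedElements XPath policy would produce (placeholder IDs/ciphertext).
ENCRYPTED_MSG = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <xenc:EncryptedKey Id="EncKeyId-PLACEHOLDER">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
    </wsse:Security>
    <curam:Credentials xmlns:curam="http://www.curamsoftware.com">
      <Username>someuser</Username>
      <xenc:EncryptedData Id="EncDataId-PLACEHOLDER" Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedData>
    </curam:Credentials>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

# Same message but encrypted with an algorithm outside the accepted set.
WEAK_MSG = ENCRYPTED_MSG.replace(XENC + "aes128-cbc", XENC + "tripledes-cbc")

if __name__ == "__main__":
    for name, msg in (("clear", CLEAR_MSG), ("encrypted", ENCRYPTED_MSG), ("weak", WEAK_MSG)):
        print(name, audit_credentials_header(msg) or "OK")
```

Run it as a script to see the three verdicts, or import audit_credentials_header into a test that feeds it envelopes captured from your own client. Because the walk stops descending at each xenc:EncryptedData element, a message where only Password was encrypted (the EncryptedElements variant) passes while Username remains readable, which matches that policy; if your policy encrypts the whole Credentials element, the curam-namespace check reports anything that survived in the clear.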