Before you can complete this task, you first must have created a security policy
using the option Create a policy for XML and web services
manually, created and associated an XML profile with the policy, and
uploaded security certificates onto the system.
You can use the web services security features of Application
Security Manager™ to offload encryption and decryption of SOAP messages from
the application server. Web services security can also handle verification of digital
signatures and digital signing of SOAP messages.
-
On the Main tab, click .
The XML Profiles screen opens.
-
Click the name of the XML profile for which you want to configure web services
security, or create a new profile.
The XML Profile Properties screen opens.
-
For the Web Services Security setting, select
Enabled.
-
Click Web Services Security Configuration.
The XML Profile Properties screen displays Web Services Security
Configuration options.
-
For Server Certificate, select one server certificate
from the list, or click Create to add a new certificate
to the configuration.
A Request area appears after you specify the certificate.
The system uses the server certificate to decrypt SOAP messages from a
web client to a web service, or sign SOAP messages from a web service back to a
web client.
-
For Client Certificates, select names from the
Available list and then move them into the
Members list.
The system uses the client certificates to encrypt SOAP messages from a
web service to a web client, or to verify SOAP messages from a web client to a
web service.
-
In the Request area, for Action, select the action you
want the system to perform in SOAP message requests.
- Select Verify and Decrypt to decrypt and verify
digitally signed SOAP messages. F5 recommends that you use this value.
- Select Decrypt to decode encrypted SOAP messages.
- Select Verify to validate digitally signed SOAP
messages. This option is available only if you imported client certificates,
but no server certificate.
-
For Role/Actor, select a role to determine which
security headers you want the system to process in SOAP message requests.
Role | Description
Do not check role/actor | Process all security headers regardless of the role. This is the default setting.
Custom role/actor | Process security headers that contain the role you type in the adjacent box.
next | Process security headers that contain the role next or http://www.w3.org/2003/05/soap-envelope/role/next.
none | Process security headers that contain the role none or http://www.w3.org/2003/05/soap-envelope/role/none.
ultimateReceiver | Process security headers that contain the role ultimateReceiver or http://www.w3.org/2003/05/soap-envelope/role/ultimateReceiver.
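The following is an added example (not F5 code and not part of this documentation) that shows what the request-side Role/Actor table means in practice: given a SOAP 1.2 envelope carrying several wsse:Security headers, it returns only the headers the selected setting would process. It assumes SOAP 1.2 (the env:role attribute), treats the short role name and its full URI as equivalent as the table states, and, because the table says nothing about headers that carry no role attribute, matches such headers only under the "Do not check role/actor" setting. The envelope and token names are constructed sample data.

```python
import xml.etree.ElementTree as ET

SOAP12_ENV = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Well-known SOAP 1.2 roles: the short name and the full URI are accepted interchangeably,
# as the Role/Actor table describes.
STANDARD_ROLES = {
    "next": SOAP12_ENV + "/role/next",
    "none": SOAP12_ENV + "/role/none",
    "ultimateReceiver": SOAP12_ENV + "/role/ultimateReceiver",
}

# Constructed sample request: three Security headers addressed to different roles
# (one with no role attribute at all). The token values are placeholders.
SAMPLE_ENVELOPE = f"""<?xml version="1.0"?>
<env:Envelope xmlns:env="{SOAP12_ENV}" xmlns:wsse="{WSSE}">
  <env:Header>
    <wsse:Security env:role="{SOAP12_ENV}/role/next">
      <wsse:BinarySecurityToken>tok-next</wsse:BinarySecurityToken>
    </wsse:Security>
    <wsse:Security env:role="urn:example:gateway">
      <wsse:BinarySecurityToken>tok-gw</wsse:BinarySecurityToken>
    </wsse:Security>
    <wsse:Security>
      <wsse:BinarySecurityToken>tok-default</wsse:BinarySecurityToken>
    </wsse:Security>
  </env:Header>
  <env:Body/>
</env:Envelope>
"""


def select_security_headers(envelope_xml, role_setting, custom_role=None):
    """Return the wsse:Security headers the configured Role/Actor setting would process.

    role_setting is one of: "any" (Do not check role/actor), "custom" (Custom role/actor,
    with the typed value in custom_role), "next", "none" or "ultimateReceiver".
    """
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP12_ENV}}}Header")
    if header is None:
        return []
    security_headers = header.findall(f"{{{WSSE}}}Security")

    if role_setting == "any":
        # Process every security header regardless of role (the default setting).
        return security_headers
    if role_setting == "custom":
        if not custom_role:
            raise ValueError("Custom role/actor requires the role string typed in the box")
        accepted = {custom_role}
    elif role_setting in STANDARD_ROLES:
        accepted = {role_setting, STANDARD_ROLES[role_setting]}
    else:
        raise ValueError(f"unknown Role/Actor setting: {role_setting!r}")

    # Only headers that actually carry a matching env:role attribute are selected.
    return [s for s in security_headers if s.get(f"{{{SOAP12_ENV}}}role") in accepted]


def token_ids(headers):
    """Helper for inspection: the BinarySecurityToken text of each selected header."""
    return [h.find(f"{{{WSSE}}}BinarySecurityToken").text for h in headers]


if __name__ == "__main__":
    for setting, custom in [("any", None), ("next", None), ("custom", "urn:example:gateway"), ("none", None)]:
        print(setting, token_ids(select_security_headers(SAMPLE_ENVELOPE, setting, custom)))
```

The practical consequence for the deployment: with "Do not check role/actor" every Security header in the request is decrypted and verified, whereas a specific role makes the system ignore headers addressed to other intermediaries, so a header that should be checked but carries a different (or no) role attribute silently goes unprocessed.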
-
Select the Enforce And Verify Defined Elements check box
to confirm that elements defined in the Namespaces and Elements area of the
screen and contained in the request are signed and verified.
This setting also enforces the options SOAP Body in Request Must Be
Signed and Verified and Enforce Timestamp In
Request.
-
In the Response area, for Action, select the action you
want the system to perform on the elements defined in the Namespaces and
Elements area of the screen for SOAP message responses.
- Select Encrypt to encrypt the elements.
- Select Sign to digitally sign the
elements.
- Select Sign, Then Encrypt to first digitally sign
and then encrypt the elements. F5 recommends that you use this
value.
- Select Encrypt, Then Sign to first encrypt, then
digitally sign the elements.
Note: For the action to occur, you must also select Apply
Action To Defined Elements.
-
To limit how long a security header is valid:
-
Enable the Add Timestamp setting.
-
Type the length of time (in seconds) the timestamp should be valid. The
default is 300 seconds.
If you want the timestamp to be valid for an unlimited amount of time,
enter 0. The maximum value is
134217728 seconds.
-
For Role/Actor, select a role to insert into the
security header of SOAP messages.
Role | Description
Do not assign role/actor | If the document contains a security header without a role, the system inserts the cryptographic information into the security header. This is the default setting.
Assign custom role/actor | If the document contains a security header with a custom role, the system inserts the cryptographic information into the existing security header. In the field, type the custom role/actor attribute.
next | If the document contains a security header with the next role, the system inserts the cryptographic information into that security header.
none | If the document contains a security header with the none role, the system inserts the cryptographic information into that security header.
ultimateReceiver | If the document contains a security header with the ultimateReceiver role, the system inserts the cryptographic information into that security header.
-
If the response action includes signing, for Signature
Algorithm, select the type of signature algorithm used to sign
parts of SOAP messages in responses that match the response elements that you
configure in the Namespaces and Elements area of the screen.
- Select RSA-SHA-1 (the default value) to use the
RSA public cryptosystem for encryption and authentication.
- Select HMAC-SHA-1 to use secret-key
hashing.
Tip: Be sure your clients support this type of encryption.
-
If the response action includes encryption, for Encryption
Algorithm and Key Transport Algorithm,
select the types of encryption to use for the elements and keys.
-
Select the Apply Action To Defined Elements check box to
perform the action you selected.
-
In the Namespaces and Elements area of the Web Services Security Configuration,
configure these settings to specify how to process the XML document:
-
For Namespace Mappings, add the namespace
mappings (prefix and URLs) the system uses for XPath queries.
-
Select the SOAP Body In Request Must Be Signed And
Verified check box to verify that requests contain a
SOAP body that is digitally signed and verified.
If not, the system issues a Verification Error
violation.
-
Select the Enforce Timestamp In Request check
box to verify that the SOAP request contains a valid timestamp.
If the request has no timestamp, the Missing
Timestamp violation occurs. If the timestamp is expired,
the system issues the Expired Timestamp
violation.
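The following is an added example (not F5 code and not part of this documentation) that covers both the Add Timestamp setting above and the Enforce Timestamp In Request check: build_timestamp produces the wsu:Timestamp a responder adds for a given lifetime (0 meaning unlimited, with the 300-second default and the 134217728-second maximum taken from the text), and check_request_timestamp applies the request-side check, returning "ok" or the name of the violation the text describes. It assumes the timestamp lives at Header/Security/Timestamp, that an expired timestamp is one whose wsu:Expires is not after the current time, and that an unlimited lifetime is expressed by omitting wsu:Expires; T0 and the envelopes are constructed sample data.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP12_ENV = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

DEFAULT_LIFETIME = 300      # seconds; the default named in the text
MAX_LIFETIME = 134217728    # seconds; the maximum named in the text
UNLIMITED = 0               # 0 means the timestamp never expires

# Constructed reference instant used by the sample data below.
T0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def later(seconds):
    """T0 plus the given number of seconds (helper for constructing 'now' values)."""
    return T0 + timedelta(seconds=seconds)


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_iso(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timestamp(created, lifetime=DEFAULT_LIFETIME):
    """Build the wsu:Timestamp added for the Add Timestamp setting.

    Expires is Created plus the lifetime; with UNLIMITED (0) no Expires element is written.
    """
    if not 0 <= lifetime <= MAX_LIFETIME:
        raise ValueError(f"lifetime must be between 0 and {MAX_LIFETIME} seconds")
    ts = ET.Element(f"{{{WSU}}}Timestamp")
    ET.SubElement(ts, f"{{{WSU}}}Created").text = _iso(created)
    if lifetime != UNLIMITED:
        ET.SubElement(ts, f"{{{WSU}}}Expires").text = _iso(created + timedelta(seconds=lifetime))
    return ts


def check_request_timestamp(envelope_xml, now):
    """Apply the Enforce Timestamp In Request check.

    Returns "ok", "Missing Timestamp" (no wsu:Timestamp in the Security header) or
    "Expired Timestamp" (wsu:Expires is not after 'now').
    """
    root = ET.fromstring(envelope_xml)
    ts = root.find(f"./{{{SOAP12_ENV}}}Header/{{{WSSE}}}Security/{{{WSU}}}Timestamp")
    if ts is None:
        return "Missing Timestamp"
    expires = ts.find(f"{{{WSU}}}Expires")
    if expires is not None and _parse_iso(expires.text) <= now:
        return "Expired Timestamp"
    return "ok"


def envelope_with(timestamp_element):
    """Constructed sample request whose Security header holds the given timestamp (or none)."""
    env = ET.Element(f"{{{SOAP12_ENV}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP12_ENV}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    if timestamp_element is not None:
        security.append(timestamp_element)
    ET.SubElement(env, f"{{{SOAP12_ENV}}}Body")
    return ET.tostring(env, encoding="unicode")


if __name__ == "__main__":
    fresh = envelope_with(build_timestamp(T0))
    print(check_request_timestamp(fresh, later(10)))        # ok
    print(check_request_timestamp(fresh, later(600)))       # Expired Timestamp
    print(check_request_timestamp(envelope_with(None), later(0)))  # Missing Timestamp
```

Because the expiry comparison depends on the clock of the system doing the check, the 300-second default only behaves as intended when the BIG-IP system and the web service clients keep synchronized time; a client that is minutes off will see Expired Timestamp violations on otherwise valid requests.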
-
Specify which parts of the XML document you want the system to process:
- If you want the response action to apply to the whole SOAP message
(/soapenv:Envelope/soapenv:Body), select the
Apply Action to Entire Response Body Value check
box.
- To specify which parts of requests and responses you want the system to
process, use the Elements setting to add XPath
expressions to define the parts of the SOAP message to encrypt.
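The following is an added example (not F5 code and not part of this documentation) of how the Namespace Mappings and the Elements XPath expressions fit together: a prefixed, absolute XPath such as /soapenv:Envelope/soapenv:Body is resolved to namespace-qualified element names through the configured prefix-to-URL mappings and then evaluated against a SOAP message. It assumes the soapenv prefix maps to the SOAP 1.2 envelope namespace, invents a stock prefix and urn:example:stockquote namespace for the application payload, and supports only simple absolute paths (no // or predicates); the response body is constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed prefix -> namespace URL pairs, as entered under Namespace Mappings.
# The prefixes are the ones used in the XPath expressions, not the ones in the message.
NAMESPACE_MAPPINGS = {
    "soapenv": "http://www.w3.org/2003/05/soap-envelope",
    "stock": "urn:example:stockquote",   # hypothetical application namespace
}

# Constructed sample response. Note the payload uses the prefix "q", not "stock";
# only the namespace URL has to match the mapping.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
  <soapenv:Body>
    <q:GetQuoteResponse xmlns:q="urn:example:stockquote">
      <q:Symbol>EXMPL</q:Symbol>
      <q:Price>42.10</q:Price>
      <q:AccountNumber>12345678</q:AccountNumber>
    </q:GetQuoteResponse>
  </soapenv:Body>
</soapenv:Envelope>
"""


def _qualify(step, mappings):
    """Turn one 'prefix:local' XPath step into ElementTree's '{url}local' form."""
    if ":" not in step:
        raise ValueError(f"step {step!r} has no namespace prefix")
    prefix, local = step.split(":", 1)
    if prefix not in mappings:
        # An unmapped prefix cannot be resolved; the XPath expression is unusable.
        raise KeyError(f"no namespace mapping for prefix {prefix!r}")
    return f"{{{mappings[prefix]}}}{local}"


def select_elements(envelope_xml, xpath, mappings=NAMESPACE_MAPPINGS):
    """Return the elements selected by an absolute, prefixed XPath like
    /soapenv:Envelope/soapenv:Body/stock:AccountNumber, resolved through mappings."""
    if not xpath.startswith("/") or "//" in xpath or "[" in xpath:
        raise ValueError("only simple absolute paths are supported in this example")
    steps = [_qualify(s, mappings) for s in xpath.strip("/").split("/")]
    root = ET.fromstring(envelope_xml)
    if root.tag != steps[0]:
        return []                      # the first step must name the document element
    if len(steps) == 1:
        return [root]
    # ElementTree cannot evaluate absolute paths on an element, so walk the rest relatively.
    return root.findall("./" + "/".join(steps[1:]))


def element_names(elements):
    """Local names of the selected elements, for inspection."""
    return [e.tag.split("}", 1)[1] for e in elements]


if __name__ == "__main__":
    body = "/soapenv:Envelope/soapenv:Body"
    account = body + "/stock:GetQuoteResponse/stock:AccountNumber"
    print(element_names(select_elements(SAMPLE_RESPONSE, body)))     # ['Body']
    print(element_names(select_elements(SAMPLE_RESPONSE, account)))  # ['AccountNumber']
```

Selecting the whole body corresponds to the Apply Action to Entire Response Body Value check box; the narrower AccountNumber expression is the kind of entry that goes in the Elements setting when only a sensitive field should be encrypted or signed. An expression whose prefix has no mapping matches nothing at all, so every prefix used in Elements must appear in Namespace Mappings.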
-
If you are updating an existing profile, click Update.
If you are creating a new profile, click Create.
The security policy that is associated with the XML profile now includes web
services security for the XML application.