Previous Topic: Variables OverviewNext Topic: Create a Variable


Web Service Variables

Web service variables provide a method for including dynamic data from a web service in a CA SiteMinder® policy. Web service variables are resolved by calling a web service. The Policy Server sends a SOAP request document, as specified in the web service variable definition, and receives a SOAP response document as a reply. The Policy Server extracts the value of the web services variable from the SOAP response document.

The Simple Object Access Protocol (SOAP) is a lightweight, XML-based protocol that consists of three parts:

The following figure shows how a CA SiteMinder® deployment resolves a web services variable for a web service inside an Intranet. The web service is on the same side of the firewall as the Policy Server.

Graphic showing a SiteMinder deployment resolving a web services variable for a web service inside an Intranet

In this scenario, if a Web Service variable is associated with an authorization request, it is resolved on the Policy Server side by calling the Web Service Variables Resolver. The Web Service Variables Resolver runs in the same process space.

When defining the Web Service variable, the user specifies the SOAP document to send to the Web Service, the authentication credentials, and other parameters.

The resolver sends the specified SOAP document to the web service, extracts the value of the variable from the response and forwards it to the Policy Server to complete the authorization request.

Even if there is a firewall between the Policy Server and the web service, it can be configured to allow communication between the two. The Policy Server issues the request and reads the response, so the firewall is only required to allow outbound requests from the Policy Server to the web service.

A secure SSL connection can be configured between the Policy Server and the web service to allow for the inbound responses to come from the Web Service to the Policy Server. The SSL connection uses the server-side certificates on the web service and a list of trusted certificate authorities that are configured on the Policy Server side.

Component Requirements for Web Service Variables

Web service variables require a session store.

Note: More information about configuring a session store, see the Policy Server Installation Guide. For more information about upgrading a session store, see the CA SiteMinder® Upgrade Guide.

Security Requirements When Resolving Web Services Variables

Security for Web Services Variables requires an SSL connection between the Policy Server and the Web Service. You can also include a WS-Security header with a username token that the Web Service has been configured to recognize. WS-Security is a standard set of SOAP extensions that provides security token propagation, message integrity and confidentiality through signing and encryption.

For a secure resolution of a Web Services Variable:

Note: For SSL connections, configure server–side certificates for the Web Service. Configure a list of trusted CAs on the Policy Server. To configure trusted CAs, use the certificate data store described in Certificate Authorities and Web Services Variables.

Configure the Web Service Variable Resolver

In order for the Policy Server to resolve a Web Service variable, you must configure the Web Service Variable Resolver to properly connect to the Web Service. The connection to the Web Service will fall into one of two categories:

Before being able to use the Web Service Variables functionality, the Policy Server must be configured with a list of trusted CAs, using the SmKeyTool command line utility. If several Policy Servers are used in a load balancing or failover configuration, each of them must be configured with the same list of trusted CAs.

Default configuration settings are provided in the WebServiceConfig.properties file in the SiteMinder/Config/properties directory, and can be modified by the user.

Sample WebServiceConfig.properties Configuration File
# Netegrity Web Service Variable Resolver properties configuration file:
# This file must be in the classpath that is used when the policy server runs.
# ResolutionTimeout is the amount of time the resolver will at most wait to resolve all Web Service variables related to a given request.
#
# This setting is intended to end sessions that are waiting on a web service that is not responding. The time that the Web Agent will typically wait before responding is typically 60 sec (but may be changed # in the future), which means this setting should be 60000 or greater to cancel transactions that cannot be returned.
ResolutionTimeout=75000
# MaxThreadCount is the maximal number of active threads running within the Web Service variables resolver.
MaxThreadCount=10
Certificate Authorities and Web Services Variables

To use SSL connections when resolving web services variables, configure a list of trusted Certificate Authorities (CAs). The Policy Server uses the CAs when it establishes a connection to a Web Service.

Use the Administrative UI to configure the list in the certificate data store.