Policy Server Guides › Policy Server Configuration Guide › Variables › Web Service Variables › Security Requirements When Resolving Web Services Variables

Security Requirements When Resolving Web Services Variables

Security for Web Services Variables requires an SSL connection between the Policy Server and the Web Service. You can also include a WS-Security header with a username token that the Web Service has been configured to recognize. WS-Security is a standard set of SOAP extensions that provides security token propagation, message integrity and confidentiality through signing and encryption.

For a secure resolution of a Web Services Variable:

• The Policy Server must make a SOAP request to a Web Service on behalf of a known identity (a Web Service account). This is similar to the model used by SiteMinder to access attributes in a User Directory.
• The WS-Security header containing the Web Services credentials can be configured to include a base-64-encoded SHA-1 digest of the password.
• A Web Service variable can be configured to use an SSL connection with a server-side certificate. This means that the Policy Server needs to be configured with the list of trusted CAs.

Note: For SSL connections, server-side certificates should be configured for the Web Service. A listed of trusted CAs should be configured on the Policy Server. To configure trusted CAs, use the smkeydatabase tool described in Certificate Authorities and Web Services Variables.