

Security Requirements When Resolving Web Services Variables

Security for Web Services Variables requires an SSL connection between the Policy Server and the Web Service. You can also include a WS-Security header with a username token that the Web Service has been configured to recognize. WS-Security is a standard set of SOAP extensions that provides security token propagation, message integrity and confidentiality through signing and encryption.

For a secure resolution of a Web Services Variable:

Note: For SSL connections, server-side certificates should be configured for the Web Service. A list of trusted CAs should be configured on the Policy Server. To configure trusted CAs, use the smkeydatabase tool described in Certificate Authorities and Web Services Variables.
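
The WS-Security username token mentioned above, sketched from both sides as an added example (this is not SiteMinder or Policy Server code). It assumes the PasswordDigest form from the OASIS UsernameToken Profile 1.0, since this page does not say which password type is sent; the function names, the 5-minute freshness window and the sample credentials in any caller are assumptions made for illustration.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"  # WS-Security 1.0 URIs
WSSE = OASIS + "wssecurity-secext-1.0.xsd"
WSU = OASIS + "wssecurity-utility-1.0.xsd"
DIGEST = OASIS + "username-token-profile-1.0#PasswordDigest"
B64 = OASIS + "soap-message-security-1.0#Base64Binary"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def _digest(nonce, created, password):
    # Password_Digest = Base64(SHA-1(nonce + created + password))
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def build_security_header(username, password, now=None, nonce=None):
    """Client side: wsse:Security element carrying a digest UsernameToken."""
    created = (now or datetime.now(timezone.utc)).strftime(TS_FMT)
    nonce = nonce or os.urandom(16)
    sec = ET.Element(f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST).text = _digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", EncodingType=B64).text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return sec

def verify_security_header(sec, lookup_password, seen_nonces, now=None, max_age=timedelta(minutes=5)):
    """Service side: returns (ok, reason) after digest, freshness and replay checks."""
    fields = ((WSSE, "Username"), (WSSE, "Password"), (WSSE, "Nonce"), (WSU, "Created"))
    user, sent, nonce_b64, created = (
        sec.findtext(f"{{{WSSE}}}UsernameToken/{{{ns}}}{tag}") for ns, tag in fields)
    password = lookup_password(user) if user else None
    if None in (password, sent, nonce_b64, created):
        return False, "incomplete token or unknown user"
    try:
        age = (now or datetime.now(timezone.utc)) - datetime.strptime(created, TS_FMT).replace(tzinfo=timezone.utc)
        nonce = base64.b64decode(nonce_b64, validate=True)
    except ValueError:  # covers binascii.Error as well
        return False, "malformed token"
    if abs(age) > max_age:
        return False, "stale timestamp"
    if nonce in seen_nonces:
        return False, "replayed nonce"
    if not hmac.compare_digest(_digest(nonce, created, password).encode(), sent.encode()):
        return False, "bad digest"
    seen_nonces.add(nonce)
    return True, "ok"
```

The token only identifies the caller and does not protect the message body, which is why the SSL connection to the Web Service is still required.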

Configure the Web Service Variable Resolver

In order for the Policy Server to resolve a Web Service variable, you must configure the Web Service Variable Resolver to properly connect to the Web Service. The connection to the Web Service will fall into one of two categories:

Before being able to use the Web Service Variables functionality, the Policy Server must be configured with a list of trusted CAs, using the SmKeyTool command line utility. If several Policy Servers are used in a load balancing or failover configuration, each of them must be configured with the same list of trusted CAs.

Default configuration settings are provided in the WebServiceConfig.properties file in the SiteMinder/Config/properties directory, and can be modified by the user.

Sample WebServiceConfig.properties Configuration File
# Netegrity Web Service Variable Resolver properties configuration file:
# This file must be in the classpath that is used when the policy server runs.
# ResolutionTimeout is the amount of time the resolver will at most wait to resolve all Web Service variables related to a given request.
#
# This setting is intended to end sessions that are waiting on a web service that is not responding. The time that the Web Agent will typically wait before responding is typically 60 sec (but may be changed in the future), which means this setting should be 60000 or greater to cancel transactions that cannot be returned.
ResolutionTimeout=75000
# MaxThreadCount is the maximal number of active threads running within the Web Service variables resolver.
MaxThreadCount=10