3rd Party Web Service has WS-Security requirement

Calling an external 3rd party web service that requires authentication by using an X.509 Digital Certificate. I know I need to add a WS-Security header to the SOAP message, but I'm not sure how to encrypt the data prior to submission.

I am using wm IS 6.5 sp2, and will not be upgrading to 7.x till late 2008. Is it possible to do this in 6.5 sp2? Has anyone done that?

For outbound web services requests, it is possible to add an X509 Certificate Token by constructing the correct header element and inserting it into the outbound SOAP request message. This can be done in IS 6.5.

If I were doing this in IS 6.5, I would attempt to use a WS-Security toolkit such as WSS4J to create the appropriate BinarySecurityToken from the desired X509 certificate, then convert that to a string and convert that string to a node to be inserted into the outbound SOAP request using the pub.soap.utils:addHeader service.

If WSS4J did not do what you needed, you could always create an IS doc type to hold the required elements of the desired token, populate those fields in the doc type and then convert to an XML string being sure to specify the expected namespaces in the nsDecls. The trick with this approach would be to get the initial IS doc type correct. If you had a valid token that the provider expects, then you might create your doc type from that XML instance document as a good starting point.

Some high-level information about the X509 security token profile can be found here.

Be sure to get example messages from the provider of your web service to ensure that you know what they’re really expecting. You might even ask them if they have a sample java client that demonstrates how the X509 security token can be added.
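As an added example (not webMethods, WSS4J or any vendor's code), the following plain-JDK Java builds the wsse:Security header with an X509v3 BinarySecurityToken as a string, which is the intermediate form the answer above describes before the string is converted to a node and passed to pub.soap.utils:addHeader. The namespace, ValueType and EncodingType URIs are those of the OASIS WS-Security 1.0 X.509 Token Profile; the certificate path, the token id and the class name are placeholders chosen for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

/**
 * Builds a wsse:Security header carrying an X509v3 BinarySecurityToken.
 * Added example for the thread above; not webMethods IS or WSS4J code.
 */
public class X509TokenHeader {

    // URIs defined by the OASIS WS-Security 1.0 X.509 Token Profile.
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String X509V3_VALUE_TYPE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    static final String BASE64_ENCODING =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";

    /** The token text is the base64 of the certificate's DER encoding. */
    static String tokenValue(X509Certificate cert) throws Exception {
        return Base64.getEncoder().encodeToString(cert.getEncoded());
    }

    /**
     * Returns the complete wsse:Security element as a string. The wsu:Id is
     * what a ds:Signature's SecurityTokenReference later points at, so it must
     * be a valid XML ID (letters, digits, '.', '-', '_' only; not escaped here).
     */
    static String buildSecurityHeader(X509Certificate cert, String tokenId) throws Exception {
        if (!tokenId.matches("[A-Za-z_][A-Za-z0-9._-]*")) {
            throw new IllegalArgumentException("tokenId is not a valid XML ID: " + tokenId);
        }
        StringBuilder sb = new StringBuilder();
        sb.append("<wsse:Security xmlns:wsse=\"").append(WSSE_NS).append('"')
          .append(" xmlns:wsu=\"").append(WSU_NS).append("\">")
          .append("<wsse:BinarySecurityToken")
          .append(" ValueType=\"").append(X509V3_VALUE_TYPE).append('"')
          .append(" EncodingType=\"").append(BASE64_ENCODING).append('"')
          .append(" wsu:Id=\"").append(tokenId).append("\">")
          .append(tokenValue(cert))
          .append("</wsse:BinarySecurityToken>")
          .append("</wsse:Security>");
        return sb.toString();
    }

    /** Loads a PEM- or DER-encoded certificate from disk (placeholder path in main). */
    static X509Certificate loadCertificate(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder: the client certificate exported from the IS keystore.
        X509Certificate cert = loadCertificate(args.length > 0 ? args[0] : "client-cert.pem");
        // Fail early on an expired or not-yet-valid certificate rather than at the provider.
        cert.checkValidity();
        System.out.println("Token certificate subject: " + cert.getSubjectX500Principal());
        System.out.println(buildSecurityHeader(cert, "X509Token"));
    }
}
```

Two points worth keeping in mind when using this. First, the BinarySecurityToken only carries the public certificate; by itself it proves nothing to the provider. Under the X.509 Token Profile the message is authenticated by a ds:Signature over the Body (and usually a wsu:Timestamp) made with the matching private key, whose SecurityTokenReference points at the token's wsu:Id, which is what WSS4J 1.x produces with WSSecSignature and the BST_DIRECT_REFERENCE key identifier type. Encryption of the payload is a separate, optional step the provider must ask for explicitly. Second, compare the element and attribute names of the output against a sample request captured from the vendor's client before relying on them, since providers differ in which namespace versions and reference styles they accept.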



Thanks Mark.
I will look at the wss4j.

I checked the documentation from the vendor: “The document assumes that the customer will be using Microsoft Visual Studio.NET 2003 for its development. It further assumes that Visual Basic.NET will be used as the development language. We cannot support the development of any project using its components outside the Visual Studio.NET 2003 IDE and Visual Basic .Net.”

Wow! How forward thinking of them. Why not just dictate that they are only interested in connecting with partners who are Microsoft shops and that all others can do business with their competitors?

Still, you can figure this out. It will help to have a working sample client from the vendor that you can run to produce (and capture) valid request messages.