Soap with WS-Security

I am in need of help when using consumer soap wsdl execution.
I am trying to develop a POC where we execute a couple of soap API calls to an external system.
This system is supposedly configured to utilize the Web Services Security UsernameToken Profile 1.1 and this is NOT included within the wsdl. The first problem occurs when trying to import the wsdl: if done from the HTTPS url I was given, then webMethods (9.7) fails to import anything and I get a security error. If I save the wsdl to a local xml file it will successfully import, but I don’t know how to change the webMethods components to utilize the security profile needed.

I read that a policy needs to be set up and imported into the webservices descriptor component but wasn’t sure if this was correct or not.

If this is needed, how does this then get into the connectors component that allows me to set the appropriate xml fields?

This is the soap header I am supposed to be creating:
<soapenv:Header>
  <wsse:Security soapenv:mustUnderstand="1"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-xxxxxxxxxxxxxxxxxxx">
      <wsse:Username>WFS_XXXXXXX</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">XxXxXxXxXx=</wsse:Password>
      <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">xxxxxxxxx==</wsse:Nonce>
      <wsu:Created>2017-04-17T12:48:14.642Z</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security>

  <wfswse:Impersonate xmlns:wfswse="http://services.workforcesoftware.com/xsd">
    <wfswse:UserId>9999</wfswse:UserId>
  </wfswse:Impersonate>
</soapenv:Header>

I don’t understand how to get these segments into connector code unless they have already been included within the WSDL.

Thanks for your help.

This blog post should explain most of your questions:

https://pokalablog.wordpress.com/2016/11/26/message-based-security-for-soap-in-webmethods-part-1/

Thanks for the information, but I still don’t understand how I get the other fields such as PasswordDigest, Created, and Impersonate Userid created and populated within the soap header. Even if I import another policy into the wsdl and rebuild the consumer connector, it doesn’t seem to change anything on the connector service. I see the authority/message/user and password, but where are the other fields within the imported policy?

Hi Bruce, you need not pass in those fields. The SOAP header will be composed as required at runtime based on the policy we have chosen. In this case it will be the “Username_Token” policy, so all SOAP header fields that are required for this will be injected. We only need to pass in username and password under “auth/message/user” and “auth/message/password”.
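
For reference, an added example (not part of the thread and not webMethods code) of what a UsernameToken policy computes at runtime: this Python code derives the PasswordDigest, Nonce and Created values for the header quoted above and shows the check the receiving service performs. The SOAP 1.1 envelope namespace, the function names and the sample credentials are assumptions made for illustration.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace and type URIs copied from the header in the thread; SOAPENV assumes SOAP 1.1.
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WFSWSE = "http://services.workforcesoftware.com/xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

def q(ns, tag):
    """ElementTree qualified name: {namespace}tag."""
    return f"{{{ns}}}{tag}"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile digest: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_header(username, password, impersonate_id, nonce=None, created=None):
    """Sender side: the token fields generated per message, plus the custom block."""
    nonce = nonce or os.urandom(16)  # fresh random nonce per message
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    header = ET.Element(q(SOAPENV, "Header"))
    sec = ET.SubElement(header, q(WSSE, "Security"), {q(SOAPENV, "mustUnderstand"): "1"})
    tok = ET.SubElement(sec, q(WSSE, "UsernameToken"))
    ET.SubElement(tok, q(WSSE, "Username")).text = username
    ET.SubElement(tok, q(WSSE, "Password"), {"Type": DIGEST}).text = password_digest(nonce, created, password)
    ET.SubElement(tok, q(WSSE, "Nonce"), {"EncodingType": B64}).text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, q(WSU, "Created")).text = created
    # Vendor header: a sibling of wsse:Security, not part of the WS-Security token.
    imp = ET.SubElement(header, q(WFSWSE, "Impersonate"))
    ET.SubElement(imp, q(WFSWSE, "UserId")).text = impersonate_id
    return header

def verify_token(header, stored_password):
    """Receiver side: recompute the digest from the received Nonce and Created.
    A real service would also reject stale Created values and reused nonces."""
    tok = header.find(f"{q(WSSE, 'Security')}/{q(WSSE, 'UsernameToken')}")
    nonce = base64.b64decode(tok.findtext(q(WSSE, "Nonce")))
    expected = password_digest(nonce, tok.findtext(q(WSU, "Created")), stored_password)
    return hmac.compare_digest(expected, tok.findtext(q(WSSE, "Password")))

if __name__ == "__main__":
    hdr = build_header("WFS_EXAMPLE", "example-password", "9999")  # constructed values
    print(ET.tostring(hdr, encoding="unicode"))
```

Because the digest covers a per-message nonce and timestamp, its value changes on every call, which is why it is generated at send time rather than supplied as a connector input.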

If I need to include
<wfswse:Impersonate xmlns:wfswse="http://services.workforcesoftware.com/xsd">
  <wfswse:UserId>9999</wfswse:UserId>
</wfswse:Impersonate>
within the soap header would this go in the security policy and how would I get it populated?

Since the wfswse:Impersonate section is not a standard section from WSS, you have to customize your policy to include it.
Not sure how the UserId will be injected, it’s non-standard.