Using the WS-Security Transport Binding Policy

Learn about the WS-Security Transport Binding Policy.

For information about using policies in the context of the Community Manager developer portal, see Business Policies.

About the WS-Security Transport Binding policy

The "WS-Security Transport Binding Policy" is used when message protection is provided by the transport medium rather than by message-level signing and encryption. The common usage scenario is HTTPS as the message exchange transport. A transport binding assertion defines a transport token, which constrains messages to be exchanged only over the defined medium. The WS-SecurityPolicy specification defines an HTTPS token for this purpose; it requires that messages be transmitted over HTTPS.

Creating a WS-Security Transport Binding policy

To add an operational policy

  1. Go to Workbench > Browse > Organization, and select Policies > Operational Policies. The Policies Summary is displayed.
  2. Click Add Policy.
  3. Choose the policy type and click Next.
  4. Specify a name (required) and description (optional) and click Finish. At the Completion Summary, click Close. The Add Policy Wizard creates a draft policy instance that you can then configure on the Policy Details page.

For more information, see Add Policy.

Configuring a WS-Security Transport Binding Policy

To configure a WS-Security Transport Binding policy

  1. Go to Workbench > Browse > Organization and select the Policies > Operational Policies folder. The Policies Summary is displayed.
  2. Find the policy on the list and double-click to go to the Details page for the policy.
  3. In the second panel, click Modify to access the Modify WS-Security Transport Binding Policy wizard.
  4. In page 1, Specify Transport Binding Options, enter values for the binding options. For details about fields and values, see Specify Transport Binding Options below. Click Next.
  5. In page 2, Specify HTTPS Token Options, enter values for the token options. For details about fields and values, see Specify HTTPS Token Options below. Click Next.
  6. In page 3, Configure Security Algorithm, specify the security algorithm and associated settings. For details, see Configure Security Algorithm below.
  7. In page 4, Specify WS-Security 1.0 Options, specify security options. For details, see Specify WS-Security 1.0 Options below.
  8. In page 5, Specify WS-Security 1.1 Options, specify security options. For details, see Specify WS-Security 1.1 Options below.
  9. In page 6, Specify WS-Trust 1.0 Options, specify trust options. For details, see Specify WS-Trust 1.0 Options below.
  10. In page 7, Specify Security Audit Options, specify audit options. For details, see Specify Security Audit Options below.
  11. Click Finish.

Specify Transport Binding Options

Policy Configuration: Specify Transport Binding Options

The Specify Transport Binding Options page includes the options listed below.

WS-Security Policy Version
Specify the WS-Security Policy version. Versions 1.1 and 1.2 are currently supported.
Security Header Layout
A set of optional properties that are common to security bindings. These properties define rules for controlling the ordering layout when items are added to the Security Header. For properties that are enabled, assertions will set the value of a property. When the value appears in a policy, the property is set to the value indicated by the assertion. Choices:
  • Lax
  • Lax Timestamp First
  • Lax Timestamp Last
Include Timestamp
Indicates that the timestamp should be included in the transport binding.

Specify HTTPS Token Options

Policy Configuration: Specify HTTPS Token Options

The Specify HTTPS Token Options page includes the options listed below.

Token Inclusion
Allows you to specify an IncludeToken attribute in the message. Choices: Not Specified, Always, Once, or Never (Indicates that an external reference mechanism is used to refer to the key represented by the token).
Require Client Certificate
Check the box if the policy should require a client certificate.
Certificate Subject Category
The subject category for the token. Choices: Consumer, Service, End-User, User Defined, or None. For user-defined, specify the value.

Configure Security Algorithm

Policy Configuration: Specify Security Algorithm

The Configure Security Algorithm page includes the options listed below.

Algorithm Suite
Choose the algorithm suite that the policy will use for performing cryptographic operations with symmetric or asymmetric key based security tokens. Choices:
  • Basic128
  • Basic192
  • Basic256
  • TripleDes
  • Basic256Rsa15
  • Basic192Rsa15
  • Basic128Rsa15
  • TripleDesRsa15
  • Basic256Sha256
  • Basic192Sha256
  • Basic128Sha256
  • TripleDesSHA256
  • Basic256Sha256Rsa15
  • Basic192Sha256Rsa15
  • Basic128Sha256Rsa15
  • TripleDesSHA256Rsa15

For more detailed information about the algorithm suites supported, see Supported WS-Security Algorithm Suites.

Canonicalization
Allows you to select the canonical form used to test whether information content of an XML document has changed.
The default, Exclusive, determines which namespaces are actually being used and just copies those. You can set this field to Inclusive, which copies all declarations, even if they are defined outside of the scope of the signature.
XPath Version
Indicates the XPath version to be used: 1.0 (XPath10), 2.0 (XPathFilter20), or Not Specified (the default).
SOAP Normalization
Checking the box indicates that SOAP normalization is turned on.
STR Transform
Checking the box indicates that the STR Transform property is set to STRT10.
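As an added example (not the policy XML generated by the product itself), the following Python builds the sp:TransportBinding assertion that pages 1 to 3 of the wizard describe, using the element names from the OASIS WS-SecurityPolicy 1.1 and 1.2 specifications, and includes a defender-side check that a policy actually requires a client certificate. The WS-Policy namespace URI and the Security Header Layout label-to-assertion mapping are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Namespace for each WS-Security Policy version offered on page 1 of the wizard.
SP_NS = {"1.1": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
         "1.2": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"}
WSP_NS = "http://www.w3.org/ns/ws-policy"  # WS-Policy 1.5 (assumed); older stacks use the 2004/09 URI
# Wizard labels for Security Header Layout mapped to the spec's assertion names (assumed mapping).
LAYOUTS = {"Lax": "Lax", "Lax Timestamp First": "LaxTsFirst", "Lax Timestamp Last": "LaxTsLast"}

def transport_binding_policy(version, require_client_cert, layout, include_timestamp,
                             algorithm_suite, inclusive_c14n=False, str_transform=False):
    """Render the sp:TransportBinding assertion for one set of wizard choices."""
    sp, wsp = "{%s}" % SP_NS[version], "{%s}" % WSP_NS
    ET.register_namespace("wsp", WSP_NS)
    ET.register_namespace("sp", SP_NS[version])
    root = ET.Element(wsp + "Policy")
    binding = ET.SubElement(ET.SubElement(root, sp + "TransportBinding"), wsp + "Policy")
    # Transport token: HTTPS is the medium. The client-certificate requirement is an
    # attribute in WS-SecurityPolicy 1.1 but a nested assertion in 1.2.
    token = ET.SubElement(ET.SubElement(binding, sp + "TransportToken"), wsp + "Policy")
    https = ET.SubElement(token, sp + "HttpsToken")
    if version == "1.1":
        https.set("RequireClientCertificate", "true" if require_client_cert else "false")
    elif require_client_cert:
        ET.SubElement(ET.SubElement(https, wsp + "Policy"), sp + "RequireClientCertificate")
    # Algorithm suite plus the optional property assertions from page 3 of the wizard.
    suite = ET.SubElement(ET.SubElement(binding, sp + "AlgorithmSuite"), wsp + "Policy")
    ET.SubElement(suite, sp + algorithm_suite)
    if inclusive_c14n:  # the default, Exclusive C14N, needs no assertion
        ET.SubElement(suite, sp + "InclusiveC14N")
    if str_transform:
        ET.SubElement(suite, sp + "STRTransform10")
    layout_policy = ET.SubElement(ET.SubElement(binding, sp + "Layout"), wsp + "Policy")
    ET.SubElement(layout_policy, sp + LAYOUTS[layout])
    if include_timestamp:
        ET.SubElement(binding, sp + "IncludeTimestamp")
    return ET.tostring(root, encoding="unicode")

def requires_client_certificate(policy_xml):
    """Check whether a policy forces mutual TLS on the HTTPS transport token, in either version's form."""
    root = ET.fromstring(policy_xml)
    for ns in SP_NS.values():
        for https in root.iter("{%s}HttpsToken" % ns):
            if https.get("RequireClientCertificate") == "true":
                return True
            if https.find(".//{%s}RequireClientCertificate" % ns) is not None:
                return True
    return False
```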

Specify WS-Security 1.0 Options

Policy Configuration: Specify WS-Security 1.0 Options

The Specify WS-Security 1.0 Options page includes the options listed below.

Do not specify options
Indicates that no WS-Security 1.0 options are specified. This is the default.
Specify options
Indicates that the specified options will apply to the policy.
Must Support Key Identifier Reference
Allows you to specify that Key Identifier References must be supported.
Must Support Issuer Serial Reference
Allows you to specify that Issuer Serial References must be supported.
Must Support External URI Reference
Allows you to specify that External URI References must be supported.
Must Support Embedded Token Reference
Allows you to specify that Embedded Token References must be supported.

Specify WS-Security 1.1 Options

Policy Configuration: Specify WS-Security 1.1 Options

The Specify WS-Security 1.1 Options page includes the options listed below.

Do not specify options
Indicates that no WS-Security 1.1 options are specified. This is the default.
Specify options
Indicates that the specified options will apply to the policy.
Must Support Key Identifier Reference
Allows you to specify that Key Identifier References must be supported.
Must Support Issuer Serial Reference
Allows you to specify that Issuer Serial References must be supported.
Must Support External URI Reference
Allows you to specify that External URI References must be supported.
Must Support Embedded Token Reference
Allows you to specify that Embedded Token References must be supported.
Must Support Thumbprint Reference
Allows you to specify that Thumbprint References must be supported.
Require Signature Confirmation
Allows you to specify that the Signature Confirmation property is set to true.
Must Support Encrypted Key Reference
Allows you to specify that the Encrypted Key References property is set to true.

Specify WS-Trust 1.0 Options

Policy Configuration: Specify WS-Trust 1.0 Options

The Specify WS-Trust 1.0 Options page allows you to configure a set of properties supported by WS-Trust 1.0 when the Trust10 assertion is part of the Endpoint Policy Subject. It includes the options listed below.

Do not specify options
Indicates that no WS-Trust 1.0 options will be specified in the policy.
Specify options
Indicates that the specified options will apply to the policy.
Must Support Client Challenge
Allows you to specify that client challenges must be supported.
Must Support Server Challenge
Allows you to specify that server challenges must be supported.
Require Client Entropy
Allows you to specify that client entropy is required.
Require Server Entropy
Allows you to specify that server entropy is required.
Must Support Issued Tokens
Allows you to specify that issued tokens must be supported.

Specify Security Audit Options

Policy Configuration: Specify Security Audit Options

Choose from the available options controlling the audit data that's captured:

Generate Audit Data
Captures all message data, whether success or failure, for all message exchanges.
On Error Only
If you choose to generate audit data, you can specify that audit data is captured only when an error occurs on a message exchange.

Activating a policy

When you create and configure a policy, the policy is in Draft state. When the policy configuration is complete, activate the policy: click Activate Policy and then confirm. See Activate a Policy.

A policy in Draft state is not available for general use. Once you activate the policy, it is in Active state and is available for use.

Attaching a policy

To use the policy, go to the Policies folder in the respective organization and attach the policy to a web service, binding, or binding operation.