Running a secure Web Service

M3 Web Services supports WS-Policy based on public key cryptography, also known as asymmetric cryptography. The implementation signs and encrypts SOAP messages, which are handled by the SOAP engine CXF.

Authentication: Key Exchange Process

M3 Web Services can run in secured mode, which is enabled in the M3 Web Services Server View under Manage Service Security. When secured mode is enabled, the following applies to the communication between clients and the M3 Web Services Server:

Note: You cannot use the Web Services Designer Test feature to test secured web services. You must use a third party application.

For information on implementing secured web services, see Using X.509 Policy to secure Web Services.

  • The M3 Web Services Server generates a private/public key pair at installation that is unique to that server. For clients to call the secured web services, the server needs a way to identify them: each client needs its own public/private key pair, and the M3 Web Services Server must have imported the client's public key as a trusted certificate.

  • When the client has created its keys, its certificate (public key) must be uploaded to the Server, so that the M3 Web Services Server trusts only known, valid client certificates. The client in turn needs the certificate of the M3 Web Services Server imported into its keystore; this certificate is used to encrypt messages sent to the server.

  • When the delivered X.509 security policy is used, the message sent from the client is signed and encrypted. The signature lets the M3 Web Services Server verify who the message is from, and the encryption keeps the message content from being read by outside parties.

Note: For the M3 Web Services Server to authenticate an incoming message, the message must be signed with a valid certificate, and that client certificate must be known to the M3 Web Services Server. Only clients that have uploaded their certificate are authenticated.

Client <-> M3 Web Services Server

The X509 Policy is supplied with M3 Web Services to sign and encrypt the SOAP message using X.509 certificates.
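As an added example (not part of the M3 documentation or product), the following CXF JAX-WS client is configured the way the key exchange above requires: it signs with its own private key and encrypts to the server certificate imported into its keystore, and CXF applies the X509 policy it reads from the WSDL. The service stub classes, the operation name, the keystore file name, the aliases and the passwords are assumptions.

```java
import java.util.Map;
import java.util.Properties;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.ws.BindingProvider;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.wss4j.common.ext.WSPasswordCallback;

public class SecureM3Client {

    // WSS4J Merlin crypto properties pointing at one JKS keystore and one alias.
    static Properties merlin(String file, String password, String alias) {
        Properties p = new Properties();
        p.put("org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
        p.put("org.apache.wss4j.crypto.merlin.keystore.type", "jks");
        p.put("org.apache.wss4j.crypto.merlin.keystore.file", file);
        p.put("org.apache.wss4j.crypto.merlin.keystore.password", password);
        p.put("org.apache.wss4j.crypto.merlin.keystore.alias", alias);
        return p;
    }

    public static void main(String[] args) {
        // Hypothetical JAX-WS stubs generated from the secured service's WSDL.
        ExampleM3Service service = new ExampleM3Service();
        ExampleM3Port port = service.getExampleM3Port();
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();

        // Signing: the client's own key pair (alias "client") proves who the message is from.
        // The same key is used to decrypt the server's response.
        ctx.put(SecurityConstants.SIGNATURE_PROPERTIES, merlin("client.jks", "changeit", "client"));
        ctx.put(SecurityConstants.SIGNATURE_USERNAME, "client");
        // Password for the client's private key (assumed value).
        ctx.put(SecurityConstants.CALLBACK_HANDLER, (CallbackHandler) callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof WSPasswordCallback) {
                    ((WSPasswordCallback) cb).setPassword("changeit");
                }
            }
        });

        // Encryption: the M3 Web Services Server certificate, imported into the same
        // keystore under alias "m3server", so only that server can read the request.
        ctx.put(SecurityConstants.ENCRYPT_PROPERTIES, merlin("client.jks", "changeit", "m3server"));
        ctx.put(SecurityConstants.ENCRYPT_USERNAME, "m3server");

        // Each call is now signed with the client key and encrypted to the server certificate.
        port.exampleOperation();
    }
}
```

If the server has not imported the client certificate as trusted, the call fails at the server's signature check, which is the behaviour the note above describes.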

M3 Web Services Server <-> back-end

Back-end systems are M3 or databases. User credentials for the back-end are supplied by HTTP-layer basic authentication.