Using WS-Security to enhance SOAP messages

Updated on April 6, 2022

The WS-Security standard provides a set of enhancements to the SOAP messaging standard for the purpose of adding message-level security to web service transactions.

Depending on the service, you can configure the SOAP connector to include any combination of the following:

  • Encryption – Provides message confidentiality by encrypting some or all of the SOAP message content, in addition to any transport-layer encryption (SSL/TLS) that is used in the transmission of the message. Encryption ensures that the message content remains confidential until the appropriate receiving party decrypts it.
  • Signature – Provides message integrity by adding a digital signature to some or all of the SOAP message content. The receiving party must verify the signature to guarantee the authenticity of the message.
  • Timestamp – Increases message integrity by defining a time-to-live for the message, which prevents replay attacks.
  • Username token – Provides message-level authentication for web service transactions. When combined with Timestamp, Signature, and Encryption, a username token is a more secure alternative to HTTP basic authentication.

Understanding outflow

Outflow defines the configuration and run-time behavior of the outgoing SOAP message. In a SOAP connector, this is the request message. In a SOAP service, this is the response message.

  • Username tokens are added to the outgoing SOAP message.
  • Timestamps are added to the outgoing message.
  • For Signature configurations, applicable message parts are assigned a hash value that is encrypted using Public Key Encryption (PKI) and added to the outgoing SOAP message.
  • For Encryption configurations, applicable message parts are encrypted using PKI, and added to the outgoing SOAP message.

Understanding inflow

Inflow defines the configuration and run-time behavior of the incoming SOAP message. In a SOAP connector, this is the response message. In a SOAP service, this is the request message.

  • Username tokens are validated against the configured value.
  • Timestamps are checked to determine whether the message has expired.
  • The digital signature is decrypted and validated against the incoming SOAP message content.
  • For Encryption configurations, applicable message parts of the incoming SOAP message are decrypted and converted back to standard XML text.
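
The timestamp and username token checks from the inflow list above, sketched as an added example (this is not Pega's code, and it does not cover signature validation or decryption). The function name `check_inflow`, the 60-second clock-skew allowance, the plain-text password form, and the sample message and credentials are assumptions made for illustration.

```python
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": WSS + "secext-1.0.xsd", "wsu": WSS + "utility-1.0.xsd"}

# Constructed sample message and credentials (not captured traffic).
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
 <soap:Header><wsse:Security>
  <wsu:Timestamp><wsu:Created>2022-04-06T12:00:00Z</wsu:Created>
   <wsu:Expires>2022-04-06T12:05:00Z</wsu:Expires></wsu:Timestamp>
  <wsse:UsernameToken><wsse:Username>svc-orders</wsse:Username>
   <wsse:Password>example-secret</wsse:Password></wsse:UsernameToken>
 </wsse:Security></soap:Header><soap:Body/>
</soap:Envelope>"""

def _utc(text):
    """Parse an xsd:dateTime in the UTC 'Z' form used by the sample."""
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())

def check_inflow(xml_text, user, password, now, skew=timedelta(seconds=60)):
    """Return 'ok', or the reason the incoming message is rejected."""
    if "<!DOCTYPE" in xml_text:  # SOAP forbids DTDs; refuse before parsing
        return "dtd-not-allowed"
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "malformed-xml"
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return "missing-security-header"
    try:
        created = _utc(sec.findtext("wsu:Timestamp/wsu:Created", "", NS))
        expires = _utc(sec.findtext("wsu:Timestamp/wsu:Expires", "", NS))
    except ValueError:  # absent or unparseable timestamp fails closed
        return "bad-timestamp"
    if created - skew > now:
        return "created-in-future"
    if now > expires + skew:  # past its time-to-live: treat as a replay
        return "expired"
    got_user = sec.findtext("wsse:UsernameToken/wsse:Username", "", NS)
    got_pass = sec.findtext("wsse:UsernameToken/wsse:Password", "", NS)
    if not (_same(got_user, user) & _same(got_pass, password)):  # & checks both
        return "bad-credentials"
    return "ok"
```

Because the sample message is unsigned, nothing stops its timestamp from being rewritten in transit; the expiry check is only meaningful when the timestamp is among the signed message parts.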
Learn how to configure these enhancements in your SOAP request and response message by completing the following tasks: