webMethods


SOAP Basic HTTP authentication with a policy in CTP 

Mon August 09, 2021 05:51 AM

Add the following in the services.xml of your AAR service archive:

<module ref="rampart"/>
<parameter name="sin.jaas.transport.login.context">Default</parameter>
<wsp:Policy wsu:Id="BasicAuthPolicy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken>
                <wsp:Policy>
                  <sp:HttpBasicAuthentication/>
                </wsp:Policy>
              </sp:HttpsToken>
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:policyValidatorCbClass>com.softwareag.wsstack.jaas.callback.MultiLoginPolicyValidatorCallback</ramp:policyValidatorCbClass>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

  • The communication must happen over HTTPS, per the SOAP WS-Security specification.
  • Also per the WS-Security specification, the request to this service should contain a SOAP security header with a timestamp. For SoapUI, see "WS-Security (WSS) for API Testing | SoapUI" (Timestamp).
  • The MultiLoginPolicyValidatorCallback class makes the connection between the Web Services Stack and the Software AG Security Infrastructure.
  • The “sin.jaas.transport.login.context” parameter points to a JAAS login context defined in /profiles/CTP/configuration/jaas.config. In this example we use the default one, which works with the Software AG internal user store (common/conf/users.xml, common/conf/groups.xml, common/conf/roles.xml). New users can be added by using Reverb; role and group assignment is done by manually editing the corresponding files.
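
A request that satisfies the policy above carries HTTP Basic credentials on an HTTPS connection and a wsse:Security header with a wsu:Timestamp. The following is an added example, not code from the original post or from the product; SOAP 1.1, the endpoint URL, the user, the payload element and the build_request name are assumptions made for illustration.

```python
import base64
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 (assumption)
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_request(url, user, password, body_xml, now=None, ttl_seconds=300):
    """Return (http_headers, envelope_bytes) for a call to a BasicAuthPolicy service."""
    # sp:HttpsToken: Basic credentials are only base64-encoded, so never
    # build this request for a plain http:// endpoint.
    if urlsplit(url).scheme != "https":
        raise ValueError("BasicAuthPolicy requires an https:// endpoint")
    if ":" in user:
        raise ValueError("a Basic auth user name must not contain ':'")
    now = now or datetime.now(timezone.utc)  # caller-supplied 'now' must be UTC

    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security",
                        {f"{{{SOAP}}}mustUnderstand": "1"})
    # sp:IncludeTimestamp: the security header must carry a wsu:Timestamp.
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp", {f"{{{WSU}}}Id": "TS-1"})
    ET.SubElement(ts, f"{{{WSU}}}Created").text = now.strftime(FMT)
    expires = now + timedelta(seconds=ttl_seconds)
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = expires.strftime(FMT)
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))

    # sp:HttpBasicAuthentication: credentials go in the HTTP header, not the SOAP header.
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    headers = {
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": '""',
        "Authorization": f"Basic {token}",
    }
    return headers, ET.tostring(env, encoding="utf-8", xml_declaration=True)


if __name__ == "__main__":
    # Constructed sample values; replace with your own endpoint and operation.
    hdrs, envelope = build_request("https://ctp.example.com:8443/services/DemoService",
                                   "alice", "s3cret", "<ping xmlns='urn:example'/>")
    print(hdrs["Authorization"][:6] + "<redacted>")
    print(envelope.decode("utf-8"))
```

The returned headers and body can be sent with any HTTPS client that verifies the server certificate.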

#basic-auth
#wss
#CTP
#Web-Services-Stack
#SOAP
#Software-AG-Runtime
#webMethods
