IBM webMethods Hybrid Integration


WS Security on Consumer WSD: PasswordText with Nonce and Created

  • 1.  WS Security on Consumer WSD: PasswordText with Nonce and Created

    Posted Mon October 15, 2018 11:34 AM

    Hi all,

    I want to add a username token to our outgoing SOAP requests containing a username, clear (plaintext) password, nonce, and created date like below:

    <wsse:UsernameToken wsu:Id="UsernameToken">
      <wsse:Username>Administrator</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">manage</wsse:Password>
      <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">+N5aKhsk4nK+mvU6w//HRg==</wsse:Nonce>
      <wsu:Created>2018-10-15T09:10:09.132Z</wsu:Created>
    </wsse:UsernameToken>

    Is this possible? What I’ve done so far:

    1. Added a port alias to the consumer WSD’s binding to make the username and password configurable.
    2. Played around with policies. I can get a username token with a username and clear password, and I’ve been able to get it to have a username, hashed password digest, nonce, and created. With IS 10.1, is this even possible, given that policies are only supporting up to WSSecurityPolicy 1.2?

    #API-Management
    #soa
    #webMethods


  • 2.  RE: WS Security on Consumer WSD: PasswordText with Nonce and Created

    Posted Tue August 27, 2019 04:13 AM

    Hi Jondric Zafra,

    As you mentioned, “I’ve been able to get it to have a username, hashed password digest, nonce, and created.” We now need to send it in the same manner. Can you please share the policy if you have one like this?

    Regards,
    Ravi.


    #API-Management
    #soa
    #webMethods


  • 3.  RE: WS Security on Consumer WSD: PasswordText with Nonce and Created

    Posted Tue August 27, 2019 04:22 AM

    Another quick update: I am using the policy file below, but I am getting the response “Security processing failed (actions mismatch)”. Is there any way to track the SOAP header going out from IS, apart from the TCP/IP monitor, which is not showing anything?

    <wsp:Policy wsu:Id="Username_Over_Transport_Digest" Name="Username Over Transport with Digest"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <wsp:Policy>
              <sp:TransportToken>
                <wsp:Policy>
                  <sp:HttpsToken RequireClientCertificate="false" />
                </wsp:Policy>
              </sp:TransportToken>
              <sp:AlgorithmSuite>
                <wsp:Policy>
                  <sp:Basic256Sha256/>
                </wsp:Policy>
              </sp:AlgorithmSuite>
              <sp:Layout>
                <wsp:Policy>
                  <sp:Strict/>
                </wsp:Policy>
              </sp:Layout>
              <sp:IncludeTimestamp/>
            </wsp:Policy>
          </sp:TransportBinding>

          <sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <wsp:Policy>
              <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:HashPassword/>
                </wsp:Policy>
              </sp:UsernameToken>
            </wsp:Policy>
          </sp:SignedSupportingTokens>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>


    #API-Management
    #soa
    #webMethods
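
The two token forms discussed in this thread (PasswordText and PasswordDigest, each with Nonce and Created), as an added example that is not part of the original posts or the product's own code: a Python check that reports what a captured UsernameToken actually carries and verifies a digest per Username Token Profile 1.0. The function names and the five-minute freshness window are assumptions; the sample values are the ones in the first post.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#"

def password_digest(nonce_b64, created, password):
    """Username Token Profile 1.0: Base64(SHA-1(nonce bytes + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def sample_token(kind, user, secret, nonce_b64, created):
    """Constructed sample header fragment; kind is PasswordText or PasswordDigest."""
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="{UTP}{kind}">{secret}</wsse:Password>'
            f'<wsse:Nonce>{nonce_b64}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>')

def inspect_token(xml_text, now, password=None, max_age=timedelta(minutes=5)):
    """Report what the first UsernameToken in a captured header carries."""
    tok = next(ET.fromstring(xml_text).iter(f"{{{WSSE}}}UsernameToken"))
    pw = tok.find(f"{{{WSSE}}}Password")
    nonce = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    # A Password element without a Type attribute is PasswordText per the profile.
    kind = pw.get("Type", UTP + "PasswordText").rsplit("#", 1)[-1]
    report = {"user": tok.findtext(f"{{{WSSE}}}Username"), "password_type": kind,
              "has_nonce": nonce is not None, "has_created": created is not None}
    if created:
        ts = datetime.fromisoformat(created.replace("Z", "+00:00"))
        report["fresh"] = abs(now - ts) <= max_age  # assumed replay window
    if kind == "PasswordDigest" and password is not None and nonce and created:
        report["digest_ok"] = pw.text == password_digest(nonce, created, password)
    return report

# Nonce and Created are the values from the first post's sample token.
NONCE, CREATED = "+N5aKhsk4nK+mvU6w//HRg==", "2018-10-15T09:10:09.132Z"
NOW = datetime(2018, 10, 15, 9, 12, tzinfo=timezone.utc)

if __name__ == "__main__":
    text = sample_token("PasswordText", "Administrator", "manage", NONCE, CREATED)
    digest = sample_token("PasswordDigest", "Administrator",
                          password_digest(NONCE, CREATED, "manage"), NONCE, CREATED)
    print(inspect_token(text, NOW))
    print(inspect_token(digest, NOW, password="manage"))
```

Run against a header captured from the outbound request, the `password_type`, `has_nonce` and `has_created` fields show which of the two forms the applied policy produced.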