Relevant for: API testing only
The default Web Service scenario is based on the WS-Security specification. This scenario lets you place security credentials in the actual SOAP message.
When a SOAP message sender sends a request, the security credentials, known as tokens, are placed in the SOAP message. When the Web server receives the SOAP request, it does not need to send additional requests to verify the integrity of the sender. The server verifies that the credentials are authentic before letting the Web Service execute the application. By not having to go back to the source of the credentials, the application performance improves significantly.
To further secure Web Services, it is common to use digital signatures or encryption for the SOAP messages. Digitally signing a SOAP message verifies that the message has not been altered during transmission. Encrypting a SOAP message helps secure a Web Service by making it difficult for anyone other than the intended recipient to read the contents of the message.
The transport level security includes the authentication and proxy server information. You can also specify Keep Alive preferences and connection timeout.
The WS-Security tab lets you set the message level security through tokens, signatures and encryption.
To support WS-Security, UFT enables you to create security tokens for your script. You can create multiple tokens and set their properties. After creating a token, you use it to sign or encrypt a SOAP message.
The Web Services security mechanism associates security tokens with messages. This mechanism supports several security token formats to accommodate a variety of authentication requirements. For example, a client might need to provide a proof of identity or a security certificate.
The following tokens are available:
The User Name token contains user identification information for the purpose of authentication: User Name and Password.
You can also specify Password Options, indicating how to send the password to the server for authentication: Text, None, or Hash. and indicate whether to include a timestamp.
This token is based on an X.509 certificate.
To obtain a certificate, you can either purchase it from a certificate authority, such as VeriSign, Inc. or set up your own certificate service to issue a certificate.
Most Windows servers support the public key infrastructure (PKI), which enables you to create certificates. You can then have it signed by a certificate authority or use an unsigned certificate.
The Kerberos protocol is used to mutually authenticate users and services on an open and unsecured network.
Using shared secret keys, it encrypts and signs user credentials. A third party, known as a KDC (Kerberos Key Distribution Center), authenticates the credentials.
After authentication, the user may request a service ticket to access one or more services on the network. The ticket includes the encrypted, authenticated identity of the user. The tickets are obtained using the current user's credentials.
The primary difference between the Kerberos and Kerberos2 tokens, is that Kerberos2 uses the Security Support Provider Interface (SSPI), so it does not require elevated privileges to impersonate the client's identity.
In addition, the Kerberos2 security token can be used to secure SOAP messages sent to a Web Service running in a Web farm.
SAML is an XML standard for exchanging security-related information, called assertions, between business partners over the Internet. The assertions can include attribute statements, authentication, decision statements, and authorization decision statements.
SAML uses brokered authentication with a security token issued by STS (Security Token Service). The STS is trusted by the client and the Web Service to provide interoperable security tokens.
SAML tokens are important for Web Service security because they provide cross-platform interoperability and a means of exchanging information between clients and services that do not reside within a single security domain.
The JKS (Java Keystore) certificate enables you access and use your Java Keystore web service certificates saved on a file. From this file, you specify the alias and password for your Web service.
When you add a security token to a SOAP message, it is added to the SOAP message in the form of an XML element in the WS-Security SOAP header. The message, however, is exposed and therefore requires additional security. This is especially true when the credentials, including the password, are sent in plain text as it is with role-based security.
The two methods used to secure the data are message signatures and message encryption:
Message Signatures. Message Signatures are used by the recipients to verify that messages were not altered since their signing. The signature is in the form of XML within the SOAP message. The recipient checks the signature to make sure it is valid.
Message Encryption. Although the XML message signature offers a mechanism for verifying that the message has not been altered since it was signed, it does not encrypt the SOAP message—the message is still plain text in XML format. To secure the message in order that it should not be exposed, you encrypt it, making it difficult for an intruder to view and obtain a user's password.