Using Web Services Security Policies

ActiveMatrix BusinessWorks allows you to specify security policies for inbound and outbound SOAP messages. The security policies follow Web Services Security: SOAP Message Security 1.0 (WS-Security 2004) OASIS Standard 200401. You can find out more about this standard at http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.

You define security policies in the Security Policy shared configuration resource. You can define one policy to share among all of your web services, or you can define multiple policies to use on a per-resource basis. You can include the following attributes within a policy:

  • Authentication — whether messages must be authenticated. Authentication can be performed either with usernames and passwords or with X.509-compliant certificates.

  • Integrity — whether messages must be validated with a signature to ensure the message has not been altered since its creation.

  • Confidentiality — whether messages are encrypted or unencrypted.

  • Timeout — whether messages should expire after a certain time.

See TIBCO ActiveMatrix BusinessWorks Palette Reference for more information about the Security Policy Resource.
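
The following Python example is added here and is not TIBCO code; it maps each of the four policy attributes to the WS-Security 1.0 element that carries it on the wire and reports which ones a SOAP message contains. The sample envelope, the `audit` function and its result keys are assumptions constructed for this illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
X509_SUFFIX = "#X509v3"  # tail of the X.509 token profile ValueType URI

# Constructed sample: username token, timestamp, signature stub, plaintext body.
SAMPLE = """<soap:Envelope {decls}>
  <soap:Header><wsse:Security>
    <wsu:Timestamp>
      <wsu:Created>2024-01-01T12:00:00Z</wsu:Created>
      <wsu:Expires>2024-01-01T12:05:00Z</wsu:Expires>
    </wsu:Timestamp>
    <wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
    <ds:Signature/>
  </wsse:Security></soap:Header>
  <soap:Body><GetQuote xmlns="urn:example:constructed"/></soap:Body>
</soap:Envelope>""".format(decls=" ".join(f'xmlns:{p}="{u}"' for p, u in NS.items()))

def audit(xml_text, now):
    """Report which policy attributes the message's wsse:Security header carries.
    Presence checks only: signatures and tokens are not cryptographically verified."""
    root = ET.fromstring(xml_text)  # use a hardened XML parser for untrusted input
    result = {"authentication": None, "integrity": False,
              "confidentiality": False, "timeout": None}
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return result
    bst = sec.find("wsse:BinarySecurityToken", NS)
    if sec.find("wsse:UsernameToken", NS) is not None:
        result["authentication"] = "username"
    elif bst is not None and bst.get("ValueType", "").endswith(X509_SUFFIX):
        result["authentication"] = "x509"
    result["integrity"] = sec.find("ds:Signature", NS) is not None
    body = root.find("soap:Body", NS)
    result["confidentiality"] = (body is not None and
                                 body.find(".//xenc:EncryptedData", NS) is not None)
    expires = sec.find("wsu:Timestamp/wsu:Expires", NS)
    if expires is not None and expires.text:
        deadline = datetime.fromisoformat(expires.text.strip().replace("Z", "+00:00"))
        result["timeout"] = "expired" if now >= deadline else "valid"
    return result
```

Comparing the result against the attributes a policy is meant to enforce shows at a glance when a message arrives without a signature, without encryption, or past its expiry time.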

Note: The errors encountered when using Web Services Security policies are generally not published, because malicious users could attempt to gain information about your security policy by replicating known errors. To prevent the general public from obtaining the Web Services Security error codes, only licensed customers can request a list of error messages and codes by contacting TIBCO Support.