Configuring Security on an Outgoing Service Call

If you need to apply a security policy on the outgoing service call, you do so by assigning a policy to the system participant that identifies the service endpoint.

You may need to do this, for example:

  • to invoke a secured external web service. See the How to Call a Secured External Web Service From a Process tutorial for more information.
  • to enforce credential mapping to ensure that a process instance always runs using fixed credentials. See the Using Credential Mapping to Associate a Specific Identity with a Process Instance tutorial for more information.

The security policy will then be applied to the outgoing message sent by the task or event, allowing it to be authenticated by the called service.

Note: The service must be invoked using a SOAP binding (with a concrete WSDL). You cannot apply a security policy if you are calling the service on its virtualization binding (using an abstract WSDL).

To assign a security policy to the system participant:

Procedure

  1. In Project Explorer, select the system participant that identifies the service endpoint.
  2. On the General tab of the Properties view, expand Shared Resource. The endpoint’s configuration details are displayed.
  3. In the Policy Type field, select from the drop-down menu the type of security policy required to invoke the service. This is one of:
    • Username Token, X509 Token or SAML Token, to authenticate the outgoing SOAP request using a Web Services Security (WSS) token of the indicated type.
    • Custom Policy, to apply a custom security policy to the outgoing SOAP request and, if required, to the incoming SOAP response.
      Note: You must use a Custom Policy if the SOAP response message returned by the service contains a security header. The Username Token, X509 Token or SAML Token policies do not handle an incoming SOAP response that contains a security header.

      See SOAP over JMS Binding Details (Provider) or SOAP Over JMS Binding Details (Consumer) for more information about these policy types.

  4. If you selected Username Token, X509 Token or SAML Token, a Governance App. Name field is displayed. Enter the name of the identity provider application from which the BPM runtime will obtain the authentication information needed to contact the service.
  5. If you selected Custom Policy, a Custom Policy Set field is displayed:
    1. Click the Browse button. The Select Policy Set dialog is displayed, listing all external policy sets that are available in the current workspace.
      Note: The external policy set file that defines the policy to be used must be available in the same workspace. (It does not have to be in the same project.)

      If the required policy set file is not already available, click Cancel, import the file to the workspace and try again.

    2. Select the policy set that the BPM runtime will apply to the outgoing SOAP request (and, if appropriate, to the incoming SOAP response).
    3. Click OK.
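
The note in step 3 makes the policy type depend on whether the service's SOAP response carries a security header. The following added example (not part of the product or its documentation) checks a captured response for a WSS 1.0 `wsse:Security` header block and returns the policy type that can handle it. The function names and both sample responses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_NS = {"http://schemas.xmlsoap.org/soap/envelope/",    # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope"}      # SOAP 1.2
_OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
WSSE = _OASIS + "secext-1.0.xsd"    # WSS 1.0 security extension namespace
WSU = _OASIS + "utility-1.0.xsd"    # WSS 1.0 utility namespace

def security_headers(soap_xml):
    """Return one dict per wsse:Security header block in a SOAP message."""
    if "<!DOCTYPE" in soap_xml:     # SOAP messages must not carry a DTD
        raise ValueError("DTD not allowed in a SOAP message")
    root = ET.fromstring(soap_xml)
    ns, _, local = root.tag[1:].partition("}")
    if local != "Envelope" or ns not in SOAP_NS:
        raise ValueError("not a SOAP envelope")
    header = root.find(f"{{{ns}}}Header")
    found = []
    for block in (header if header is not None else []):
        if block.tag == f"{{{WSSE}}}Security":
            flag = block.get(f"{{{ns}}}mustUnderstand")
            found.append({"must_understand": flag in ("1", "true"),
                          "children": [c.tag.rpartition("}")[2] for c in block]})
    return found

def policy_type_for(response_xml, token_policy="Username Token"):
    """Custom Policy when the response has a security header, else the token policy."""
    return "Custom Policy" if security_headers(response_xml) else token_policy

# Constructed sample responses (not captured from a real service).
SECURED_RESPONSE = f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Header>
    <wsse:Security s:mustUnderstand="1" xmlns:wsse="{WSSE}">
      <wsu:Timestamp xmlns:wsu="{WSU}">
        <wsu:Created>2024-01-01T00:00:00Z</wsu:Created>
      </wsu:Timestamp>
    </wsse:Security>
  </s:Header>
  <s:Body><r:statusResponse xmlns:r="urn:example:svc"/></s:Body>
</s:Envelope>"""

PLAIN_RESPONSE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body><r:statusResponse xmlns:r="urn:example:svc"/></s:Body>
</s:Envelope>"""

if __name__ == "__main__":
    for name, msg in (("secured", SECURED_RESPONSE), ("plain", PLAIN_RESPONSE)):
        print(name, "->", policy_type_for(msg), security_headers(msg))
```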