How to Call a Secured External Web Service From a Process

To enable a business process application to call a secured external web service, you must configure both the BPM runtime and the application itself. This tutorial describes those steps.

This tutorial will make you familiar with:

  • configuring the BPM runtime to call a particular secured external web service, by digitally signing outgoing SOAP messages with the private key of (in this example) an X.509 certificate.
  • configuring a business process application to call that secured external web service, by assigning the appropriate security policy to the system participant that identifies the web service endpoint.

Note: There are no initial resources or solutions for this tutorial. The tutorial assumes that you already know how to create a business process application to implement a call to an external web service, and then how to deploy and test that application.

You should work through each section in turn to complete the tutorial.

  • The BPM runtime can be configured to provide message-level security when a business process application invokes a secured external web service.
  • The BPM runtime implements the following message-level security mechanisms (defined by the WS-Security specification):
    • Authentication - A security token is inserted into the outgoing SOAP message. The service provider examines the token to verify the identity of the caller that is trying to invoke the web service.
    • Integrity - The outgoing SOAP message is signed with an XML digital signature. The service provider verifies the signature to ensure that the signed parts of the message have not been changed in transit.
  • Specific security requirements are encapsulated in policy templates that are applied to business process applications. Currently supported policies are:
    • Security Assertion Markup Language (SAML) "Sender Vouches" token, which provides Single Sign-On (SSO).
    • X.509 certificate
    • UsernameToken
  • At design-time, the solution designer specifies the information that will be used by the calling process—the policy template to be used and the specific runtime information required.
  • At runtime, an identity provider resource instance intercepts the outgoing message and enforces the required policy with the appropriate runtime information.
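The following script, added here as an illustration and not taken from the BPM runtime or its documentation, shows what the authentication mechanism above amounts to on the wire for one of the listed policies, the UsernameToken. The client side inserts a digest-form wsse:UsernameToken into the SOAP Security header (the job the identity provider resource does at runtime); the service side then checks timestamp freshness, nonce replay and the password digest in the order a WS-Security-aware endpoint must. The X.509 signing case is not shown, because a correct XML digital signature needs an XML-DSig library. The user name, password, service payload and clock values are constructed for the demo; nothing here is a real endpoint.

```python
# Added illustration of WS-Security UsernameToken (digest form); not BPM runtime code.
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NS = {"soapenv": SOAP_NS, "wsse": WSSE_NS, "wsu": WSU_NS}
for _p, _u in NS.items(): ET.register_namespace(_p, _u)   # readable prefixes on output
MAX_SKEW = timedelta(minutes=5)   # how far wsu:Created may differ from the provider clock
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_request(user, password, body, now=None, nonce=None) -> str:
    """Client side: wrap the payload in a SOAP envelope whose Security header
    carries a digest-form UsernameToken (what the identity provider resource
    does to the outgoing message)."""
    now = now or datetime.now(timezone.utc)
    nonce = nonce or os.urandom(16)          # fresh per message: replay protection
    created = now.strftime(TIME_FMT)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE_NS}}}Security",
                        {f"{{{SOAP_NS}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE_NS}}}Username").text = user
    pw = ET.SubElement(tok, f"{{{WSSE_NS}}}Password", {"Type": PASSWORD_DIGEST})
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE_NS}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU_NS}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(body)
    return ET.tostring(env, encoding="unicode")


class ServiceProvider:
    """Service side. The digest form forces the provider to hold the cleartext
    password (here an in-memory dict; a real endpoint uses a secret store)."""

    def __init__(self, credentials, clock=None):
        self.credentials = credentials
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.seen_nonces = set()   # replay cache; entries older than MAX_SKEW can be evicted

    def authenticate(self, soap_xml):
        """Return (True, user) or (False, reason): freshness, replay, then digest."""
        root = ET.fromstring(soap_xml)
        tok = root.find("soapenv:Header/wsse:Security/wsse:UsernameToken", NS)
        if tok is None:
            return False, "no UsernameToken"
        user = tok.findtext("wsse:Username", namespaces=NS)
        pw = tok.find("wsse:Password", NS)
        nonce_b64 = tok.findtext("wsse:Nonce", namespaces=NS)
        created = tok.findtext("wsu:Created", namespaces=NS)
        if pw is None or pw.get("Type") != PASSWORD_DIGEST or not (nonce_b64 and created):
            return False, "malformed token"
        try:
            stamp = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "bad Created"
        if abs(self.clock() - stamp) > MAX_SKEW:
            return False, "stale timestamp"
        nonce = base64.b64decode(nonce_b64)
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        secret = self.credentials.get(user)
        if secret is None:
            return False, "unknown user"
        expected = password_digest(nonce, created, secret).encode("ascii")
        if not hmac.compare_digest(expected, (pw.text or "").encode("utf-8")):
            return False, "bad digest"
        self.seen_nonces.add(nonce)   # record the nonce only after a successful check
        return True, user


def demo():
    """Run the exchange against a fixed clock so the outcome is deterministic."""
    t0 = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)       # constructed clock
    provider = ServiceProvider({"bpm-runtime": "s3cret"},           # constructed credential
                               clock=lambda: t0 + timedelta(seconds=30))
    body = ET.Element("{urn:example:orders}GetOrder")               # constructed payload
    ET.SubElement(body, "{urn:example:orders}OrderId").text = "42"
    good = build_request("bpm-runtime", "s3cret", body, now=t0, nonce=b"\x01" * 16)
    return {
        "valid": provider.authenticate(good),
        "replay": provider.authenticate(good),   # same nonce presented twice
        "wrong_password": provider.authenticate(build_request("bpm-runtime", "wrong", body, now=t0)),
        "stale": provider.authenticate(build_request("bpm-runtime", "s3cret", body, now=t0 - timedelta(hours=1))),
        "unknown_user": provider.authenticate(build_request("nobody", "s3cret", body, now=t0)),
    }
```

Two caveats a practitioner should keep in mind. The digest covers only the nonce, timestamp and password, so this token authenticates the caller but does nothing for the integrity of the SOAP body; that is what the separate XML signature (the X.509 policy) is for. And because the provider must recompute the digest, it has to keep each password in recoverable form, so the replay cache and a tight clock-skew window are the only things limiting the damage from a captured token until it expires.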

Prerequisites

This tutorial assumes:

  • that you know how to implement a call to an external web service in a business process application, and then how to deploy and test that application. If you are not already familiar with these topics, run through the How to Call an External Web Service From a Process tutorial before attempting this one.
  • that you are familiar with web service security concepts and techniques.
  • that you are familiar with the use of X.509 certificates.

For More Information

If you wish to call an external web service that is secured using a SAML "Sender Vouches" token or a UsernameToken, you will need to follow similar steps to those described in this tutorial. Refer to the Administrator interface documentation for your BPM runtime environment for more information.