Safelayer Secure Communications
 
 
Security and trust in web services
25 January 2008

This article explains how TrustedX can be used to secure Web services by means of authentication, integrity and confidentiality methods.

Securing Web services

SOAP (Simple Object Access Protocol) services and REST (Representational State Transfer) services are the most common kinds of Web service. SOAP services rest on a set of interoperable standards: the SOAP protocol, XML and the OASIS and W3C WS-* specifications. REST services are built on the existing Web infrastructure: plain XML (no SOAP envelope) carried over HTTP.

Securing these two kinds of Web service is handled differently:

  • WS-Security (Web Services Security) is a set of extensions to the SOAP protocol that defines a group of security methods. It provides integrity, confidentiality and authentication at the SOAP message level, independently of the transport; the methods are based on the XML-DSig and XML-Enc standards and are used together with security tokens (e.g. X.509 certificates, Kerberos tickets or SAML assertions) carried in the SOAP header.
  • Unlike SOAP, REST specifies no security methods, so there is no common interoperable framework that defines which methods can be used and how they are to be applied. In practice, the tendency is to combine the XML-DSig, XML-Enc and SSL/TLS standards to give this type of service basic security methods.

TrustedX supports the PKI-based WS-Security methods, together with digital certificates and security tokens based on SAML, X.509, Kerberos and username/password. Since the platform also implements signature and encryption according to the XML-DSig and XML-Enc standards, it provides a single solution for protecting both SOAP and REST Web services.

TrustedX security architectures

Adding security methods to Web services by means of TrustedX means that the application or gateway consumes specialized security services instead of implementing them itself. Because all the logic of the security methods is delegated to TrustedX, the WS-Security, XML-DSig and XML-Enc standards are applied to Web messages from a SOA point of view.

The possible implementation architectures are:

  1. Integration gateway: TrustedX acts as a security gateway that protects outgoing messages and processes (verifies, decrypts, authenticates) incoming ones. The advantage of this architecture is that the security methods can be implemented without modifying the Web services themselves.
  2. Security Web services: the application itself calls TrustedX to request the protection or the processing of a message. Unlike the previous architecture, here the results produced by TrustedX are returned to the application, which decides what to do with them.
  3. A combination of both.

The figure below illustrates the first two architectures:

[Figure: integration gateway and security Web services architectures]

TrustedX's gateway functions include receiving SOAP/WS or REST/WS data, processing it by means of an XML pipeline language and then forwarding it. The pipeline makes it possible to chain a sequence of XML processing rules (transform, sign, verify, encrypt, decrypt, authenticate, authorize, consult external information sources, etc.) that are executed in order to produce the desired output.
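As an added example that is not part of the original article and not Safelayer's TrustedX code, the following Python script shows the WS-Security authentication method described earlier (a username/password security token in the SOAP header) together with the gateway pipeline idea of this section. The sender builds a SOAP 1.1 request whose wsse:Security header carries a PasswordDigest UsernameToken as defined by the OASIS UsernameToken Profile 1.0, and a receiving gateway runs a fixed sequence of stages (authenticate, replay check, strip the Security header, forward) before the message reaches the unmodified Web service. The credential store, the Ping payload, the 5-minute skew window and all function and class names are assumptions made for illustration; the signature and encryption stages (XML-DSig and XML-Enc) are not implemented here.

```python
import base64, hashlib, hmac, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
for _p, _u in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_p, _u)

USERS = {"alice": "correct horse battery staple"}  # constructed credential store (assumption)
MAX_CLOCK_SKEW = timedelta(minutes=5)              # freshness window for wsu:Created (assumption)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def build_request(username, password, body_xml, now=None):
    """Sender side: wrap body_xml in a SOAP 1.1 envelope carrying a wsse:UsernameToken."""
    created = (now or datetime.now(timezone.utc)).strftime(TIME_FMT)
    nonce = secrets.token_bytes(16)  # fresh per message; the receiver uses it to detect replays
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security",
                        {f"{{{SOAP}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": PASSWORD_DIGEST}).text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": BASE64_BINARY}).text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")

class SecurityError(Exception):
    pass

class Gateway:
    """Receiver side of the integration-gateway pattern: a fixed pipeline of authenticate ->
    replay check -> strip the Security header -> forward to the unmodified Web service."""

    def __init__(self, users, now=None):
        self.users = users
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.seen_nonces = set()  # a real cache would expire entries older than MAX_CLOCK_SKEW

    def _authenticate(self, env):
        tok = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if tok is None:
            raise SecurityError("no UsernameToken")
        username = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_b64, created = tok.findtext(f"{{{WSSE}}}Nonce"), tok.findtext(f"{{{WSU}}}Created")
        if pw is None or pw.get("Type") != PASSWORD_DIGEST or not (username and nonce_b64 and created):
            raise SecurityError("malformed UsernameToken")
        try:
            created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(nonce_b64, validate=True)  # binascii.Error is a ValueError
        except ValueError:
            raise SecurityError("malformed UsernameToken")
        # Freshness: a captured message is rejected outside the skew window regardless of the
        # nonce cache, which bounds how long the cache has to remember nonces.
        if abs(self.now() - created_dt) > MAX_CLOCK_SKEW:
            raise SecurityError("token expired or clock skew too large")
        password = self.users.get(username)
        # Compute the digest even for unknown users (no timing leak of valid usernames) and
        # compare in constant time; PasswordDigest requires the verifier to know the password.
        expected = password_digest(nonce, created, password or "")
        if password is None or not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
            raise SecurityError("authentication failed")
        return username, nonce

    def process(self, request_xml):
        """Run the pipeline; return (authenticated user, message to forward) or raise SecurityError."""
        env = ET.fromstring(request_xml)
        username, nonce = self._authenticate(env)
        if nonce in self.seen_nonces:  # replay check only after the digest has been verified
            raise SecurityError("replayed nonce")
        self.seen_nonces.add(nonce)
        header = env.find(f"{{{SOAP}}}Header")
        for sec in header.findall(f"{{{WSSE}}}Security"):  # the backend service never sees credentials
            header.remove(sec)
        return username, ET.tostring(env, encoding="unicode")

def run_demo():
    """Exercise the pipeline with a valid request, a replay, a bad password, a stale token and an unknown user."""
    body = "<ns:Ping xmlns:ns='urn:example'/>"  # constructed sample payload
    gw, results = Gateway(USERS), {}
    good = build_request("alice", USERS["alice"], body)
    user, forwarded = gw.process(good)
    results["valid"] = (user, "UsernameToken" not in forwarded and "Ping" in forwarded)
    for name, req in (("replay", good),
                      ("bad_password", build_request("alice", "wrong", body)),
                      ("stale", build_request("alice", USERS["alice"], body,
                                              now=datetime.now(timezone.utc) - timedelta(hours=1))),
                      ("unknown_user", build_request("mallory", "x", body))):
        try:
            gw.process(req)
            results[name] = "accepted"
        except SecurityError as e:
            results[name] = str(e)
    return results
```

Running `run_demo()` accepts the first request and forwards the envelope without its Security header, then rejects the replay of the same message, the wrong password, the hour-old token and the unknown user. Two caveats follow from the design: the PasswordDigest scheme obliges the verifier to hold the clear-text password (or an equivalent secret), which is why a central trust service rather than every backend should hold it; and a UsernameToken on its own only authenticates the sender, so without XML-DSig over the body or TLS on the connection the payload can still be altered in transit. That is the reason the WS-Security methods described on this page combine security tokens with XML-DSig and XML-Enc.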

TrustedX is also responsible for the following aspects, which are key to managing trust:

  • Private key management: TrustedX provides protection methods that prevent keys from being copied or used without authorization, and makes key and digital certificate renewal transparent to the applications.
  • Centralized security policy and trust management: the trusted entities (CAs, TAs and VAs) are managed centrally, and the requirements for validating digital certificates and verifying signatures are defined in one place.
  • Auditing: it facilitates auditing both the system and the security methods applied across the corporate SOA architecture.

Examples of use of TrustedX

In the Try section of TrustedX Labs you will find a collection of code examples that show how to use TrustedX, both as a Web service and as a trust service, for securing SOAP messages.