I want to secure a SOAP Webservice (an
As a small foreword: I'm pretty new to the whole security aspect of InterSystems and SOAP itself.
I've tried it on 2 different systems with pretty much the same result:
- IIS server with a two-system mirror HealthShare 2018.1.2 installation
- local development environment with an Apache 2.4 (not the limited one delivered with the standard installation of HealthShare) and the HealthShare installation on the same machine
- (I must admit I'm not a server administration guy, so I am not sure if that is set up 100% correctly there, but anyway the outcome was the same on both systems)
I've got a SOAP service, the Ensemble production with the SOAP service active, and the web application for it; I made some changes to the ^SYS(Security...) global to make it available, created a role and a user and set them up. Without a policy, allowing unauthenticated access and the unknown user, it worked as I had expected.
I had sent my test requests with SoapUI at this stage and got the correct response back from HealthShare, and the Ensemble messages were created as expected, too.
What I have done / tried
- Generated a WS-Policy for SSL/Username for my service. I unselected everything there in the policy wizard (like WS-Addressing, strict layout and require client certificate) to make it as easy as possible and minimize other error sources that I didn't want to deal with at this stage. I didn't change anything in the generated policy as I couldn't find hints that it would be necessary.
- changed the web application to enforce the use of a keyword instead of unauthenticated login, and set up my created user with the appropriate role
- on both systems the default communication to the web server is over HTTPS; on the local Apache system I tried it with HTTP only, too
- in SoapUI the only configuration change was to create an outgoing WS configuration with the username + password and apply it to my requests; the resulting request then included the needed UsernameToken
- I sent my requests to this address: https://server-domain/webapplicationname/OBG.EnsWSP.EnsBS.TestSoapServic...
After that failed (see below) I wanted to check that the username/login is not the problem, so I edited the policy at this stage, removing the whole "<sp:transportBinding>" block, so that no SSL is required and only the UsernameToken is still necessary.
I also tried various changes to the policy at this stage, as I'm not sure what I had to do, but that was more like blind guessing.
Questions that I had but couldn't answer myself at this point
If I want to secure the communication with SSL, I expected to have to provide a certificate for it somewhere, either in the policy, the web service class, the web application or something, but I still don't know how or where to do so, if it is needed. Currently only the web server itself has a certificate set up for its HTTPS communication. For the IIS server setup there are also %superserver, %telnet and some mirror SSL configs configured in HealthShare.
What were the results?
After the above steps up to 4, the request fails with a SOAP fault:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:s="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Body>
    <SOAP-ENV:Fault>
      <faultcode>SOAP-ENV:Server</faultcode>
      <faultstring>Serverapplikationsfehler</faultstring>
      <detail>
        <error xmlns="http://soap.test.com/2005/09/outbound">
          <text>FEHLER #6454: Keine unterstützte Richtlinienalternative in Konfiguration OBG.EnsWSP.EnsBS.TestSoapServiceConfig:service.</text>
        </error>
      </detail>
    </SOAP-ENV:Fault>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

05/12/2020 16:11:10 ********************* Input to Web service with SOAP action = ""
<soapenv:Envelope xmlns:out="http://soap.sforce.com/2005/09/outbound" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:sobject.enterprise.soap.sforce.com">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-A7D77B4D3793977976158929267071110">
        <wsse:Username>someuser</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">somepassword</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">somenonce</wsse:Nonce>
        <wsu:Created>2020-05-12T14:11:10.711Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <out:notifications>
      <out:OrganizationId>1234567890ABCDEFGH</out:OrganizationId>
      <out:ActionId>1234567890ABCDEFGH</out:ActionId>
      <out:SessionId>123</out:SessionId>
      <out:EnterpriseUrl>www.test.de</out:EnterpriseUrl>
      <out:PartnerUrl>www.partnertest.de</out:PartnerUrl>
      <out:Notification>
        <out:Id>1234567890ABCDEFGH</out:Id>
        <out:sObject>
          <urn:Id>1234567890ABCDEFGH</urn:Id>
          <urn:Name__c>Testington</urn:Name__c>
        </out:sObject>
      </out:Notification>
    </out:notifications>
  </soapenv:Body>
</soapenv:Envelope>
--------------- Validate Security header: action=""
Validating security element 1: %SOAP.Security.UsernameToken
Security UsernameToken validated
Security SSL message
05/12/2020 16:11:10 ********************* Validation Policy 2 in OBG.EnsWSP.EnsBS.TestSoapServiceConfig:service for OBG.EnsWSP.EnsBS.TestSoapService
Headers:
Tokens:
Signatures:
SignatureConfirmations:
EncryptedData:
Timestamp Id=, pos=
********************* Alternatives
Alternative 1
  sp:TransportBinding
    sp:IncludeTimestamp
    sp:AlgorithmSuite=Basic128
  Supporting Tokens
    UsernameToken :type=sp:SignedSupportingTokens Include=AlwaysToRecipient wss=1.1
  Supporting Token 1, type=sp:SignedSupportingTokens, tokenType=UsernameToken
  Token not found
  Validate of TransportBinding failed.
No Alternative matches
05/12/2020 16:11:10 ********************* Output from Web service with SOAP action = ""
<?xml version='1.0' encoding='UTF-8' standalone='no' ?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:s='http://www.w3.org/2001/XMLSchema' >
  <SOAP-ENV:Body>
    <SOAP-ENV:Fault>
      <faultcode>SOAP-ENV:Server</faultcode>
      <faultstring>Serverapplikationsfehler</faultstring>
      <detail>
        <error xmlns='http://soap.test.com/2005/09/outbound'>
          <text>FEHLER #6454: Keine unterstützte Richtlinienalternative in Konfiguration OBG.EnsWSP.EnsBS.TestSoapServiceConfig:service.</text>
        </error>
      </detail>
    </SOAP-ENV:Fault>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
After that, as mentioned above, I removed the whole transportBinding part from the policy and tested it again with exactly the same request; then it worked again, as I expected.
I've sent all requests over HTTPS, so they were basically encrypted, but as it seems not the way the policy wants me to.
Thanks for any help!
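As an added illustration (not code from the post or from InterSystems), a small Python checker that reads a request's wsse:Security header and compares it with the assertions the policy trace above lists for Alternative 1. The sample request is a constructed, trimmed copy of the one in the log, and the POLICY dict is a hand transcription of that trace; run against the sample it reports that the header carries a UsernameToken but no wsu:Timestamp, which sp:IncludeTimestamp calls for, and it flags a PasswordText credential whenever the transport is not TLS.

```python
import xml.etree.ElementTree as ET
# WS-Security 1.0 namespaces, as used in the captured request
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
# Constructed sample: the Security header from the post's SOAP log, body omitted.
SAMPLE_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
      <wsse:UsernameToken wsu:Id="UsernameToken-1">
        <wsse:Username>someuser</wsse:Username>
        <wsse:Password Type="{PASSWORD_TEXT}">somepassword</wsse:Password>
        <wsu:Created>2020-05-12T14:11:10.711Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""
# The assertions of "Alternative 1" as listed in the post's policy trace (hand transcribed).
POLICY = {"transport_binding": True, "include_timestamp": True,
          "supporting_tokens": ["UsernameToken"]}

def inspect_security_header(xml_text):
    """Report what the wsse:Security header of a request actually carries."""
    root = ET.fromstring(xml_text)
    found = {"username_token": False, "password_text": False, "timestamp": False}
    sec = root.find("soapenv:Header/wsse:Security", NS)
    if sec is None:
        return found
    token = sec.find("wsse:UsernameToken", NS)
    if token is not None:
        found["username_token"] = True
        pw = token.find("wsse:Password", NS)
        found["password_text"] = pw is not None and pw.get("Type") == PASSWORD_TEXT
    found["timestamp"] = sec.find("wsu:Timestamp", NS) is not None
    return found

def check_policy(found, policy, over_https):
    """List unmet policy assertions, plus a transport warning for cleartext passwords."""
    checks = [
        (policy["transport_binding"] and not over_https, "sp:TransportBinding requires HTTPS but the request used HTTP"),
        (policy["include_timestamp"] and not found["timestamp"], "sp:IncludeTimestamp is set but no wsu:Timestamp is in the Security header"),
        ("UsernameToken" in policy["supporting_tokens"] and not found["username_token"], "policy expects a UsernameToken supporting token, none present"),
        (found["password_text"] and not over_https, "PasswordText credential sent without TLS: readable on the wire"),
    ]
    return [msg for failed, msg in checks if failed]
```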