Applies To:
BIG-IP ASM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Overview: Creating a security policy for web services
Use the Application Security Manager to create a security policy for a web application that uses XML formatting or web services. The security policy can verify that XML requests are well-formed, validate XML documents for compliance with a WSDL or XSD file, and, for SOAP web services, handle encryption and decryption as well as digital signature signing and verification.
The Deployment wizard guides you through the steps required to create a security policy to protect web services or XML transactions.
Considerations for developing XML security
Before you get started, you need to understand a bit about the application you are developing a security policy for. For example, you need to know the answers to the following questions:
- Does the web application publish a WSDL or XML schema (XSD) file that defines the messages it accepts? Many web services describe the structure and data types of their messages in a WSDL or XSD document, and the security policy can validate incoming requests against that definition rather than only checking that they are well-formed XML. If the application has such a file, you need a copy of it to upload into the XML profile.
- Where does the XML arrive: at specific URLs, or inside a specific request parameter? You need to know the URLs or parameter names the application uses, because the XML profile is applied to URLs or parameters in the security policy and only traffic matching them is inspected as XML.
Task summary
About XML security
Because XML is used as a data exchange mechanism, it is important to inspect, validate, and protect XML transactions. With XML security, you can protect the following applications:
- Web services that use HTTP as a transport layer for XML data
- Web services that use encryption and decryption in HTTP requests
- Web services that require verification and signing using digital signatures
- Web applications that use XML for client-server data communications, for example, Microsoft Outlook Web Access
You implement XML security by creating an XML profile for a security policy. The XML profile can protect XML applications in the following ways:
- Validates XML format
- Enforces compliance against XML schema files or WSDL documents
- Implements defense rules for XML documents
- Masks sensitive XML data
- Encrypts and decrypts parts of SOAP (Simple Object Access Protocol) web services
- Signs and verifies parts of SOAP messages using digital signatures
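The first three items in that list are easiest to understand by watching them run. The block below is an added illustration in Python, not F5 code: it applies well-formedness and a handful of document-shape "defense rules" (size, nesting depth, element and child counts, name length, DTD and entity declarations) to raw request bodies with the standard-library expat parser. The limit values, rule names and sample bodies are assumptions constructed for the example; ASM's own defaults and violation names differ, and schema validation, encryption and signing are left out.

```python
"""Added example (illustration only, not F5 code): the kind of well-formedness
and 'defense rule' checks an ASM XML profile enforces on a request body, done
with Python's stdlib expat parser. Limit values, rule names and the sample
bodies are constructed here; ASM's own defaults and violation names differ."""
from dataclasses import dataclass
import xml.parsers.expat


@dataclass
class XmlLimits:
    """Assumed limits on document shape (size, depth, counts, lengths, DTDs)."""
    max_document_size: int = 4096          # bytes, checked before parsing
    max_depth: int = 8
    max_elements: int = 200
    max_children_per_element: int = 50
    max_attributes_per_element: int = 10
    max_name_length: int = 64
    allow_dtd: bool = False                # a DTD enables entity expansion / XXE


def check_xml(document: bytes, limits: XmlLimits = XmlLimits()) -> list:
    """Stream-parse `document` once and return the list of violated rules
    (empty means the body passed). Each rule is reported at most once, so a
    pathological document cannot flood the log with identical findings."""
    violations, seen = [], set()

    def flag(rule: str, detail: str) -> None:
        if rule not in seen:
            seen.add(rule)
            violations.append(f"{rule}: {detail}")

    if len(document) > limits.max_document_size:
        flag("document-size", f"{len(document)} bytes > {limits.max_document_size}")
        return violations                  # oversized input is never parsed

    parser = xml.parsers.expat.ParserCreate()
    depth = elements = 0
    children = []                          # stack: children seen under each open element

    def start_element(name, attrs):
        nonlocal depth, elements
        depth += 1
        elements += 1
        if depth > limits.max_depth:
            flag("depth", f"{depth} > {limits.max_depth}")
        if elements > limits.max_elements:
            flag("element-count", f"{elements} > {limits.max_elements}")
        if len(name) > limits.max_name_length:
            flag("name-length", f"<{name[:16]}...> is {len(name)} chars")
        if len(attrs) > limits.max_attributes_per_element:
            flag("attributes-per-element", f"{len(attrs)} on <{name}>")
        if children:                       # count this element as a child of its parent
            children[-1] += 1
            if children[-1] > limits.max_children_per_element:
                flag("children-per-element", f"{children[-1]} under one parent")
        children.append(0)

    def end_element(name):
        nonlocal depth
        depth -= 1
        children.pop()

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        if not limits.allow_dtd:
            flag("dtd", f"<!DOCTYPE {doctype_name}> present")

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities enable expansion attacks; an external one
        # (system_id set) is the classic XXE vector. Flag either way.
        flag("entity-decl", f"{name} system_id={system_id!r}")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    try:
        parser.Parse(document, True)
    except xml.parsers.expat.ExpatError as exc:
        flag("malformed", str(exc))       # not well-formed: never reaches the app
    return violations


# Constructed sample bodies (not captured traffic).
GOOD_SOAP = (b'<?xml version="1.0"?><soap:Envelope xmlns:soap='
             b'"http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
             b'<GetQuote xmlns="urn:example"><symbol>F5</symbol></GetQuote>'
             b'</soap:Body></soap:Envelope>')
XXE_SOAP = (b'<!DOCTYPE x [<!ENTITY leak SYSTEM "file:///etc/passwd">]>'
            b'<x><symbol>&leak;</symbol></x>')
DEEP_XML = b"<a>" * 20 + b"</a>" * 20      # 20 levels deep, over max_depth
WIDE_XML = b"<r>" + b"<i/>" * 60 + b"</r>"  # 60 children under one parent
BROKEN_XML = b"<soap:Envelope><soap:Body></soap:Envelope>"

if __name__ == "__main__":
    for label, doc in [("good", GOOD_SOAP), ("xxe", XXE_SOAP), ("deep", DEEP_XML),
                       ("wide", WIDE_XML), ("broken", BROKEN_XML)]:
        print(label, check_xml(doc) or "ok")
```

Two design points carry over to the real profile: the size limit is applied before any parsing, because an oversized body should never cost parser time, and the DTD check fires on the declaration itself rather than on a later entity reference, so a document is rejected before any expansion can happen.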
Creating a security policy for web services
Before you can create a security policy using ASM, you need to complete the basic BIG-IP system configuration tasks including creating a VLAN, a self IP address, and other tasks according to the needs of your networking environment.
Creating a basic XML profile
Creating an XML profile with WSDL validation
When you upload a WSDL document, the system automatically populates the list of SOAP methods in the validation configuration of the XML profile. It also adds each service endpoint URL it finds in the WSDL to the security policy, associates the XML profile with those URLs, and records the operations defined for them as valid SOAP methods. By default, all methods are enabled, which means the security policy allows requests that call them; review the list and disable any method that clients should not be able to reach through the policy, since the WSDL describes everything the service exposes, not only what you intend to publish.
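What "populating the SOAP method list from a WSDL" amounts to, and why the earlier question about having a copy of the WSDL matters, is shown by the added Python example below. It is not F5's implementation: it parses a constructed WSDL 1.1 document with the standard-library XML parser, lists the (endpoint URL, operation, SOAPAction) triples that would become policy URLs and SOAP methods, and then matches a request body against that list the way an enable/disable switch per method would. The namespace URIs are the real WSDL and SOAP ones; the service name, operations and endpoint are made up.

```python
"""Added example (not F5's implementation): what "populating the SOAP method
list from a WSDL" amounts to, and how a request is matched against it, using
the stdlib XML parser on a constructed WSDL 1.1 document. The namespace URIs
are the real WSDL/SOAP ones; service name, operations and endpoint are made up."""
from typing import Optional
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
    "soap12": "http://schemas.xmlsoap.org/wsdl/soap12/",
}
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

SAMPLE_WSDL = b"""<?xml version="1.0"?>
<definitions name="QuoteService" targetNamespace="urn:example:quote"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="urn:example:quote">
  <portType name="QuotePortType">
    <operation name="GetQuote"><input message="tns:GetQuoteIn"/></operation>
    <operation name="ListSymbols"><input message="tns:ListIn"/></operation>
  </portType>
  <binding name="QuoteBinding" type="tns:QuotePortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetQuote"><soap:operation soapAction="urn:example:quote/GetQuote"/></operation>
    <operation name="ListSymbols"><soap:operation soapAction="urn:example:quote/ListSymbols"/></operation>
  </binding>
  <service name="QuoteService">
    <port name="QuotePort" binding="tns:QuoteBinding">
      <soap:address location="https://api.example.com/ws/quote"/>
    </port>
  </service>
</definitions>"""


def soap_methods(wsdl: bytes) -> list:
    """One record per (endpoint path, operation): the raw material for the
    SOAP-method list and for the URLs the policy gains from the WSDL."""
    root = ET.fromstring(wsdl)
    methods = []
    for port in root.iterfind("wsdl:service/wsdl:port", NS):
        address = port.find("soap:address", NS)
        if address is None:
            address = port.find("soap12:address", NS)
        if address is None:
            continue                       # not SOAP over HTTP: nothing to list
        path = urlparse(address.get("location")).path
        binding_name = port.get("binding").split(":")[-1]   # drop the tns: prefix
        binding = root.find(f"wsdl:binding[@name='{binding_name}']", NS)
        if binding is None:
            continue
        for op in binding.findall("wsdl:operation", NS):
            soap_op = op.find("soap:operation", NS)
            if soap_op is None:
                soap_op = op.find("soap12:operation", NS)
            methods.append({
                "url": path,
                "operation": op.get("name"),
                "soap_action": None if soap_op is None else soap_op.get("soapAction"),
                "enabled": True,           # as in ASM: every discovered method starts out allowed
            })
    return methods


def called_method(request_body: bytes) -> Optional[str]:
    """Local name of the first child of soap:Body, i.e. the operation being
    invoked; None if the body is not a SOAP envelope or is not well-formed."""
    try:
        root = ET.fromstring(request_body)
    except ET.ParseError:
        return None
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        return None
    return body[0].tag.split("}", 1)[-1]


def method_allowed(methods: list, url: str, request_body: bytes) -> bool:
    """Enforcement: the request must hit a WSDL-derived URL and call an
    operation that is listed for it and still enabled."""
    name = called_method(request_body)
    return any(m["url"] == url and m["operation"] == name and m["enabled"]
               for m in methods)


def soap_request(operation: str) -> bytes:
    """Build a minimal constructed SOAP 1.1 request calling `operation`."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body>'
            f'<{operation} xmlns="urn:example:quote"><symbol>FFIV</symbol></{operation}>'
            f'</soap:Body></soap:Envelope>').encode()


if __name__ == "__main__":
    methods = soap_methods(SAMPLE_WSDL)
    for m in methods:
        print(m)
    print(method_allowed(methods, "/ws/quote", soap_request("GetQuote")))    # True
    print(method_allowed(methods, "/ws/quote", soap_request("DeleteAll")))   # False
```

Note that the match is made on the operation element inside the SOAP body, not on the SOAPAction header: the header is client-supplied and easy to forge, while the body element is what the service actually dispatches on. Flipping `enabled` to False for a record is the equivalent of clearing a method's checkbox in the profile.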
Creating an XML profile with XML schema validation
Reviewing the status of an XML security policy
Fine-tuning an XML security policy
The system did not detect any new XML violations over the last hour
Enforcing a security policy
Flowchart for configuring XML security policy
How you proceed with configuring XML security depends on the type of application you want to protect. If the application simply exchanges XML content over HTTP, creating the security policy is straightforward: an XML profile with format validation and, if a schema is available, XSD validation. If your application is a SOAP web service, you have additional options for setting up the security policy, such as WSDL validation, SOAP method enforcement, and encryption and digital signature handling for parts of the SOAP messages.