Applies To: BIG-IP ASM
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
Implementing Web Services Security
Overview: Implementing web services security
Web services security adds another level of protection to XML-based web applications by embedding security-related data within SOAP messages. For web services that Application Security Manager™ protects, you can use web services security to do the following:
- Encrypt and decrypt parts of SOAP messages
- Digitally sign parts of SOAP messages
- Verify parts of SOAP messages using digital signatures
If you want to use features such as encryption, you can add web services security to an existing security policy that has an associated XML profile. You can enforce web services security only for URLs.
About client and server certificates
Client and server certificates are XML digital signatures that ensure the integrity of the message data, and can authenticate the identity of the document signer. By importing client and server certificates, the system can perform encryption and decryption of SOAP messages.
The system uses client and server certificates differently:
- Server certificates: decrypt SOAP messages from a web client to a web service, or sign SOAP messages from a web service back to a web client.
- Client certificates: encrypt SOAP messages from a web service to a web client, or verify SOAP messages from a web client to a web service.
Adding client and server certificates
To use web services security for encryption, decryption, and digital signature signing and verification, you must upload client and server certificates onto the Application Security Manager™. The system uses these certificates to process Web Services Security markup in SOAP messages within requests and responses to and from web services.
You must import both client and server certificates to perform encryption and decryption on the Application Security Manager.
Enabling encryption, decryption, signing, and verification of SOAP messages
Writing XPath queries
You can write up to three XPath queries to define the content that you are looking for in XML documents. When writing XPath queries, you use a subset of the XPath syntax described in the XML Path Language (XPath) standard at http://www.w3.org/TR/xpath.
These are the rules for writing XPath queries for XML content-based routing.
- Express the queries in abbreviated form.
- Map all prefixes to namespaces.
- Use only ASCII characters in queries.
- Write queries to match elements and attributes.
- Use wildcards as needed for elements and namespaces; for example, //emp:employee/*.
- Do not use predicates in queries.
Syntax for XPath expressions
This table shows the syntax to use for XPath expressions.
| Expression | Description |
|---|---|
| Nodename | Selects all child nodes of the named node. |
| @Attname | Selects all attribute nodes of the named node. |
| / | Indicates an XPath step. |
| // | Selects nodes that match the selection no matter where they are in the document. |
XPath query examples
This table shows examples of XPath queries.
| Query | Description |
|---|---|
| /a | Selects the root element a. |
| //b | Selects all b elements wherever they appear in the document. |
| /a/b:* | Selects any element in the namespace bound to prefix b that is a child of the root element a. |
| //a/b:c | Selects c elements in the namespace bound to prefix b that are children of an a element, wherever that a element appears. |
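As an added example that is not part of the F5 documentation, the following Python script enforces the query rules listed above (abbreviated form, every prefix mapped, ASCII only, no predicates, element and attribute steps only) and then evaluates the queries from the examples table against a constructed SOAP-style document using the standard library's ElementTree. The sample document, the prefix map binding b to urn:example:b, and all function names are assumptions made for this demonstration; ASM's own XPath engine is not involved. It goes slightly beyond the table by also handling a final @attribute step, which ElementTree does not select natively.

```python
# Added example (not part of the F5 documentation): a checker for the XPath
# subset rules listed on the page, plus an evaluator that runs the page's sample
# queries with Python's standard ElementTree (3.8+ for namespace wildcards).
# The sample document, prefix map and function names are assumptions.
import re
import xml.etree.ElementTree as ET

# Constructed sample document: a root element "a" mixing namespaced children
# (prefix "b") with plain ones, so that every query in the examples table matches.
SAMPLE_XML = """<a xmlns:b="urn:example:b" id="root">
  <b:c id="c1">first</b:c>
  <b:d>second</b:d>
  <x>
    <b:c id="c2">nested</b:c>
    <b>plain b inside x</b>
  </x>
  <b>plain b under the root</b>
</a>"""

# "Map all prefixes to namespaces": every prefix used in a query must appear here.
PREFIX_MAP = {"b": "urn:example:b"}

# One abbreviated step: name, prefix:name, *, prefix:*, @name or @prefix:name.
STEP_RE = re.compile(r"^@?(?:[A-Za-z_][\w.-]*:)?(?:\*|[A-Za-z_][\w.-]*)$")


class XPathPolicyError(ValueError):
    """A query violates the documented subset rules."""


def check_query(query: str, prefix_map: dict) -> None:
    """Reject anything outside the subset: non-ASCII text, predicates, explicit
    axes, unmapped prefixes, and attribute steps that are not the final step.
    Assumption of this demo: queries are absolute (start with / or //)."""
    if not query.isascii():
        raise XPathPolicyError("use only ASCII characters")
    if "[" in query or "]" in query:
        raise XPathPolicyError("predicates are not allowed")
    if "::" in query:
        raise XPathPolicyError("use the abbreviated form, not explicit axes")
    if not query.startswith("/") or query.endswith("/") or "///" in query:
        raise XPathPolicyError("expected an absolute path such as /a/b or //b")
    steps = [s for s in query.split("/")[1:] if s]  # empty entries only mark '//'
    for i, step in enumerate(steps):
        if not STEP_RE.match(step):
            raise XPathPolicyError(f"unsupported step {step!r}")
        if step.startswith("@") and i != len(steps) - 1:
            raise XPathPolicyError("an attribute step must be the last step")
        prefix, sep, _ = step.lstrip("@").partition(":")
        if sep and prefix not in prefix_map:
            raise XPathPolicyError(f"prefix {prefix!r} is not mapped to a namespace")


def evaluate(document: ET.Element, query: str, prefix_map: dict) -> list:
    """Evaluate an accepted query against the document element. Returns the
    matching elements, or attribute values when the last step is @name.
    ElementTree has no document node, so a throwaway wrapper element plays
    that role; this is what lets '/a' select the document element itself."""
    check_query(query, prefix_map)
    wrapper = ET.Element("document-node")
    wrapper.append(document)
    head, _, last = query.rpartition("/")
    if not last.startswith("@"):
        return wrapper.findall("." + query, prefix_map)
    # Attribute step: select the owning elements first. A trailing '//' (as in
    # '//@id') has to visit every element, so it becomes '//*'.
    element_path = head + "/*" if head.endswith("/") else head
    owners = wrapper.findall("." + element_path, prefix_map)
    name = last[1:]
    prefix, sep, local = name.partition(":")
    if sep:
        name = "{%s}%s" % (prefix_map[prefix], local)  # ElementTree's {uri}name form
    return [e.get(name) for e in owners if e.get(name) is not None]


def run_examples() -> dict:
    """Run the four queries from the examples table plus one attribute query
    against SAMPLE_XML; maps each query to its result tags or attribute values."""
    root = ET.fromstring(SAMPLE_XML)
    out = {}
    for q in ("/a", "//b", "/a/b:*", "//a/b:c", "//b:c/@id"):
        hits = evaluate(root, q, PREFIX_MAP)
        out[q] = [h if isinstance(h, str) else h.tag for h in hits]
    return out


def rejects(query: str) -> bool:
    """True when the checker refuses the query (shows each rule firing)."""
    try:
        check_query(query, PREFIX_MAP)
    except XPathPolicyError:
        return True
    return False


if __name__ == "__main__":
    for q, r in run_examples().items():
        print(f"{q:12} -> {r}")
    for bad in ("//b[@id='c1']", "//c:x", "/a/descendant::b", "//caf\u00e9", "/a/@id/b"):
        print(f"{bad!r} rejected: {rejects(bad)}")
```

Running the script prints one line per table query (for example `/a/b:*` yields the two namespaced children of the root, `{urn:example:b}c` and `{urn:example:b}d`) and then shows the checker refusing a predicate, an unmapped prefix, an explicit axis, a non-ASCII name and a mid-path attribute step. Validating a query against the subset before it is deployed is cheaper than discovering at enforcement time that a routing rule silently never matches.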
Configuring blocking actions for web services security
- If configured to Learn or Alarm when the violation occurs, the system does not encrypt or decrypt the SOAP message, and sends the original document to the web service.
- If configured to Block when the violation occurs, the system blocks the traffic and prevents the document from reaching its intended destination. The system sends a blocking response page. If the XML profile associated with the policy is configured to use an XML blocking response page, it uses the XML response. Otherwise, it uses the default response page.
- If a web services security violation occurs on an entity in staging, for example, a URL in staging associated with an XML profile, the violation (set to alarm or block) is not enforced.