358 Patterns: Implementing Self-Service in an SOA Environment
Figure 10-42 Point-to-point security with HTTPS
Here are a few simple guidelines to help decide when transport-level security
should be used:
- No intermediaries are used in the Web service environment.
  With intermediaries, the entire message has to be decrypted to access the
  routing information. This would break the overall security context.
- The transport is only based on HTTP.
  No other transport protocol can be used with HTTPS.
- The Web services client is a stand-alone Java program.
  WS-Security can only be applied to clients that run in a J2EE container (EJB
  container, Web container, application client container). HTTPS is the only
  option available for stand-alone clients.
The service integration bus provides facilities for secure communication between
service requestors and the bus (inbound to the bus), and between the bus and
any target Web services (outbound from the bus). Security in the bus can be
applied at a number of different levels:
- Web services security (WS-Security) in the bus
- HTTP endpoint listener authentication
- Using HTTPS with the bus
- Proxy server authentication
For more details on how to implement the above security levels in the bus, see
Chapter 22 of WebSphere Version 6 Web Services Handbook Development and
10.8.2 Web Services Gateway
If you are deploying the application using Network Deployment, you have the
option to deploy your Web services through IBM’s Web Services Gateway. This
option is not available for standalone server environments.