What Every NonStop User Should Know About Web Service Security
Question: How can you tell who the NonStop users are in the audience when you are doing a product presentation?
Answer: They are the ones who always ask:
Is it high-performance?
Is it scalable?
Is it secure?
In this article, we want to address the question of security as it relates to Web Service.
Security is always on NonStop users’ minds, as they are very protective of their applications and data on the platform. Historically, security came relatively easily because of the proprietary nature of the Guardian platform, with its unique NonStop world of the 6530 terminal protocol, SCOBOL code, TAL, and so on. Today this “security through obscurity” has given way to open architectures that promote easier inter-platform exchange. Nowadays more and more NonStop users are embracing the benefits of SOA and Web Services, and at the same time they still want assurance that security measures are available to protect their data.
Here is a quick review of some basic measures you can use to secure Web Service transactions:
Access Control – Make sure your WSDLs and Web Services can be accessed only by authorized sources.
Enforce the rule that only computers with a specific IP address or within a range of IP addresses can have access.
Require authentication to access the web service repository. That is, all requests must have a User ID and Password to get through. SOAPam supports both Basic and Digest Authentication.
Instead of allowing any authenticated user to access all web services, consider segmenting them into service groups, each accessible only to the users authorized for that group. This way you can protect more sensitive web services (such as one that UPDATES payroll data) from unauthorized users. SOAP/AM provides the ability to restrict certain web services to certain users.
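As an added illustration of the three access-control measures above (this is not SOAPam code; the networks, user accounts and service names are constructed and hypothetical), a small Python policy check that applies them in the order a front end would: network allow-list, HTTP Basic authentication, then per-service-group authorization.

```python
import base64
import hmac
import ipaddress
from hashlib import sha256
# Constructed policy for the three access-control measures above: IP allow-list, HTTP Basic
# authentication and per-service-group authorization. Hypothetical names, not SOAPam configuration.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                    ipaddress.ip_network("192.0.2.10/32")]
# Credentials kept as SHA-256 digests rather than plaintext (constructed sample users).
USERS = {"inquiry_app": sha256(b"inq-pass").hexdigest(),
         "payroll_app": sha256(b"pay-pass").hexdigest()}
# Each service belongs to a group that lists who may call it; UpdatePayroll is reachable by fewer users.
SERVICE_GROUPS = {"AccountInquiry": "inquiry", "UpdatePayroll": "payroll"}
GROUP_MEMBERS = {"inquiry": {"inquiry_app", "payroll_app"}, "payroll": {"payroll_app"}}

def basic_header(user, password):
    """Build the Authorization header a client would send (used to construct sample requests)."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()

def ip_allowed(client_ip):
    """True if the client address falls inside one of the permitted networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)

def basic_auth_user(authorization_header):
    """Return the user name if the header carries valid Basic credentials, else None."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        user, password = base64.b64decode(authorization_header[6:], validate=True).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or missing ':' separator
    expected = USERS.get(user)
    # compare_digest is constant-time, so the check does not leak how many bytes matched
    if expected and hmac.compare_digest(sha256(password.encode()).hexdigest(), expected):
        return user
    return None

def authorize(client_ip, authorization_header, service):
    """Checks in order: network, authentication, service-group authorization; returns (status, reason)."""
    if not ip_allowed(client_ip):
        return 403, "client address not permitted"
    user = basic_auth_user(authorization_header)
    if user is None:
        return 401, "authentication required"
    group = SERVICE_GROUPS.get(service)
    if group is None or user not in GROUP_MEMBERS[group]:
        return 403, "user %s not authorized for service %s" % (user, service)
    return 200, "%s permitted for %s" % (service, user)
```

The returned reason string is what you would want in the server log, since a rejected request is only useful to operations if the refusal stage is recorded.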
Encryption – Protect the request and response data by encrypting it in flight.
One of the benefits of using SOAP is that HTTPS is available for encryption.
Both SSL and TLS encryption are included as standard in SOAPam.
The above should be augmented by additional, higher-level security at the application level.
For example, you may want to require a valid application level logon and password to determine whether the user is entitled to perform the requested function.
By adopting SOAP and Web Services, you will enable your programs to interoperate more easily with other platforms, while taking advantage of the many available built-in security features such as HTTP authentication and encryption via SSL/TLS.