Access and authentication for web services
BMC CMDB web services has several supported security policies that are consistent with the Web Services Security 1.0 standard. These policies facilitate authentication, integrity, and confidentiality of the information passed through BMC CMDB web services. You can use these supported policies and configuration settings to use BMC CMDB web services immediately after installation.
Complying with Web Services security policies
BMC CMDB requires client authentication with wsse:Username. The wsse:Username authentication is the only default security policy.
Supported security policies for SOAP requests
BMC CMDB provides security policies for incoming Simple Object Access Protocol (SOAP) requests.
- The wsse:UsernameToken element manages authentication to BMC CMDB. You cannot remove or disable this policy.
- (optional) XML Digital Signature manages authentication to the web service layer and verification of the integrity of the content of the SOAP request.
- (optional) XML Encryption manages confidentiality of the content of the SOAP request.
Authenticating to BMC CMDB with web services
The security policy that manages authentication to BMC CMDB requires a Simple Object Access Protocol (SOAP) request that includes wsse:UsernameToken and wsse:Password as mandatory elements. The other elements are optional. The following table describes the authentication elements.
Authentication elements
If created date and time enforcement is disabled, any created date and time token sent with the username is ignored.
The following is an example of the wsse:UsernameToken element:
The following example assumes that the password Type is PasswordText:
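The following is an added example, not BMC's code or the page's own sample, showing what a wsse:UsernameToken with a PasswordText password looks like on the wire and how a server-side check consumes it, including the created date and time enforcement switch mentioned above. The element and attribute names are the standard OASIS WSS 1.0 / Username Token Profile 1.0 ones; the user name, password, 300-second freshness window and the rule that a missing wsu:Created is rejected when enforcement is on are assumptions of this example, not documented BMC settings.

```python
"""wsse:UsernameToken (PasswordText) request construction and a server-side check.

Added example; namespaces are the standard WSS 1.0 ones, all other values are
constructed for illustration.
"""
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_request(username, password, created=None):
    """Return a SOAP envelope whose Security header carries a wsse:UsernameToken."""
    ET.register_namespace("soapenv", SOAP)
    ET.register_namespace("wsse", WSSE)
    ET.register_namespace("wsu", WSU)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    # Type attribute marks the password as clear text (PasswordText), as in the page.
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": PASSWORD_TEXT})
    pw.text = password
    if created is not None:  # optional wsu:Created timestamp
        ET.SubElement(tok, f"{{{WSU}}}Created").text = created.strftime(TIME_FMT)
    ET.SubElement(env, f"{{{SOAP}}}Body")
    return ET.tostring(env, encoding="unicode")


def authenticate(xml_text, credentials, enforce_created=True, now=None,
                 max_skew=timedelta(seconds=300)):
    """Server-side check of the UsernameToken. Returns (ok, reason).

    credentials is a user -> password mapping standing in for the real user store.
    When enforce_created is False, any wsu:Created present is ignored, matching
    the behaviour described for disabled created date and time enforcement.
    """
    root = ET.fromstring(xml_text)
    tok = root.find(f".//{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if tok is None:
        return False, "missing wsse:UsernameToken"
    user = tok.findtext(f"{{{WSSE}}}Username")
    pw_el = tok.find(f"{{{WSSE}}}Password")
    if not user or pw_el is None or pw_el.text is None:
        return False, "missing wsse:Username or wsse:Password"
    if pw_el.get("Type", PASSWORD_TEXT) != PASSWORD_TEXT:
        return False, "unsupported password Type"
    if enforce_created:
        created = tok.findtext(f"{{{WSU}}}Created")
        if created is None:
            return False, "wsu:Created required"  # assumption of this example
        ts = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        now = now or datetime.now(timezone.utc)
        if abs(now - ts) > max_skew:
            return False, "wsu:Created outside freshness window"
    expected = credentials.get(user, "").encode()
    # constant-time comparison so the check does not leak password length/prefix
    if not hmac.compare_digest(expected, pw_el.text.encode()):
        return False, "bad credentials"
    return True, "authenticated"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    store = {"Demo": "Password1"}  # constructed credentials
    req = build_request("Demo", "Password1", created=now)
    print(req)
    print(authenticate(req, store, now=now))
```

The check runs in the order a server would: structural elements first, then the timestamp window (only when enforcement is on), then the credential comparison, so a stale or malformed token is rejected before the password is ever compared.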
Web services authentication and request message integrity
The security policy that manages web services authentication and request message integrity checks requires that you authenticate to the web services and validate that the content of the message was not altered in transit or at any other point in its lifetime.
This security policy requires the client to generate a public/private key pair for use with one of the following supported asymmetric signing algorithms. The client's private keystore keeps the private key safe and signs messages with the signing algorithm.
Message validation
When validating the message, the incoming service validates the following items:
- The signed content is unchanged. It verifies this by validating the signature against the public key contained in the X509v3 certificate sent with the Simple Object Access Protocol (SOAP) request.
- The certificate was signed by a trusted certificate authority. It does this to authenticate the client and allow the request to process further.
A trusted certificate authority must sign the X509v3 certificate before use. BMC CMDB web services authenticates the X509v3 certificate, contained in the wsse:BinarySecurityToken element, by validating the signature of the certificate issued by a trusted certificate authority.
Trusted certificate authorities
BMC CMDB web services uses a truststore file, which contains the public keys of common trusted certificate authorities, to validate X509v3 certificates. See the following table for details about the default truststore.
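The two validation steps described above (the signature checked against the public key in the certificate carried with the request, and that certificate checked against a trusted certificate authority from the truststore) as an added, runnable example. This is not BMC's code: it uses the `cryptography` package (assumed installed), an in-memory list of CA certificates standing in for the truststore file, and constructed CA and client identities ("Demo CA", "cmdb-client", "rogue") rather than any real certificate.

```python
"""X.509-signed request validation: message signature first, then issuer trust.

Added example, not BMC code. Uses the `cryptography` package; the truststore
is a plain list of trusted CA certificates, all names are constructed.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue_cert(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Issue an X509v3 certificate; pass the same key/name twice for a self-signed CA."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(_name(subject_cn))
               .issuer_name(_name(issuer_cn))
               .public_key(subject_key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(minutes=5))
               .not_valid_after(now + timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None),
                              critical=True))
    return builder.sign(issuer_key, hashes.SHA256())


def sign_message(body, client_key):
    """Client side: sign the request content with the private key from the keystore."""
    return client_key.sign(body, padding.PKCS1v15(), hashes.SHA256())


def validate_request(body, signature, client_cert, truststore):
    """Server side. Returns (ok, reason) following the page's two checks."""
    # 1. Content unchanged: the signature must verify under the public key of the
    #    certificate presented with the request (the wsse:BinarySecurityToken).
    try:
        client_cert.public_key().verify(signature, body, padding.PKCS1v15(),
                                        hashes.SHA256())
    except InvalidSignature:
        return False, "message signature does not verify"
    # 2. Certificate issued by a trusted CA: locate the issuer in the truststore
    #    and verify the CA's signature over the certificate's TBS bytes.
    for ca in truststore:
        if ca.subject != client_cert.issuer:
            continue
        try:
            ca.public_key().verify(client_cert.signature,
                                   client_cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(),
                                   client_cert.signature_hash_algorithm)
        except InvalidSignature:
            continue  # same name, wrong key: keep looking
        now = datetime.now(timezone.utc).replace(tzinfo=None)  # naive UTC like the cert
        if not (client_cert.not_valid_before <= now <= client_cert.not_valid_after):
            return False, "certificate outside validity period"
        return True, "authenticated"
    return False, "certificate not issued by a trusted CA"


def demo():
    """Build a CA, a client cert signed by it, and show accept/reject outcomes."""
    ca_key = new_key()
    ca_cert = issue_cert("Demo CA", ca_key, "Demo CA", ca_key, True)
    client_key = new_key()
    client_cert = issue_cert("cmdb-client", client_key, "Demo CA", ca_key, False)
    truststore = [ca_cert]
    body = b"<soapenv:Body>constructed request</soapenv:Body>"
    sig = sign_message(body, client_key)
    good = validate_request(body, sig, client_cert, truststore)
    tampered = validate_request(body + b"!", sig, client_cert, truststore)
    rogue_key = new_key()  # self-signed cert that is NOT in the truststore
    rogue_cert = issue_cert("rogue", rogue_key, "rogue", rogue_key, False)
    untrusted = validate_request(body, sign_message(body, rogue_key), rogue_cert, truststore)
    return good, tampered, untrusted


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Note the order: a tampered body fails at step 1 even when the certificate is trusted, and a self-signed certificate that is not in the truststore fails at step 2 even though its signature over the body is valid. This is exactly why the self-signed certificate used for initial testing must itself be loaded into the truststore.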
Truststore details
For initial use and testing of BMC CMDB web services, you can use the client keystore (described in the following table), which contains a public and a private key, for proper signatures and authentication so that you can begin consuming BMC CMDB web services. The truststore contains a self-signed public certificate as a trusted certificate authority.
Client keystore details