2 Replies Latest reply on Feb 5, 2013 12:14 PM by Michel

    Security for WS created using Provide Web Service Wizard

      We have "Provided few PeopleSoft WSDLs" to a third party that uses these WSDLs to fetch data from PeopleSoft. (Perfect!)

      Problem: Anyone else other than the third party, who knows the WSDL URL and Request Parameters can get the data from PeopleSoft. (Not Good!)

      Question: What is the simplest way to implement WSDL / WS Security so that only a particluar external system/target system (Fusion/Salesforce/etc..) can only invoke them to fetch data from PSFT? (or) In other words, Can we configure the PeopleSoft IB with a 'white list' of requesting domains that are allowed to invoke the services, say (google.com,salesforce.com,oracle.com)

      In short What is the simplest method to secure WS created using Provide Web Service Wizard! ?

      Any suggestions to make these WSDL URLs safe will be greatly appreciated! Thank You!

        • 1. Re: Security for WS created using Provide Web Service Wizard
          Hi Ashish,

          WS-Security can be enabled by checking the "User/Password Required" check-box via "PeopleTools-> Integration Broker-> Integration Setup-> Service Operations". You can grant access to specific Permission Lists by clicking the "Service Operation Security" link. Create a user/role that has access to this permission list and instruct your "third party" to include a wsse security header containing the username and password in the soap message.

          I don't know of any provided way to filter requests based on the requesting domain. This can be done through a reverse proxy, apache httpd with mod_rewrite for example.


          Bauke Gehem
          • 2. Re: Security for WS created using Provide Web Service Wizard
            The PeopleBooks contain a whole chapter on how to set up secure integration between environments:


            I've linked the 8.52 version here, so depending on your actual tools version you might have to search for it in the books for your version.

            I think there isn't an 'easiest' way when securing webservices properly. My advice would be what Bauke suggested in combination with SSL/TLS encryption. This in combination with certificates prevents any unwanted access.