PortSight Secure Access Documentation

Using Secure Access Web Service (ARWebService)

 

Introduction

 

PortSight Secure Access Web Service (ARWebService) allows you to authenticate users and control their access in client (WinForms) applications. This chapter provides an overview of ARWebService, and the following sub-chapters guide you through the installation and development process:

 


 

ARWebService Overview


 

Since ARWebService itself must be well secured, it uses the Microsoft Web Services Enhancements 1.0 SP1 add-on (see http://msdn.microsoft.com/webservices), in particular the WS-Security specification, which provides three main mechanisms for protecting XML Web services:

 

In short, WS-Security provides a foundation for protecting XML Web services. WS-Security is flexible and designed to be used as the basis for securing XML Web services through the combination of a wide variety of security models, including public key infrastructure (PKI).

 

ARWebService is intended to be secured with X.509 certificates using digital signatures and asymmetric encryption. Digital signatures help to verify the trustworthiness of the partner and verify that the message has not been altered since it was signed. Asymmetric encryption encrypts the content of the SOAP message and thus protects it against eavesdropping during transmission.

 

An alternative way of securing the communication is symmetric encryption. It may be used together with X.509 certificates to strengthen security, or as a standalone security mechanism where X.509 certificates cannot be used for some reason. Symmetric encryption alone is not reliable enough, because it encrypts the transmitted data but does not sign it. Such a message cannot be protected against alteration during transmission, and the sender's identity cannot be verified either. Moreover, it is difficult to store the shared symmetric key safely on the client.
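
The following is an added illustration of the point above, not code from PortSight or from WSE: a receiver that only decrypts accepts a message altered in transit, while a receiver that also checks an integrity tag rejects it. It assumes a toy SHA-256 keystream as the symmetric cipher and an HMAC as a stand-in for the integrity check that an X.509 signature provides (unlike a signature, a shared-key HMAC does not show which key holder sent the message); all function names and the sample message are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key, nonce, length):
    # SHA-256 in counter mode: a teaching stand-in for a real symmetric cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_only(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))

def decrypt_only(key, message):
    nonce, body = message[:NONCE_LEN], message[NONCE_LEN:]
    return _xor(body, _keystream(key, nonce, len(body)))

def encrypt_and_tag(enc_key, mac_key, plaintext):
    sealed = encrypt_only(enc_key, plaintext)
    return sealed + hmac.new(mac_key, sealed, hashlib.sha256).digest()

def verify_and_decrypt(enc_key, mac_key, message):
    sealed, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, sealed, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed: message was altered")
    return decrypt_only(enc_key, sealed)

def altered_in_transit(message, index):
    # Simulates one byte of the message changing on the wire.
    changed = bytearray(message)
    changed[index] ^= 0x01
    return bytes(changed)

def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    body = b'<Role user="alice">Reader</Role>'  # constructed sample payload
    # Encrypt-only receiver: decrypts the altered message without any error.
    received = decrypt_only(
        enc_key, altered_in_transit(encrypt_only(enc_key, body), NONCE_LEN + 3))
    # Integrity-checking receiver: the same alteration is detected.
    try:
        verify_and_decrypt(enc_key, mac_key, altered_in_transit(
            encrypt_and_tag(enc_key, mac_key, body), NONCE_LEN + 3))
        rejected = False
    except ValueError:
        rejected = True
    return body, received, rejected
```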

You can choose one of the following security mechanisms by configuring the ARWebService through its Web.config file:

 

Architecture

 

 

 

Additional Notes

 

The Web Service automatically (without additional configuration) supports the following security scenarios: