Layer7 API Management

  • 1.  Can someone please help me to know what is the use of Require WS-Secure Conversation Assertion and when it is supposed to be used?

    Posted Aug 25, 2016 06:58 AM

    I want to know when this assertion is to be considered .



  • 2.  Re: Can someone please help me to know what is the use of Require WS-Secure Conversation Assertion and when it is supposed to be used?

    Broadcom Employee
    Posted Aug 25, 2016 10:19 AM

    Hi SoniaMehta,

     

    The Require WS-Secure Conversation assertion allows you to require that request and response messages be secured using a secure conversation session. WS-SecureConversation  works in conjunction with WS-Security, WS-Trust and WS-Policy.

     

    I have included some links below detailing the specification.

     

    Require WS-Secure Conversation Assertion - CA API Gateway - 9.1 - CA Technologies Documentation 

    WS-SecureConversation 1.3 

    Using WS-Trust and WS-SecureConversation 

     

    Regards,

    Joe



  • 3.  Re: Can someone please help me to know what is the use of Require WS-Secure Conversation Assertion and when it is supposed to be used?

    Posted Aug 25, 2016 10:22 AM

    beat me to it lol...



  • 4.  Re: Can someone please help me to know what is the use of Require WS-Secure Conversation Assertion and when it is supposed to be used?
    Best Answer

    Posted Aug 25, 2016 10:22 AM

    Hello Sonia,

    Here's some info i was able to find,

     

    High Level, that assertion requires that the inbound message has the portions of the request needed to be WS-Secure compliant, if not, it will fail.

     

    DOCOPS

    The Require WS-Secure Conversation assertion allows you to require that request and response messages be secured using a secure conversation session. Specifically, messages must:

    • Include a "SecurityContextToken" referencing an already-established WS-Secure Conversation session
    • Include at least one element signed with the shared secret from this session as proof of possession of the session shared secret

    The Require WS-Secure Conversation assertion is a credential source that saves the user that owns the session for later authorization via the Authenticate User or Group Assertion. This assertion can be used in tandem with the Protect Against Message Replay, Sign Element, and Encrypt Element assertions.

    Some more information about using WS-Secure Conversation on the Gateway:

    • The Require WS-Secure Conversation assertion, by itself, does not require that the request message contain a timestamp, and does not check the validity of any time stamp that might be present. To protect against stale or replayed messages, use the Require WS-Secure Conversation assertion with the Protect Against Message Replay Assertion.
    • This assertion may behave unexpectedly if there are two users in different identity providers, with both recognizing the same certificate credentials.
    • To enable persistence for WS-Secure Conversation sessions, set the cluster property wss.secureConversation.clusterSessions to "true". This will allow WSSC sessions to be shared between cluster nodes.
    • Federated virtual users are not compatible with secure conversation. For more information on virtual users, see Federated Identity Provider Users and Groups.

     

    WIKIPEDIA

    Pros/Cons[edit]

    Following a pattern similar to TLS, WS-SecureConversation establishes a kind of session key. The processing overhead for key establishment is reduced significantly when compared to WS-Security in the case of frequent message exchanges. However, a new layer is put on top of WS-Security, that implies other WS-* protocols like WS-Addressing and WS-Trust. So the importance of performance has to be compared to the added complexity and dependencies. See the performance section in WS-Security.



  • 5.  Re: Can someone please help me to know what is the use of Require WS-Secure Conversation Assertion and when it is supposed to be used?

    Posted Aug 26, 2016 12:20 AM

    Thanks Doyle...So this assertion should be placed after some routing assertion?



  • 6.  Re: Can someone please help me to know what is the use of Require WS-Secure Conversation Assertion and when it is supposed to be used?

    Posted Aug 26, 2016 09:45 AM

    Typically, you would want this to be at the top of the policy... its best to fail early if you know the message will eventually fail.



  • 7.  Re: Can someone please help me to know what is the use of Require WS-Secure Conversation Assertion and when it is supposed to be used?

    Posted Aug 29, 2016 01:05 AM

    Thank you so much for your reply.As you said it is for securing request and response using  a session.If possible for you can you please explain it with small practical example (policy).When WS-Secure conversation actually gets established?I am sorry for asking again and again.



  • 8.  Re: Can someone please help me to know what is the use of Require WS-Secure Conversation Assertion and when it is supposed to be used?

    Posted Aug 29, 2016 04:55 AM

    Hi Sonia,

     

    The sample policy "WCF-passtru" uses this assertion. It available in the tread below. Consume WCF Service 

     

    Regards, Heiko.