Web service authentication is controlled using a Web Service User Store. A Web Service User Store is a list of users that can call a Web service hosted by Rhapsody. Each user has a username, a password and a number of certificates.
Every Web service can independently define which users are permitted access. The Web Service User Store is independent of the main Rhapsody user store.
Adding a User
To add a user to the Web service user store:
- Navigate to View>Web Services. The Web Services dialog is displayed.
- Select the Edit Users icon. The Web Services User Store dialog is displayed.
- On the Web Services User Store dialog, in the Password storage mechanism field, indicate whether you want the user store to store hashed or encrypted passwords.
  If this field is changed and one or more users currently have passwords, a warning will be displayed. If converting from encryption to hashes, the warning indicates that this is a one-way conversion. If converting from hashes to encryption, the warning indicates that the conversion will delete all existing passwords (as there is no way to recover them to perform the conversion).
  - Encrypted passwords - Rhapsody can decrypt the passwords to retrieve the plain text passwords.
  - Hashed passwords - Rhapsody can never retrieve the plain text passwords.
- Select the Add icon. The Add New User dialog is displayed.
- Enter the following details:
| Field | Description |
| --- | --- |
| Username | Required. The username must have at least one character, and may only use characters defined as NameChar in Section 2.3 of the XML specification. This effectively limits it to Unicode letters, digits and a few special characters including `:`, `_`, `-` and `.`. |
| Use Rhapsody variable for password | Optional. Select this checkbox if you want to use a Rhapsody variable for the user's password. |
| Password | Optional. If you selected the Use Rhapsody variable for password checkbox, click the Select Variable link to select a variable. Otherwise, enter the password you want to use for the user. Although optional, the password is required if the user calls a Web service that performs UsernameToken authentication. As passwords are set by the administrator, rather than the user, there is no password policy in place. |
| Confirm Password | Optional. If you entered a password in the Password field, reenter the password to confirm it. This field is not available if you selected the Use Rhapsody variable for password checkbox. |

- Select the OK button to add the user to the Web service user store. This applies all the changes to the engine immediately.
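The Username rule above can be checked before a batch of accounts is entered. This is an added example, not Rhapsody code: the function names and sample usernames are constructed, and it assumes the NameChar ranges of XML 1.0 Fifth Edition, since the page does not say which edition applies.

```python
import re

# XML 1.0 (Fifth Edition), Section 2.3: NameStartChar [4] and NameChar [4a].
# Assumption: the page does not name the edition; older editions define
# NameChar through Letter/Digit/CombiningChar/Extender tables instead.
_NAME_START = (
    r":A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D"
    r"\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF"
    r"\uF900-\uFDCF\uFDF0-\uFFFD\U00010000-\U000EFFFF"
)
_NAME_CHAR = _NAME_START + r"\-.0-9\u00B7\u0300-\u036F\u203F-\u2040"
_BAD_CHAR = re.compile("[^" + _NAME_CHAR + "]")

def invalid_chars(username):
    """Return the distinct characters in username that are not NameChar."""
    return sorted(set(_BAD_CHAR.findall(username)))

def check_username(username):
    """Return (ok, reason) for a proposed Web service username."""
    if not username:
        return False, "username must have at least one character"
    bad = invalid_chars(username)
    if bad:
        shown = ", ".join("U+%04X" % ord(c) for c in bad)
        return False, "not NameChar: " + shown
    return True, "ok"

# Constructed sample usernames, not taken from any real system.
SAMPLES = ["lab-system_01", "hl7:feed.A", "9lives", "Zo\u00eb",
           "svc user", "jane@example.org", ""]

if __name__ == "__main__":
    for name in SAMPLES:
        print(repr(name), check_username(name))
```

Spaces and `@` are the usual surprises: an e-mail-style account name is rejected, while a leading digit is accepted because the rule is per character, not the XML Name production.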
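What the Password storage mechanism choice means for UsernameToken verification, as an added example rather than Rhapsody's implementation. Assumptions: PBKDF2 stands in for the unnamed hash algorithm, the digest formula is the one from the OASIS UsernameToken Profile, and the page does not say which password types a Rhapsody service accepts; all values are constructed.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed parameter for this sketch

def store_hashed(password, salt=None):
    """Hashed store: keep only a salt and a one-way PBKDF2 digest."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": dk}

def verify_password_text(record, presented):
    """PasswordText token: the caller sends the password, so re-hash it."""
    dk = hashlib.pbkdf2_hmac("sha256", presented.encode(),
                             record["salt"], ITERATIONS)
    return hmac.compare_digest(dk, record["hash"])

def password_digest(nonce, created, password):
    """PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def verify_password_digest(plaintext, nonce, created, presented):
    """Digest token: recomputing it needs the plain text password, which
    only a reversible (encrypted) store can supply. None = not recoverable."""
    if plaintext is None:
        return False
    expected = password_digest(nonce, created, plaintext)
    return hmac.compare_digest(expected, presented)

if __name__ == "__main__":
    pw = "Constructed-Passw0rd"                      # constructed sample
    nonce, created = os.urandom(16), "2024-01-01T00:00:00Z"
    token = password_digest(nonce, created, pw)
    record = store_hashed(pw)
    print("text vs hashed store:  ", verify_password_text(record, pw))
    print("digest vs encrypted:   ", verify_password_digest(pw, nonce, created, token))
    print("digest vs hashed store:", verify_password_digest(None, nonce, created, token))
```

The last case is the same limitation behind the warning on converting from hashes to encryption: nothing in a hashed record can be turned back into the password.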
Associating Certificates
You may use X509 certificates when calling a Web service. Certificates are optional, but are required if:
- Authentication is carried out using X509 tokens.
- Asymmetric security bindings are in use, and the incoming requests use a reference to the certificate, rather than including it as a binary security token.
The following certificates are accepted as the issuers of the client certificates:
- The certificate corresponding to the web service private key.
- The configured client certificates (self-signed certificates).
- Certificates imported into Rhapsody with a subject name matching the issuer name of the client certificate (it is located automatically as long as the issuer certificate has been imported into Rhapsody).
To associate a user with a certificate:
- Navigate to View>Web Services.
- On the Web Services dialog, select the Edit Users icon.
- On the Web Services User Store dialog, select a user, then select the Edit Certificates icon. The Select Certificates dialog is displayed.
- Select the certificates you want to use to authenticate this user, then select the OK button.
- Select the OK button on the Web Services User Store dialog to apply all the changes to the engine immediately.
In the case of self-signed certificates, where the issuer is the same as the subject, it is sufficient to import the certificate into Rhapsody using the Certificate and Key Manager. However, for two-way SSL authentication in Rhapsody, the setup for non-self-signed user certificates is as follows:
- Import the CA certificate that issued the client certificate, for the SSL handshake.
- Import the web service user leaf certificate for user authentication.
- For end user certification to work, ensure the associated private key is included.
Deleting a User
To delete a user from the Web service user store:
- Navigate to View>Web Services.
- On the Web Services dialog, select the Edit Users icon.
- On the Web Services User Store dialog, select the Delete icon.
- Select the OK button to confirm that you want to delete the user.
- Select the OK button on the Web Services User Store dialog to apply all the changes to the engine immediately.
Importing a Web Service User Store
To import a Web service user store:
- Navigate to View>Web Services.
- On the Web Services dialog, select the Edit Users icon.
- On the Web Services User Store dialog, select the Import icon. The Import Web Services User Store dialog is displayed.
- Click the Browse link to locate the user store you want to import.
- Enter the password to decrypt the file.
- Select the Import button. If the import is successful, Rhapsody displays a confirmation message.
- Select the OK button on the Web Services User Store dialog to apply all the changes to the engine immediately.
Exporting a Web Service User Store
To export a Web service user store:
- Navigate to View>Web Services.
- On the Web Services dialog, select the Edit Users icon.
- On the Web Services User Store dialog, select the Export icon. The Export Web Services User Store dialog is displayed.
- Click the Browse link to select the location to which you want to export the user store and enter a filename.
- Enter a password to encrypt the file.
- Confirm the password, then select the Export button. If the export is successful, Rhapsody displays a confirmation message.