Securing Caché Web Services
[Home] [Back] [Next]
InterSystems: The power behind what matters   

Caché supports parts of the WS-Security, WS-Policy, WS-SecureConversation, and WS-ReliableMessaging specifications, which describe how to add security to web services and web clients. This chapter summarizes the tools and lists the supported standards. It discusses the following:

If your Caché web client uses a web service that requires authentication, and if you do not want to use the features described in this book, you can use the older WS-Security login feature. See Using the WS-Security Login Feature,” in the book Creating Web Services and Web Clients in Caché.
Tools in Caché Relevant to SOAP Security
Caché provides the following tools that are relevant to security for web services and web clients:
You can either use WS-Policy or you can use WS-Security and WS-SecureConversation directly. If you use WS-Policy, the system automatically uses the WS-Security tools as needed. If you use WS-Security or WS-SecureConversation directly, more coding is necessary.
A Brief Look at the WS-Security Header
A SOAP message carries security elements within the WS-Security header element — the <Security> subelement of the SOAP <Header> element. The following example shows some of the possible components:
These elements are as follows:
As shown here, an encrypted key element commonly includes a reference to a binary security token included earlier in the same message, and that token contains information that the recipient can use to decrypt the encrypted key. However, it is possible for <EncryptedKey> to contain the information needed for decryption, rather than having a reference to a token elsewhere in the message. Caché supports multiple options for this.
Similarly, a digital signature commonly consists of two parts: a binary security token that uses an X.509 certificate and a signature element that has a direct reference to that binary security token. (Rather than a binary security token, an alternative is to use a signed SAML assertion with the Holder-of-key method.) It is also possible for the signature to consist solely of the <Signature> element; in this case, the element contains information that enables the recipient to validate the signature. Caché supports multiple options for this as well.
Standards Supported in Caché
This section lists the support details for WS-Security, WS-Policy, WS-SecureConversation, and WS-ReliableMessaging for Caché web services and web clients.
WS-Security Support in Caché
Caché supports the following parts of WS-Security 1.1 created by OASIS (
WS-Policy Support in Caché
Both the WS-Policy 1.2 ( and the WS-Policy 1.5 ( frameworks are supported along with the associated specific policy types:
Note that <PolicyReference> is supported only in two locations: in place of a <Policy> element within a configuration element or as the only child of a <Policy> element.
WS-SecurityPolicy 1.2 is supported as follows. Equivalent parts of WS-SecurityPolicy 1.1 are also supported.
WS-SecureConversation Support in Caché
Caché supports parts of WS-SecureConversation 1.3 (, as follows:
Caché also supports the necessary supporting parts of WS-Trust 1.3 ( Support for WS-Trust is limited to the bindings required by WS-SecureConversation and is not a general implementation.
WS-ReliableMessaging Support in Caché
Caché supports WS-ReliableMessaging 1.1 and 1.2 for synchronous messages over HTTP. Only anonymous acknowledgments in the response message are supported. Because only synchronous messages are supported, no queueing is performed.
See and

Send us comments on this page
Copyright © 1997-2019 InterSystems Corporation, Cambridge, MA