
Configuring WS-Trust in Pega Platform

Updated on April 6, 2022

Use WS-Trust to issue, renew, and validate security tokens. WS-Trust utilizes a Secure Token Service (STS) to acquire secure tokens that are used to communicate with external systems that provide data to your application via web services.

Perform the steps in this task for each resource provider that requires secure tokens for SOAP messaging with your application.
  1. Define a WS-Policy file for STS token acquisition. For more information, see Creating a web service policy data instance.
    The STS web service policy specifies how your application can interact with the STS. Create both the STS policy and the resource provider policy before you create the STS SOAP connector. The resource provider web service policy can contain metadata about the STS service and other information, such as the token type to be requested.

    Unless your security requirements specify SSL-only access, manually create an assertion that carries the user security information. For example, the Apache Rampart <RampartConfig> assertion supplies the user information that signing and encryption require, as in the following Rampart assertion:

    <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
    <ramp:user>.pyUsername</ramp:user>
    <ramp:encryptionUser>.pyEncryptionUser</ramp:encryptionUser>
    <ramp:userCertAlias>.pySignatureUser</ramp:userCertAlias>
    <ramp:userPassword>.pyUserPassword</ramp:userPassword>
    <ramp:signaturePassword>.pysignaturePassword</ramp:signaturePassword>
    </ramp:RampartConfig>
  2. Create the STS SOAP connector to request a token from the STS. For more information, see Creating a Connect SOAP rule and Configuring advanced details for a SOAP Connector.
  3. Create a resource provider web service policy in Pega Platform. The Service policy specifies how your application can interact with the resource provider through its web service.
    1. In the Service policy XML file, add the endpoint URL to the <wsp:AppliesTo> child element of the <sp:IssuedToken> element.
      [Figure: Service policy XML file, showing the endpoint URL added to the <wsp:AppliesTo> child element]
    2. Create a resource provider web service policy. For more information, see Creating a web service policy data instance.
      Make sure to copy the namespaces specified in the WSDL file to <wsp:Policy.../>. In this example, namespaces copied manually from the WSDL include:
      wsu:Id="CalculatorServicePortBindingPolicy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" 
      xmlns:sunwsp="http://java.sun.com/xml/ns/wsit/policy" xmlns:ssp="http://schemas.sun.com/2006/03/wss/server" 
      xmlns:wsaw3c="http://www.w3.org/2005/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  4. Create the Connect SOAP connector to invoke the resource provider's SOAP web service using the token. On the Advanced tab of the Connect SOAP rule, in the Service policy field, enter the name of the service policy that you created in step 3b.
    For more information, see Creating a Connect SOAP rule and Configuring advanced details for a SOAP Connector.

    Upon receiving credentials from your application, the STS issues a token for secure SOAP messaging. Credentials can be a username and password, or a token issued by a broker, such as a SAML token, a digital signature, or a Kerberos token.

  5. Create an activity that calls the STS and resource provider SOAP connectors as methods. The recommended approach is for the activity to run the STS connector first and the resource provider connector immediately after it.
    1. In the activity that you created, on the Steps tab, in the Method field, press the Down arrow key and select Connect-SOAP.
    2. Click the Expand icon to expand the step.
    3. In the ServiceName field, enter the service name for the STS connection.
    4. In the ExecutionMode field, select Run.
    5. Click Add a step to add a step for the secure web service. Then, repeat steps 5a through 5d.
    6. Click Save.
  6. At the point in your flow where you want to establish a secure SOAP connection by using a token, add or edit an Integrator shape to reference the activity. For more information, see Activity form - how to create activities for flows.
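As an added check that is not part of this documentation or of Pega Platform, the following Python script validates a resource provider policy file before you reference it from the Connect SOAP rule: it confirms the file is well-formed XML, that each <sp:IssuedToken> names the resource endpoint inside <wsp:AppliesTo> (the WS-Addressing EndpointReference/Address form is assumed), and that Rampart password elements hold clipboard property references such as .pyUserPassword rather than literal secrets. The sample policy and the endpoint URL are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespace URIs copied from the WSDL (as the steps above require) plus WS-Addressing and Rampart.
NS = {
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "ramp": "http://ws.apache.org/rampart/policy",
}

def check_policy(policy_xml, endpoint):
    """Return a list of findings for a resource provider policy; [] means it passed."""
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError as err:  # e.g. a stray space inside a closing tag
        return [f"not well-formed XML: {err}"]
    findings = []
    if root.tag != f"{{{NS['wsp']}}}Policy":
        findings.append("root element is not wsp:Policy")
    # Check 1: each sp:IssuedToken must name the resource endpoint in wsp:AppliesTo.
    tokens = root.findall(".//sp:IssuedToken", NS)
    if not tokens:
        findings.append("no sp:IssuedToken assertion found")
    for tok in tokens:
        addrs = tok.findall("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", NS)
        if endpoint not in [(a.text or "").strip() for a in addrs]:
            findings.append(f"sp:IssuedToken/wsp:AppliesTo does not name {endpoint}")
    # Check 2: Rampart secrets must be clipboard property references (.pyX), not literals.
    for name in ("userPassword", "signaturePassword"):
        for el in root.iter(f"{{{NS['ramp']}}}{name}"):
            if not (el.text or "").strip().startswith("."):
                findings.append(f"ramp:{name} contains a literal secret, not a property reference")
    return findings

# Constructed sample policy (not from the page); the endpoint URL is a placeholder.
ENDPOINT = "https://calc.example.test/CalculatorService"
SAMPLE_POLICY = f"""<wsp:Policy wsu:Id="CalculatorServicePortBindingPolicy"
  xmlns:wsp="{NS['wsp']}" xmlns:sp="{NS['sp']}" xmlns:wsu="{NS['wsu']}"
  xmlns:wsa="{NS['wsa']}" xmlns:ramp="{NS['ramp']}">
  <sp:IssuedToken>
    <wsp:AppliesTo><wsa:EndpointReference>
      <wsa:Address>{ENDPOINT}</wsa:Address>
    </wsa:EndpointReference></wsp:AppliesTo>
  </sp:IssuedToken>
  <ramp:RampartConfig>
    <ramp:userPassword>.pyUserPassword</ramp:userPassword>
    <ramp:signaturePassword>.pySignaturePassword</ramp:signaturePassword>
  </ramp:RampartConfig>
</wsp:Policy>"""
```

Run `check_policy(SAMPLE_POLICY, ENDPOINT)` to get the findings list; an empty list means the policy passed all three checks.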
