Security Considerations
Access to the Virtual File System
A SOAPam Virtual File System (VFS) consists of a set of audited Enscribe files whose names start with "VFS". These files contain sensitive information including userids, passwords, and server keys. These files should be secured in a manner that prevents access by unauthorized users. Only the SOAPam Server process itself needs to access these files (the process creator requires "read" and "write" access).
The VFSMGR utility ignores stored folder-access privilege settings on VFS content. A user who can execute VFSMGR and has access to the VFS Enscribe files can access all VFS content.
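Because VFSMGR bypasses folder-access privileges, the file-level security on the VFS files is the control that matters. The following added example (not part of the SOAPam documentation or product) audits a listing of file names, owners and Guardian RWEP security strings against the rule above. The three-column input format, the sample rows and the function name audit_vfs are assumptions made for illustration.

```python
import re

# Guardian security-string levels that grant access beyond the file owner:
# G/A = group/any local user, C/N = group/any user including remote ones.
# O/U (owner local / owner incl. remote) and "-" (local super ID) are not broader.
BROADER_THAN_OWNER = set("GACN")
OPS = ("read", "write", "execute", "purge")

# Constructed sample listing (assumed format: file name, owner "group,user", RWEP).
SAMPLE = """\
VFSDATA  100,5  OOOO
VFSINDEX 100,5  GOOO
VFSKEYS  100,5  NUUU
VFSLOG   200,7  OOOO
VFSTEMP  100,5  --OO
APPDATA  100,5  AAAA
"""

def audit_vfs(listing, creator):
    """Return (file, problem) pairs for VFS* files.

    creator is the "group,user" id of the SOAPAM process creator, the only
    identity that needs read and write access to the VFS files.
    """
    findings = []
    for line in listing.splitlines():
        m = re.fullmatch(r"\s*(\S+)\s+(\d+,\d+)\s+([OGAUCN-]{4})\s*", line)
        if not m:
            continue  # not a well-formed listing row
        name, owner, rwep = m.groups()
        if not name.upper().startswith("VFS"):
            continue  # only files named VFS* belong to the virtual file system
        for op, level in zip(OPS, rwep):
            if level in BROADER_THAN_OWNER:
                findings.append((name, f"{op} open to non-owners ({level})"))
        if owner != creator:
            findings.append((name, f"owned by {owner}, not process creator {creator}"))
        elif creator != "255,255" and "-" in rwep[:2]:
            findings.append((name, "read/write limited to super ID; server cannot open it"))
    return findings

if __name__ == "__main__":
    for name, problem in audit_vfs(SAMPLE, creator="100,5"):
        print(f"{name}: {problem}")
```

Where Safeguard protects the VFS files, its access control lists decide access rather than these security strings, so review those records as well.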
Access to Server Processes and Server Classes
In the default configuration, the SOAPam Server accesses application server processes on behalf of Web service clients using the user identity under which the SOAPAM process was started. If you Safeguard-protect your server processes or set the Pathway server SECURITY parameter, you must allow access by this user identity to any servers that support SOAPam Web services.
Conversely, to prevent Web service developers from accessing specific server processes running on your NonStop Server, you can use Safeguard or the Pathway server SECURITY parameter to prevent the user identity under which the SOAPAM process runs from accessing such servers.
If the SOAPam Guardian User Impersonation feature is enabled, you can configure which Guardian user identity the SOAPam Server should impersonate when accessing servers on behalf of a given Web service. In this case, you must configure Safeguard or Pathway to allow access by the impersonated user identity. Refer to Guardian User Impersonation and User Impersonation for more information.
Access to TCP/IP
When specifying a TCP port number, be aware that NonStop TCP/IP requires that a process that attempts to open a port numbered less than 1024 must be started by a member of the SUPER group (255,nnn). Refer to Starting the SOAPam Server for more information. In any case, the SOAPAM process creator must be allowed to communicate with the TCPIP (or TCPSAM) process.
Access to DDL Dictionaries
Web service developers may use SOAPam Server's Service Definition Wizard to generate Service Definition Files based on "definitions" stored in one or more DDL dictionaries on your NonStop Server. To support this feature, the SOAPAM process creator requires "read" permission for the Enscribe files that comprise a given DDL dictionary.
Guardian User Impersonation
When SOAPam Server executes a Web service method on behalf of a client, it sends an interprocess message to one of your Pathway or Guardian application servers. By default, it does this under the identity of the user that created (started) the SOAPam Server process (sometimes known as the "CAID" or creator accessor id).
Since the SOAPam Server is a Guardian process, the identity under which a Web service is executed may be important if Safeguard or Pathway security settings restrict access to the server process that supports the Web service.
Guardian User Impersonation is a feature that allows the server to internally switch its "PAID" (process accessor id) to the user identity of a given Guardian user prior to sending an interprocess message. This feature allows you to run the server under any user identity but still enforce user-based access privileges to servers. Using the SOAPam Control Panel, you set the impersonated user identity on the Virtual File System (VFS) folder that contains the Web service definition (.sdf) file. By setting an identity on the root folder, you can establish a default identity for all Web services.
In order to use the Guardian User Impersonation feature, you must:
- Start the SOAPAM process in User Impersonation mode
- Configure User Impersonation settings on the appropriate service folders