Web service security policies define the requirements for secure communication between a Web service and a client. vCenter Single Sign-On security policies are based on the WS-Policy framework and WS-SecurityPolicy specifications. A policy identifies specific elements for token requests. Based on the policy requirements, a vCenter Single Sign-On client will insert data into the SOAP security header for the token request.
vCenter Single Sign-On defines security policies for end user access, solution access, and for token exchange. The policies stipulate the following elements:
■ Security certificates (x509V3, x509PKIPathV1, x509PKCS7, or WssSamlV20Token11)
vCenter Single Sign-On security policies specify that the body of the SOAP message for a holder-of-key token must be signed. Bearer tokens require only the username and timestamp tokens.
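To make the two policy shapes concrete, the following is an added, self-contained example (not code from the vCenter Single Sign-On SDK or its samples). It assembles a SOAP envelope whose wsse:Security header carries the timestamp and username tokens a bearer-token request needs, optionally adds a placeholder ds:Signature reference over the Body to mimic the holder-of-key shape (no real XML signature is computed), and then checks an envelope against either policy. The namespaces are the standard WS-Security and XML-DSig ones; the user name, password, element Ids and token-type names are constructed for the example.

```python
"""Constructed example: build and check a WS-Security SOAP header against
the bearer and holder-of-key policy shapes. Not vCenter SSO SDK code."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU, "ds": DS}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_envelope(username, password, now, ttl=300, sign_body=False):
    """Build a SOAP envelope with wsu:Timestamp and wsse:UsernameToken in the
    Security header (the bearer-token requirements). With sign_body=True a
    ds:Signature whose Reference points at the Body's wsu:Id is added to
    mimic the holder-of-key shape; its SignatureValue is a dummy placeholder."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security",
                        {f"{{{SOAP}}}mustUnderstand": "1"})
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp", {f"{{{WSU}}}Id": "TS-1"})
    ET.SubElement(ts, f"{{{WSU}}}Created").text = now.strftime(TIME_FMT)
    expires = now + timedelta(seconds=ttl)
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = expires.strftime(TIME_FMT)
    ut = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(ut, f"{{{WSSE}}}Username").text = username
    ET.SubElement(ut, f"{{{WSSE}}}Password", {"Type": PASSWORD_TEXT}).text = password
    # The Body carries a wsu:Id so a signature Reference can point at it.
    body = ET.SubElement(env, f"{{{SOAP}}}Body", {f"{{{WSU}}}Id": "Body-1"})
    ET.SubElement(body, "RequestSecurityToken")  # constructed placeholder payload
    if sign_body:
        sig = ET.SubElement(sec, f"{{{DS}}}Signature")
        info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
        ET.SubElement(info, f"{{{DS}}}Reference", {"URI": "#Body-1"})
        ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = "PLACEHOLDER-NOT-A-REAL-SIGNATURE"
    return ET.tostring(env, encoding="unicode")


def check_policy(xml_text, token_type, now):
    """Return a list of policy violations (empty list means compliant).
    'bearer' needs a valid Timestamp and a UsernameToken; 'holder-of-key'
    additionally needs a ds:Signature Reference that covers the SOAP Body."""
    root = ET.fromstring(xml_text)
    problems = []
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["missing wsse:Security header"]
    ts = sec.find("wsu:Timestamp", NS)
    if ts is None:
        problems.append("missing wsu:Timestamp")
    else:
        created = datetime.strptime(ts.findtext("wsu:Created", namespaces=NS), TIME_FMT)
        expires = datetime.strptime(ts.findtext("wsu:Expires", namespaces=NS), TIME_FMT)
        if not created <= now <= expires:
            problems.append("timestamp outside validity window")
    if sec.find("wsse:UsernameToken/wsse:Username", NS) is None:
        problems.append("missing wsse:UsernameToken")
    if token_type == "holder-of-key":
        body = root.find("soap:Body", NS)
        body_id = body.get(f"{{{WSU}}}Id") if body is not None else None
        refs = [r.get("URI") for r in
                sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)]
        if body_id is None or f"#{body_id}" not in refs:
            problems.append("SOAP Body is not covered by a ds:Signature reference")
    elif token_type != "bearer":
        problems.append(f"unknown token type {token_type!r}")
    return problems


if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    env = build_envelope("user@example.local", "constructed-secret", now)
    print("bearer:", check_policy(env, "bearer", now))
    print("holder-of-key:", check_policy(env, "holder-of-key", now))
```

The check is deliberately structural: it confirms the header contains the elements the policy names and that a signature reference covers the Body, which is the part of the holder-of-key requirement that distinguishes it from bearer. A real client would replace the placeholder with an XML-DSig signature computed over the canonicalized Body, which is what the SDK's SOAP header utilities do for you.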
The following table shows the vCenter Single Sign-On policies and identifies the requirements for each policy. The vCenter Single Sign-On WSDL defines these policies for use with the vCenter Single Sign-On methods.
Security policy support is determined by the programming language that you use to write your client.
Your vCenter Single Sign-On client can use the .NET services that support web service security policies. See Security Policies.
The vCenter Single Sign-On SDK provides Java utilities that support the vCenter Single Sign-On security policies. Your vCenter Single Sign-On client can use these utilities to create digital signatures and supporting tokens, and insert them into SOAP headers as required by the policies. The SOAP header utilities are defined in files that are located in the samples directory:
SDK\sso\java\JAXWS\samples\com\vmware\sso\client\soaphandlers