000034714 - Using Web Services Security for Case Management API in RSA Adaptive Authentication (OnPrem) 7.x

Document created by RSA Customer Support Employee on Jan 31, 2017Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000034714
Applies ToRSA Product Set: Adaptive Authentication (OnPrem)
RSA Product/Service Type: Adaptive Authentication (OnPrem)
RSA Version/Condition: 7.X
Platform: All/generic
Platform (Other):
O/S Version: All/generic
IssueWhile using Case Management API, the SOAP calls were unable to fetch/update case information from Adaptive Authentication with error : 
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
         <faultstring>WSDoAllReceiver: security processing failed</faultstring>

Authentication and authorization is required for all users issuing Case Management API SOAP calls.
The case management webservice URL would be similar to the below :
The HOSTNAME and PORT needs to be changed as per the environment where case management application is deployed.
Case Management API provides the ability to use Web Services Security (WS-Security) for authentication purposes. WS-Security allows the communication of various security token formats such as user identification and password credentials.
Authorization is accomplished by assigning the users to at least one of two specific roles defined to grant access to the Case Management API service:
• CMAPIExtract, for selecting and viewing activities (events)
• CMAPIUpdate, for selecting and viewing activities, and updating actions
These roles must be defined in Access Management application and the users should only have access to these roles.
If either one of these roles, or both are the only roles that exist for a user, the user’s password will not have an expiration date. Additionally, a user with this role does not need to change the password during the first logon.
In case an external Identity store is being used to authorize the users, these roles must be defined in the external identity store that you are using to manage your users, such as Ldap or AD. The password for these users should be preferably set not to expire in the identity store.
While implementation, the Case Management API service requires you to add a security header to each SOAP call for WS-Security purposes. WS-Security requires a specific format for the SOAP header. The required parameters are:
• wsse:userName
• wsse:Password
These parameters and their values are the user’s credentials passed to the Case Management API service for authentication and authorization purposes. If this format is not followed, the authentication process rejects the SOAP call.
Once the credentials are verified, the rest of the SOAP call is processed accordingly. If the authentication or the authorization fails, the SOAP call receives a SOAP fault and the user is denied access to the Case Management API service.

The following example shows the required format for the security SOAP header and sample SOAP call to extract cases from case management API :
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:typ="http://ws.rsa.com/cm/types">
      <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:UsernameToken wsu:Id="UsernameToken-3D55DF3AFAB2A4FD8C14811612518641" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">[PASSWORDTEXT]</wsse:Password>

Please note that the password needs to be in Plain Text in API calls