Netegrity to build Web services security spec

Netegrity Inc. this week will unveil support for emerging security standards in its Web services transaction software, which lets corporations safeguard business-to-business communications using the nascent technology.

TransactionMinder 5.6, which authenticates the sender and authorizes the delivery of Web services messages between applications, has been upgraded with support for WS-Security, an emerging standard the Organization for the Advancement of Structured Information Standards is developing.

TransactionMinder’s support for WS-Security will help it ensure that a Web services application can verify who is sending it Simple Object Access Protocol (SOAP) messages and that it only accepts messages from other applications that are authorized to access its services. The software also audits all transactions.

Support for the standard means corporations can adopt TransactionMinder without regard for a business partner’s infrastructure as long as the business partner can produce and consume SOAP messages that adhere to the WS-Security specification.

WS-Security supports six forms of security tokens for authentication, and TransactionMinder 5.6 has incorporated three: user name and password, X.509 certificates and the Security Assertion Markup Language (SAML).

“WS-Security and SAML round out the basic identity and access management needs for secure communications,” says Jason Bloomberg, an analyst with ZapThink. “TransactionMinder will allow systems to securely communicate using Web services.”

TransactionMinder competes with products such as VeriSign Inc.’s Trust Gateway and with integrated capabilities from BEA Systems Inc., IBM Corp. and Microsoft Corp.

But Bloomberg says other protocols are needed for more sophisticated security, such as those for policy and federation that are in development under the WS-Security umbrella.

Security has been a major issue hampering corporate adoption of Web services. WS-Security is helping to answer those concerns. Furthermore, security must be combined with other Web services protocols such as those for reliable messaging and management to create a distributed computing model worthy of enterprise adoption.

To that end, Netegrity also will release a reference architecture that shows how other vendors’ products can be integrated with TransactionMinder, such as Web services management software from Confluent Software Inc. and Digital Evolution Inc.

TransactionMinder consists of a policy server and an agent that runs on various Web servers, including those from Sun and the open source Apache server. Version 5.6 adds support for Microsoft’s .Net platform. The agent acts as the enforcement point, stripping the WS-Security information from SOAP messages and authenticating the sender against its policy server, which can run on Windows 2000 or Sun Solaris. Once the application sending the message is authenticated, it is then given authorization to access the Web service or some subset of its functionality. Conversely, TransactionMinder also can return SOAP messages secured using the WS-Security protocol.
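
The enforcement flow described above (authenticate the sender from the WS-Security header, authorize the requested operation, strip the header, audit the decision) can be sketched as follows. This is an added illustration, not Netegrity code: the in-memory policy store, the function names and the sample message are constructed, and it assumes the user name and password token form in the OASIS WSS 1.0 namespace.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
NS = {"s": SOAP, "wsse": WSSE}

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed policy store standing in for a policy server (hypothetical data).
POLICY = {"partner-app": {"salt": b"demo-salt", "hash": _kdf("s3cret", b"demo-salt"),
                          "operations": {"getQuote"}}}
UNKNOWN = {"salt": b"none", "hash": b"\0" * 32, "operations": set()}
AUDIT = []  # every decision is recorded: (caller, operation, outcome)

def sample(user: str, password: str, op: str) -> bytes:
    """Build a constructed SOAP 1.1 request carrying a UsernameToken."""
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}"><s:Header>'
            f'<wsse:Security><wsse:UsernameToken><wsse:Username>{user}'
            f'</wsse:Username><wsse:Password>{password}</wsse:Password>'
            f'</wsse:UsernameToken></wsse:Security></s:Header><s:Body>'
            f'<q:{op} xmlns:q="urn:example:quotes"/></s:Body></s:Envelope>').encode()

def enforce(raw: bytes):
    """Authenticate, authorize, strip the token; return (caller, op, clean_xml)."""
    if b"<!DOCTYPE" in raw:  # SOAP 1.1 messages must not contain a DTD
        raise PermissionError("DTD rejected")
    env = ET.fromstring(raw)
    header, body = env.find("s:Header", NS), env.find("s:Body", NS)
    sec = header.find("wsse:Security", NS) if header is not None else None
    if sec is None or body is None or len(body) == 0:
        raise PermissionError("missing WS-Security header or body")
    user = sec.findtext("wsse:UsernameToken/wsse:Username", "", NS)
    pwd = sec.findtext("wsse:UsernameToken/wsse:Password", "", NS)
    op = body[0].tag.rsplit("}", 1)[-1]  # local name of the requested operation
    entry = POLICY.get(user, UNKNOWN)    # unknown callers still cost one KDF run
    if not hmac.compare_digest(_kdf(pwd, entry["salt"]), entry["hash"]):
        AUDIT.append((user, op, "auth-failed"))
        raise PermissionError("authentication failed")
    if op not in entry["operations"]:
        AUDIT.append((user, op, "denied"))
        raise PermissionError("not authorized for " + op)
    header.remove(sec)  # the service behind the agent never sees the credential
    AUDIT.append((user, op, "allowed"))
    return user, op, ET.tostring(env)
```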

“With Web services deployments you have to bind identity to the Web services to see who is using it and to track usage,” says Prateek Mishra, director of technology and architecture at Netegrity.

“TransactionMinder is the realization of that. You manage identity at the enterprise level and that is enforced at all the specific resources.”

TransactionMinder 5.6 is expected to ship Oct. 15. Pricing starts at US$150,000 for four CPUs.