Overview

Web services are used to integrate distributed applications and to exchange data between them. A business application sends a request to the Web service, which triggers processing there and returns a response. Because this exchange usually crosses the public, untrusted Internet, it must be protected: request and response are therefore normally carried over HTTPS, i.e. HTTP inside a channel secured with TLS.

An application calling a Web Service directly

Typically, access to a Web service is restricted to a defined set of business applications, so the Web service must know which caller a request comes from: it must authenticate the caller. HTTP Basic authentication with a username and password, common in the past, is no longer considered adequate. Today callers of a Web service are usually expected to identify themselves with a digital certificate when the TLS connection is set up (TLS client authentication, often called mutual TLS), so that the caller is authenticated before any request data is exchanged.

Digital certificates are therefore a prerequisite for the secure use of Web services. Creating, distributing and regularly renewing them is a complex process that ties up many resources and is therefore expensive. For this reason, the sedex platform offers a service for the Swiss e-government landscape that handles the creation, distribution and regular renewal of digital certificates for Web service users efficiently and cost-effectively.

The sedex platform relieves providers and users of Web services of this burden by allowing the ordinary sedex participant certificate to be used for secure access to Web services as well. Web services thus benefit from sedex's established organisation and infrastructure, in particular the comprehensive certificate service provided to participants.

Technically this works because the business application no longer calls the Web service provider directly. Instead it sends its request to its own, locally installed sedex Web Service Proxy (WS Proxy), a component of the sedex Client. The sedex WS Proxy establishes an HTTPS channel across the Internet to the Web service provider and authenticates itself on that TLS connection with the sedex participant certificate. To the business application the sedex WS Proxy appears to offer the Web service itself; in fact it is only an intermediary between the business application and the real Web service. Note that the TLS channel described here starts at the WS Proxy, not at the business application: the local hop between the two is a separate connection.

The sedex Web Service Proxy as intermediary

Because the sedex certificate is used to establish the TLS connection to the Web service provider, the provider can reliably determine the caller's identity from that certificate. In addition, the Web service provider can ask the sedex platform whether this sedex participant is authorized to use its service. sedex thus offers a single platform for both authentication and authorization of Web service users, and several thousand participants already use it.

Note: The sedex Web Service Proxy is very different from the standard HTTP web proxy you may be using to reach the Internet. In particular, the sedex WS Proxy must be configured explicitly as the endpoint (the target URL) of the Web service in your business application, not as an outgoing HTTP proxy.
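The following Go program is added here as an illustration of the arrangement described on this page (the proxy as intermediary, identification of the caller from the certificate, the authorization lookup, and the proxy configured as endpoint rather than as HTTP proxy); it is not part of the sedex Client or of any sedex software. It plays the whole exchange through on the loopback interface: a provider that only accepts connections authenticated with a certificate chaining to an in-memory stand-in for the sedex CA, a stand-in WS Proxy that accepts plain HTTP from the business application and presents a participant certificate on the HTTPS leg, and an allow-list on the provider side that stands in for the query to the sedex platform. The CA, the participant IDs (T0-0000001-1 and T0-0000002-2), the allow-list, the host name ws-provider.example and the path /ws/echo are all constructed for the example, and the assumption that the participant ID is carried in the certificate's common name is ours, not a statement about real sedex certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"time"
)

// must panics on error; acceptable for a demo that generates throw-away keys and certificates.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for cn: a self-signed CA (our stand-in for the sedex CA) when
// isCA is set, otherwise a leaf signed by parent. ips are IP SANs, needed only for the provider.
func issue(cn string, isCA bool, ips []net.IP, parent *tls.Certificate) *tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IPAddresses: ips,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: isCA, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey.(*ecdsa.PrivateKey)
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	leaf := must(x509.ParseCertificate(der))
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// providerHandler is the Web service: the caller's identity comes solely from the client
// certificate that TLS has already verified against the sedex CA; isAuthorized stands in for
// the query to the sedex platform whether that participant may use this service.
func providerHandler(isAuthorized func(id string) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 { // fail closed if TLS is misconfigured
			http.Error(w, "client certificate required", http.StatusUnauthorized)
			return
		}
		id := r.TLS.PeerCertificates[0].Subject.CommonName // assumption: participant ID is the CN
		if !isAuthorized(id) {
			http.Error(w, "participant "+id+" not authorized", http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "hello %s", id)
	})
}

// startProvider serves the Web service over HTTPS and requires a client certificate chaining
// to the sedex CA (mutual TLS); a caller without one is refused during the handshake.
func startProvider(h http.Handler, cert *tls.Certificate, roots *x509.CertPool) *httptest.Server {
	s := httptest.NewUnstartedServer(h)
	s.TLS = &tls.Config{Certificates: []tls.Certificate{*cert}, ClientCAs: roots,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
	s.StartTLS()
	return s
}

// startWSProxy plays the locally installed sedex WS Proxy: plain HTTP towards the business
// application, and an HTTPS connection to the provider that presents the participant certificate.
func startWSProxy(providerURL string, participant *tls.Certificate, roots *x509.CertPool) *httptest.Server {
	target := must(url.Parse(providerURL))
	rp := httputil.NewSingleHostReverseProxy(target)
	rp.Transport = &http.Transport{TLSClientConfig: &tls.Config{
		Certificates: []tls.Certificate{*participant}, RootCAs: roots, MinVersion: tls.VersionTLS12}}
	return httptest.NewServer(rp)
}

// call is the business application: an ordinary GET to whatever endpoint URL it was configured with.
func call(c *http.Client, endpoint string) int {
	resp, err := c.Get(endpoint + "/ws/echo")
	if err != nil { // connection-level failure, e.g. the TLS handshake was refused
		return 0
	}
	defer resp.Body.Close()
	return resp.StatusCode
}

// Demo returns the status the business application sees via a proxy holding an authorized
// participant certificate, via one holding an unauthorized one, and when calling the provider directly.
func Demo() (viaAuthorized, viaUnauthorized, direct int) {
	ca := issue("Example sedex CA", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	allowed := map[string]bool{"T0-0000001-1": true} // constructed participant IDs and allow-list
	provider := startProvider(providerHandler(func(id string) bool { return allowed[id] }),
		issue("ws-provider.example", false, []net.IP{net.IPv4(127, 0, 0, 1)}, ca), roots)
	defer provider.Close()
	okProxy := startWSProxy(provider.URL, issue("T0-0000001-1", false, nil, ca), roots)
	defer okProxy.Close()
	badProxy := startWSProxy(provider.URL, issue("T0-0000002-2", false, nil, ca), roots)
	defer badProxy.Close()
	viaAuthorized = call(http.DefaultClient, okProxy.URL)   // proxy URL is the endpoint, no HTTP proxy set
	viaUnauthorized = call(http.DefaultClient, badProxy.URL)
	noCert := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}}
	direct = call(noCert, provider.URL) // trusts the CA but holds no participant certificate
	return
}

func main() {
	fmt.Println(Demo()) // 200 403 0
}
```

Run with go run (it needs a usable loopback interface). The three results show the division of labour the page describes: the direct call fails in the TLS handshake because the provider insists on a client certificate (tls.RequireAndVerifyClientCert), so a caller without a participant certificate never reaches the application code at all; the unauthorized participant is authenticated by TLS but rejected by the authorization lookup with 403; only the authorized participant receives a 200. Note also that the business application passes the proxy's URL as the service endpoint and sets no HTTP proxy, which is exactly the configuration the note above calls for.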