Securing Access to NonStop Server Objects




In order to carry out its functions, the SOAP/AM Server requires access to various NonStop Server files and processes as described below.

Securing Access to the Virtual File System

A SOAP/AM Virtual File System (VFS) consists of a set of audited Enscribe files whose names start with "VFS". These files contain sensitive information including userids, passwords, and server keys, and should be secured in a manner that prevents access by unauthorized users. Only the SOAP/AM Server process itself needs to access these files (the process creator requires "read" and "write" access).

 

The VFSMGR utility ignores stored folder-access privilege settings on VFS content. A user who can execute VFSMGR and has access to the VFS Enscribe files can access all VFS content.
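One way to check the requirement above is to review the owner and Guardian security string (RWEP) of each VFS file, values that FUP INFO reports. The following is an added example, not part of the SOAP/AM documentation or product: the listing format, file names and user IDs are constructed, and it evaluates only Guardian security strings, not Safeguard access control lists.

```python
# Scope granted by each Guardian security character (standard RWEP codes).
SCOPE = {
    "-": "local super ID only",
    "O": "owner, local",
    "U": "owner, local or remote",
    "G": "owner's group, local",
    "C": "owner's group, local or remote",
    "A": "any local user",
    "N": "any user, local or remote",
}
OWNER_ONLY = {"-", "O", "U"}

# Constructed listing, one file per line: name, owner (group,user), RWEP string.
SAMPLE = """\
VFSDATA   100,5  OOOO
VFSINDEX  100,5  NUNU
VFSKEYS   100,9  GOOO
SOAPAMC   100,5  NUNU
"""


def audit_vfs(listing, creator):
    """Return (file, problem) pairs for VFS* files open beyond the process creator."""
    findings = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        name, owner, rwep = fields
        if not name.upper().startswith("VFS"):
            continue  # only the VFS Enscribe files are in scope here
        if owner != creator:
            findings.append((name, f"owned by {owner}, not process creator {creator}"))
        if len(rwep) != 4:
            findings.append((name, f"malformed security string {rwep!r}"))
            continue
        # The server needs read and write; neither should extend past the owner.
        for op, code in zip(("read", "write"), rwep[:2].upper()):
            if code not in SCOPE:
                findings.append((name, f"unknown {op} code {code!r}"))
            elif code not in OWNER_ONLY:
                findings.append((name, f"{op} open to {SCOPE[code]}"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_vfs(SAMPLE, "100,5"):
        print(f"{name}: {problem}")
```

An empty result means every VFS file in the listing is owned by the given process creator and grants read and write to the owner only.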

Securing Access to Servers

In the default configuration, the SOAP/AM Server accesses application server processes on behalf of Web service clients using the user identity under which SOAPAM was started. If you Safeguard-protect your server processes or set the Pathway server SECURITY parameter, you must allow access by this user identity to any servers that support SOAP/AM Web services.

 

Conversely, to prevent Web service developers from accessing specific server processes running on your NonStop Server, you can use Safeguard or the Pathway server SECURITY parameter to prevent the user identity under which the SOAPAM process runs from accessing such servers.

 

If the SOAP/AM "Guardian User Impersonation" feature is enabled, you can configure which Guardian user identity the SOAP/AM Server should impersonate when accessing servers on behalf of a given Web service. In this case, you must configure Safeguard or Pathway to allow access by the impersonated user identity. Refer to Guardian User Impersonation for more information.

Securing Access to TCP/IP

When specifying a TCP port number, be aware that NonStop TCP/IP requires a process that attempts to open a port numbered less than 1024 to be started by a member of the SUPER group (255,nnn). Refer to Starting the SOAP/AM Server for more information.

 

In any case, the SOAPAM process creator must be allowed to communicate with the TCPIP (or TCPSAM) process.

Securing Access to DDL Dictionaries

Web service developers may use SOAP/AM's Service Definition Wizard to generate Service Definition Files based on "definitions" stored in one or more DDL dictionaries on your NonStop Server.

 

To support this feature, the SOAPAM process creator requires "read" permission for the Enscribe files that comprise a given DDL dictionary.