wMUsers Forum: webMethods Enterprise Server Security

Security Concepts

The security framework provided with webMethods Enteprise Server (ES) supports authentication, authorization, and encryption. ES authenticates clients that connect to an enterprise server. Authenticated clients are then authorized to access the Enterprise Server, brokers, client groups, or client states according to ACL configurations. Encryption is used for adapter-to-broker and broker-to-broker communication.

Security between adapters and native resources falls outside of the webMethods Enteprise Server environment and each adapter conforms (or not) to the security provided by the native resource.


Enteprise Server only supports authentication using digital certificates. Password authentication is not supported. The use of digital certificates makes it easy to encrypt the data exchanged between clients and brokers.

webMethods requires any client connecting to the enterprise (broker) server to provide a digital certificate to authenticate its identity. Clients can be any of:

  • Resource (intelligent or standard) Adapters
  • ATC Agents
  • Brokers
  • Manager tool
  • Document (Event) Tracker
  • Document (Event) Type Editor
  • Enterprise (Visual) Integrator
  • Monitor Tool
  • Custom Adapters



Once authenticated, specific access to the Enterprise Server can be granted to the client. Access can be granted to the following types of entities within the enterprise server:

  • Enterprise Server
  • Brokers
  • Client Groups
  • Clients (already created client states)


For each type of entity an access control list (ACL) of distinguished names determines which authenticated clients are authorized to access the entity. A distinguished name is the uniquely identifying information for a digital certificate.

In addition to ACL authorization, Client Groups provide an even finer level of access control. Client Groups are used to configure what events/documents clients can publish and subscribe to. This authorization functionality exists independently from the use of digital certificates, but it is not until digital certificates are used for client authentication that the system is secure. Without client authentication, anyone can run an adapter for any client group and both subscribe to and publish events the client group has been configured with.




One response to “wMUsers Forum: webMethods Enterprise Server Security

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s