SOAPbox Frequently Asked Questions:

What is SOAPbox?
Is Vordel SOAPbox a programming toolkit?
Is the SOAPbox only for SOAP messages?
Who uses SOAPbox?
How does SOAPbox test the security compliance of an XML application?
What are the system requirements to run Vordel SOAPbox?
When I download SOAPbox, where do I start? Is there a quick-start guide?
How much does Vordel SOAPbox cost?
If I'm planning to use only SSL to secure my Web Service, and have no plans to use WS-Security, can I still use Vordel SOAPbox?
Can I use Vordel SOAPbox to add security to my Web Services?
Do I need to understand new Web Services security technologies such as WS-Security and SAML in order to use Vordel SOAPbox?
Does SOAPbox support Web server security technologies, such as SSL and HTTP-auth, as well as Web Services security technologies such as WS-Security?
Many XML security standards, such as XML Signature and XML Encryption, require me to generate keys and certificates. Does SOAPbox help with that?
SOAPbox supports XML Encryption. But can it be used to decrypt XML also?
I haven't built any XML applications yet, but I'd still like to use SOAPbox to learn about security standards. Are there sample applications I can use?
Is support provided for SOAPbox?
Does SOAPbox allow me to use custom HTTP headers?
I need an application that will perform XML Signature and XML Encryption, like SOAPbox except not menu-driven. Does Vordel have such an application?
How do I get Vordel SOAPbox?

What is SOAPbox?
SOAPbox is a graphical application that acts as a testing client for an XML application, such as an XML Web Service. SOAPbox creates signed and encrypted XML messages and supports SSL, WS-Security and SAML, as well as SOAP attachments using MIME and DIME. In this way, SOAPbox can test the security policies enforced by an XML-processing application.

Is Vordel SOAPbox a programming toolkit?
No. Vordel SOAPbox is a graphical application which requires no programming to operate. It is designed to make it as easy as possible to generate digitally signed and encrypted XML documents, in order to test the security of an XML application.

Using SOAPbox, a tester can select a portion of an XML document and choose to sign or encrypt the elements which they have selected. Doing the equivalent operation using a programming toolkit would involve knowledge of XPath, XML Signature and XML Encryption, and, of course, a programming toolkit.

Is the SOAPbox only for SOAP messages?
No. Although it is called "SOAPbox", the SOAPbox can also be used to test applications that use so-called "Plain Old XML" without a SOAP envelope. For example, the screenshot below shows SOAPbox used to digitally sign part of an XML document, before sending it to an application over HTTP. In this way, the tester can see how the application behaves when the message is not signed, when the signature is broken, or when an untrusted certificate is used.


Who uses SOAPbox?
SOAPbox is used by developers, architects, and testers who wish to test the security policies used by their XML applications. Registered SOAPbox users include Accenture, Abbey National, BankOne, British Telecom, Cisco, Credit Suisse First Boston, DaimlerChrysler, HBOS, Royal Bank of Scotland, and many others.

How does SOAPbox test the security compliance of an XML application?
SOAPbox is used to test the following:

  • Test client-side SSL and server-side SSL
  • Test how an application responds to an unexpected attachment (e.g. an executable sent in an attachment)
  • Test how an application processes XML messages that have been signed, including messages with broken signatures
  • Test how an application processes encrypted XML
  • Test compliance with WS-Security
  • Test SAML compliance by constructing SAML assertions
  • Highlight the security tokens in a SOAP message
  • Avoid having to write code to test the security of an XML application
Without using SOAPbox, testing would involve either programming a client application, or else would be left to chance.

What are the system requirements to run Vordel SOAPbox?
The following operating systems are supported:

  • Microsoft Windows including Windows 2000, XP and NT
  • Linux (including SuSE Linux, Red Hat, and Debian)
  • Solaris

The hardware requirements are:

  • 64Mb RAM
  • 20Mb free disk space
  • SOAPbox includes a Java Virtual Machine preconfigured to run with the download

Vordel SOAPbox uses a Java Virtual Machine which is configured with a security provider. For convenience, a pre-configured JVM is bundled with the download, and installs automatically.

When I download SOAPbox, where do I start? Is there a quick-start guide?
The quick-start guide is here.

How much does Vordel SOAPbox cost?
SOAPbox can be downloaded for free on a 1-day trial basis. After that it costs $99 for a perpetual licence. Discounted pricing is available for multi-seat licences. Contact Vordel sales (sales@vordel.com) to enquire about a multi-user licence.

If I'm planning to use only SSL to secure my Web Service, and have no plans to use WS-Security, can I still use Vordel SOAPbox?
Yes. Vordel SOAPbox supports SSL, and allows you to test your SSL-protected Web Services by sending them XML messages over SSL. It supports client-side as well as server-side SSL. In fact, a popular use for SOAPbox is to test client-side SSL authentication.

Can I use Vordel SOAPbox to add security to my Web Services?
No. Vordel SOAPbox is a testing tool: it is used to test the security configuration of a Web Service, not to add security to it. Tools such as VordelSecure, the VS3000, and VordelDirector are used to add security to Web Services. These tools make it easy to configure and enforce policies such as "all XML must be digitally signed by a trusted partner, must arrive over SSL, must be logged, must not contain SOAP attachments, and must conform to the appropriate Schema."

Do I need to understand new Web Services security technologies such as WS-Security and SAML in order to use Vordel SOAPbox?
No. In fact, Vordel SOAPbox is a useful tool for learning about these new Web Services security technologies, since it shows the input and output of secure Web Services in a simple GUI.

The intuitive interface allows SOAPbox users to learn about Web Services security standards. SOAPbox presents a tree view in which security tokens and signatures are automatically highlighted (see screenshot below).



Does SOAPbox support Web server security technologies, such as SSL and HTTP-auth, as well as Web Services security technologies such as WS-Security?
Yes. SOAPbox supports server-side and client-side SSL, basic HTTP Authentication, and digest HTTP Authentication. This means that SOAPbox can be used to test the security configuration for normal Websites, as well as testing Web Services. In fact, many existing SOAPbox users are using the tool to test client-side SSL configuration for Websites that are protected using HTTPS.

Many XML security standards, such as XML Signature and XML Encryption, require me to generate keys and certificates. Does SOAPbox help with that?
Yes. SOAPbox includes a built-in keystore which can import keys from a variety of sources, in PEM and PKCS#12 formats. For your convenience, a sample key-pair is provided with SOAPbox.

Operating SOAPbox's keystore does not require the command line; it is all GUI-based.


SOAPbox supports XML Encryption. But can it be used to decrypt XML also?
Yes. You can use SOAPbox to decrypt content that has been encrypted using XML Encryption, provided you have access to the appropriate cryptographic key. The following screenshot shows encrypted XML content which can be decrypted using SOAPbox.


I haven't built any XML applications yet, but I'd still like to use SOAPbox to learn about security standards. Are there sample applications I can use?
Yes. SOAPbox comes pre-configured with a number of sample Web Services which you can test against.

Is support provided for SOAPbox?
We have a FAQ which contains answers to some more obvious questions. Please check these documents before you contact us. Please send feedback or problem reports to soapboxsupport@vordel.com

Does SOAPbox allow me to use custom HTTP headers?
Yes. In the following screenshot, we see SOAPbox being used to configure custom HTTP headers to be sent to an XML-consuming application.


I need an application that will perform XML Signature and XML Encryption, like SOAPbox except not menu-driven. Does Vordel have such an application?
Yes! VordelDirector provides "security services" for signing and encrypting XML documents. You can send XML to VordelDirector in order to have it signed, encrypted, decrypted, or validated.

In the screenshot below, we see a VordelDirector "Signing Service" in action. SOAP messages sent through the signing service are automatically signed.


How do I get Vordel SOAPbox?
Download your trial copy here or buy it here.



         


  Vordel SOAPbox datasheet