We are facing issues due to the limitation in the ORCA header that we have to provide the username & password as plain text.
There should be a mechanism so that an encrypted password can be used in the ORCA header while consuming it to trigger AO workflows. Below is the ORCA header, where the password type should be #PasswordText:
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Password (this should be encrypted)</wsse:Password>
The BAO web services document says the following:
The ORCA web service is always available, so you must secure it properly:
- The ORCA web service supports only a subset of the WS-Security specification, the WS-Security UsernameToken Profile 1.1.
- The ORCA web service supports only the <wsse:PasswordText> type and does not support the <wsse:Nonce/> type.
Isn't it worth securing the password in ORCA calls?
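
To make the difference between the password types concrete, here is an added example (not part of the original post and not BMC code) that audits a WS-Security header for a cleartext `#PasswordText` token and, going beyond what ORCA accepts per the quoted documentation, computes the UsernameToken Profile `#PasswordDigest` value for comparison. The username, password, endpoint URLs and finding names are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile digest: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def audit_security_header(header_xml: str, endpoint_url: str) -> list:
    """Return findings about how each UsernameToken in the header carries its password."""
    findings = []
    for token in ET.fromstring(header_xml).iter(f"{{{WSSE}}}UsernameToken"):
        pw = token.find(f"{{{WSSE}}}Password")
        if pw is None:
            continue
        # The profile treats a missing Type attribute as #PasswordText.
        ptype = pw.get("Type", PROFILE + "#PasswordText")
        if ptype == PROFILE + "#PasswordText":
            findings.append("cleartext-password")
            # With PasswordText, only the transport (TLS) protects the secret.
            if not endpoint_url.lower().startswith("https://"):
                findings.append("no-transport-encryption")
        elif ptype == PROFILE + "#PasswordDigest":
            has_nonce = token.find(f"{{{WSSE}}}Nonce") is not None
            has_created = token.find(f"{{{WSU}}}Created") is not None
            # Without both values the digest never changes and can be replayed.
            if not (has_nonce and has_created):
                findings.append("digest-replayable")
    return findings

def build_header(password_type: str, password_value: str, extra: str = "") -> str:
    """Constructed sample header; the username is a placeholder."""
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        "<wsse:UsernameToken><wsse:Username>example-user</wsse:Username>"
        f'<wsse:Password Type="{PROFILE}#{password_type}">{password_value}</wsse:Password>'
        f"{extra}</wsse:UsernameToken></wsse:Security>"
    )

if __name__ == "__main__":
    text_header = build_header("PasswordText", "example-password")
    # Hypothetical endpoints: the same header over plain HTTP and over HTTPS.
    print(audit_security_header(text_header, "http://ao.example.invalid/orca"))
    print(audit_security_header(text_header, "https://ao.example.invalid/orca"))
```
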