3.2 Enabling access to the web service

See the Configuring SSL/TLS (HTTPS) section in the Securing Websites and Web Services document for details of setting up security on MyID web services. You must set up security on the Credential Web Service in the same way as the other MyID server-to-server web services.

Note: By default, all methods on the CWS are locked down.

3.2.1 Method lockdown

By default, all methods on CWS are blocked. Attempting to invoke a blocked method returns an HTTP 501 error code. You can enable individual methods by modifying the MethodAccessControl.xml file in the CredentialWebService folder. This XML file allows you to explicitly enable or disable individual methods, and also to enable or disable any future methods implemented in later versions of the web service.

Note: Once you have modified and saved the MethodAccessControl.xml file, you must restart IIS for the settings to take effect.

Once deployed, this file is never updated by CWS upgrades. If CWS is updated to include new methods, those methods may not be enabled until you have manually adjusted this file.

3.2.2 Default settings

The default content of the MethodAccessControl.xml file is:

<?xml version="1.0" encoding="utf-8" ?>
<Methods default="no">
  <Method name="RequestCredential">no</Method>
  <Method name="RequestCredentialForDevice">no</Method>
  <Method name="AssignAdditionalIdentities">no</Method>
  <Method name="RemoveAdditionalIdentities">no</Method>
  <Method name="RemoveAllAdditionalIdentities">no</Method>
  <Method name="RequestUnlockCodeForDevice">no</Method>
  <Method name="RenewCertificate">no</Method>
  <Method name="RequestCertificate">no</Method>
  <Method name="GetCertificate">no</Method>
  <Method name="RequestCertificatePfx">no</Method>
  <Method name="GetCertificatePfx">no</Method>
  <Method name="IsAlive">no</Method>
</Methods>

To enable a method, change the corresponding value from no to yes. Any value other than yes (case sensitive) results in the method being blocked.

The default attribute on the root node determines what happens to methods that are not explicitly listed in the file.

To allow all methods, and all future methods, you can modify the file to have the following content:

<?xml version="1.0" encoding="utf-8" ?>
<Methods default="yes" />
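
The rules above (only the exact, case-sensitive value yes enables a method, and the default attribute covers any method not listed) can be checked mechanically before you restart IIS. The following Python script is an added example, not part of MyID or its documentation; the function names and the sample file are constructed for illustration, and it assumes the default attribute is matched the same way as the method values.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a shipped file): one mis-cased value, permissive default.
SAMPLE = """<?xml version="1.0" encoding="utf-8" ?>
<Methods default="yes">
  <Method name="RequestCredential">no</Method>
  <Method name="GetCertificate">yes</Method>
  <Method name="IsAlive">Yes</Method>
</Methods>"""


def load_policy(xml_text):
    """Parse a MethodAccessControl.xml document into a reviewable policy."""
    root = ET.fromstring(xml_text)
    if root.tag != "Methods":
        raise ValueError("root element must be <Methods>")
    # Assumption: 'default' follows the same exact-match rule as method values.
    policy = {"default": root.get("default") == "yes", "methods": {}, "warnings": []}
    for node in root.findall("Method"):
        name, value = node.get("name"), node.text or ""
        if name in policy["methods"]:
            policy["warnings"].append(f"{name}: listed more than once")
        # Only the exact, case-sensitive string "yes" enables a method.
        policy["methods"][name] = value == "yes"
        if value not in ("yes", "no"):
            policy["warnings"].append(f"{name}: value {value!r} is not 'yes', method is blocked")
    if policy["default"]:
        policy["warnings"].append('default="yes": unlisted and future methods are enabled')
    return policy


def is_enabled(policy, method):
    """Effective state of a method: its explicit entry, else the root default."""
    return policy["methods"].get(method, policy["default"])


def enabled_methods(policy):
    """Names explicitly enabled in the file, for comparison with an approved list."""
    return sorted(n for n, on in policy["methods"].items() if on)


if __name__ == "__main__":
    p = load_policy(SAMPLE)
    print("explicitly enabled:", enabled_methods(p))
    for w in p["warnings"]:
        print("WARNING:", w)
```

Run it against a copy of the deployed file after each CWS upgrade and compare the explicitly enabled methods with the set your integration actually needs.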