In-built security | Questionmark

In-built security

Applies to the following products: 
Questionmark OnDemand
Questionmark Perception
Questionmark OnPremise
Applies to the following Perception versions: 
Perception 5.7

The internal security of QMWISe is provided by using SOAP headers in the request and response messages. SOAP headers are part of the data model. These headers can be enabled or disabled with configuration settings.

Questionmark recommends that basic authentication is used with QMWISe over SOAP headers. For more information on using basic authentication with QMWISe, please refer to the Basic authentication section of this guide.

The SOAP header for both request and response headers has the form:

<soap:Header>

<Security xmlns="http://questionmark.com/QMWISe/">

<ClientID>String</ClientID>

<Checksum>String</Checksum>

</Security>

</soap:Header>

The use of the ClientID and Checksum parameters are described below for the SOAP request header and the SOAP response header.

The SOAP request header

In the header for a SOAP request message:

  • The ClientID must be the name of valid Questionmark administrator. The administrator must have permission to change the server configuration.
  • The Checksum must be the plain text password for this administrator.

If you've been using an MD5 checksum created for earlier versions of Questionmark, it can still be used, as Perception 5.7 and OnDemand/OnPremise are backwards compatible with previously-created MD5 checksums. The SOAP header field is still called "Checksum" for this reason.

A typical SOAP request header would be:

<soap:Header>

<Security xmlns="http://questionmark.com/QMWISe/">

<ClientID>qmwiseuser</ClientID>

<Checksum>cL38@k#12F</Checksum>

</Security>

</soap:Header>

Permission to change the server configuration

This is set when the administrator is created or edited.

The option Server Configuration must be enabled for the administrator user you intend to use with QMWISe.

The SOAP response header

In the header for a SOAP response message, the ClientID must be the URL of the web service itself.

A typical SOAP response header would be as follows:

<soap:Header>

<Security xmlns="http://questionmark.com/QMWISe/">

<ClientID>http:/<Perception server>/qmwise5/qmwise.asmx</ClientID>

<Checksum>cL38@k#12F</Checksum>

</Security>

</soap:Header>