Web services will play a decisive role for business transactions in the future. The more the business volume increases, the more security mechanisms are needed. One possibility to provide the required security level is to use certificates, preferably stored on smartcards. Our challenge was to design a solution and construct a working prototype.

The given target platform consisted of Java and the .NET environment. First we implemented a .NET Client and a .NET Web Service. The client establishes a secure connection based on TLS and communicates through SOAP messages signed with smartcard based certificates. The Web Service is also able to sign the responses with a server certificate. Afterwards we implemented the same functionality using a Java environment. The Java client and the Java web service are also able of establishing a secure connection based on TLS and communicating through signed SOAP messages. We successfully finished this challenge after a few obstacles were overcome.

We conducted extensive performance tests with smartcards and smartcard readers. The result is that one requirement of Swiss Re could not met. Swiss Re requested that the time for the signing must take less than 200 ms, but the fastest card and reader needed at least twice as much.

After the other requirements were met, we used to spend our remaining time to solve interoperability problems. All outstanding difficulties were resolved after a few researches. Basically the interoperability is not longer a problem and the use of smartcards in productive environments can be recommended. Nevertheless time-critical applications should use a soft certificate instead of smartcard based certificates, because they are much faster.