When working with a web service that was failing, tcpmon showed an error page being returned. The page was an HTML 401 Unauthorized error. Despite the web service having a username and password set, and set correctly, the error continued to happened.

      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:UsernameToken>
            <wsse:Username>The_Right_User</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">The_Right_Password</wsse:Password>
         </wsse:UsernameToken>
      </wsse:Security>

The reason for the error was because the HTTP Basic Authentication header is a part of the HTTP spec, and not the web service itself. The HTTP header needed to include the basic authentication token in order to make it past the web server to, in my case, SAP which create the service.

While in the WCS Admin Console changing the parameters for the message type properties, there will be an option for a username and password. Those are for the SOAP wsse:Security header and do us no good.

Edit the wc-server.xml file in the WC project. Find the OutboundConnector element with a name of HTTP-WS, similar to this:

<OutboundConnector default="true" enabled="true" id="-101" name="HTTP-WS" retries="3">

Inside that element, there will be an InteractionSpec element:

<InteractionSpec ClassName="com.ibm.commerce.wc.messaging.adapters.jcahttp.ws.JCAHTTPWSInteractionSpecImpl" default="true">

That element will contain a list of EditableProperty elements. Before the closing tag, add two more EditableProperty elements:

<EditableProperty Admin="userNameHttpAuthentication" display="false" editable="yes" name="setBasicAuthenticationName" value=""/>
<EditableProperty Admin="passwordHttpAuthentication" display="false" editable="yes" encrypt="yes" name="setBasicAuthenticationPassword" value=""/>

Save the file and restart the server. Going back to the Admin Console, selecting Configuration, Message types, and selecting a type that uses Web services over HTTP, you will now see an additional username and password field for Basic Authentication.

Enter in the username and password, and the token will be generated and include in the HTTP header for all requests finally getting past the 401 Unauthorized error page response.