
--

   <!-- Service endpoint module (gSOAP-based, going by the type name), with the
        host name and port configured for it. -->
   <sm:Module xsi:type="sm:ecm_gsoap.service">
      <sm:Host>qcg.example.com</sm:Host>
      <sm:Port>19003</sm:Port>
      <!-- Authentication: two modules are configured, SSL at the transport level
           and a WS-Security username token at the message level. -->
      <sm:Authentication>
        <!-- Transport SSL module (per its type name); the file below is the
             credential the service itself uses. -->
        <sm:Module xsi:type="sm:atc_transport_ssl.service">
          <sm:ServiceAuthentication>
            <!-- One PEM file that must hold both the service key and the certificate.
                 Because it contains the private key, keep it readable only by the
                 account that runs the service. -->
            <sm:X509CertKeyFile>/opt/qcg/etc/qcg-comp/certs/qcgcertkey.pem</sm:X509CertKeyFile>
          </sm:ServiceAuthentication>
        </sm:Module>
        <!-- Username authentication carried in the message (WS-Security, per the
             type name); users are verified through PAM via userdir_pam.
             NOTE(review): PAM needs the client's password, so the token presumably
             carries it inside the message and relies on the SSL module above for
             protection on the wire. Confirm before disabling either module. -->
        <sm:Module xsi:type="sm:atc_msg_wsse_username.service">
          <sm:UserdirModule>
            <sm:Module xsi:type="sm:userdir_pam"/>
          </sm:UserdirModule>
        </sm:Module>
        </sm:Authentication>
        <!-- Authorization: decided by the atz_username module; presumably keyed on
             the authenticated user name. Which users it admits is not configured
             here; verify against the module's documentation. -->
        <sm:Authorization>
          <sm:Module xsi:type="sm:atz_username"/>
        </sm:Authorization>
   </sm:Module>

Please note:

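  • qcgcertkey.pem must contain both the service key and the certificate; because it holds the private key, it should be readable only by the user that runs the service,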
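  • the <UnprivilegedUser> user that runs the service must be authorized to use the pam_authenticate method (e.g. with flat passwd files, the user's group must have read permission for the /etc/shadow file; grant this through a dedicated group rather than loosening the file's permissions for everyone, since the file holds the password hashes),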
  • you must provide a proper PAM configuration for the qcg-compd daemon:
    # cat /etc/pam.d/qcg-compd 
    #%PAM-1.0
    # auth: check the supplied credentials with the auth rules of the system-auth stack.
    auth       include      system-auth
    # account: also apply whatever account rules system-auth defines, so a user the
    # system stack refuses at the account stage is refused by qcg-compd as well.
    account    include      system-auth