OK, to answer myself for future reference, I think I found what I was looking for:
First of all you need to create the web service endpoint using JAX-WS. While this can generally be achieved in different ways, it's required to use a contract-first approach when using WS-Security, as the policies declared in the wsdl are parsed by the Apache CXF engine on both server and client sides. So, here is an example of WSDL contract enforcing signature and encryption using X.509 certificates...
Sounds like I need to either get a wsdl with WS-Security tags or I'll have to modify it myself.
Sorry for the late feedback.
Yes, the suggested (and supported on EAP) way of configuring ws-security is through proper ws-policy assertions in the wsdl, so contract-first approach.
If manually modifying the wsdl is a problem (as you need to figure out which assertions to add), you might get some help from the following approach (requires latest version of jbossws):
1) use the tools to generate the endpoint from the wsdl that's been provided to you
2) use @PolicySets (WS-Policy - JBoss Web Services - Project Documentation Editor) for attaching one of the existing sample policies to the published endpoint
3) (optional) save the published wsdl and get back to full contract-first approach, removing the @PolicySets from your endpoint and referencing the saved wsdl; you can of course fine-tune the policies / assertions in the wsdl (and should, to be sure of getting the exact level of security you need).
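
For step 3, a way to check which security assertions a saved wsdl actually attaches to each binding before relying on it. This is an added example, not part of the posts above or of JBossWS; the function names and the sample wsdl are constructed for illustration, and it only follows local `#id` policy references attached at or below `wsdl:binding`.

```python
import xml.etree.ElementTree as ET
WSDL = "{http://schemas.xmlsoap.org/wsdl/}"
WSP = {"http://www.w3.org/ns/ws-policy", "http://schemas.xmlsoap.org/ws/2004/09/policy"}
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSU_ID = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Id"

# Constructed sample: one binding references a policy, the other has none.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:wsp="http://www.w3.org/ns/ws-policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <binding name="SecureBinding" type="PortType"><wsp:PolicyReference URI="#SecurityPolicy"/></binding>
  <binding name="PlainBinding" type="PortType"/>
  <wsp:Policy wsu:Id="SecurityPolicy"><wsp:ExactlyOne><wsp:All>
    <sp:AsymmetricBinding><wsp:Policy/></sp:AsymmetricBinding>
    <sp:SignedParts><sp:Body/></sp:SignedParts><sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
  </wsp:All></wsp:ExactlyOne></wsp:Policy>
</definitions>"""

def split(tag):  # '{ns}local' -> (ns, local)
    ns, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return ns, local

def audit_wsdl(wsdl_text):
    """Map each wsdl:binding name to the security assertions its policies carry."""
    root = ET.fromstring(wsdl_text)  # only parse wsdl files saved from your own endpoint
    policies = {}  # wsu:Id -> wsp:Policy element
    for el in root.iter():
        if split(el.tag)[0] in WSP and split(el.tag)[1] == "Policy" and el.get(WSU_ID):
            policies[el.get(WSU_ID)] = el
    report = {}
    for binding in root.iter(WSDL + "binding"):
        found = set()  # local names of WS-SecurityPolicy assertions reached from this binding
        for el in binding.iter():
            if split(el.tag)[0] in WSP and split(el.tag)[1] == "PolicyReference":
                policy = policies.get(el.get("URI", "").lstrip("#"))
                if policy is not None:
                    found |= {split(a.tag)[1] for a in policy.iter() if split(a.tag)[0] == SP}
        kinds = ("AsymmetricBinding", "SymmetricBinding", "TransportBinding")
        report[binding.get("name")] = {
            "binding": next((k for k in kinds if k in found), None),
            "signed": "SignedParts" in found,
            "encrypted": "EncryptedParts" in found,
        }
    return report

if __name__ == "__main__":
    for name, result in audit_wsdl(SAMPLE_WSDL).items():
        print(name, result)
```

A binding that reports `None` / `False` / `False` has no WS-SecurityPolicy assertions attached at binding level, so nothing in the contract asks the engine to sign or encrypt its messages.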