With HTTP Basic Authentication, you can pass the credentials in the HTTP Request rather than in the SOAP Header, which is what you would do if using WS-Security. I am not advocating HTTP Basic Authentication over WS-Security, just pointing out the option.
I am not familiar with the PHP libraries you are using to setup your soap client, so I can't give you exact code to help you here. However, it should be in the area where you are configuring your request to the service. You will pass the username/password that corresponds to your authorized LiveCycle ES user.