Module for AS4 Version 10.1, May 2019
 
Configuring Security
 
Configuring Certificates in Trading Networks
Configuring Receipts
Using Algorithm Suites
To secure your AS4 message exchange, configure the security TPA parameters in the requestUM or replyUM leg for a user message and in the requestSM leg for a pull signal.
*To configure security
1. In My webMethods, go to Applications > Administration > Integration > B2B > Trading Partner Agreements.
2. Select the TPA for which you want to configure security.
3. In the TPA Data panel, configure the security parameters as follows:
a. enablesecurity Whether security is enabled. Specify one of the following:
*true—Security is enabled.
*false—Security is disabled. This is the default.
b. includeTimeStamp Whether a time stamp is included in the security header. Specify one of the following:
*true—The time stamp is included in the security header.
*false—The time stamp is not included in the security header. This is the default.
c. x509 Information required to sign and encrypt an AS4 message using the WSS X.509 Certificate Token Profile. Configure the following parameters:
*sign Specifies whether the message is signed and which parts of the message are signed. When you use your own policy file for security settings, the values of the sign parameters are ignored. Configure the following parameters:
  enableSign Whether signing is enabled. Specify one of the following:
    true—Signing is enabled.
    false—Signing is disabled. This is the default.
  certificateId Optional. The certificate ID to use for signing or verifying a signature for a message. The partner certificate ID must be used while receiving a message. You can view the enterprise certificateId for the configured certificates in My webMethods Server: Partner Profiles > Certificates > Certificate ID column.
  element The XPath of each element that needs to be signed. For example, to sign the Timestamp element, add /soapenv:Envelope/soapenv:Header/Messaging/UserMessage/MessageInfo/Timestamp. Click Add or Insert to configure multiple element paths that need to be signed.
  attachments Whether signing of the attachments of a message is enabled. Specify one of the following:
    true—Signing of the attachments of a message is enabled.
    false—Signing of the attachments of a message is disabled. This is the default.
  signReceipt Whether signing of the receipt is enabled. Specify one of the following:
    true—Signing of the receipt is enabled.
    false—Signing of the receipt is disabled. This is the default.
    Note: If enableSign is set to false and signReceipt is set to true, the receipt is not signed.
  receiptCertificateID The certificate ID to use for signing the receipt.
  signReceiptBody Whether signing of the receipt body is enabled. Specify one of the following:
    true—Signing of the receipt body is enabled.
    false—Signing of the receipt body is disabled. This is the default.
    Note: This parameter can be enabled only if signReceipt is enabled.
    Configure the following parameter:
    element The path to the element that needs to be signed.
*encrypt Specifies whether the message is encrypted and which parts of the message are encrypted.
  Note: When you use your own policy file for security settings, the values of the encrypt parameters are ignored.
  Configure the following parameters:
  enableEncrypt Whether encryption is enabled. Specify one of the following:
    true—Encryption is enabled.
    false—Encryption is disabled. This is the default.
  certificateId The certificate ID to use for encrypting or decrypting a message. The partner certificate ID must be used for encryption while sending a message. The enterprise certificate ID must be used for decryption. You can view the enterprise certificateId for the configured certificates in My webMethods Server: Partner Profiles > Certificates > Certificate ID column.
  element The XPath of each element that needs to be encrypted. For example, to encrypt the Timestamp element, add /soapenv:Envelope/soapenv:Header/Messaging/UserMessage/MessageInfo/Timestamp. Click Add or Insert to add each element to be encrypted.
  attachments Whether encrypting the attachments of a message is enabled. Specify one of the following:
    true—Encrypting of the attachments of a message is enabled.
    false—Encrypting of the attachments of a message is disabled. This is the default.
  encryptBody Whether the body of a message is encrypted. Specify one of the following:
    true—Encryption of the message body is enabled. This is the default.
    false—Encryption of the message body is disabled.
*algorithmSuite Specifies the algorithm suite used for signing and encrypting. For more information about algorithm suites, see Using Algorithm Suites.
d. usernameToken Information needed to authenticate the AS4 message. Configure the following parameters:
*username User name to authenticate the message.
*password Password to authenticate the message.
*hashpassword Whether password hashing is enabled. Specify one of the following:
true—Password hashing is enabled.
false—Password hashing is disabled. This is the default.
e. policyFile Optional. Absolute path of the policy file. The policy file must adhere to the format specified in OASIS WS-SecurityPolicy.
f. pmodeAuthorize Whether to authorize the messages on the MEP leg for processing. Specify one of the following:
*true—Messages are authorized for processing.
*false—Messages are not authorized for processing. This is the default.
g. receipt Information that identifies how receipts are handled. Configure the following parameters:
*sendReceipt Whether a receipt (Receipt ebMS signal) is sent. Specify one of the following:
true—A receipt is sent.
false—A receipt is not sent. This is the default.
*replyPattern Specifies the reply pattern of the receipt signal. Specify one of the following:
response—The module sends the receipt on the back channel. This reply pattern can only be used with the One-Way/Push MEP. This is the default.
callback—The module sends the receipt signal as a separate request.
*replyTo Specifies the endpoint URL to which the receipt is sent. You must configure this parameter when replyPattern is set to callback.
*nonRepudiation Whether the hash values for the digests in the user message should be included in the receipt. Specify one of the following:
true—Hash values are included in the receipt.
false—Hash values are not included in the receipt. This is the default.
4. Click Save or Save and Close.
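The following linter, added here as an example and not part of the AS4 Module or its documentation, applies the dependency rules stated in the procedure above (policyFile overriding sign/encrypt settings, signReceipt and signReceiptBody depending on enableSign, callback receipts needing replyTo, response receipts only for One-Way/Push) to a TPA security configuration before it is saved. The dict layout, the function name and the MEP argument are assumptions made for this example, not the module's own storage format.

```python
# Added example (not the AS4 Module's code): lint the security TPA parameters
# documented above for settings that are ignored or silently do nothing.
# The dict layout and the `mep` argument are assumptions for this example.
from typing import Any, Dict, List


def lint_as4_security(tpa: Dict[str, Any], mep: str = "One-Way/Push") -> List[str]:
    """Return a list of findings; an empty list means no rule was violated."""
    findings: List[str] = []
    x509 = tpa.get("x509", {})
    sign = x509.get("sign", {})
    enc = x509.get("encrypt", {})
    receipt = tpa.get("receipt", {})
    token = tpa.get("usernameToken", {})

    # A custom WS-SecurityPolicy file overrides the x509 sign/encrypt parameters.
    if tpa.get("policyFile") and (sign.get("enableSign") or enc.get("enableEncrypt")):
        findings.append("policyFile is set: x509 sign/encrypt parameters are ignored")

    # Receipt signing only takes effect when message signing is enabled.
    if sign.get("signReceipt") and not sign.get("enableSign"):
        findings.append("signReceipt=true has no effect while enableSign=false")
    if sign.get("signReceiptBody") and not sign.get("signReceipt"):
        findings.append("signReceiptBody requires signReceipt=true")

    # Encryption enabled but nothing selected to encrypt (encryptBody defaults to true).
    if enc.get("enableEncrypt") and not (
        enc.get("encryptBody", True) or enc.get("element") or enc.get("attachments")
    ):
        findings.append("enableEncrypt=true but no body, element or attachment is selected")

    # Receipt reply pattern constraints (replyPattern defaults to response).
    pattern = receipt.get("replyPattern", "response")
    if pattern == "callback" and not receipt.get("replyTo"):
        findings.append("replyPattern=callback requires replyTo")
    if pattern == "response" and mep != "One-Way/Push":
        findings.append("replyPattern=response is only valid for the One-Way/Push MEP")
    if receipt.get("nonRepudiation") and not receipt.get("sendReceipt"):
        findings.append("nonRepudiation=true but sendReceipt=false: no receipt carries digests")

    # A UsernameToken without hashpassword carries the password as PasswordText.
    if token.get("username") and not token.get("hashpassword"):
        findings.append("usernameToken without hashpassword sends the password in clear text")
    return findings
```
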