API Gateway 10.11 | Using API Gateway | Aliases | Creating a SOAP Message Security Alias
 
Creating a SOAP Message Security Alias
You must have the API Gateway's manage aliases functional privilege assigned to perform this task.
A SOAP message security alias contains the message-level security information that is required to access the native API. If the native service is enforced with any WS-Security policy, API Gateway enforces those policies in the outbound request while accessing the native API, using the configuration parameters specified in the alias.
*To create a SOAP message secure alias
1. Expand the menu options icon in the title bar and select Aliases.
2. Click Create alias.
3. In the Basic information section, provide the following information:
*Name. Name of the alias.
*Type. Select SOAP message secure alias.
*Description. Description of the alias.
4. Click Technical information and provide the following information:
*Authentication scheme. Specify the type of authentication scheme you want to use to authenticate the client. Available values are:
*None. Does not use any authentication type to authenticate the client.
*WSS Username. Generates a WSS username token and sends it in the SOAP header to the native API.
*Kerberos. Fetches a Kerberos token and sends it to the native API.
*SAML. Fetches a SAML token and sends it to the native API.
The authentication scheme None does not require any properties.
For the authentication scheme WSS Username, authenticate using the following:
*Custom credentials. Specifies the values provided in the policy that are used to obtain the WSS username token to access the native API. Provide the following information:
*Username. Specifies the username used to generate the WSS username token.
*Password. Specifies the password used to generate the WSS username token.
For the authentication scheme Kerberos, authenticate using any of the following:
*Custom Credentials. Uses the Basic authentication credentials coming in the transport header of the incoming request as the client principal and client password. Provide the following information:
*Client principal. A valid client LDAP user name.
*Client password. A valid password of the client LDAP user.
*Service principal. A valid Service Principal Name (SPN). The specified value is used by the client to obtain a service ticket from the KDC server.
*Service principal nameform. Specifies the format of the principal name of the service that is registered with the principal database. Select one of the following:
*Username. Represents the principal name as a named user defined in LDAP that is used for authentication to the KDC.
*Hostbased. Represents the principal name using the service name and the host name, where the host name is that of the host computer.
*Delegate incoming credentials. Specifies the values provided in the policy that API providers use to select whether to delegate the incoming Kerberos token or act as a normal client. Provide the following information:
*Client principal. A valid client LDAP user name.
*Client password. A valid password of the client LDAP user.
*Service principal. A valid Service Principal Name (SPN). The specified value is used by the client to obtain a service ticket from the KDC server.
*Service principal nameform. Specifies the format of the principal name of the service that is registered with the principal database. Available values are:
*Username. Represents the principal name as a named user defined in LDAP that is used for authentication to the KDC.
*Hostbased. Represents the principal name using the service name and the host name, where the host name is that of the host computer.
*Incoming HTTP basic auth credentials. Uses the incoming HTTP basic authentication credentials to access the native API. Provide the following information:
*Service principal nameform. Specifies the format of the principal name of the service that is registered with the principal database. Select one of the following:
*Username. Represents the principal name as a named user defined in LDAP that is used for authentication to the KDC.
*Hostbased. Represents the principal name using the service name and the host name, where the host name is that of the host computer.
For the authentication scheme SAML:
*SAML issuer configuration. Specifies the SAML issuer configuration that API Gateway uses to fetch the SAML token, which is then added to the SOAP header and sent to the native API. This field is visible and required only if you have configured a SAML issuer in the Administration > Security > SAML issuer section.
Signing configurations
*Keystore alias. Specify the keystore that API Gateway uses while sending the request to the native API. A keystore is a repository of a private key and its corresponding public certificate.
*Key alias. The key alias identifies the private key that is used to sign the request sent to the native API.
Encryption configurations
*Truststore alias. Select the truststore that API Gateway uses when sending the request to the native API. A truststore is a repository that holds all the trusted public certificates.
*Certificate alias. Select the certificate from the truststore that is used to encrypt the request sent to the native API.
*Stage. Specify a stage if you want the alias to apply to a specific stage only.
5. Click Save.
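The WSS Username scheme above generates a WSS username token in the SOAP header of the outbound request. The following added example (not API Gateway's code) builds such a header as a PasswordDigest UsernameToken per the OASIS WS-Security UsernameToken Profile, and shows the check a native service should make on receipt; whether API Gateway sends digest or plain-text passwords is not stated on this page, and the function names, the 300-second replay window and the sample credentials are assumptions.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

# Namespace and type URIs from the OASIS WS-Security 1.0 UsernameToken Profile.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TS = "%Y-%m-%dT%H:%M:%SZ"  # xsd:dateTime in UTC, whole seconds
for prefix, uri in (("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), as the profile defines it."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def username_token_header(username: str, password: str, nonce: bytes = None, created: str = None) -> str:
    """Build the wsse:Security header the WSS Username scheme adds; nonce/created are overridable only for reproducibility."""
    nonce, created = nonce or os.urandom(16), created or datetime.now(timezone.utc).strftime(TS)
    sec = ET.Element(f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST).text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", EncodingType=B64).text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(sec, encoding="unicode")


def verify_username_token(header_xml: str, passwords: dict, now: str = None, max_skew_s: int = 300) -> bool:
    """Receiver-side check: recompute the digest from the stored password, reject tokens outside the replay window."""
    try:
        tok = ET.fromstring(header_xml).find(f"{{{WSSE}}}UsernameToken")
        user, created = tok.findtext(f"{{{WSSE}}}Username"), tok.findtext(f"{{{WSU}}}Created")
        pw_el, nonce = tok.find(f"{{{WSSE}}}Password"), base64.b64decode(tok.findtext(f"{{{WSSE}}}Nonce") or "")
        if None in (user, created, pw_el) or pw_el.get("Type") != DIGEST:
            return False
        created_dt = datetime.strptime(created, TS)
    except (ET.ParseError, AttributeError, ValueError):
        return False  # malformed XML, missing UsernameToken, bad base64 or unparsable timestamp
    now_dt = datetime.strptime(now, TS) if now else datetime.now(timezone.utc).replace(tzinfo=None)
    if user not in passwords or abs((now_dt - created_dt).total_seconds()) > max_skew_s:
        return False  # unknown user, or a stale/future-dated token (possible replay)
    expected = password_digest(nonce, created, passwords[user])
    return hmac.compare_digest(expected.encode(), (pw_el.text or "").encode())
```

The digest form never puts the password itself on the wire, but because SHA-1 over nonce + created + password is only as strong as the password, the transport to the native API should still be protected by TLS.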