CentraSite 10.3 | CentraSite User’s Guide | Runtime Governance | Run-Time Policy Management | Built-In Run-Time Actions Reference (CentraSite Business UI) | Built-in Actions for Run-Time Policies (CentraSite Business UI) | Require Signing
 
Require Signing
This action applies only to SOAP APIs. It requires that a request's XML element, represented by an XPath expression, or parts of the SOAP request, such as the SOAP body or SOAP headers, be signed.
Prerequisites
1. Configure Integration Server: Set up keystores and truststores in Integration Server, as described in the webMethods Integration Server Administrator’s Guide.
2. Configure Mediator: In the Integration Server Administrator, navigate to Solutions > Mediator > Administration > General and complete the IS Keystore Name, IS Truststore Name and Alias (signing) fields, as described in Administering webMethods Mediator. Mediator uses the signing alias specified in the Alias (signing) field to sign the response.
When this action is configured for a proxy API, Mediator validates that the requests are properly signed, and provides signing for responses. Mediator provides support for signing an entire SOAP message body or individual elements of the SOAP message body. Mediator uses a digital signature element in the security header to verify that all elements matching the XPath expression are signed. If the request contains elements that are not signed or no signature is present, then Mediator rejects the request.
Note:
You must map the public certificate of the key, used to sign the request, to an Integration Server user. If the certificate is not mapped, Mediator returns a SOAP fault to the caller.
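The coverage check described above can be sketched as follows. This is an added example, not Mediator's implementation and not code from the CentraSite documentation; it checks only that each element matching the policy XPath is referenced from the ds:Signature in the security header, not that the signature is cryptographically valid. The function names, the constructed sample message, the duplicate-Id rejection, and the decision to reject a request in which nothing matches the XPath are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{" + NS["wsu"] + "}Id"
REF_PATH = "soapenv:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference"

def check_signed(envelope_xml, xpath):
    """Return (accepted, reason) for a policy XPath such as //soapenv:Body."""
    root = ET.fromstring(envelope_xml)
    uris = [r.get("URI", "") for r in root.findall(REF_PATH, NS)]
    signed_ids = {u[1:] for u in uris if len(u) > 1 and u.startswith("#")}
    if not signed_ids:
        return False, "no signature reference present"
    # Assumption: an Id carried by two elements makes a reference ambiguous.
    all_ids = [el.get(WSU_ID) for el in root.iter() if el.get(WSU_ID)]
    if len(all_ids) != len(set(all_ids)):
        return False, "duplicate wsu:Id"
    # ElementTree only accepts relative paths, so //x is searched as .//x
    matches = root.findall("." + xpath if xpath.startswith("//") else xpath, NS)
    if not matches:
        return False, "no element matches the policy XPath"  # assumption
    for el in matches:
        if el.get(WSU_ID) not in signed_ids:
            return False, "unsigned element: " + el.tag
    return True, "all matching elements are referenced"

def sample(body_id, ref_uri):
    """Constructed SOAP request; digest and signature values are omitted."""
    return f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}" xmlns:wsse="{NS['wsse']}"
  xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
 <soapenv:Header><wsse:Security><ds:Signature><ds:SignedInfo>
  <ds:Reference URI="{ref_uri}"/>
 </ds:SignedInfo></ds:Signature></wsse:Security></soapenv:Header>
 <soapenv:Body wsu:Id="{body_id}"><catalog xmlns="http://www.store.com"/></soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    for uri in ("#body-1", "#hdr-9", ""):
        print(repr(uri), check_signed(sample("body-1", uri), "//soapenv:Body"))
```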
Input Parameters
Sign By
Requires that a request's XML be signed.
Value
Description
Element
Select this option to sign the entire element, which is represented by an XPath expression.
Part
Select this option to sign a part of the SOAP request, such as the SOAP body or SOAP headers.
If Sign By Element is selected
Namespace
(String). Namespace of the element required to be signed.
Prefix
Enter the namespace prefix in the following format: xmlns:<prefix-name>. For example: xmlns:soapenv.
URI
The generated XPath element in the policy should look similar to this:
<sp:SignedElements xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <sp:XPath xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">//soapenv:Body</sp:XPath>
</sp:SignedElements>
Element Required to be Signed
(String). An XPath expression that represents the XML element that is required to be signed.
If Sign By Part is selected
Sign Part
Select the SOAP Body checkbox to sign a part of the SOAP request.
<sp:EncryptedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <sp:Body/>
</sp:EncryptedParts>
Sign SOAP Headers
Select this option to sign the header of the SOAP request. To specify multiple headers, use the plus button to add rows and the minus button to delete rows.
Name
(String). A name for the SOAP header field.
Namespace
(String). Namespace of the SOAP header required to be signed.

<sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <sp:Body/>
  <sp:Header Namespace="http://www.w3.org/2005/08/addressing" Name="To"/>
  <sp:Header Namespace="http://www.w3.org/2005/08/addressing" Name="From"/>
</sp:SignedParts>
Consider the following example of a SOAP message:
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
  </soap:Header>
  <soap:Body>
    <catalog xmlns="http://www.store.com">
      <name>My Book</name>
      <author>ABC</author>
      <price>100</price>
    </catalog>
  </soap:Body>
</soap:Envelope>
The XPath expression for the SOAP body of this message appears as follows:
/soap:Envelope/soap:Body