Require Signing
This action is applicable only for SOAP APIs. Requires that a request's XML elements, which is represented by an XPath expression or parts of soap request such as soap body or soap headers be signed.
Prerequisites
1. Configure Integration Server: Set up keystores and truststores in Integration Server, as described in the webMethods Integration Server Administrator’s Guide.
2. Configure Mediator: In the Integration Server Administrator, navigate to Solutions > Mediator > Administration > General and complete the IS Keystore Name, IS Truststore Name and Alias (signing) fields, as described in Administering webMethods Mediator. Mediator uses the signing alias specified in the Alias (signing) field to sign the response.
When this action is configured for a proxy API, Mediator validates that the requests are properly signed, and provides signing for responses. Mediator provides support for signing an entire SOAP message body or individual elements of the SOAP message body. Mediator uses a digital signature element in the security header to verify that all elements matching the XPath expression are signed. If the request contains elements that are not signed or no signature is present, then Mediator rejects the request.
Note:
You must map the public certificate of the key, used to sign the request, to an Integration Server user. If the certificate is not mapped, Mediator returns a SOAP fault to the caller.
Input Parameters
Sign By | Requires that a request's XML be signed. |
Value | Description |
Element | Select this option to sign the entire element, which is represented by an XPath expression. |
Part | Select this option to sign the part of soap request such as soap body or soap headers. |
If Sign By Element is selected |
Namespace | (String). Namespace of the element required to be signed. |
Prefix | Enter the namespace prefix in the following format: xmlns:<prefix-name> . For example: xmlns:soapenv. |
URI | The generated XPath element in the policy should look similar to this: <sp:SignedElements xmlns:sp= "http://docs.oasis-open.org/ws-sx/ ws-securitypolicy/200702"> <sp:XPath xmlns:soapenv= "http://schemas.xmlsoap.org/soap/envelope /">//soapenv:Body</sp:XPath> </sp:SignedElements> |
Element Required to be Signed | (String). An XPath expression that represents the XML element that is required to be signed. |
If Sign By Part is selected |
Sign Part | Mark the SOAP Body checkbox to sign a part of the soap request. -<sp:EncryptedParts xmlns:sp= "http://docs.oasis-open.org/ws-sx /ws-securitypolicy/200702"> <sp:Body/> </sp:EncryptedParts> |
Sign SOAP Headers | Select this option to sign the header of the soap request. To specify multiple headers, use the plus button to add rows and minus button to delete rows. |
Name | (String). A name for the SOAP header field. |
Namespace | (String). Namespace of the soap header required to be signed. -<sp:SignedParts xmlns: sp="http://docs.oasis-open.org /ws-sx/ws-securitypolicy/200702"> <sp:Body/> <sp:Header Namespace="http:// www.w3.org/2005/08/addressing " Name="To"/> <sp:Header Namespace ="http://www.w3.org/2005/08/ addressing" Name="From"/> </sp:SignedParts>
|
Consider the following example of a SOAP message:
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
</soap:Header>
<soap:Body>
<catalog xmlns="http://www.store.com">
<name>My Book</name>
<author>ABC</author>
<price>100</price>
</catalog>
</soap:Body>
</soap:Envelope>
The XPath expression for the SOAP expression appears as follows:
/soap:Envelope/soap:Body