CloudStreams 10.5 | webMethods CloudStreams | Administering webMethods CloudStreams | Policies | The Policy Actions | The Policy Action Reference | Require Encryption
 
Require Encryption
This action requires that an XML element (which is represented by an XPath expression) be encrypted. This action supports WS-SecurityPolicy 1.2 and cannot be used with REST services or connector virtual services.
Prerequisites:
1. Configure Integration Server: Set up keystores and truststores in Integration Server (see the section Securing Communications with the Server in the document webMethods Integration Server Administrator’s Guide).
2. Configure CloudStreams: In the Integration Server Administrator, navigate to Solutions > CloudStreams > Administration > General and complete the IS Keystore Name, IS Truststore Name and Alias (signing) fields, as described in Setting the General Options.
When this policy action is set for the virtual service, CloudStreams provides decryption of incoming requests and encryption of outgoing responses. CloudStreams can encrypt and decrypt only individual elements in the SOAP message body that are defined by the XPath expressions configured for the policy action. CloudStreams requires that requests contain the encrypted elements that match those in the XPath expression. You must encrypt the entire element, not just the data between the element tags. CloudStreams rejects requests if the element name is not encrypted.
Note:
Do not encrypt the entire SOAP body because a SOAP request without an element will appear to CloudStreams to be malformed.
CloudStreams attempts to encrypt the response elements that match the XPath expressions defined for the policy. If the response does not have any elements that match the XPath expression, CloudStreams will not encrypt the response before sending. If the XPath expression resolves a portion of the response message, but CloudStreams cannot locate a certificate to encrypt the response, then CloudStreams sends a SOAP fault exception to the consumer and a Policy Violation event notification to CloudStreams.
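The distinction the preceding paragraphs draw (whole element encrypted versus only its content, and a Body with nothing left in it) is worth seeing on concrete messages. The following is an added example, not CloudStreams code: a small pre-check over an incoming SOAP envelope that classifies a request the way the text describes, using only the standard library. The payments namespace, the CreditCard element and the sample envelopes are constructed for the example; real XPath matching against the plaintext element happens only after decryption, so this check can only tell an element-level xenc:EncryptedData stand-in from the rejection cases.

```python
import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC_ELEMENT = XENC + "Element"   # the whole element was replaced by EncryptedData
XENC_CONTENT = XENC + "Content"   # only the element's children were encrypted
ENCRYPTED_DATA = "{%s}EncryptedData" % XENC


def check_required_encryption(envelope_xml, required):
    """required: list of (namespace, local-name) pairs that the policy demands
    arrive fully encrypted. Returns (accepted, reason)."""
    root = ET.fromstring(envelope_xml)
    body = root.find("{%s}Body" % SOAPENV)
    if body is None:
        return False, "no SOAP Body"
    # Encrypting the entire Body leaves Content-type EncryptedData directly under
    # it; the required element is then not locatable at all (the 'malformed' case).
    for child in body:
        if child.tag == ENCRYPTED_DATA and child.get("Type") == XENC_CONTENT:
            return False, "entire SOAP Body content encrypted; required element not locatable"
    for ns, local in required:
        clear = body.find(".//{%s}%s" % (ns, local))
        if clear is not None:
            inner = list(clear)
            if (len(inner) == 1 and inner[0].tag == ENCRYPTED_DATA
                    and inner[0].get("Type") == XENC_CONTENT):
                return False, "%s: only the content was encrypted; element name still in the clear" % local
            return False, "%s: not encrypted" % local
        # The element name is gone: acceptable only if an element-level
        # EncryptedData stands in for it (decryption later confirms the match).
        stand_ins = [e for e in body.iter(ENCRYPTED_DATA) if e.get("Type") == XENC_ELEMENT]
        if not stand_ins:
            return False, "%s: missing and no element-level EncryptedData present" % local
    return True, "all required elements arrive as whole-element EncryptedData"


# ---- constructed sample requests (hypothetical payments service) ----
PAY_NS = "urn:example:payments"
REQUIRED = [(PAY_NS, "CreditCard")]


def _envelope(body_inner):
    return ('<soapenv:Envelope xmlns:soapenv="%s" xmlns:pay="%s" xmlns:xenc="%s">'
            '<soapenv:Body>%s</soapenv:Body></soapenv:Envelope>'
            % (SOAPENV, PAY_NS, XENC, body_inner))


def _encrypted(enc_type):
    return ('<xenc:EncryptedData Type="%s"><xenc:CipherData>'
            '<xenc:CipherValue>QkFTRTY0Q0lQSEVSVEVYVA==</xenc:CipherValue>'
            '</xenc:CipherData></xenc:EncryptedData>' % enc_type)


SAMPLE_REQUESTS = {
    # whole <pay:CreditCard> replaced by EncryptedData: what the policy wants
    "whole_element": _envelope(_encrypted(XENC_ELEMENT)),
    # element name in the clear, only its children encrypted: rejected
    "content_only": _envelope("<pay:CreditCard>%s</pay:CreditCard>" % _encrypted(XENC_CONTENT)),
    # entire Body content encrypted: looks malformed to the policy
    "whole_body": _envelope(_encrypted(XENC_CONTENT)),
    # nothing encrypted at all: rejected
    "plaintext": _envelope("<pay:CreditCard><pay:Number>0000</pay:Number></pay:CreditCard>"),
}


def run_samples():
    """Classify every constructed request; returns {name: (accepted, reason)}."""
    return {name: check_required_encryption(xml, REQUIRED)
            for name, xml in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print("%-14s %s  %s" % (name, "ACCEPT" if ok else "REJECT", reason))
```

Only the first sample is accepted; the other three correspond to the three rejection cases the text names (content-only encryption, whole-Body encryption, no encryption).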
How CloudStreams Encrypts Responses:
The Require Encryption action encrypts the response back to the client by dynamically setting a public key alias at run time. CloudStreams determines the public key alias as follows:
1. If CloudStreams can access the X.509 certificate of the client (based on the incoming request signature), it will use useReqSigCert as the public key alias.
OR
2. If the Identify Consumer action is present in the policy (and it successfully identifies a consumer application), then CloudStreams will look for a public key alias with that consumer name in the IS Keystore Name property. The IS Keystore Name property is specified in the Integration Server Administrator, under Solutions > CloudStreams > Administration > General. This property should be set to an Integration Server keystore that CloudStreams will use.
For an Identify Consumer action that allows for anonymous usage, CloudStreams does not require a consumer name in order to send encrypted responses. In this case, CloudStreams uses the first of the following that is present in the security element to encrypt the response:
* A signing certificate.
* Consumer name.
* WSS username, SAML token or X.509 certificate.
* HTTP authorized user.
OR
3. If CloudStreams can determine the current IS user from the request (that is, if the Integration Server WS-Stack has determined that a Subject is present), then the first principal in that Subject is used.
OR
4. If the above steps all fail, then CloudStreams will use either the WS-Security username token or the HTTP Basic-Auth user name value. There should be a public key entry with the same name as the identified username.
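The four steps above are a precedence order, and the outcome when the chosen alias has no certificate is the SOAP fault described earlier. The following is an added example, not CloudStreams code, that models that order as a function over a simplified description of the request's security state plus the set of aliases in the IS Keystore. The field names of the context dictionary are assumptions made for the example; so is the reading that a step counts as succeeded once it yields a name, with a name absent from the keystore producing the policy violation rather than falling through to the next step.

```python
class PolicyViolation(Exception):
    """Stands in for the SOAP fault plus Policy Violation event the text describes."""


def resolve_encryption_alias(ctx, keystore_aliases):
    """Return the public key alias used to encrypt the response.

    ctx (constructed model of the request's security state):
      request_signature_cert: bool      X.509 cert recoverable from the request signature
      consumer_name: str or None        result of Identify Consumer, if present and successful
      subject_principals: list of str   principals of the IS Subject set by the WS-Stack
      wss_username: str or None         WS-Security UsernameToken user
      http_basic_user: str or None      HTTP Basic-Auth user
    """
    # Step 1: the client's own signing certificate, no keystore lookup needed.
    if ctx.get("request_signature_cert"):
        return "useReqSigCert"

    # Steps 2-4 each yield a candidate alias name; the first one available wins.
    candidate = None
    if ctx.get("consumer_name"):                       # step 2: Identify Consumer
        candidate = ctx["consumer_name"]
    elif ctx.get("subject_principals"):                # step 3: first principal of the Subject
        candidate = ctx["subject_principals"][0]
    elif ctx.get("wss_username"):                      # step 4: WS-Security username token ...
        candidate = ctx["wss_username"]
    elif ctx.get("http_basic_user"):                   # ... or HTTP Basic-Auth user name
        candidate = ctx["http_basic_user"]

    if candidate is None:
        raise PolicyViolation("no identity in request to derive a public key alias from")
    # The alias must exist as a public key entry in the IS Keystore.
    if candidate not in keystore_aliases:
        raise PolicyViolation("no certificate for alias %r in IS Keystore" % candidate)
    return candidate


if __name__ == "__main__":
    keystore = {"acme-app", "alice"}                   # constructed keystore contents
    print(resolve_encryption_alias({"request_signature_cert": True}, keystore))
    print(resolve_encryption_alias({"consumer_name": "acme-app", "wss_username": "alice"}, keystore))
    print(resolve_encryption_alias({"wss_username": "alice"}, keystore))
    try:
        resolve_encryption_alias({"http_basic_user": "mallory"}, keystore)
    except PolicyViolation as exc:
        print("fault:", exc)
```

Running it prints useReqSigCert, acme-app and alice for the first three requests, and the fault for the last one, whose Basic-Auth user has no keystore entry.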
Input Parameters
Element Required to be Encrypted
An XPath expression that represents the XML element that is required to be encrypted.
Namespace Prefix
Optional. Right-click the action name and click Add Namespace Prefix if you want to specify the namespace prefix of the element required to be encrypted. Enter the namespace prefix in the following format:
xmlns:prefix-name
For example:
xmlns:soapenv
For more information, see the XML Namespaces specifications at http://www.w3.org/TR/REC-xml-names/#ns-decl.
See below for an example XPath element generated in the policy.
Example Generated XPath Element
The generated XPath element in the policy should look similar to this:
<sp:SignedElements xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:XPath xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">//soapenv:Body</sp:XPath>
</sp:SignedElements>