Action: Require Signing
Note:
Dependency requirement: A policy that includes this action must also include the Identify Consumer action.
This action requires that an XML element (represented by an XPath expression) be signed. This action supports WS-SecurityPolicy 1.2 and cannot be used with REST virtual services or connector virtual services.
Prerequisites:
1. Configure Integration Server: Set up keystores and truststores in Integration Server (see the section Securing Communications with the Server in the document webMethods Integration Server Administrator’s Guide).
2. Configure CloudStreams: In the Integration Server Administrator, navigate to Solutions > CloudStreams > Administration > General and complete the IS Keystore Name, IS Truststore Name and Alias (signing) fields (as described in the section Setting the General Options in the document Administering webMethods CloudStreams). CloudStreams uses the signing alias specified in the Alias (signing) field to sign the response.
When this policy action is set for the virtual service, CloudStreams validates that the requests are properly signed, and provides signing for responses. CloudStreams supports signing either an entire SOAP message body or individual elements of the SOAP message body.
CloudStreams uses a digital signature element in the security header to verify that all elements matching the XPath expression were signed. If the request contains elements that were not signed or no signature is present, then CloudStreams rejects the request.
Note:
You must map the public certificate of the key used to sign the request to an Integration Server user. If the certificate is not mapped, CloudStreams returns a SOAP fault to the caller.
To set the Require Signing action parameters
1. In the CloudStreams Governance view, click the policy name.
2. In the policy editor on the right side of the page, double-click Require Signing in the Applied Actions list, and set the following action parameters.
Element Required To Be Signed
An XPath expression that represents the XML element that is required to be signed.
Namespace Prefix
Optional. Right-click the action name and click Add Namespace Prefix if you want to specify the namespace prefix of the element required to be signed. Enter the namespace prefix in the following format:
xmlns:<prefix-name>
The generated XPath element in the policy should look similar to this:
<sp:SignedElements xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <sp:XPath xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">//soapenv:Body</sp:XPath>
</sp:SignedElements>
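
The coverage rule described above (every element matching the XPath must be referenced by the signature in the security header, otherwise the request is rejected), sketched in Python as an added example; it is not CloudStreams code. The function names and the sample request are constructed, and the check only looks at same-document `#id` references without verifying the signature value itself.

```python
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
REF_PATH = "soapenv:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference"

def unsigned_elements(envelope_xml, xpath, ns=NS):
    """Return the tags of elements matching xpath that no ds:Reference in the
    WS-Security header points at. An empty list means full coverage.
    Raises ValueError when the security header carries no signature."""
    root = ET.fromstring(envelope_xml)
    refs = root.findall(REF_PATH, ns)
    if not refs:
        raise ValueError("no ds:Signature in the wsse:Security header")
    # Collect the ids named by same-document references (URI="#id").
    signed_ids = {r.get("URI", "")[1:] for r in refs if r.get("URI", "").startswith("#")}
    # ElementTree only accepts relative paths, so "//x" becomes ".//x".
    path = "." + xpath if xpath.startswith("//") else xpath
    missing = []
    for el in root.findall(path, ns):
        el_id = el.get(WSU_ID) or el.get("Id")
        if el_id is None or el_id not in signed_ids:
            missing.append(el.tag)
    return missing

def constructed_request(ref_uri, with_signature=True):
    """Constructed sample request; digest and signature values are left out."""
    sig = ""
    if with_signature:
        sig = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="%s"/>'
               '</ds:SignedInfo></ds:Signature>' % ref_uri)
    return ('<soapenv:Envelope xmlns:soapenv="%(soapenv)s" xmlns:wsse="%(wsse)s" '
            'xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">'
            '<soapenv:Header><wsse:Security>' % NS + sig +
            '</wsse:Security></soapenv:Header>'
            '<soapenv:Body wsu:Id="body-1"><order>42</order></soapenv:Body>'
            '</soapenv:Envelope>')

if __name__ == "__main__":
    # The XPath is the one from the generated policy fragment above.
    print(unsigned_elements(constructed_request("#body-1"), "//soapenv:Body"))
    print(unsigned_elements(constructed_request("#other-1"), "//soapenv:Body"))
```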