Designer 10.7 | Cloudstreams Development Help | CloudStreams Governance Project | Policies | Action: Require Encryption
 
Action: Require Encryption
This action requires that an XML element (which is represented by an XPath expression) be encrypted. This action supports WS-SecurityPolicy 1.2 and cannot be used with REST virtual services or connector virtual services.
Prerequisites:
1. Configure Integration Server: Set up keystores and truststores in Integration Server (see the section Securing Communications with the Server in the document webMethods Integration Server Administrator’s Guide).
2. Configure CloudStreams: In the Integration Server Administrator, navigate to Solutions > CloudStreams > Administration > General and complete the IS Keystore Name, IS Truststore Name and Alias (signing) fields, as described in the section Setting the General Options in the document Administering webMethods CloudStreams).
When this policy action is set for the virtual service, CloudStreams provides decryption of incoming requests and encryption of outgoing responses. CloudStreams can encrypt and decrypt only individual elements in the SOAP message body that are defined by the XPath expressions configured for the policy action. CloudStreams requires that requests contain the encrypted elements that match those in the XPath expression. You must encrypt the entire element, not just the data between the element tags. CloudStreams rejects requests if the element name is not encrypted.
Note:
Do not encrypt the entire SOAP body because a SOAP request without an element will appear to CloudStreams to be malformed.
CloudStreams attempts to encrypt the response elements that match the XPath expressions with those defined for the policy. If the response does not have any elements that match the XPath expression, CloudStreams will not encrypt the response before sending. If the XPath expression resolves a portion of the response message, but CloudStreams cannot locate a certificate to encrypt the response, then CloudStreams sends a SOAP fault exception to the consumer and a Policy Violation event notification to CloudStreams.
*How CloudStreams Encrypts Responses
The Require Encryption action encrypts the response back to the client by dynamically setting a public key alias at run time. CloudStreams determines the public key alias as follows:
1. If CloudStreams can access the X.509 certificate of the client (based on the incoming request signature), it will use "useReqSigCert" as the public key alias.
OR
2. If the Identify Consumer action is present in the policy (and it successfully identifies a consumer application), then CloudStreams will look for a public key alias with that consumer name in the IS Keystore Name property. The IS Keystore Name property is specified in the Integration Server Administrator, under Solutions > CloudStreams > Administration > General. This property should be set to an Integration Server keystore that CloudStreams will use.
For an Identify Consumer action that allows for anonymous usage, CloudStreams does not require a consumer name in order to send encrypted responses. In this case, CloudStreams can use one of the following to encrypt the response in the following order, depending on what is present in the security element:
a. A signing certificate.
b. Consumer name.
c. WSS username, SAML token or X.509 certificate.
d. HTTP authorized user.
OR
3. If CloudStreams can determine the current IS user from the request (that is, if an Integration Server WS-Stack determined that Subject is present), then the first principal in that subject is used.
OR
4. If the above steps all fail, then CloudStreams will use either the WS-Security username token or the HTTP Basic-Auth user name value. There should be a public key entry with the same name as the identified username.
To set the Require Encryption action parameters
1. In the CloudStreams Governance view, click the policy name.
2. In the policy editor on the right side of the page, double-click Require Encryption in the Applied Actions list, and set the following action parameters.
Element Required To Be Encrypted
An XPath expression that represents the XML element that is required to be encrypted.
Namespace Prefix
Optional. Right-click the action name and click Add Namespace Prefix if you want to specify the namespace prefix of the element required to be encrypted. Enter the namespace prefix in the following format:
xmlns:<prefix-name>
For example: xmlns:soapenv. For more information, see the XML Namespaces specifications at http://www.w3.org/TR/REC-xml-names/#ns-decl.
The generated XPath element in the policy should look similar to this:
<sp:SignedElements xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-
securitypolicy/200702">
<sp:XPath
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">//soapenv:Body</sp
:XPath>
</sp:SignedElements>
Related Topics
Create a New Policy Wizard
General Properties View (Policy)
Action: Authorize User
Action: Identify Consumer
Action: Require HTTP Basic Authentication
Action: Require Signing
Action: Require SAML Token
Action: Require WSS Username
Action: Require X.509 Token