Integration Server 10.15 | Built-In Services Reference Guide | Security Folder | Summary of Elements in this Folder | pub.security:decryptAndVerify
 
pub.security:decryptAndVerify
WmPublic. Decrypts the encrypted data and verifies the associated digital signature.
Input Parameters
data
Document. The data that you want to decrypt and verify must be in one of the following formats. If multiple input parameters are supplied for data, the service throws an exception stating that only one parameter must be passed.
Key
Description
string
String. Optional. The string that you want to decrypt and verify.
stream
java.io.InputStream. Optional. The stream data that you want to decrypt and verify.
bytes
byte[ ]. Optional. The byte array that you want to decrypt and verify.
file
String. Optional. The absolute or relative path of the file that you want to decrypt and verify. If the file is outside the Integration Server or Microservices Runtime installation directory, provide the absolute path. Otherwise, place the file in your Integration Server or Microservices Runtime working directory.
The About page in Integration Server Administrator and Microservices Runtime Administrator displays the working directory. The watt.server.homeDir server configuration parameter also specifies the working directory.
loadAs
String. Optional. The format in which the service returns the output. Set to:
*bytes to return the output as a byte array. This is the default.
*stream to return the output as a stream object.
*string to return the output as a string.
secretKey
Document. The secret key to extract the private key required to decrypt the data.
Provide secretKeyBytes, secretKeyString, or secretKeyRingFile. If you provide secretKeyRingFile, you must also provide secretKeyAlias. Otherwise, the service throws an exception.
Key
Description
secretKeyBytes
byte[ ]. Optional. The secret key file in bytes.
Note:
Secret key files have a .asc extension.
secretKeyString
String. Optional. The secret key as a string.
secret​KeyRingFile
String. Optional. The absolute or relative path of the secret keyring file. The secret keyring file is a collection of secret keys with a unique key ID. If the file is outside the Integration Server or Microservices Runtime installation directory, provide the absolute path. Otherwise, place the file in your Integration Server or Microservices Runtime working directory.
The About page in Integration Server Administrator and Microservices Runtime Administrator displays the working directory. The watt.server.homeDir server configuration parameter also specifies the working directory.
Note:
Secret keyring files have a .skr extension.
secretKeyAlias
String. Optional. The 64 bit (16 characters) key identifier of the secret key.
Note:
This parameter is required only when you use secretKeyRing​File.
secretKey ​Passphrase
String. Password required to extract the private key from the secret key. This is the password provided while generating the secret key.
publicKey
Document. The public key required to verify the digital signature associated with the data.
Provide publicKeyBytes, publicKeyString, or publicKeyRingFile. If you provide publicKeyRingFile, you must also provide publicKeyAlias. Otherwise, the service throws an exception.
Key
Description
publicKeyBytes
Object List. Optional. One or more public key files as byte arrays.
Note:
Public key files have a .asc extension.
publicKeyString
String List. Optional. One or more public keys as strings.
public​KeyRingFile
String. Optional. The absolute or relative path of the public keyring file. The public keyring file is a collection of public keys with a unique key ID. If the file is outside the Integration Server or Microservices Runtime installation directory, provide the absolute path. Otherwise, place the file in your Integration Server or Microservices Runtime working directory.
The About page in Integration Server Administrator and Microservices Runtime Administrator displays the working directory. The watt.server.homeDir server configuration parameter also specifies the working directory.
Note:
Public keyring files have a .pkr extension.
publicKeyAlias
String List. Optional. One or more public key aliases as strings. A public key alias is the 64-bit (16 characters) key identifier of a public key.
Note:
This parameter is required only when you use publicKeyRingFile.
Output Parameters
stream
java.io.OutputStream. Conditional. Decrypted and verified data as an output stream. Returned when the loadAs input parameter is set to stream.
bytes
byte[ ]. Conditional. Decrypted and verified data as bytes. Returned when the loadAs input parameter is set to bytes.
string
String. Conditional. Decrypted and verified data as a string. Returned when the loadAs input parameter is set to string.
verified
Boolean. Indicates whether the signature associated with the data is verified or not. A value of:
*true indicates that the signed data is verified.
*false indicates that the signed data is not verified.
status
String. Indicates whether the data is successfully decrypted and verified. If successful, status is success. Otherwise, status contains failure along with an error message.
Usage Notes
Use the pub.security:decryptAndVerify service when an external system connected to Integration Server requires decrypted data with verified signature.
Prerequisites to use the pub.security:decryptAndVerify service:
*Generate a public-secret key pair for Integration Server.
*Make sure that the external system has access to Integration Server's public key.
*Make sure that Integration Server has access to external's system's public key.
Decryption and verification works as follows:
1. The external system sends the data encrypted with Integration Server's public key and signed with its secret key.
2. Integration Server receives the data and passes it to the pub.security:decryptAndVerify service.
3. The service uses the private key extracted from the secret key to decrypt the data.
4. The service then uses the external system's public key to verify the signature of the decrypted data.
5. The service returns the decrypted and verified data.
To decrypt and verify the data signed and encrypted for multiple users, you must provide your secret key and the users' public keys to the service. You can provide the public keys to the service as a list of byte arrays, strings, or a keyring file. If you provide a keyring file, you must also provide the public key aliases.
Integration Server is in FIPS mode, if the watt.security.fips.mode server configuration parameter is set to true.
Authentication keys used in this service must be in the PGP format and generated using the RSA encryption algorithm.
Note:
Authentication keys in the .ecc format are not supported.