Integration Server 10.15 | Web Services Developer’s Guide

Web Service Provider: Response (Outbound Security) Detailed Usage and Resolution Order
Keep the following information in mind when reviewing the table below:
* The table refers to keystore and key aliases for the Signing Key, the Decryption Key, and the SSL Key. You can configure these keystore and key aliases on the Security > Certificates page of the Integration Server Administrator.
* The usage order applies to all attributes of a policy assertion except where otherwise specified. If a policy assertion is not specified, then certificate and key resolution order is not applicable.
Note:
The message addressing endpoint alias referred to in the table is the endpoint alias that is mapped to the address in the response map of the provider endpoint alias. For more information about message addressing endpoint aliases, see Creating an Endpoint Alias for Message Addressing for Use with HTTP/S.
Security Action | Options | Usage/Resolution Order
Signature
1. Message Addressing Endpoint Alias
WS Security Properties/Keystore Alias
WS Security Properties/Key Alias
Note:
Applies only in case of non-anonymous asynchronous response messages and if there is a message addressing endpoint alias associated with the response endpoint address.
2. Provider Endpoint Alias
WS Security Properties/Keystore Alias
WS Security Properties/Key Alias
3. Listener (Port) Settings
Listener Specific Credentials/Keystore Alias
Listener Specific Credentials/Key Alias
4. Server Settings
Signing Key/Keystore Alias
Signing Key/Key Alias
5. Server Settings
SSL Key/Keystore Alias
SSL Key/Key Alias
Include the certificate path
1. Message Addressing Endpoint Alias
Entire certificate chain associated with the specified Key Alias is used
Note:
Applies only in case of non-anonymous asynchronous response messages and if there is a message addressing endpoint alias associated with the response endpoint address.
2. Provider Endpoint Alias
Entire certificate chain associated with the specified Key Alias is used
3. Listener (Port) Settings
Entire certificate chain associated with the specified Key Alias is used
4. Server Settings
Entire certificate chain associated with the Key Alias specified for Signing is used
5. Server Settings
Entire certificate chain associated with the Key Alias specified for SSL is used
Do not include the certificate path
1. Message Addressing Endpoint Alias
Only the server’s certificate (first certificate in the chain) associated with the specified Key Alias is used
Note:
Applies only in case of non-anonymous asynchronous response messages and if there is a message addressing endpoint alias associated with the response endpoint address.
2. Provider Endpoint Alias
Only the server’s certificate (first certificate in the chain) associated with the specified Key Alias is used
3. Listener (Port) Settings
Only the server’s certificate (first certificate in the chain) associated with the specified Key Alias is used
4. Server Settings
Only the server’s certificate (first certificate in the chain) associated with the Key Alias specified for Signing is used
5. Server Settings
Only the server’s certificate (first certificate in the chain) associated with the Key Alias specified for SSL is used
Encryption
1. Message Addressing Endpoint Alias
WS Security Properties/Partner’s Certificate
Note:
Applies only in case of non-anonymous asynchronous response messages and if there is a message addressing endpoint alias associated with the response endpoint address.
2. WS Security Header
Public key included in the request header
3. Certificate Mapping
Public key (certificate) associated with resolved user and Usage (in the order specified below) for one of:
* Encrypt
* VerifyAndEncrypt
* SSL
X.509 Authentication
Note:
Applies only in case of non-anonymous asynchronous response messages and if there is a message addressing endpoint alias associated with the response endpoint address.
1. Message Addressing Endpoint Alias
WS Security Properties/Keystore Alias
WS Security Properties/Key Alias
2. Endpoint Alias
WS Security Properties/Keystore Alias
WS Security Properties/Key Alias
3. Server Settings
Signing Key/Keystore Alias
Signing Key/Key Alias
4. Server Settings
SSL Key/Keystore Alias
SSL Key/Key Alias
Include the certificate path
1. Message Addressing Endpoint Alias
Entire certificate chain associated with the specified Key Alias is used
2. Provider Endpoint Alias
Entire certificate chain associated with the specified Key Alias is used
3. Server Settings
Entire certificate chain associated with the Key Alias specified for Signing is used
4. Server Settings
Entire certificate chain associated with the Key Alias specified for SSL is used
Do not include the certificate path
1. Message Addressing Endpoint Alias
Only the server’s certificate (first certificate in the chain) associated with the specified Key Alias is used
2. Endpoint Alias
Only the server’s certificate (first certificate in the chain) associated with the specified Key Alias is used
3. Server Settings
Only the server’s certificate (first certificate in the chain) associated with the Key Alias specified for Signing is used
4. Server Settings
Only the server’s certificate (first certificate in the chain) associated with the Key Alias specified for SSL is used
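
The Signature and X.509 Authentication orders from the table, modelled as a first-match lookup so you can check which key a given configuration ends up using. This is an added example, not Integration Server code; the source names, the config layout and the sample aliases are hypothetical, and the table's "Endpoint Alias" and "Provider Endpoint Alias" are treated as the same source.

```python
# Added example: a model of the resolution order in the table, not Integration Server code.
# Source names and the config dict layout are hypothetical; alias values are constructed.
ORDER = {
    "signature": ["message_addressing_alias", "provider_endpoint_alias",
                  "listener", "server_signing_key", "server_ssl_key"],
    # X.509 Authentication has no listener step in the table.
    "x509_authentication": ["message_addressing_alias", "provider_endpoint_alias",
                            "server_signing_key", "server_ssl_key"],
}

def resolve_key(action, config, async_non_anonymous=False, include_cert_path=True):
    """Return the first source in the order that has both aliases set, or None."""
    for source in ORDER[action]:
        # Per the table's note, the message addressing alias is considered only
        # for non-anonymous asynchronous responses.
        if source == "message_addressing_alias" and not async_non_anonymous:
            continue
        entry = config.get(source) or {}
        if not (entry.get("keystore_alias") and entry.get("key_alias")):
            continue
        chain = entry.get("chain", [])
        return {
            "source": source,
            "keystore_alias": entry["keystore_alias"],
            "key_alias": entry["key_alias"],
            # Whole chain, or only the first (server) certificate.
            "certs": list(chain) if include_cert_path else list(chain[:1]),
            # True when the lookup fell through to the key also used for SSL.
            "uses_ssl_key": source == "server_ssl_key",
        }
    return None

# Constructed sample: provider alias left empty, no server Signing Key configured.
SAMPLE = {
    "message_addressing_alias": {"keystore_alias": "MA_KS", "key_alias": "ma_key",
                                 "chain": ["ma-leaf", "ma-ca"]},
    "provider_endpoint_alias": {"keystore_alias": "", "key_alias": ""},
    "listener": {"keystore_alias": "PORT_KS", "key_alias": "port_key",
                 "chain": ["port-leaf", "issuing-ca", "root-ca"]},
    "server_ssl_key": {"keystore_alias": "SSL_KS", "key_alias": "ssl_key",
                       "chain": ["ssl-leaf", "root-ca"]},
}

if __name__ == "__main__":
    for action in ORDER:
        print(action, resolve_key(action, SAMPLE, include_cert_path=False))
```

With the sample configuration, a synchronous response is signed with the listener key, while X.509 Authentication falls through to the SSL key because no Signing Key is set; `uses_ssl_key` makes that fallback visible when reviewing a configuration.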