This policy is used to apply WS-Security settings while forwarding the request to the SOAP type backend web service via Apinizer.

With this policy, users can set the following settings in WS-Security standards to the message:

  1. Adding time-to-live information
  2. Adding Username Token information
  3. Creating Encrypted fields
  4. Create Signed fields

The image containing the policy settings is given below:


The policy fields are shown in the table below.

FieldDescription

Operation Sequence

The execution order of the WS-Security settings to be applied is displayed. Sorting can be managed by drag-and-drop method.

Must Understand

This field is used to set the mustUnderstand attribute value of the added WS-Security XML elements to true or false.

Add Entry

It is the part that allows the necessary settings to be added by selecting them.

Sections

Timestamp

The image containing the timestamp settings is given below:


The fields used for the timestamp configuration are shown in the table below.

FieldDescription

TTL (sec)

It is used to embed the information of how long the message is valid in the message. The default unit is seconds.

Username Token

The image containing the username token settings is given below:


The fields used for the username token configuration are shown in the table below.

FieldDescription

Username

It is the username information that the backend SOAP web service expects.

Password

It is the password information that the backend SOAP web service expects.

Nonce

If this field is checked, nonce information is generated and added to the WS-Security UsernameToken element.
CreatedIf this field is checked, created information is generated and added to the WS-Security UsernameToken element.

Password Type

Password type can be Text or Digest.

When Text is selected, the password field is clearly sent to the backend SOAP web service, when digest is selected, it is encrypted.

Digest Password generation algorithm:

Base64 ( SHA1 ( nonce + created + clear text password ) )

Encryption

With the settings made in this section, the desired parts of the message are encrypted and sent to the backend SOAP web service.

The image containing the encryption settings is given below:


The fields used for encryption configuration are shown in the table below.

FieldDescription
Key StoreKeyStore information that will be used to encrypt the area to be encrypted.

Key Identifier Type

This is the part where the key identifier type is set.

TypeDescription
Binary Security Token

The signing method takes the signing certificate, converts it to a BinarySecurityToken, puts it in the security header, and inserts a Reference to the binary security token into the wsse:SecurityReferenceToken . Thus the whole signing certificate is transfered to the receiver. The X509 profile recommends to use "Issuer Name and Serial Number" instead of sending the whole certificate.

Please refer to WS Security specification X509 1.1 profile, chapter 3.3.2 and to WS Security SOAP Message security 1.1 specification, chapter 7.2
Note: only local references to BinarySecurityToken are supported

Issuer Name and Serial Number

In contrast to "Binary Security Token" only the issuer name and the serial number of the signing certificate are sent to the receiver. This reduces the amount of data being sent. The encryption method uses the public key associated with this certificate to encrypt the symmetric key used to encrypt data.
Please refer to WS Security specification X509 1.1 profile, chapter 3.3.3

X509 Certificate

The encryption method uses the public key associated with this certificate to encrypt the symmetric key used to encrypt data. The certificate is converted into a KeyIdentifier token and sent to the receiver. Thus the complete certificate data is transfered to receiver. The X509 profile recommends to use "Issuer Name and Serial Number" method instead of sending the whole certificate. 

Please refer to WS Security SOAP Message security 1.1 specification, chapter 7.3. Note that this is a NON-STANDARD method. The standard way to refer to an X.509 Certificate via a KeyIdentifier is to use "Subject Key Identifier"

Subject Key Identifier

Sends a "SubjectKeyIdentifier" to identify  the signing certificate.
Refer to WS Security specification X509 1.1 profile, chapter 3.3.1

Thumbprint SHA1 IDENTIFIER

"Thumbprint SHA1 IDENTIFIER" is used to set the specific key identifier ThumbprintSHA1.

This identifier uses the SHA-1 digest of a security token to identify the security token. Please refer to chapter 7.2 of the OASIS WSS 1.1 specification.

Embedded Key Info

Embeds a keyinfo/key name into the EncryptedData element.

Embed Security Token Reference

Embeds a keyinfo/wsse:SecurityTokenReference into EncryptedData element.

Custom Key Info

"Custom Key Info" is used internally only to set a specific Signature behavior.

The signing key, reference id and value type are set externally. 

Symmetric Encoding Algorithm

It is used to select the Symmetric Encryption Algorithm.

It can be one of 3 values: AES-128-CBC, AES-192-CBC, AES-256-CBC

Key Encryption Algorithm

It is used to select the Key Encryption Algorithm.

It can be one of 2 values: rsa-1_5, rsa-oaep-mgf1p

Encryption Parts

This is the part where the fields of the message to be encrypted are selected. It allows multiple fields to be encrypted.

The name of the element to be encrypted, namespace information, whether the content or the element should be encrypted information is entered and the definition is made.

Signature

The image containing the signature settings is given below:


The fields used for signature configuration are shown in the table below.

FieldDescription
Key StoreKeyStore information that will be used for signing the field to be signed.

Key Identifier Type

This is the part where the Key Identifier Type is set.

TypeDescription
Binary Security Token

The signing method takes the signing certificate, converts it to a BinarySecurityToken, puts it in the security header, and inserts a Reference to the binary security token into the wsse:SecurityReferenceToken . Thus the whole signing certificate is transfered to the receiver. The X509 profile recommends to use "Issuer Name and Serial Number" instead of sending the whole certificate.

Please refer to WS Security specification X509 1.1 profile, chapter 3.3.2 and to WS Security SOAP Message security 1.1 specification, chapter 7.2
Note: only local references to BinarySecurityToken are supported

Issuer Name and Serial Number

In contrast to "Binary Security Token" only the issuer name and the serial number of the signing certificate are sent to the receiver. This reduces the amount of data being sent. The encryption method uses the public key associated with this certificate to encrypt the symmetric key used to encrypt data.
Please refer to WS Security specification X509 1.1 profile, chapter 3.3.3

X509 Certificate

The encryption method uses the public key associated with this certificate to encrypt the symmetric key used to encrypt data. The certificate is converted into a KeyIdentifier token and sent to the receiver. Thus the complete certificate data is transfered to receiver. The X509 profile recommends to use "Issuer Name and Serial Number" method instead of sending the whole certificate. 

Please refer to WS Security SOAP Message security 1.1 specification, chapter 7.3. Note that this is a NON-STANDARD method. The standard way to refer to an X.509 Certificate via a KeyIdentifier is to use "Subject Key Identifier"

Subject Key Identifier

Sends a "SubjectKeyIdentifier" to identify  the signing certificate.
Refer to WS Security specification X509 1.1 profile, chapter 3.3.1

Thumbprint SHA1 IDENTIFIER

"Thumbprint SHA1 IDENTIFIER" is used to set the specific key identifier ThumbprintSHA1.

This identifier uses the SHA-1 digest of a security token to identify the security token. Please refer to chapter 7.2 of the OASIS WSS 1.1 specification.

Embedded Key Info

Embeds a keyinfo/key name into the EncryptedData element.

Embed Security Token Reference

Embeds a keyinfo/wsse:SecurityTokenReference into EncryptedData element.

Custom Key Info

"Custom Key Info" is used internally only to set a specific Signature behavior.

The signing key, reference id and value type are set externally. 

Signature Algorithm

Used for signature algorithm selection.

It can be one of 2 values: rsa-sha1, dsa-sha1

Signature Canonicalization

Used to select the signature canonicalization method.

It can be one of 4 values:

C14N-OMIT-COMMENTS 
C14N-WITH-COMMENTS 
C14N-EXCLUDE-OMIT-COMMENTS 
C14N-EXCLUDE-WITH-COMMENTS 

Signature Parts

This is the part where the information about which fields of the message will be signed is selected. It allows multiple fields to be signed.

The name of the element to be signed, namespace information, whether the content or the element should be signed information is entered and the definition is made.


You can visit the Policies page for the details of the Conditions and Error Message Customization panels.