This policy applies WS-Security settings to the request while Apinizer forwards it to a SOAP backend web service.
With this policy, users can apply the following WS-Security standard settings to the message:
Adding time-to-live (Timestamp) information
Adding Username Token information
Encrypting selected fields
Signing selected fields
The picture below shows the policy settings:
The policy fields are shown in the table below.
Field
Description
Operation Sequence
Shows the execution order of the WS-Security operations to be applied. The order can be changed by drag and drop. The order matters when both signing and encryption are configured: a signature placed before encryption is computed over the plaintext, one placed after it is computed over the ciphertext, and the backend has to unpack the header in the reverse order.
Must Understand
Sets the mustUnderstand attribute of the wsse:Security header block added to the message to true or false. With true, a receiver that does not process the WS-Security header must reject the message with a SOAP fault instead of silently ignoring it.
Add Entry
The part where the required operations (Timestamp, Username Token, Encryption, Signature) are added by selecting them.
Sections
Timestamp
The picture below shows the timestamp settings:
The fields used for the timestamp configuration are shown in the table below.
Field
Description
TTL (sec)
Embeds in the message how long it remains valid: a wsu:Timestamp is added whose Expires value is Created plus the TTL. The unit is seconds. A receiver that checks the timestamp rejects the message after Expires, so the TTL must cover transport delay and any clock difference between Apinizer and the backend.
Username Token
The picture below shows the username token settings:
The fields used for the username token configuration are shown in the table below.
Field
Description
Username
The username the backend SOAP web service expects in the UsernameToken.
Password
The password the backend SOAP web service expects; how it is sent depends on the Password Type.
Nonce
If checked, a random nonce is generated and added to the UsernameToken as a wsse:Nonce element. Together with Created it lets the backend detect replayed tokens.
Created
If checked, the token creation time is added to the UsernameToken as a wsu:Created element.
Password Type
Password type can be Text or Digest.
When Text is selected, the password is sent to the backend SOAP web service in clear text (PasswordText), so the connection to the backend must be TLS-protected. When Digest is selected, the password itself is not sent; a PasswordDigest computed from the nonce, the creation time and the password is sent instead. This is a hash, not encryption, and it requires Nonce and Created to be enabled, since both are inputs to the computation.
Digest password generation algorithm:
Base64 ( SHA1 ( nonce + created + clear text password ) )
Here nonce is the raw (base64-decoded) nonce bytes, created is the wsu:Created string exactly as it appears in the token, and + is byte concatenation. The backend recomputes the digest from the nonce and created carried in the message, so it needs the clear-text password on its side, and a captured digest can still be tried offline against password guesses.
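The Timestamp and Username Token sections above describe what the policy puts in the header. The following is an added example, not Apinizer's code, that builds such a wsse:Security header (mustUnderstand, wsu:Timestamp with a TTL, UsernameToken with Nonce, Created and PasswordDigest) and then checks it the way the backend should: digest recomputed from the nonce and created in the message, clear-text passwords refused, timestamp window enforced, nonce replay rejected. The function names and the fixed nonce and clock used for illustration are this example's own assumptions; the element names, attribute values and digest formula are the WS-Security ones.

```python
"""Added example (not Apinizer's code): build and verify a wsse:Security header
with a wsu:Timestamp (TTL) and a UsernameToken using PasswordDigest."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_DIGEST = UTP + "#PasswordDigest"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)


def iso8601(dt):
    """wsu:Created / wsu:Expires format: UTC with millisecond precision."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (dt.microsecond // 1000)


def parse_iso8601(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def password_digest(nonce, created, password):
    """Base64(SHA1(nonce + created + password)) from the UsernameToken profile.
    The nonce goes in as raw bytes; its base64 text is only the wire form."""
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def build_security_header(username, password, ttl_sec=300, must_understand=True,
                          now=None, nonce=None):
    """Sender side: Timestamp with Expires = Created + TTL, then a UsernameToken
    carrying Nonce, Created and a PasswordDigest (never the clear-text password)."""
    now = now or datetime.now(timezone.utc)
    nonce = nonce if nonce is not None else os.urandom(16)  # fixed only for tests
    created = iso8601(now)
    sec = ET.Element("{%s}Security" % WSSE,
                     {"{%s}mustUnderstand" % SOAP: "1" if must_understand else "0"})
    ts = ET.SubElement(sec, "{%s}Timestamp" % WSU, {"{%s}Id" % WSU: "TS-1"})
    ET.SubElement(ts, "{%s}Created" % WSU).text = created
    ET.SubElement(ts, "{%s}Expires" % WSU).text = iso8601(now + timedelta(seconds=ttl_sec))
    ut = ET.SubElement(sec, "{%s}UsernameToken" % WSSE, {"{%s}Id" % WSU: "UT-1"})
    ET.SubElement(ut, "{%s}Username" % WSSE).text = username
    pw = ET.SubElement(ut, "{%s}Password" % WSSE, {"Type": PASSWORD_DIGEST})
    pw.text = password_digest(nonce, created, password)
    nonce_el = ET.SubElement(ut, "{%s}Nonce" % WSSE, {"EncodingType": BASE64_BINARY})
    nonce_el.text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(ut, "{%s}Created" % WSU).text = created
    return ET.tostring(sec, encoding="unicode")


def verify_security_header(header_xml, lookup_password, now=None, max_skew_sec=300,
                           seen_nonces=None):
    """Receiver side: recompute the digest from the nonce/created in the message,
    refuse clear-text passwords, enforce the Timestamp window and, when a nonce
    cache is supplied, reject replays. Returns True only if every check passes."""
    now = now or datetime.now(timezone.utc)
    sec = ET.fromstring(header_xml)
    ut = sec.find("{%s}UsernameToken" % WSSE)
    ts = sec.find("{%s}Timestamp" % WSU)
    if ut is None or ts is None:
        return False
    pw_el = ut.find("{%s}Password" % WSSE)
    nonce_b64 = ut.findtext("{%s}Nonce" % WSSE)
    created = ut.findtext("{%s}Created" % WSU)
    if pw_el is None or pw_el.get("Type") != PASSWORD_DIGEST or not nonce_b64 or not created:
        return False  # PasswordText, or a digest without nonce/created, is not accepted
    password = lookup_password(ut.findtext("{%s}Username" % WSSE))
    if password is None:
        return False
    nonce = base64.b64decode(nonce_b64)
    expected = password_digest(nonce, created, password)
    if not hmac.compare_digest(expected, pw_el.text or ""):
        return False
    try:
        ts_created = parse_iso8601(ts.findtext("{%s}Created" % WSU))
        ts_expires = parse_iso8601(ts.findtext("{%s}Expires" % WSU))
    except (TypeError, ValueError):
        return False
    if now > ts_expires or ts_created > now + timedelta(seconds=max_skew_sec):
        return False  # expired, or created too far in the future (clock skew)
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return False  # replay of a token that was already accepted
        seen_nonces.add(nonce)
    return True


if __name__ == "__main__":
    header = build_security_header("alice", "s3cret", ttl_sec=60)
    print(header)
    print(verify_security_header(header, {"alice": "s3cret"}.get, seen_nonces=set()))
```

The nonce cache only has to remember nonces until their Timestamp expires, which is why the TTL and the replay window belong together.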
Encryption
With the settings made in this section, the desired parts of the message are encrypted and sent to the backend SOAP web service.
The picture below shows the encryption settings:
The fields used for encryption configuration are shown in the table below.
Field
Description
Key Store
KeyStore information holding the certificate whose public key is used to encrypt the selected parts. For encryption this is the backend service's certificate, not Apinizer's own signing key.
Key Identifier Type
The part where the key identifier type is set, i.e. how the encryption certificate is referenced in the wsse:SecurityTokenReference that the backend uses to find the matching private key.
Type
Description
Binary Security Token
The certificate is converted to a BinarySecurityToken, placed in the security header, and a Reference to that binary security token is inserted into the wsse:SecurityTokenReference. Thus the whole certificate is transferred to the receiver. The X509 profile recommends using "Issuer Name and Serial Number" instead of sending the whole certificate.
Please refer to WS-Security X.509 Token Profile 1.1, chapter 3.3.2 and to WS-Security SOAP Message Security 1.1, chapter 7.2. Note: only local references to BinarySecurityToken are supported.
Issuer Name and Serial Number
In contrast to "Binary Security Token", only the issuer name and the serial number of the certificate are sent to the receiver, which reduces the amount of data being sent. The encryption method uses the public key associated with this certificate to encrypt the symmetric key that encrypts the data. Please refer to WS-Security X.509 Token Profile 1.1, chapter 3.3.3.
X509 Certificate
The encryption method uses the public key associated with this certificate to encrypt the symmetric key that encrypts the data. The certificate is converted into a KeyIdentifier token and sent to the receiver. Thus the complete certificate data is transferred to the receiver. The X509 profile recommends using the "Issuer Name and Serial Number" method instead of sending the whole certificate.
Please refer to WS-Security SOAP Message Security 1.1, chapter 7.3. Note that this is a NON-STANDARD method: the standard way to refer to an X.509 certificate via a KeyIdentifier is "Subject Key Identifier".
Subject Key Identifier
Sends a "SubjectKeyIdentifier" (the certificate's SKI extension value) to identify the certificate. Refer to WS-Security X.509 Token Profile 1.1, chapter 3.3.1.
Thumbprint SHA1 IDENTIFIER
"Thumbprint SHA1 IDENTIFIER" sets the key identifier type ThumbprintSHA1.
This identifier uses the SHA-1 digest of the security token (the DER-encoded certificate) to identify it. Please refer to chapter 7.2 of the OASIS WSS 1.1 specification.
Embedded Key Info
Embeds a KeyInfo/KeyName into the EncryptedData element.
Embed Security Token Reference
Embeds a KeyInfo/wsse:SecurityTokenReference into the EncryptedData element.
Custom Key Info
"Custom Key Info" is used internally only to set a specific signature behavior; the signing key, reference id and value type are set externally.
Embedded Key Name
If the value of the Key Identifier Type field is Embedded Key Info, this field becomes active.
Symmetric Encryption Algorithm
Used to select the symmetric encryption algorithm that encrypts the message parts.
It can be one of 3 values: AES-128-CBC, AES-192-CBC, AES-256-CBC. All three are CBC modes without built-in integrity protection, so the encrypted parts should also be signed and the backend should verify the signature before decrypting; unauthenticated CBC ciphertext in XML Encryption is exposed to padding-oracle style decryption attacks.
Key Encryption Algorithm
Used to select the algorithm that encrypts the symmetric key under the backend's public key.
It can be one of 2 values: rsa-1_5, rsa-oaep-mgf1p. Prefer rsa-oaep-mgf1p; RSA PKCS#1 v1.5 key transport (rsa-1_5) is vulnerable to Bleichenbacher-style padding oracle attacks and should only be used when the backend cannot accept OAEP.
Encryption Parts
The part where the message fields to be encrypted are selected. Multiple fields can be encrypted.
For each part, the name of the element, its namespace, and whether the content or the whole element is to be encrypted are entered. Element mode replaces the whole element, including its name and attributes, with an xenc:EncryptedData element; Content mode keeps the element and its attributes visible and replaces only its children.
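To make the Key Identifier Type choices concrete, here is an added example (not Apinizer's or WSS4J's code) that emits the wsse:SecurityTokenReference form each type produces and resolves it back to a certificate on the receiving side. The same references appear in a signature's ds:KeyInfo, so it applies to the Signature section's table as well. The certificate records (DER bytes, issuer, serial, SKI) are constructed stand-ins, because parsing X.509 is not in the Python standard library; the ValueType and EncodingType URIs are the WSS 1.0/1.1 ones. Embedded Key Info, Embed Security Token Reference and Custom Key Info are not covered.

```python
"""Added example (not Apinizer's code): wsse:SecurityTokenReference (STR) forms
for each Key Identifier Type, and the receiver-side lookup that resolves them."""
import base64
import hashlib
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
X509V3 = X509_PROFILE + "#X509v3"
X509_SKI = X509_PROFILE + "#X509SubjectKeyIdentifier"
THUMBPRINT_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
for prefix, uri in (("wsse", WSSE), ("wsu", WSU), ("ds", DS)):
    ET.register_namespace(prefix, uri)

# Constructed certificate records; a real keystore derives these fields from the DER.
BACKEND_CERT = {"der": b"constructed DER for the backend cert", "issuer": "CN=Example CA,O=Example",
                "serial": 4660, "ski": b"\x01\x02\x03\x04\x05\x06\x07\x08"}
OTHER_CERT = {"der": b"constructed DER for another cert", "issuer": "CN=Example CA,O=Example",
              "serial": 4661, "ski": b"\x11\x12\x13\x14\x15\x16\x17\x18"}


def b64(data):
    return base64.b64encode(data).decode("ascii")


def thumbprint_sha1(der):
    """ThumbprintSHA1 = SHA-1 over the raw octets of the token (the DER certificate)."""
    return hashlib.sha1(der).digest()


def build_binary_security_token(cert, bst_id="X509-1"):
    """The header token a 'Binary Security Token' reference points at (whole cert)."""
    bst = ET.Element("{%s}BinarySecurityToken" % WSSE,
                     {"{%s}Id" % WSU: bst_id, "ValueType": X509V3, "EncodingType": BASE64_BINARY})
    bst.text = b64(cert["der"])
    return bst


def build_str(kind, cert, bst_id="X509-1"):
    """STR for the given Key Identifier Type; it sits inside ds:KeyInfo of the
    xenc:EncryptedKey (encryption) or of the ds:Signature (signature)."""
    ref = ET.Element("{%s}SecurityTokenReference" % WSSE)
    if kind == "Binary Security Token":
        ET.SubElement(ref, "{%s}Reference" % WSSE, {"URI": "#" + bst_id, "ValueType": X509V3})
    elif kind == "Issuer Name and Serial Number":
        isr = ET.SubElement(ET.SubElement(ref, "{%s}X509Data" % DS), "{%s}X509IssuerSerial" % DS)
        ET.SubElement(isr, "{%s}X509IssuerName" % DS).text = cert["issuer"]
        ET.SubElement(isr, "{%s}X509SerialNumber" % DS).text = str(cert["serial"])
    else:
        value_type, data = {
            "X509 Certificate": (X509V3, cert["der"]),  # whole cert as KeyIdentifier (non-standard)
            "Subject Key Identifier": (X509_SKI, cert["ski"]),
            "Thumbprint SHA1 IDENTIFIER": (THUMBPRINT_SHA1, thumbprint_sha1(cert["der"])),
        }[kind]
        ki = ET.SubElement(ref, "{%s}KeyIdentifier" % WSSE,
                           {"ValueType": value_type, "EncodingType": BASE64_BINARY})
        ki.text = b64(data)
    return ref


def match(keystore, field, value):
    return next((c for c in keystore if c[field] == value), None)


def resolve_str(ref, keystore, tokens_by_id):
    """Receiver: map an STR to a certificate record in the local keystore, or None.
    Only local (#id) BinarySecurityToken references are followed, and a certificate
    carried in the message is accepted only if it is already in the keystore
    (a real receiver would validate its chain instead)."""
    wsse_ref = ref.find("{%s}Reference" % WSSE)
    if wsse_ref is not None:
        uri = wsse_ref.get("URI", "")
        if wsse_ref.get("ValueType") != X509V3 or not uri.startswith("#"):
            return None
        bst = tokens_by_id.get(uri[1:])
        if bst is None:
            return None
        return match(keystore, "der", base64.b64decode(bst.text or ""))
    isr = ref.find("{%s}X509Data/{%s}X509IssuerSerial" % (DS, DS))
    if isr is not None:
        issuer = isr.findtext("{%s}X509IssuerName" % DS)
        serial = int(isr.findtext("{%s}X509SerialNumber" % DS))
        return next((c for c in keystore if c["issuer"] == issuer and c["serial"] == serial), None)
    ki = ref.find("{%s}KeyIdentifier" % WSSE)
    if ki is not None:
        data = base64.b64decode(ki.text or "")
        value_type = ki.get("ValueType")
        if value_type == X509V3:
            return match(keystore, "der", data)
        if value_type == X509_SKI:
            return match(keystore, "ski", data)
        if value_type == THUMBPRINT_SHA1:
            return next((c for c in keystore if thumbprint_sha1(c["der"]) == data), None)
    return None


if __name__ == "__main__":
    for kind in ("Binary Security Token", "Issuer Name and Serial Number", "X509 Certificate",
                 "Subject Key Identifier", "Thumbprint SHA1 IDENTIFIER"):
        print(kind, "->", ET.tostring(build_str(kind, BACKEND_CERT), encoding="unicode"))
```

The resolver is deliberately strict about which certificate a reference may select: a backend that accepts any certificate carried in the message, rather than one it already trusts, turns every Key Identifier Type except the key-lookup ones into a way for the sender to choose the verification key.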
Signature
The picture below shows the signature settings:
The fields used for signature configuration are shown in the table below.
Field
Description
Key Store
KeyStore information holding the private key (and its certificate) used to sign the selected fields.
Key Identifier Type
The part where the Key Identifier Type is set, i.e. how the signing certificate is referenced in the ds:KeyInfo/wsse:SecurityTokenReference of the signature.
Type
Description
Binary Security Token
The signing method takes the signing certificate, converts it to a BinarySecurityToken, puts it in the security header, and inserts a Reference to the binary security token into the wsse:SecurityTokenReference. Thus the whole signing certificate is transferred to the receiver. The X509 profile recommends using "Issuer Name and Serial Number" instead of sending the whole certificate.
Please refer to WS-Security X.509 Token Profile 1.1, chapter 3.3.2 and to WS-Security SOAP Message Security 1.1, chapter 7.2. Note: only local references to BinarySecurityToken are supported.
Issuer Name and Serial Number
In contrast to "Binary Security Token", only the issuer name and the serial number of the signing certificate are sent to the receiver, which reduces the amount of data being sent. The receiver looks the certificate up by this pair and verifies the signature with its public key. Please refer to WS-Security X.509 Token Profile 1.1, chapter 3.3.3.
X509 Certificate
The signing certificate is converted into a KeyIdentifier token and sent to the receiver. Thus the complete certificate data is transferred to the receiver. The X509 profile recommends using the "Issuer Name and Serial Number" method instead of sending the whole certificate.
Please refer to WS-Security SOAP Message Security 1.1, chapter 7.3. Note that this is a NON-STANDARD method: the standard way to refer to an X.509 certificate via a KeyIdentifier is "Subject Key Identifier".
Subject Key Identifier
Sends a "SubjectKeyIdentifier" (the certificate's SKI extension value) to identify the signing certificate. Refer to WS-Security X.509 Token Profile 1.1, chapter 3.3.1.
Thumbprint SHA1 IDENTIFIER
"Thumbprint SHA1 IDENTIFIER" sets the key identifier type ThumbprintSHA1.
This identifier uses the SHA-1 digest of the security token (the DER-encoded certificate) to identify it. Please refer to chapter 7.2 of the OASIS WSS 1.1 specification.
Embedded Key Info
Embeds a KeyInfo/KeyName into the EncryptedData element.
Embed Security Token Reference
Embeds a KeyInfo/wsse:SecurityTokenReference into the EncryptedData element.
Custom Key Info
"Custom Key Info" is used internally only to set a specific signature behavior; the signing key, reference id and value type are set externally.
Signature Algorithm
Used to select the signature algorithm.
It can be one of 2 values: rsa-sha1, dsa-sha1. Both use SHA-1, which is deprecated for digital signatures; use them only where the backend cannot accept a SHA-2 based algorithm.
Signature Canonicalization
Used to select the canonicalization (C14N) method applied to the signed parts and to SignedInfo before the signature is computed.
Signature Parts
The part where the message fields to be signed are selected. Multiple fields can be signed.
For each part, the name of the element, its namespace, and whether the content or the whole element is to be signed are entered. Signing the whole element also covers its name and attributes; signing only the content leaves them unprotected.
Signature Digest Algorithm
Used to select the signature digest algorithm, which computes the DigestValue of each signed part.
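The Element/Content choice in Encryption Parts and Signature Parts decides what is protected. The following added example (not Apinizer's code) resolves a list of parts against a constructed SOAP request and computes a digest over exactly what each mode covers, so the effect of the choice can be observed: an attribute changed on an element protected in Content mode does not change its digest, while the same change inside an element protected in Element mode does. The sample envelope, the acc namespace and the helper names are this example's own assumptions, and the standard library's C14N 2.0 stands in for the Exclusive C14N a real WS-Security signature would use, so the DigestValues illustrate coverage rather than interoperate with a real verifier.

```python
"""Added example (not Apinizer's code): resolve Encryption/Signature Parts
(local name, namespace, Element|Content) and digest what each mode covers."""
import base64
import hashlib
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ACC_NS = "urn:example:accounts"  # constructed backend namespace
DIGEST_ALGORITHMS = {  # XML DSig / XML Enc digest URIs
    "http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
    "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256,
}
for prefix, uri in (("soapenv", SOAP), ("wsu", WSU), ("acc", ACC_NS)):
    ET.register_namespace(prefix, uri)

# Constructed sample request, the kind of message the policy would forward.
SAMPLE_REQUEST = (
    '<soapenv:Envelope xmlns:soapenv="%s" xmlns:acc="%s">'
    '<soapenv:Header/><soapenv:Body><acc:Transfer><acc:From>IBAN-1</acc:From>'
    '<acc:To>IBAN-2</acc:To><acc:Amount currency="TRY">100.00</acc:Amount>'
    '</acc:Transfer></soapenv:Body></soapenv:Envelope>' % (SOAP, ACC_NS)
)


def load_sample():
    return ET.fromstring(SAMPLE_REQUEST)


def select_parts(root, parts):
    """parts: (local name, namespace, mode). Every matching element is returned,
    so a part naming a repeated element protects all of its occurrences."""
    selected = []
    for name, namespace, mode in parts:
        if mode not in ("Element", "Content"):
            raise ValueError("mode must be Element or Content: %r" % mode)
        tag = "{%s}%s" % (namespace, name) if namespace else name
        selected.extend((el, mode) for el in root.iter(tag))
    return selected


def c14n(element):
    """C14N 2.0 from the standard library; a real signature uses Exclusive C14N."""
    return ET.canonicalize(ET.tostring(element, encoding="unicode"))


def covered_octets(element, mode):
    """Element: name, attributes and content are covered. Content: only what is
    inside the element, so its name and attributes stay unprotected (signature)
    or visible in clear (encryption)."""
    if mode == "Element":
        return c14n(element).encode("utf-8")
    inner = (element.text or "") + "".join(c14n(child) + (child.tail or "") for child in element)
    return inner.encode("utf-8")


def ensure_wsu_id(element, counter):
    """Signature references need a wsu:Id to point at; add one if missing."""
    key = "{%s}Id" % WSU
    if element.get(key) is None:
        element.set(key, "id-%d" % counter)
    return element.get(key)


def part_references(root, parts, digest_algorithm="http://www.w3.org/2001/04/xmlenc#sha256"):
    """One ds:Reference-like record (URI, mode, DigestValue) per selected element."""
    hasher = DIGEST_ALGORITHMS[digest_algorithm]
    refs = []
    for n, (element, mode) in enumerate(select_parts(root, parts), start=1):
        wsu_id = ensure_wsu_id(element, n)  # set before digesting, so Element mode covers it
        digest = base64.b64encode(hasher(covered_octets(element, mode)).digest()).decode("ascii")
        refs.append({"uri": "#" + wsu_id, "mode": mode, "digest": digest})
    return refs


if __name__ == "__main__":
    parts = [("Transfer", ACC_NS, "Element"), ("Amount", ACC_NS, "Content")]
    for ref in part_references(load_sample(), parts):
        print(ref)
```

For encryption the same distinction shows up in the ciphertext layout: Element mode leaves an xenc:EncryptedData where acc:Transfer used to be, Content mode leaves acc:Transfer with its attributes readable and only its children replaced.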