Encrypting XML Messages

The following instructions describe how to encrypt outgoing responses for a handler or basic virtual service object. You can also configure encryption for service descriptors, in which case the outgoing request is encrypted. The procedure is similar to that described here.

To set up encryption of outgoing responses:

Step 1

While logged on to the console as an Administrator user or as a Privileged user with the Routing role, click the Virtual Services link in the navigation menu.

Step 2

Click the name of the virtual service object for which you want to configure XML encryption.

For the XML encryption controls to be enabled for a service definition, its message specification must indicate that the message content is XML. It cannot be raw byte data, for example, which is the default for non-SOAP HTTP service definitions. The Response Message Specification pane indicates how the message content is treated, whether as XML or as raw bytes. If necessary, change the message-body handling settings as follows:

  1. Click the Edit link in the heading of the Response Message Specification subsection of the Outgoing Response section of the page.
  2. Use the editor's controls to specify that the handler treat the bodies of outgoing response messages as XML.
  3. Click Save Changes.

Step 3

In the service definition settings page, specify content encryption by clicking the Add Encryption List or the Enable link in the XML Encryption pane of the message processing section.

Step 4

In the XML Encryption configuration page, specify the public key with which the content is encrypted (the key source). It can be any of the following:

  1. The public key attribute of the consumer that sent the original request message.
  2. The public key used to sign the original request message.
  3. A public key set by an extension created with the ACE XML Gateway SDK. This option is only available if extensions are installed on the ACE XML Manager. It is useful if an extension performs client authentication and has access to the user's public key, which can then be used in message processing.
  4. Any public key that a Consumer Certificate Resource provides to the ACE XML Manager. The Upload button allows you to add a certificate or key pair from the local file system or by URL as a named Consumer Certificate Resource.

You can create as many XPath expressions as necessary to select the elements to encrypt. For SOAP services, if an expression matches multiple elements in the message, all of them are encrypted. For HTTP POST bodies, only the first matching element is encrypted.


Axis2 Web Services Framework

In recent years, many Web Services frameworks have emerged. One of the most popular open-source Web Services frameworks is Apache Axis2. The Rampart module of Axis2 contains an implementation of the WS-Security standard, which makes it possible to apply XML Encryption and XML Signature to SOAP messages.

To use a module in the Axis2 framework, the module must be engaged in Axis2's message flow. A flow is a chain of modules, where each module takes the incoming SOAP message context, processes it, and passes it to the next module. When the SOAP message reaches the end of the flow, it is forwarded to a Message Receiver. The Message Receiver invokes the function implemented in the Service class and passes the result to the output flow.

The Axis2 flow typically consists of three modules, namely Transport, Security, and Dispatch. The Security module processes the security elements. In particular, encrypted elements are first decrypted, and the decrypted content is then parsed by an XML parser in order to update the SOAP message context. The decrypted and validated content is then passed on to the Dispatch module. Each module in the flow, as well as the Message Receiver, can stop the processing of the SOAP message if an error occurs. In this case, processing is terminated and an appropriate SOAP fault is returned.

We distinguish between two types of server responses. We say that a security fault is returned if the server replies with the message "WSDoAllReceiver: security processing failed". If an application-specific error or no error message is returned, we say that the server replies with an application response.
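The following Go program is an added example and is not code from the ACE XML Gateway documentation or from the Axis2/Rampart project. It serves both passages above: the sending side produces the xenc:EncryptedData element (AES-128-CBC, IV prepended, XML Encryption padding) that a gateway emits in place of a selected element, and the receiving side performs the decrypt-then-parse step of the Security module and reports the outcome as either a security fault (decryption, padding or well-formedness failure) or an application response. Everything not in the text is an assumption: the function names (EncryptElement, DecryptElement, Receive, wrapCipherValue), the pre-shared 128-bit AES key that stands in for the public-key transport of Step 4, and the constructed SampleElement, which is handed in directly rather than selected by an XPath expression.

```go
// Added example, not from the ACE XML Gateway documentation or from Axis2/Rampart: an
// element encrypted into xenc:EncryptedData (AES-128-CBC) as a gateway would emit it,
// and the receiver's decrypt-then-parse step classified as a security fault or an
// application response. Hypothetical: a pre-shared AES key replaces public-key transport.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
)

const (
	xencNS              = "http://www.w3.org/2001/04/xmlenc#"
	aes128CBC           = xencNS + "aes128-cbc"
	SecurityFault       = "security fault"       // processing stopped in the security module
	ApplicationResponse = "application response" // message reached the application
	SampleElement       = "<AccountNumber>000-TEST-0001</AccountNumber>" // constructed sample
)

// encryptedData is the subset of xenc:EncryptedData produced and consumed here.
type encryptedData struct {
	XMLName          xml.Name `xml:"http://www.w3.org/2001/04/xmlenc# EncryptedData"`
	Type             string   `xml:"Type,attr"`
	EncryptionMethod struct {
		Algorithm string `xml:"Algorithm,attr"`
	} `xml:"EncryptionMethod"`
	CipherValue string `xml:"CipherData>CipherValue"` // base64(IV || ciphertext)
}

func wrapCipherValue(raw []byte) string {
	ed := encryptedData{Type: xencNS + "Element", CipherValue: base64.StdEncoding.EncodeToString(raw)}
	ed.EncryptionMethod.Algorithm = aes128CBC
	out, _ := xml.Marshal(ed) // cannot fail for this fixed struct
	return string(out)
}

// pad applies XML Encryption padding: 1..16 bytes whose last byte holds the count; the
// spec lets the other bytes be arbitrary (zero here). DecryptElement checks the last byte.
func pad(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	padding := make([]byte, n)
	padding[n-1] = byte(n)
	return append(append([]byte{}, p...), padding...)
}

// EncryptElement returns the EncryptedData element that replaces the selected element.
func EncryptElement(block cipher.Block, element []byte) (string, error) {
	padded := pad(element)
	raw := make([]byte, aes.BlockSize+len(padded)) // IV first, then ciphertext
	if _, err := io.ReadFull(rand.Reader, raw[:aes.BlockSize]); err != nil {
		return "", err
	}
	cipher.NewCBCEncrypter(block, raw[:aes.BlockSize]).CryptBlocks(raw[aes.BlockSize:], padded)
	return wrapCipherValue(raw), nil
}

// DecryptElement reverses EncryptElement; every malformed input is an error.
func DecryptElement(block cipher.Block, encXML string) ([]byte, error) {
	var ed encryptedData
	if err := xml.Unmarshal([]byte(encXML), &ed); err != nil {
		return nil, err
	}
	if ed.EncryptionMethod.Algorithm != aes128CBC {
		return nil, fmt.Errorf("unsupported algorithm %q", ed.EncryptionMethod.Algorithm)
	}
	raw, err := base64.StdEncoding.DecodeString(ed.CipherValue)
	if err != nil {
		return nil, err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not an IV plus whole blocks", len(raw))
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	if n := int(pt[len(pt)-1]); n < 1 || n > aes.BlockSize {
		return nil, fmt.Errorf("invalid padding byte %d", n)
	}
	return pt[:len(pt)-int(pt[len(pt)-1])], nil
}

// Receive models the inbound flow: the security module decrypts the element and parses the
// plaintext to update the message context; a failure at either step ends processing with a
// security fault, otherwise the message is dispatched and the application answers.
func Receive(block cipher.Block, encXML string) (string, error) {
	pt, err := DecryptElement(block, encXML)
	if err == nil {
		err = xml.Unmarshal(pt, new(struct{})) // well-formedness check of the decrypted element
	}
	if err != nil {
		return SecurityFault, err
	}
	return ApplicationResponse, nil
}

func main() {
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // hypothetical 128-bit key
	enc, _ := EncryptElement(block, []byte(SampleElement))
	fmt.Println(enc)
	fmt.Println(Receive(block, enc))
}
```

Receive reports the same two outcomes the text distinguishes: anything that goes wrong in the Security module (undecodable CipherValue, a ciphertext that is not an IV plus whole blocks, a padding byte outside 1..16, or decrypted content that is not well-formed XML) is a security fault, and only a message that survives both steps produces an application response. A real gateway would additionally wrap the AES content key for the consumer's public key in an xenc:EncryptedKey and would pick the target element with the configured XPath expression; neither is shown here.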

