Configure Outbound Authentication Message Policy Action

Knowledge base
1

Supported Versions: 10.0 & above

Introduction

Using the “Outbound Authentication - Message” policy action , API Gateway can sign the outgoing SOAP message, encrypt the outgoing SOAP message, add X509 token to the SOAP message ,add username token to the SOAP message , add time stamp to the SOAP message, add kerberos token to the SOAP message, add SAML token to the SOAP message based on the web service security policies enforced at the native API.

Prerequisite

We need to configure keystore and truststore in integration server and select the same in API Gateway which can be used to sign and encrypt the outgoing SOAP message to the native API.

Keystore
KeyStore is a repository private key and its corresponding public certificate. We are going to use this keystore. This keystore contains 3 private keys(partner1,partner2,policygateway) and its corresponding public certificates.

Truststore
TrustStore is a repository of trusted public certificates. We are going to use this truststore. This truststore contains multiple trusted public certificates

Step 1: Create Keystore Alias in Integration Server with the following values

Alias : APIGatewayKeystore

Location : packages\WmAPIGateway\config\resources\security\pgkeystore.jks

Password : password

736×797 35.2 KB

Step 1.1: Configure 3 private keys present in the keystore.

Password: password

819×789 37 KB

Step 2: Configure Truststore Alias in Integration Server with the following values

Alias : APIGatewayTruststore

Location : packages\WmAPIGateway\config\resources\security\cacerts

Password : changeit

740×794 32.9 KB

NOTE

  • Install the native service package in Integration server 10.0 or later
  • API Gateway installation and Native Service integration server installation should be different
  • The native services that are used in this tutorial are given below,
    1. SOAPnativeService.employeeService:EmployeeService_WSS_Username
    2. SOAPnativeService.employeeService:EmployeeService_Sign
    3. SOAPnativeService.employeeService:EmployeeService_Encrypt
    4. SOAPnativeService.employeeService:EmployeeService_X509
  • The WSS policies that used in this tutorial should be placed in “{IS Installation Directory}\IntegrationServer\instances\default\config\wss\policies” location
  • The API Gateway assets used in this tutorial are given below,
    1. Employee_API_WSS_Username
    2. Employee_API_Sign
    3. Employee_API_Encrypt
    4. Employee_API_X509

Use Case 1 - Adding WSS Username Token in the Outbound SOAP Message

The native API is enforced with requiring WSS Username token policy. This is the wsdl of the native API. API Gateway will add the username token in the outgoing SOAP header to the native API. The username we specify must be an IS user in the Integration Server where the native API is residing.
In this use case the native API is residing in Integration Server.

Step 1: Create an API in API Gateway with the native API’s WSDL

Step 2: Configure “Outbound Authentication - Message” policy action with the following values

Authentication scheme: WSS username

Authenticate using : Custom credentials

Username : Administrator

Password : manage

1575×806 67.8 KB

Step 3: Using a SOAP client with gateway endpoint send the SOAP request.

Request sent From SOAP client to API Gateway

<soapenv:Envelope xmlns:soapenv="
xmlns:soap=">
   <soapenv:Header/>
   <soapenv:Body>
      <soap:addEmployeeFS>
         <Position>SoftwareEngineer</Position>
         <EmployeeFName>Tom</EmployeeFName>
         <EmployeeLName>Hanks</EmployeeLName>
         <EmployeeAge>68</EmployeeAge>
      </soap:addEmployeeFS>
   </soapenv:Body>
</soapenv:Envelope>

Request sent from API Gateway to native API

<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="
xmlns:soap=">
    <soapenv:Header>
        <wsse:Security xmlns:wsse=" xmlns:wsu=" soapenv:mustUnderstand="1">
            <wsse:UsernameToken wsu:Id="UsernameToken-4">
                <wsse:Username>Administrator</wsse:Username>
                <wsse:Password Type=">manage</wsse:Password>
            </wsse:UsernameToken>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body>
        <soap:addEmployeeFS>
            <Position>SoftwareEngineer</Position>
            <EmployeeFName>Tom</EmployeeFName>
            <EmployeeLName>Hanks</EmployeeLName>
            <EmployeeAge>68</EmployeeAge>
        </soap:addEmployeeFS>
    </soapenv:Body>
</soapenv:Envelope>

Use Case 2 - Signing the Outbound SOAP Message

The native API is enforced with require signing policy.This is the wsdl of the native API. API Gateway will sign the SOAP body using the private key and send the SOAP request to native API. If the native API is residing in Integration Server the public certificate of the of the corresponding private key should be mapped to an IS user.

In this use case the native API is residing in Integration Server. API Gateway will use partner1 private key to sign the SOAP request.

Step 1: Add the keystore and truststore in the Integration Server where the native API is residing by following the steps in the “Prerequisite” section.

1278×738 50.4 KB

Step 2: Configure Certificate Settings in the Integration Server where the native API is residing with the following values.

Signing Key

  • Keystore Alias : NativeAPIKeystore

  • Key Alias : partner2

Decryption Key

  • Keystore Alias : NativeAPIKeystore

  • Key Alias : partner1

image
image639×733 31 KB

Step 3: Configure Client Certificates in the Integration Server where the native API is residing with the following values.

Certificate Path: packages\WmAPIGateway\config\resources\security\partner1cert.der

User : Administrator

Usage : Verify

1268×423 35.9 KB

Step 4: Create an API in API Gateway with the native API’s WSDL

Step 5: Configure “Outbound Authentication - Message” policy action with the following values

Authentication scheme: None

Signing Configurations

  • Keystore Alias : APIGatewayKeystore

  • Key Alias : partner1

image
image1278×933 64.5 KB

Step 6: Using a SOAP client with gateway endpoint send the SOAP request.

Request sent From SOAP client to API Gateway

<soapenv:Envelope xmlns:soapenv="
 xmlns:soap=">
   <soapenv:Header/>
   <soapenv:Body>
      <soap:addEmployeeFS>
         <Position>3</Position>
         <EmployeeFName>Tom</EmployeeFName>
         <EmployeeLName>Hardy</EmployeeLName>
         <EmployeeAge>34</EmployeeAge>
      </soap:addEmployeeFS>
   </soapenv:Body>
</soapenv:Envelope>

Request sent from API Gateway to native API

<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv=" xmlns:soap=">
    <soapenv:Header>
        <wsse:Security xmlns:wsse=" xmlns:wsu=" soapenv:mustUnderstand="1">
            <ds:Signature xmlns:ds=" Id="SIG-9">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm=">
                        <ec:InclusiveNamespaces xmlns:ec=" PrefixList="soap soapenv"/>
                    </ds:CanonicalizationMethod>
                    <ds:SignatureMethod Algorithm="/>
                    <ds:Reference URI="#Id-1251913679">
                        <ds:Transforms>
                            <ds:Transform Algorithm=">
                                <ec:InclusiveNamespaces xmlns:ec=" PrefixList="soap"/>
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="/>
                        <ds:DigestValue>EHmgBmBsDns2OPWb62/v7rmox9Y=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>Sh1ojhj8ZGH0yXWC0l0vKYVGL6pkCN7EyugbGZgIA+
33cH+U5Nb+uCz3qIXdtM8SFaD5yg1DECv6ZxTko9wZn0
+yu7EsotwxHgpbOPDZ0mzuodfgjO4MMO7GGbFUAdcWLIAizS9ZtAyfhsLJeEpDQbAzmSgjLVcpjbHV
qlxBQ/lYhDcH4WWi+e10tos36drC5x8Lycptcx0KdXcfh5+
Gs7QgRFqPQAvXvfOmI4dXorWjWsCfdtfCwriG+w7jd0QNZeYru
QqYMpnOkbQhQxUnOLfWrLW2kg7CDd3UVGpn/HS9E5dtAZamoe/A
Vyg8h/37pRt3RQoqJeVkVMZrbloJ1Q==</ds:SignatureValue>
                <ds:KeyInfo Id="KI-ED1F77457C995F208E148912705022526">
                    <wsse:SecurityTokenReference wsu:Id="STR-ED1F77457C995F208E148912705022527">
                        <ds:X509Data>
                            <ds:X509IssuerSerial>
                                <ds:X509IssuerName>CN=webM TEST CA,OU=lh,O=webMethods,L=Fai
rfax,ST=Virginia,C=US</ds:X509IssuerName>
                                <ds:X509SerialNumber>1411550803</ds:X509SerialNumber>
                            </ds:X509IssuerSerial>
                        </ds:X509Data>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body xmlns:wsu=" wsu:Id="Id-1251913679">
        <soap:addEmployeeFS>
            <Position>3</Position>
            <EmployeeFName>Tom</EmployeeFName>
            <EmployeeLName>Hardy</EmployeeLName>
            <EmployeeAge>34</EmployeeAge>
        </soap:addEmployeeFS>
    </soapenv:Body>
</soapenv:Envelope>

Use Case 3 - Encrypting the Outbound SOAP Message

The native API is enforced with require encryption policy.This is the wsdl of the native API. API Gateway will encrypt the SOAP body using the public key of the native API and sends the SOAP request.
In this use case the native API is residing in Integration Server. API Gateway will use partner2 certificate to encrypt the SOAP request.

Step 1: Add the keystore and truststore in the Integration Server where the native API is residing by following the steps in the “Prerequisite” section.

image
image1278×738 50.4 KB

Step 2: Configure Certificate Settings in the Integration Server where the native API is residing with the following values.

Decryption Key

  • Keystore Alias : NativeAPIKeystore

  • Key Alias : partner2

image
image611×745 30.3 KB

Step 3 : Create an API in API Gateway with the native API’s WSDL

Step 4: Configure “Outbound Authentication - Message” policy action with the following values

Authentication scheme: None

Encryption Configurations

  • Keystore Alias : APIGatewayKeystore

  • Key Alias : partner2

image
image1268×942 64.4 KB

Step 6: Using a SOAP client with gateway endpoint send the SOAP request.

Request sent From SOAP client to API Gateway

<soapenv:Envelope xmlns:soapenv="
xmlns:soap=">
   <soapenv:Header/>
   <soapenv:Body>
      <soap:addEmployeeFS>
         <Position>5</Position>
         <EmployeeFName>Tom</EmployeeFName>
         <EmployeeLName>Hardy</EmployeeLName>
         <EmployeeAge>34</EmployeeAge>
      </soap:addEmployeeFS>
   </soapenv:Body>
</soapenv:Envelope>

Request sent from API Gateway to native API

<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv=" xmlns:soap=">
    <soapenv:Header>
        <wsse:Security xmlns:wsse=" xmlns:wsu=" soapenv:mustUnderstand="1">
            <wsse:BinarySecurityToken EncodingType=" ValueType=" 
wsu:Id="ED1F77457C995F208E148912856634329">MIIDTjCCAjagA
wIBAgIEVCLGLzAN
BgkqhkiG9w0BAQsFADBrMQswCQYDVQQGEwJVUzERMA8GA1UECAwIVmlyZ2luaWExEDAOBgNVBAcMB0
ZhaXJmYXgxEzARBgNVBAoMCndlYk1ldGh
vZHMxCzAJBgNVBAsMAmxoMRUwEwYDVQQDDAx3ZWJNIFRFU1QgQ0EwHhcNMTQwOTI0MTMyNzA5Whc
NMjQwOTI0MTMyNzA5WjBnMQswCQYDVQQGEwJVUzE
RMA8GA1UECAwIVmlyZ2luaWExEDAOBgNVBAcMB0ZhaXJmYXgxEzARBgNVBAoMCndlYk1ldG
hvZHMxCzAJBgNVBAsMAmxoMREwDwYDVQQDDAhwYXJ0bmVyMjCCA
SIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJywF9GHsl6xSFoyZ6BqjMzHUUSnRvlK
yq6A3yOrTNapLRZ6Bu7htFAQNKTfhB/rsDjIqQw0HbBoUqc4lQqr
VGKV15osB29a7SmBYOvBB2j+8v01i/pQbQYg2d4Ub9N+uGPalXzD9cCctQ9TrfZwp82Ke9tA
khcX1dM1FBWrbkWx7XpOv1ybHu/WUw7RmXd/P1mNKYs6LkD1OtRI
8rRJMTlQ1bUjttSv0Ulr55RS00LwQXFUzuathM7EzLPWP08O/FBxngjgjR23YDD0AGgiXnZ2
T21fvMkokLUDQyKuLBseKF/nk4illIEdJfWHaNZaZNQfD7DM6svGQ
uvzRNn2V18CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEACWJrbR0zHQOdwTOMxQuBt9V9WJyHg
GCPNfNQE5PdVgqKjot02O82m0D4VnDHR1F8kQjVgkBGfvmzpEkf4U
v8AyumpCFDt7LI5P5zGvj6D3eDxWWTWtBYQ+pna1wRQPYPeZ5IJfYJz7wiubVTPjRpvCqNMC
u9GKXEMi7+YxhBK7lIrf/wBCU7536hqHEJ3J0sTr82+c+4
8Kwh68BFiC+KWE00SotP0kzeLRFbUX9LvASp71ZDsgLU36EVTv9CFEKnrStLFg2vHw7
R0FWHCfcx+s5mdGaasbW5blrADvk3s4ugefuUpaRGJ2PekGjfCyr+DZ
jS57biKkx7OrW8okdt5Q==</wsse:BinarySecurityToken>
            <xenc:EncryptedKey xmlns:xenc=" Id="EK-ED1F77457C995F208E148912856634328">
                <xenc:EncryptionMethod Algorithm="/>
                <ds:KeyInfo xmlns:ds=">
                    <wsse:SecurityTokenReference>
                        <wsse:Reference URI="#ED1F77457C995F208E148912856634329" ValueType="/>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
                <xenc:CipherData>
                    <xenc:CipherValue>iO2DQ+E6cApDstZ2xVOA+nxsmBLtMp0CvUAoi6qEHnf9Ti
QAvXSSeO7Pcb/Z7WN7xZUurx8Hil8oEYa8gg14dtJg6LUIbsi3lJNfqv
JK1Nh0M9GaQpn19J9ISCLvG8Ary70qH
Qlk3x+qUHnwrL0hA+5OlR/nskgjLwXIhUF7AYsxFoVzSBf7WUrWyKFydb
QRB+HnC+KVaC+Q1QF8v3HN11f3qqq5SLPNGg7
FiZC0MqyQf8glK1HKFWhv7eVgDBS6nZjf0H7kvdInMMWb/emH9RA8igQzP+
jyLef2SaKOCIILFAHNN6Vn49YwG8DzRxz/hLtNi
5uLMYo7wOJ5zu2SDg==</xenc:CipherValue>
                </xenc:CipherData>
            </xenc:EncryptedKey>
            <xenc:ReferenceList xmlns:xenc=">
                <xenc:DataReference URI="#ED-10"/>
            </xenc:ReferenceList>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body xmlns:wsu=" wsu:Id="Id-560719255">
        <xenc:EncryptedData xmlns:xenc=" Id="ED-10" Type=">
            <xenc:EncryptionMethod Algorithm="/>
            <ds:KeyInfo xmlns:ds=">
                <wsse:SecurityTokenReference xmlns:wsse=" xmlns:wsse11=" wsse11:TokenType=">
                    <wsse:Reference URI="#EK-ED1F77457C995F208E148912856634328"/>
                </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>sE88iIdHk4lD+9z7b6ODFq
27O/ylBCHfboQlMYMsf5s/Mrq0JK
7WcB3OyFh49XUw7Xmv67d6o41Lnah5g22WZs9p5osvWbyBNHcl
i+GDV+94a9Lxtlo2f/daijb7iK
en3WlFxoDofjA50P2GbCGqNWv+Q1gOuaWaX5OYmVt4sg+AgVF
hb1w+UQRsAPIff1+hU3zcTztMNbVv/
XWAlq7xus9UWa3FPqsFGxvXE86XYgog1ojEspA3a8aT4/1GxQNyd2Varv
rSP9NrwtmxwqXYTmnrsbNjiOVeMgRNTvcYtK5UAlDJalg1wQ==</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </soapenv:Body>
</soapenv:Envelope>

Use Case 4 - Adding X509 Token in the Outbound SOAP Message

The native API is enforced with require X509 token policy.This is the wsdl of the native API. API Gateway will add X500 token in the SOAP header and sends the SOAP request to the native API.

In this use case the native API is residing in Integration Server. API Gateway will use policygateway X509 certificate to be added in the SOAP header.

Step 1: Create an API in API Gateway with the native API’s WSDL

Step 2: Configure “Outbound Authentication - Message” policy action with the following values

Authentication scheme: None

Encryption Configurations

  • Keystore Alias: APIGatewayKeystore

  • Key Alias : policygateway

image
image1258×866 62.5 KB

Step 3: Using a SOAP client with gateway endpoint send the SOAP request.

Request sent From SOAP client to API Gateway

<soapenv:Envelope xmlns:soapenv="
xmlns:soap=">
   <soapenv:Header/>
   <soapenv:Body>
      <soap:addEmployeeFS>
         <Position>30</Position>
         <EmployeeFName>Tom</EmployeeFName>
         <EmployeeLName>Hardy</EmployeeLName>
         <EmployeeAge>34</EmployeeAge>
      </soap:addEmployeeFS>
   </soapenv:Body>
</soapenv:Envelope>

Request sent from API Gateway to native API

<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv=" xmlns:soap=">
    <soapenv:Header>
        <wsse:Security xmlns:wsse=" xmlns:wsu=" soapenv:mustUnderstand="1">
            <wsse:BinarySecurityToken EncodingType=" ValueType=" wsu:
Id="X509-ED1F77457C995F208E148913554250778">
MIIDTzCCA
jegAwIBAgIEVCLI9TANBgkqhkiG9w0BAQsFADBrMQswCQYDVQQGEwJVUzERMA8GA
1UECAwIVmlyZ2luaWExEDAOBgNVBAcMB0ZhaXJmYXgxEzARBgNVBAoMC
ndlYk1ldGhvZHMxCzAJBgNVBAsMAmxoMRUwEwYDVQQDDAx3ZWJNIFRFU1QgQ0EwH
hcNMTQwOTI0MTMzNzE1WhcNMjQwOTI0MTMzNzE1WjBoMQswCQYDVQQG
EwJVUzERMA8GA1UECAwIVmlyZ2luaWExEDAOBgNVBAcMB0ZhaXJmYXgxEzARBgNVB
AoMCndlYk1ldGhvZHMxCzAJBgNVBAsMAmxoMRI
wEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC2Ee+qImmOZQL5U+Nh50C6IYhUe4Aa3
01T/k27ckQT2p5oVB5Gy8I/vvPn4A8U3LZ/NKp+x0oEs5UjQWza4gAtN8j3JDsYwF
vstKmchy5jn5APG0MWR/KOOtmEd0c
vXG3t9SqDMIzcL4mXd7ebTc9H/JAMUJPTwSCe8z8m1rj1NTsNr84vfJlsnI45O/D
rUP95aY/nf4I
YyHZeEnrNRIsHyF7Wxa/eDEMweo5V3ILSvuhtipqUuKOb3b8HlU6L5OgnsMRpqrABJ3MpjBR
M8OPl7zMgEsYFtHjIAYkJy0o9tGUMy02krks4psC9HdZQTeb4dMthKP
6solZwWrVP+JJfAgM
BAAEwDQYJKoZIhvcNAQELBQADggEBAK9AmerN0jU1AfWZXp5e13HEIxbko/I2P1DlOLoWR/C
8vZM2bSz10X8rPBpDfrl+7CUQIBEvh5kKsAN6FhLwR19bBnlkM+EM1SJLRbJfktkZpGBV
/qItCjrykJMV7VNR7t8FwYfuqwc9yX0Lp5WEeawy8L/4XiD8lq7mlALATNd3DafZHrkNY
V0YC+uxZPMVt7Qr1OY/9Cl/5TaMcnsjmE4a/eFNYGPtTPLbOMYKzPeLKrXcwuQ26q/0Z
O1L9XvNrbnw+y8aSAV7lW0NbVRI2hclMh3qj13VNRR1dzu+WoSx4TyvsMZjw
C/DHcKzZHvXuePZ4Z6dCGdZ4r/5KRjgSdQ=</wsse:BinarySecurityToken>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body>
        <soap:addEmployeeFS>
            <Position>30</Position>
            <EmployeeFName>Tom</EmployeeFName>
            <EmployeeLName>Hardy</EmployeeLName>
            <EmployeeAge>34</EmployeeAge>
        </soap:addEmployeeFS>
    </soapenv:Body>
</soapenv:Envelope>