Supported Versions: 10.0 & above
Introduction
Using the "Outbound Authentication - Message" policy action, API Gateway can secure the SOAP message it sends to the native API according to the web service security (WSS) policies enforced there: it can sign the outgoing SOAP message, encrypt it, and add an X509 token, a username token, a timestamp, a Kerberos token or a SAML token to the SOAP header.
Prerequisite
We need to configure a keystore and a truststore in Integration Server and select them in API Gateway; they supply the private keys and certificates used to sign and encrypt the outgoing SOAP message to the native API. The passwords listed below are the tutorial's sample values, not ones to reuse in a real deployment.
Keystore
A keystore is a repository of private keys and their corresponding public certificates. We are going to use this keystore. It contains 3 private keys (partner1, partner2, policygateway) and their corresponding public certificates.
Truststore
A truststore is a repository of trusted public certificates. We are going to use this truststore. It contains multiple trusted public certificates.
Step 1: Create Keystore Alias in Integration Server with the following values
Alias : APIGatewayKeystore
Location : packages\WmAPIGateway\config\resources\security\pgkeystore.jks
Password : password
Step 1.1: Configure the 3 private keys present in the keystore.
Password: password
Step 2: Configure Truststore Alias in Integration Server with the following values
Alias : APIGatewayTruststore
Location : packages\WmAPIGateway\config\resources\security\cacerts
Password : changeit
NOTE
- Install the native service package in Integration Server 10.0 or later.
- API Gateway and the Integration Server hosting the native services must be separate installations.
- The native services used in this tutorial are given below:
- SOAPnativeService.employeeService:EmployeeService_WSS_Username
- SOAPnativeService.employeeService:EmployeeService_Sign
- SOAPnativeService.employeeService:EmployeeService_Encrypt
- SOAPnativeService.employeeService:EmployeeService_X509
- The WSS policies used in this tutorial should be placed in the "{IS Installation Directory}\IntegrationServer\instances\default\config\wss\policies" location.
- The API Gateway assets used in this tutorial are given below:
- Employee_API_WSS_Username
- Employee_API_Sign
- Employee_API_Encrypt
- Employee_API_X509
Use Case 1 - Adding WSS Username Token in the Outbound SOAP Message
The native API is enforced with a policy that requires a WSS Username token. This is the WSDL of the native API. API Gateway adds the username token to the SOAP header of the outgoing request to the native API. The username we specify must be an IS user in the Integration Server where the native API resides. As the captured request below shows, the password is carried in clear text inside the header, so the connection from API Gateway to the native API should be TLS.
In this use case the native API resides in Integration Server.
Step 1: Create an API in API Gateway with the native API’s WSDL
Step 2: Configure “Outbound Authentication - Message” policy action with the following values
Authentication scheme: WSS username
Authenticate using : Custom credentials
Username : Administrator
Password : manage
Step 3: Using a SOAP client, send the SOAP request to the gateway endpoint.
Request sent from SOAP client to API Gateway (values elided in the listing are shown as ...):

```xml
<soapenv:Envelope xmlns:soapenv="...">
  ...
  <Position>SoftwareEngineer</Position>
  <EmployeeFName>Tom</EmployeeFName>
  <EmployeeLName>Hanks</EmployeeLName>
  <EmployeeAge>68</EmployeeAge>
  ...
</soapenv:Envelope>
```

Request sent from API Gateway to native API:

```xml
<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="...">
  ...
  <wsse:Security xmlns:wsse="..." xmlns:wsu="..." soapenv:mustUnderstand="1">
    <wsse:UsernameToken wsu:Id="UsernameToken-4">
      <wsse:Username>Administrator</wsse:Username>
      <wsse:Password Type="...">manage</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
  ...
  <Position>SoftwareEngineer</Position>
  <EmployeeFName>Tom</EmployeeFName>
  <EmployeeLName>Hanks</EmployeeLName>
  <EmployeeAge>68</EmployeeAge>
  ...
</soapenv:Envelope>
```
Use Case 2 - Signing the Outbound SOAP Message
The native API is enforced with a policy that requires signing. This is the WSDL of the native API. API Gateway signs the SOAP body with the configured private key and sends the SOAP request to the native API. If the native API resides in Integration Server, the public certificate corresponding to that private key must be mapped to an IS user; this mapping is how IS authenticates the signed request.
In this use case the native API resides in Integration Server. API Gateway uses the partner1 private key to sign the SOAP request, so partner1's certificate is the one mapped on the native side (Step 3).
Step 1: Add the keystore and truststore in the Integration Server where the native API is residing by following the steps in the “Prerequisite” section.
Step 2: Configure Certificate Settings in the Integration Server where the native API is residing with the following values.
Signing Key
-
Keystore Alias : NativeAPIKeystore
-
Key Alias : partner2
Decryption Key
-
Keystore Alias : NativeAPIKeystore
-
Key Alias : partner1
Step 3: Configure Client Certificates in the Integration Server where the native API is residing with the following values.
Certificate Path: packages\WmAPIGateway\config\resources\security\partner1cert.der
User : Administrator
Usage : Verify
Step 4: Create an API in API Gateway with the native API’s WSDL
Step 5: Configure “Outbound Authentication - Message” policy action with the following values
Authentication scheme: None
Signing Configurations
-
Keystore Alias : APIGatewayKeystore
-
Key Alias : partner1
Step 6: Using a SOAP client, send the SOAP request to the gateway endpoint.
Request sent from SOAP client to API Gateway:

```xml
<soapenv:Envelope xmlns:soapenv="...">
  ...
  <EmployeeFName>Tom</EmployeeFName>
  <EmployeeLName>Hardy</EmployeeLName>
  <EmployeeAge>34</EmployeeAge>
  ...
</soapenv:Envelope>
```

Request sent from API Gateway to native API:

```xml
<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="..." xmlns:soap="...">
  ...
  <wsse:Security xmlns:wsse="..." xmlns:wsu="..." soapenv:mustUnderstand="1">
    <ds:Signature xmlns:ds="..." Id="SIG-9">
      ...
      <ds:CanonicalizationMethod Algorithm="...">
        <ec:InclusiveNamespaces xmlns:ec="..." PrefixList="soap soapenv"/>
      </ds:CanonicalizationMethod>
      <ds:SignatureMethod Algorithm="..."/>
      <ds:Reference URI="#Id-1251913679">
        <ds:Transform Algorithm="...">
          <ec:InclusiveNamespaces xmlns:ec="..." PrefixList="soap"/>
        </ds:Transform>
        <ds:DigestMethod Algorithm="..."/>
        <ds:DigestValue>EHmgBmBsDns2OPWb62/v7rmox9Y=</ds:DigestValue>
      </ds:Reference>
      ...
      <ds:KeyInfo Id="KI-ED1F77457C995F208E148912705022526">
        <wsse:SecurityTokenReference wsu:Id="STR-ED1F77457C995F208E148912705022527">
          ...
          <ds:X509SerialNumber>1411550803</ds:X509SerialNumber>
          ...
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
    </ds:Signature>
  </wsse:Security>
  ...
  <soapenv:Body xmlns:wsu="..." wsu:Id="Id-1251913679">
    ...
    <EmployeeFName>Tom</EmployeeFName>
    <EmployeeLName>Hardy</EmployeeLName>
    <EmployeeAge>34</EmployeeAge>
    ...
  </soapenv:Body>
</soapenv:Envelope>
```

Note what the signature covers: it carries a single ds:Reference whose URI (#Id-1251913679) is the wsu:Id of soapenv:Body, so only the Body is signed; the SOAP header is not. The signing certificate is identified by issuer and serial number (ds:X509SerialNumber 1411550803) rather than being embedded in the message, which is why the native Integration Server must already hold partner1's certificate (Step 3) to verify it.
Use Case 3 - Encrypting the Outbound SOAP Message
The native API is enforced with a policy that requires encryption. This is the WSDL of the native API. API Gateway encrypts the SOAP body for the native API's public key and sends the SOAP request; only the holder of the matching private key (the native Integration Server, Step 2) can decrypt it.
In this use case the native API resides in Integration Server. API Gateway uses the partner2 certificate to encrypt the SOAP request.
Step 1: Add the keystore and truststore in the Integration Server where the native API is residing by following the steps in the “Prerequisite” section.
Step 2: Configure Certificate Settings in the Integration Server where the native API is residing with the following values.
Decryption Key
-
Keystore Alias : NativeAPIKeystore
-
Key Alias : partner2
Step 3 : Create an API in API Gateway with the native API’s WSDL
Step 4: Configure “Outbound Authentication - Message” policy action with the following values
Authentication scheme: None
Encryption Configurations
-
Keystore Alias : APIGatewayKeystore
-
Key Alias : partner2
Step 5: Using a SOAP client, send the SOAP request to the gateway endpoint.
Request sent from SOAP client to API Gateway:

```xml
<soapenv:Envelope xmlns:soapenv="...">
  ...
  <EmployeeFName>Tom</EmployeeFName>
  <EmployeeLName>Hardy</EmployeeLName>
  <EmployeeAge>34</EmployeeAge>
  ...
</soapenv:Envelope>
```

Request sent from API Gateway to native API:

```xml
<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="..." xmlns:soap="...">
  ...
  <wsse:Security xmlns:wsse="..." xmlns:wsu="..." soapenv:mustUnderstand="1">
    <wsse:BinarySecurityToken EncodingType="..." ValueType="..." wsu:Id="ED1F77457C995F208E148912856634329">...</wsse:BinarySecurityToken>
    <xenc:EncryptedKey xmlns:xenc="..." Id="EK-ED1F77457C995F208E148912856634328">
      <xenc:EncryptionMethod Algorithm="..."/>
      ...
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="#ED1F77457C995F208E148912856634329" ValueType="..."/>
      </wsse:SecurityTokenReference>
      ...
      <xenc:ReferenceList xmlns:xenc="...">
        <xenc:DataReference URI="#ED-10"/>
      </xenc:ReferenceList>
    </xenc:EncryptedKey>
  </wsse:Security>
  ...
  <soapenv:Body xmlns:wsu="..." wsu:Id="Id-560719255">
    <xenc:EncryptedData xmlns:xenc="..." Id="ED-10" Type="...">
      <xenc:EncryptionMethod Algorithm="..."/>
      ...
      <wsse:SecurityTokenReference xmlns:wsse="..." xmlns:wsse11="..." wsse11:TokenType="...">
        <wsse:Reference URI="#EK-ED1F77457C995F208E148912856634328"/>
      </wsse:SecurityTokenReference>
      ...
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>
```

The pieces are tied together by id references: the wsse:BinarySecurityToken carries the partner2 certificate, the xenc:EncryptedKey holds the content-encryption key wrapped for that certificate (its SecurityTokenReference points at #ED1F77457C995F208E148912856634329), the ReferenceList names the encrypted part (#ED-10), and the xenc:EncryptedData that replaces the Body content points back at the EncryptedKey (#EK-ED1F77457C995F208E148912856634328). Only the Body is encrypted; the header remains readable.
Use Case 4 - Adding X509 Token in the Outbound SOAP Message
The native API is enforced with a policy that requires an X509 token. This is the WSDL of the native API. API Gateway adds the X509 token to the SOAP header and sends the SOAP request to the native API.
In this use case the native API resides in Integration Server. API Gateway adds the policygateway X509 certificate to the SOAP header.
Step 1: Create an API in API Gateway with the native API’s WSDL
Step 2: Configure “Outbound Authentication - Message” policy action with the following values
Authentication scheme: None
Encryption Configurations
-
Keystore Alias: APIGatewayKeystore
-
Key Alias : policygateway
Step 3: Using a SOAP client, send the SOAP request to the gateway endpoint.
Request sent from SOAP client to API Gateway:

```xml
<soapenv:Envelope xmlns:soapenv="...">
  ...
  <EmployeeFName>Tom</EmployeeFName>
  <EmployeeLName>Hardy</EmployeeLName>
  <EmployeeAge>34</EmployeeAge>
  ...
</soapenv:Envelope>
```

Request sent from API Gateway to native API:

```xml
<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope xmlns:soapenv="..." xmlns:soap="...">
  ...
  <wsse:Security xmlns:wsse="..." xmlns:wsu="..." soapenv:mustUnderstand="1">
    <wsse:BinarySecurityToken EncodingType="..." ValueType="..." wsu:Id="X509-ED1F77457C995F208E148913554250778">...</wsse:BinarySecurityToken>
  </wsse:Security>
  ...
  <EmployeeFName>Tom</EmployeeFName>
  <EmployeeLName>Hardy</EmployeeLName>
  ...
```