Configure Outbound Authentication Message Policy Action

Supported Versions: 10.0 & above

Introduction

Using the “Outbound Authentication - Message” policy action, API Gateway can sign the outgoing SOAP message, encrypt it, or add an X509 token, a username token, a timestamp, a Kerberos token or a SAML token to it, according to the web service security (WS-Security) policies enforced by the native API.

Prerequisite

Configure a keystore and a truststore in Integration Server and select them in API Gateway; API Gateway uses them to sign and encrypt the outgoing SOAP message to the native API.

Keystore
A keystore is a repository of private keys and their corresponding public certificates. This tutorial uses the keystore found in the WmAPIGateway package at the location given in Step 1. It contains 3 private keys (partner1, partner2, policygateway) and their corresponding public certificates.

Truststore
A truststore is a repository of trusted public certificates. This tutorial uses the truststore at the location given in Step 2. It contains multiple trusted public certificates.

Both files are protected by well-known default passwords (password, changeit) and the same keystore, with all three private keys, is installed on both the API Gateway and the native Integration Server in the use cases below. This is convenient for a tutorial; in a real deployment each side holds only its own private keys, and keystore passwords are not defaults.

Step 1: Create Keystore Alias in Integration Server with the following values

Alias : APIGatewayKeystore

Location : packages\WmAPIGateway\config\resources\security\pgkeystore.jks

Password : password

Step 1.1: Configure the 3 private keys present in the keystore (partner1, partner2, policygateway).

Password: password

Step 2: Configure Truststore Alias in Integration Server with the following values

Alias : APIGatewayTruststore

Location : packages\WmAPIGateway\config\resources\security\cacerts

Password : changeit

NOTE

  • Install the native service package in Integration Server 10.0 or later.
  • API Gateway and the native services should run on different Integration Server installations.
  • The native services used in this tutorial are:
    1. SOAPnativeService.employeeService:EmployeeService_WSS_Username
    2. SOAPnativeService.employeeService:EmployeeService_Sign
    3. SOAPnativeService.employeeService:EmployeeService_Encrypt
    4. SOAPnativeService.employeeService:EmployeeService_X509
  • The WSS policies used in this tutorial should be placed in “{IS Installation Directory}\IntegrationServer\instances\default\config\wss\policies”.
  • The API Gateway assets used in this tutorial are:
    1. Employee_API_WSS_Username
    2. Employee_API_Sign
    3. Employee_API_Encrypt
    4. Employee_API_X509

Use Case 1 - Adding WSS Username Token in the Outbound SOAP Message

The native API enforces a policy that requires a WSS Username token. This is the WSDL of the native API. API Gateway adds the username token to the SOAP header of the request it sends to the native API. The username must be an IS user on the Integration Server where the native API resides. In this use case the native API resides in Integration Server.

The token API Gateway produces carries the password in clear text (see the wsse:Password element in the outbound message below), so the hop from API Gateway to the native API must be protected by TLS, or the credential is exposed to anyone on that network path. Administrator/manage are the Integration Server default credentials, used here for the tutorial only; in a real deployment create a dedicated IS user with no more rights than the native service needs.

Step 1: Create an API in API Gateway with the native API’s WSDL

Step 2: Configure “Outbound Authentication - Message” policy action with the following values

Authentication scheme: WSS username

Authenticate using : Custom credentials

Username : Administrator

Password : manage

Step 3: Using a SOAP client, send the SOAP request to the gateway endpoint.

Request sent from SOAP client to API Gateway:

    <soapenv:Envelope xmlns:soapenv="…" xmlns:soap="…">
      <soapenv:Header/>
      <soapenv:Body>
        <soap:addEmployeeFS>
          <Position>SoftwareEngineer</Position>
          <EmployeeFName>Tom</EmployeeFName>
          <EmployeeLName>Hanks</EmployeeLName>
          <EmployeeAge>68</EmployeeAge>
        </soap:addEmployeeFS>
      </soapenv:Body>
    </soapenv:Envelope>

Request sent from API Gateway to native API:

    <?xml version='1.0' encoding='utf-8'?>
    <soapenv:Envelope xmlns:soapenv="…" xmlns:soap="…">
      <soapenv:Header>
        <wsse:Security xmlns:wsse="…" xmlns:wsu="…" soapenv:mustUnderstand="1">
          <wsse:UsernameToken wsu:Id="UsernameToken-4">
            <wsse:Username>Administrator</wsse:Username>
            <wsse:Password Type="…">manage</wsse:Password>
          </wsse:UsernameToken>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body>
        <soap:addEmployeeFS>
          <Position>SoftwareEngineer</Position>
          <EmployeeFName>Tom</EmployeeFName>
          <EmployeeLName>Hanks</EmployeeLName>
          <EmployeeAge>68</EmployeeAge>
        </soap:addEmployeeFS>
      </soapenv:Body>
    </soapenv:Envelope>
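The UsernameToken that API Gateway emits in Step 3 carries the password as-is. The WS-Security UsernameToken Profile also defines a PasswordDigest form, Base64(SHA-1(nonce + created + password)), which keeps the password off the wire and, with one-time nonces and a freshness window, resists replay. The following Python is an added example, not code from this tutorial or from API Gateway: it builds both token forms and shows the checks a receiver should apply to each. The namespace URIs are the standard OASIS ones (they are not shown in this copy of the page), the credential store is a constructed dictionary, and whether API Gateway can be configured to emit the digest form is not covered by this page.

```python
"""Added example, not from the webMethods tutorial: WS-Security UsernameToken in its
clear-text (PasswordText) and PasswordDigest forms, plus a receiver-side verifier.
Namespace URIs are the standard OASIS WS-Security 1.0 values (assumed here; the
page copy does not show them)."""
from __future__ import annotations

import base64
import datetime as dt
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PW_TEXT, PW_DIGEST = UTP + "#PasswordText", UTP + "#PasswordDigest"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ws_time(value: str) -> dt.datetime:
    """Parse a wsu:Created value (UTC, second precision) into an aware datetime."""
    return dt.datetime.strptime(value, TIME_FMT).replace(tzinfo=dt.timezone.utc)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def username_token(user: str, password: str, digest: bool = True,
                   nonce: bytes | None = None, created: str | None = None) -> str:
    """Build a <wsse:UsernameToken>; digest=False reproduces the clear-text form
    seen in the tutorial's outbound message."""
    created = created or dt.datetime.now(dt.timezone.utc).strftime(TIME_FMT)
    nonce = nonce or os.urandom(16)
    if digest:
        pw_type, pw_value = PW_DIGEST, password_digest(nonce, created, password)
        extra = (f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
                 f"<wsu:Created>{created}</wsu:Created>")
    else:
        pw_type, pw_value, extra = PW_TEXT, password, ""
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f"<wsse:Username>{user}</wsse:Username>"
            f'<wsse:Password Type="{pw_type}">{pw_value}</wsse:Password>{extra}'
            "</wsse:UsernameToken>")


def verify_username_token(token_xml: str, passwords: dict[str, str], seen_nonces: set[bytes],
                          now: dt.datetime | None = None, max_skew_s: int = 300) -> tuple[bool, str]:
    """Receiver-side check. Returns (accepted, reason).

    Clear-text passwords are compared in constant time; digest passwords are
    recomputed from nonce + created, rejected outside a freshness window, and
    each accepted nonce is remembered so the same token cannot be replayed."""
    tok = ET.fromstring(token_xml)  # on untrusted input use defusedxml.ElementTree instead
    user = tok.findtext(f"{{{WSSE}}}Username") or ""
    pw_el = tok.find(f"{{{WSSE}}}Password")
    if pw_el is None or user not in passwords:
        return False, "unknown user or missing password"
    pw_type = pw_el.get("Type", PW_TEXT)  # the profile defaults an absent Type to PasswordText
    presented = (pw_el.text or "").encode()
    if pw_type == PW_TEXT:
        if hmac.compare_digest(presented, passwords[user].encode()):
            return True, "PasswordText accepted (needs TLS on the wire)"
        return False, "bad password"
    if pw_type != PW_DIGEST:
        return False, f"unsupported password type {pw_type}"
    nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if not nonce_b64 or not created:
        return False, "digest token without nonce/created"
    now = now or dt.datetime.now(dt.timezone.utc)
    if abs((now - parse_ws_time(created)).total_seconds()) > max_skew_s:
        return False, "created timestamp outside freshness window"
    nonce = base64.b64decode(nonce_b64)
    if nonce in seen_nonces:
        return False, "replayed nonce"
    if not hmac.compare_digest(password_digest(nonce, created, passwords[user]).encode(), presented):
        return False, "digest mismatch"
    seen_nonces.add(nonce)  # a real receiver expires entries after max_skew_s
    return True, "PasswordDigest accepted"


if __name__ == "__main__":
    store = {"Administrator": "manage"}  # constructed: the tutorial's default IS credentials
    seen = set()
    token = username_token("Administrator", "manage")
    print(token)
    print(verify_username_token(token, store, seen))  # accepted
    print(verify_username_token(token, store, seen))  # same nonce again: replayed nonce
```

The digest form still requires the receiver to hold the clear-text password (the digest is recomputed from it), so it protects the wire, not the credential store; its value is that a sniffed token is useless after the freshness window and cannot be resubmitted within it.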

Use Case 2 - Signing the Outbound SOAP Message

The native API enforces a policy that requires signing. This is the WSDL of the native API. API Gateway signs the SOAP body with a private key and sends the request to the native API. If the native API resides in Integration Server, the public certificate that corresponds to that private key must be mapped to an IS user (Step 3 below does this for partner1).

In this use case the native API resides in Integration Server and API Gateway signs with the partner1 private key. Note what the signature in the outbound message below does and does not cover: the single ds:Reference points at the wsu:Id of the SOAP Body, so the headers are unsigned, and no wsu:Timestamp is included, so a captured request can be replayed against the native API for as long as the key stays valid. Where the native policy allows it, add a signed timestamp (the introduction lists it as an option of this policy action) and keep the gateway to Integration Server connection on TLS.

Step 1: Add the keystore and truststore to the Integration Server where the native API resides, following the steps in the “Prerequisite” section. The steps below refer to the keystore alias on that server as NativeAPIKeystore.

Step 2: Configure Certificate Settings in the Integration Server where the native API is residing with the following values.

Signing Key

  • Keystore Alias : NativeAPIKeystore

  • Key Alias : partner2

Decryption Key

  • Keystore Alias : NativeAPIKeystore

  • Key Alias : partner1

Step 3: Configure Client Certificates in the Integration Server where the native API is residing with the following values.

Certificate Path: packages\WmAPIGateway\config\resources\security\partner1cert.der

User : Administrator

Usage : Verify

Step 4: Create an API in API Gateway with the native API’s WSDL

Step 5: Configure “Outbound Authentication - Message” policy action with the following values

Authentication scheme: None

Signing Configurations

  • Keystore Alias : APIGatewayKeystore

  • Key Alias : partner1

Step 6: Using a SOAP client, send the SOAP request to the gateway endpoint.

Request sent from SOAP client to API Gateway:

    <soapenv:Envelope xmlns:soapenv="…" xmlns:soap="…">
      <soapenv:Header/>
      <soapenv:Body>
        <soap:addEmployeeFS>
          <Position>3</Position>
          <EmployeeFName>Tom</EmployeeFName>
          <EmployeeLName>Hardy</EmployeeLName>
          <EmployeeAge>34</EmployeeAge>
        </soap:addEmployeeFS>
      </soapenv:Body>
    </soapenv:Envelope>

Request sent from API Gateway to native API:

    <?xml version='1.0' encoding='utf-8'?>
    <soapenv:Envelope xmlns:soapenv="…" xmlns:soap="…">
      <soapenv:Header>
        <wsse:Security xmlns:wsse="…" xmlns:wsu="…" soapenv:mustUnderstand="1">
          <ds:Signature xmlns:ds="…" Id="SIG-9">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="…">
                <ec:InclusiveNamespaces xmlns:ec="…" PrefixList="soap soapenv"/>
              </ds:CanonicalizationMethod>
              <ds:SignatureMethod Algorithm="…"/>
              <ds:Reference URI="#Id-1251913679">
                <ds:Transforms>
                  <ds:Transform Algorithm="…">
                    <ec:InclusiveNamespaces xmlns:ec="…" PrefixList="soap"/>
                  </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="…"/>
                <ds:DigestValue>EHmgBmBsDns2OPWb62/v7rmox9Y=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>Sh1ojhj8ZGH0yXWC0l0vKYVGL6pkCN7EyugbGZgIA+33cH+U5Nb+uCz3qIXdtM8SFaD5yg1DECv6ZxTko9wZn0+yu7EsotwxHgpbOPDZ0mzuodfgjO4MMO7GGbFUAdcWLIAizS9ZtAyfhsLJeEpDQbAzmSgjLVcpjbHVqlxBQ/lYhDcH4WWi+e10tos36drC5x8Lycptcx0KdXcfh5+Gs7QgRFqPQAvXvfOmI4dXorWjWsCfdtfCwriG+w7jd0QNZeYruQqYMpnOkbQhQxUnOLfWrLW2kg7CDd3UVGpn/HS9E5dtAZamoe/AVyg8h/37pRt3RQoqJeVkVMZrbloJ1Q==</ds:SignatureValue>
            <ds:KeyInfo Id="KI-ED1F77457C995F208E148912705022526">
              <wsse:SecurityTokenReference wsu:Id="STR-ED1F77457C995F208E148912705022527">
                <ds:X509Data>
                  <ds:X509IssuerSerial>
                    <ds:X509IssuerName>CN=webM TEST CA,OU=lh,O=webMethods,L=Fairfax,ST=Virginia,C=US</ds:X509IssuerName>
                    <ds:X509SerialNumber>1411550803</ds:X509SerialNumber>
                  </ds:X509IssuerSerial>
                </ds:X509Data>
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
          </ds:Signature>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body xmlns:wsu="…" wsu:Id="Id-1251913679">
        <soap:addEmployeeFS>
          <Position>3</Position>
          <EmployeeFName>Tom</EmployeeFName>
          <EmployeeLName>Hardy</EmployeeLName>
          <EmployeeAge>34</EmployeeAge>
        </soap:addEmployeeFS>
      </soapenv:Body>
    </soapenv:Envelope>

Use Case 3 - Encrypting the Outbound SOAP Message

The native API enforces a policy that requires encryption. This is the WSDL of the native API. API Gateway encrypts the SOAP body with the native API's public key and sends the request.

In this use case the native API resides in Integration Server and API Gateway encrypts with the partner2 certificate. Only the partner2 certificate (public key) is needed on the gateway side; the partner2 private key, configured as the Decryption Key in Step 2, is what the native server needs and is the secret to protect. The tutorial keystore carries all three private keys on both servers for convenience; in a real deployment the native API's decryption key should not be present on the gateway. Encryption alone gives confidentiality, not sender authentication; combine it with signing (Use Case 2) where the native policy requires both.

Step 1: Add the keystore and truststore to the Integration Server where the native API resides, following the steps in the “Prerequisite” section. The steps below refer to the keystore alias on that server as NativeAPIKeystore.

Step 2: Configure Certificate Settings in the Integration Server where the native API is residing with the following values.

Decryption Key

  • Keystore Alias : NativeAPIKeystore

  • Key Alias : partner2

Step 3: Create an API in API Gateway with the native API’s WSDL

Step 4: Configure “Outbound Authentication - Message” policy action with the following values

Authentication scheme: None

Encryption Configurations

  • Keystore Alias : APIGatewayKeystore

  • Key Alias : partner2

Step 5: Using a SOAP client, send the SOAP request to the gateway endpoint.

Request sent from SOAP client to API Gateway:

    <soapenv:Envelope xmlns:soapenv="…" xmlns:soap="…">
      <soapenv:Header/>
      <soapenv:Body>
        <soap:addEmployeeFS>
          <Position>5</Position>
          <EmployeeFName>Tom</EmployeeFName>
          <EmployeeLName>Hardy</EmployeeLName>
          <EmployeeAge>34</EmployeeAge>
        </soap:addEmployeeFS>
      </soapenv:Body>
    </soapenv:Envelope>

Request sent from API Gateway to native API:

    <?xml version='1.0' encoding='utf-8'?>
    <soapenv:Envelope xmlns:soapenv="…" xmlns:soap="…">
      <soapenv:Header>
        <wsse:Security xmlns:wsse="…" xmlns:wsu="…" soapenv:mustUnderstand="1">
          <wsse:BinarySecurityToken EncodingType="…" ValueType="…" wsu:Id="ED1F77457C995F208E148912856634329">…</wsse:BinarySecurityToken>
          <xenc:EncryptedKey xmlns:xenc="…" Id="EK-ED1F77457C995F208E148912856634328">
            <xenc:EncryptionMethod Algorithm="…"/>
            <ds:KeyInfo xmlns:ds="…">
              <wsse:SecurityTokenReference>
                <wsse:Reference URI="#ED1F77457C995F208E148912856634329" ValueType="…"/>
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
              <xenc:CipherValue>iO2DQ+E6cApDstZ2xVOA+nxsmBLtMp0CvUAoi6qEHnf9TiQAvXSSeO7Pcb/Z7WN7xZUurx8Hil8oEYa8gg14dtJg6LUIbsi3lJNfqvJK1Nh0M9GaQpn19J9ISCLvG8Ary70qHQlk3x+qUHnwrL0hA+5OlR/nskgjLwXIhUF7AYsxFoVzSBf7WUrWyKFydbQRB+HnC+KVaC+Q1QF8v3HN11f3qqq5SLPNGg7FiZC0MqyQf8glK1HKFWhv7eVgDBS6nZjf0H7kvdInMMWb/emH9RA8igQzP+jyLef2SaKOCIILFAHNN6Vn49YwG8DzRxz/hLtNi5uLMYo7wOJ5zu2SDg==</xenc:CipherValue>
            </xenc:CipherData>
          </xenc:EncryptedKey>
          <xenc:ReferenceList xmlns:xenc="…">
            <xenc:DataReference URI="#ED-10"/>
          </xenc:ReferenceList>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body xmlns:wsu="…" wsu:Id="Id-560719255">
        <xenc:EncryptedData xmlns:xenc="…" Id="ED-10" Type="…">
          <xenc:EncryptionMethod Algorithm="…"/>
          <ds:KeyInfo xmlns:ds="…">
            <wsse:SecurityTokenReference xmlns:wsse="…" xmlns:wsse11="…" wsse11:TokenType="…">
              <wsse:Reference URI="#EK-ED1F77457C995F208E148912856634328"/>
            </wsse:SecurityTokenReference>
          </ds:KeyInfo>
          <xenc:CipherData>
            <xenc:CipherValue>sE88iIdHk4lD+9z7b6ODFq27O/ylBCHfboQlMYMsf5s/Mrq0JK7WcB3OyFh49XUw7Xmv67d6o41Lnah5g22WZs9p5osvWbyBNHcli+GDV+94a9Lxtlo2f/daijb7iKen3WlFxoDofjA50P2GbCGqNWv+Q1gOuaWaX5OYmVt4sg+AgVFhb1w+UQRsAPIff1+hU3zcTztMNbVv/XWAlq7xus9UWa3FPqsFGxvXE86XYgog1ojEspA3a8aT4/1GxQNyd2VarvrSP9NrwtmxwqXYTmnrsbNjiOVeMgRNTvcYtK5UAlDJalg1wQ==</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedData>
      </soapenv:Body>
    </soapenv:Envelope>

Use Case 4 - Adding X509 Token in the Outbound SOAP Message

The native API enforces a policy that requires an X509 token. This is the WSDL of the native API. API Gateway adds the X509 certificate to the SOAP header as a wsse:BinarySecurityToken and sends the request to the native API.

In this use case the native API resides in Integration Server and API Gateway adds the policygateway X509 certificate to the SOAP header. A certificate on its own is public data: unless a ds:Signature in the same message is made with the matching private key and references the token, the token identifies a certificate but does not prove that the sender holds its key, so a policy that needs sender authentication should require signing as well. The certificate shown in the outbound message below is a test certificate (subject CN=localhost, issued by CN=webM TEST CA, valid from 2014-09-24 to 2024-09-24) and is not meant for production use.

Step 1: Create an API in API Gateway with the native API’s WSDL

Step 2: Configure “Outbound Authentication - Message” policy action with the following values

Authentication scheme: None

Encryption Configurations

  • Keystore Alias: APIGatewayKeystore

  • Key Alias : policygateway

Step 3: Using a SOAP client, send the SOAP request to the gateway endpoint.

Request sent from SOAP client to API Gateway:

    <soapenv:Envelope xmlns:soapenv="…" xmlns:soap="…">
      <soapenv:Header/>
      <soapenv:Body>
        <soap:addEmployeeFS>
          <Position>30</Position>
          <EmployeeFName>Tom</EmployeeFName>
          <EmployeeLName>Hardy</EmployeeLName>
          <EmployeeAge>34</EmployeeAge>
        </soap:addEmployeeFS>
      </soapenv:Body>
    </soapenv:Envelope>

Request sent from API Gateway to native API:

    <?xml version='1.0' encoding='utf-8'?>
    <soapenv:Envelope xmlns:soapenv="…" xmlns:soap="…">
      <soapenv:Header>
        <wsse:Security xmlns:wsse="…" xmlns:wsu="…" soapenv:mustUnderstand="1">
          <wsse:BinarySecurityToken EncodingType="…" ValueType="…" wsu:Id="X509-ED1F77457C995F208E148913554250778">MIIDTzCCAjegAwIBAgIEVCLI9TANBgkqhkiG9w0BAQsFADBrMQswCQYDVQQGEwJVUzERMA8GA1UECAwIVmlyZ2luaWExEDAOBgNVBAcMB0ZhaXJmYXgxEzARBgNVBAoMCndlYk1ldGhvZHMxCzAJBgNVBAsMAmxoMRUwEwYDVQQDDAx3ZWJNIFRFU1QgQ0EwHhcNMTQwOTI0MTMzNzE1WhcNMjQwOTI0MTMzNzE1WjBoMQswCQYDVQQGEwJVUzERMA8GA1UECAwIVmlyZ2luaWExEDAOBgNVBAcMB0ZhaXJmYXgxEzARBgNVBAoMCndlYk1ldGhvZHMxCzAJBgNVBAsMAmxoMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2Ee+qImmOZQL5U+Nh50C6IYhUe4Aa301T/k27ckQT2p5oVB5Gy8I/vvPn4A8U3LZ/NKp+x0oEs5UjQWza4gAtN8j3JDsYwFvstKmchy5jn5APG0MWR/KOOtmEd0cvXG3t9SqDMIzcL4mXd7ebTc9H/JAMUJPTwSCe8z8m1rj1NTsNr84vfJlsnI45O/DrUP95aY/nf4IYyHZeEnrNRIsHyF7Wxa/eDEMweo5V3ILSvuhtipqUuKOb3b8HlU6L5OgnsMRpqrABJ3MpjBRM8OPl7zMgEsYFtHjIAYkJy0o9tGUMy02krks4psC9HdZQTeb4dMthKP6solZwWrVP+JJfAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAK9AmerN0jU1AfWZXp5e13HEIxbko/I2P1DlOLoWR/C8vZM2bSz10X8rPBpDfrl+7CUQIBEvh5kKsAN6FhLwR19bBnlkM+EM1SJLRbJfktkZpGBV/qItCjrykJMV7VNR7t8FwYfuqwc9yX0Lp5WEeawy8L/4XiD8lq7mlALATNd3DafZHrkNYV0YC+uxZPMVt7Qr1OY/9Cl/5TaMcnsjmE4a/eFNYGPtTPLbOMYKzPeLKrXcwuQ26q/0ZO1L9XvNrbnw+y8aSAV7lW0NbVRI2hclMh3qj13VNRR1dzu+WoSx4TyvsMZjwC/DHcKzZHvXuePZ4Z6dCGdZ4r/5KRjgSdQ=</wsse:BinarySecurityToken>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body>
        <soap:addEmployeeFS>
          <Position>30</Position>
          <EmployeeFName>Tom</EmployeeFName>
          <EmployeeLName>Hardy</EmployeeLName>
          <EmployeeAge>34</EmployeeAge>
        </soap:addEmployeeFS>
      </soapenv:Body>
    </soapenv:Envelope>
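Each of the four outbound messages above adds one protection, and a receiver, or anyone reviewing what the gateway emits, needs to know what each one does and does not cover: whether a signature's Reference covers the Body and a Timestamp, whether the Body content is encrypted, whether a UsernameToken password is clear text, and whether an X509 token is actually tied to a signature. The following Python is an added example, not code from this tutorial or from API Gateway; it audits a wsse:Security header for these points and runs on messages constructed after Use Cases 1 to 4 with dummy digest, signature and cipher values, so it checks structure and coverage, not cryptographic validity. The namespace URIs are the standard OASIS and W3C values (not shown in this copy of the page), and urn:example:employee stands in for the service namespace.

```python
"""Added example, not from the webMethods tutorial: audit the wsse:Security header
of an outbound SOAP message for coverage gaps. Samples are constructed after Use
Cases 1-4 of the page with dummy values; namespace URIs are the standard
OASIS/W3C ones (assumed; the page copy does not show them)."""
from __future__ import annotations

import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
PW_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-username-token-profile-1.0#PasswordText")


def q(ns: str, local: str) -> str:
    return f"{{{ns}}}{local}"


def _referenced_ids(scope, container_tag: str, ref_tag: str) -> set[str]:
    """IDs named by URI="#id" on ref_tag elements nested in any container_tag under scope."""
    return {r.get("URI", "").lstrip("#")
            for c in scope.iter(container_tag) for r in c.iter(ref_tag)}


def audit_security_header(envelope_xml: str) -> dict:
    root = ET.fromstring(envelope_xml)  # on untrusted input use defusedxml.ElementTree
    header = root.find(q(SOAPENV, "Header"))
    body = root.find(q(SOAPENV, "Body"))
    sec = header.find(q(WSSE, "Security")) if header is not None else None
    report = {"tokens": [], "body_signed": False, "timestamp_signed": False,
              "body_encrypted": False, "plaintext_password": False, "x509_role": None}
    if sec is None or body is None:
        return report
    report["tokens"] = sorted({c.tag.rpartition("}")[2] for c in sec})
    # What the signatures actually cover: ds:Reference URIs matched against wsu:Id values.
    signed_ids = _referenced_ids(sec, q(DS, "Signature"), q(DS, "Reference"))
    report["body_signed"] = body.get(q(WSU, "Id")) in signed_ids
    ts = sec.find(q(WSU, "Timestamp"))
    report["timestamp_signed"] = ts is not None and ts.get(q(WSU, "Id")) in signed_ids
    # Body content encrypted: an xenc:EncryptedData element replaces the payload.
    report["body_encrypted"] = body.find(q(XENC, "EncryptedData")) is not None
    for pw in sec.iter(q(WSSE, "Password")):
        if pw.get("Type", PW_TEXT) == PW_TEXT:  # an absent Type means PasswordText
            report["plaintext_password"] = True
    # A BinarySecurityToken proves key possession only when a Signature's KeyInfo points at
    # it; referenced from an EncryptedKey it merely names the recipient's certificate.
    bst_ids = {b.get(q(WSU, "Id")) for b in sec.iter(q(WSSE, "BinarySecurityToken"))}
    if bst_ids:
        sig_refs = _referenced_ids(sec, q(DS, "Signature"), q(WSSE, "Reference"))
        ek_refs = _referenced_ids(sec, q(XENC, "EncryptedKey"), q(WSSE, "Reference"))
        report["x509_role"] = ("signer" if bst_ids & sig_refs
                               else "recipient" if bst_ids & ek_refs else "unused")
    return report


def findings(report: dict) -> list[str]:
    out = []
    if report["plaintext_password"]:
        out.append("UsernameToken carries the password in clear text: the transport must be TLS")
    if report["body_signed"] and not report["timestamp_signed"]:
        out.append("Body is signed but no Timestamp is signed: the request can be replayed")
    if report["x509_role"] == "unused":
        out.append("BinarySecurityToken is not referenced by any Signature or EncryptedKey: "
                   "a bare certificate proves nothing about the sender")
    if not (report["body_signed"] or report["body_encrypted"]):
        out.append("Body is neither signed nor encrypted")
    return out


def envelope(security_inner: str, body_attrs: str, body_inner: str) -> str:
    """Constructed SOAP 1.1 envelope in the shape of the tutorial's outbound messages."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAPENV}" xmlns:soap="urn:example:employee">'
            f'<soapenv:Header><wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" '
            f'soapenv:mustUnderstand="1">{security_inner}</wsse:Security></soapenv:Header>'
            f'<soapenv:Body xmlns:wsu="{WSU}" {body_attrs}>{body_inner}</soapenv:Body>'
            "</soapenv:Envelope>")


PAYLOAD = ("<soap:addEmployeeFS><Position>3</Position><EmployeeFName>Tom</EmployeeFName>"
           "<EmployeeLName>Hardy</EmployeeLName><EmployeeAge>34</EmployeeAge></soap:addEmployeeFS>")
# Use Case 1 shape: UsernameToken without a Type attribute (clear text by default).
USERNAME = envelope("<wsse:UsernameToken><wsse:Username>Administrator</wsse:Username>"
                    "<wsse:Password>manage</wsse:Password></wsse:UsernameToken>", "", PAYLOAD)
# Use Case 2 shape: one ds:Reference covering the Body, signer named by issuer/serial, no Timestamp.
SIGNED = envelope(
    f'<ds:Signature xmlns:ds="{DS}" Id="SIG-9"><ds:SignedInfo><ds:Reference URI="#Id-1251913679">'
    "<ds:DigestValue>dummy=</ds:DigestValue></ds:Reference></ds:SignedInfo>"
    "<ds:SignatureValue>dummy=</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference>"
    "<ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=webM TEST CA,OU=lh,O=webMethods,"
    "L=Fairfax,ST=Virginia,C=US</ds:X509IssuerName><ds:X509SerialNumber>1411550803"
    "</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference>"
    "</ds:KeyInfo></ds:Signature>", 'wsu:Id="Id-1251913679"', PAYLOAD)
# Use Case 3 shape: recipient certificate as BinarySecurityToken, EncryptedKey, encrypted Body.
ENCRYPTED = envelope(
    '<wsse:BinarySecurityToken wsu:Id="BST-1">dummy=</wsse:BinarySecurityToken>'
    f'<xenc:EncryptedKey xmlns:xenc="{XENC}" Id="EK-1"><ds:KeyInfo xmlns:ds="{DS}">'
    '<wsse:SecurityTokenReference><wsse:Reference URI="#BST-1"/></wsse:SecurityTokenReference>'
    "</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>dummy=</xenc:CipherValue></xenc:CipherData>"
    f'</xenc:EncryptedKey><xenc:ReferenceList xmlns:xenc="{XENC}"><xenc:DataReference URI="#ED-10"/>'
    "</xenc:ReferenceList>", 'wsu:Id="Id-560719255"',
    f'<xenc:EncryptedData xmlns:xenc="{XENC}" Id="ED-10" Type="{XENC}Content"><xenc:CipherData>'
    "<xenc:CipherValue>dummy=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>")
# Use Case 4 shape: the certificate alone, nothing signed.
X509_ONLY = envelope('<wsse:BinarySecurityToken wsu:Id="X509-1">dummy=</wsse:BinarySecurityToken>',
                     "", PAYLOAD)

if __name__ == "__main__":
    for name, msg in [("username", USERNAME), ("signed", SIGNED),
                      ("encrypted", ENCRYPTED), ("x509_only", X509_ONLY)]:
        print(name, findings(audit_security_header(msg)))
```

Run against the real gateway output, the audit gives a quick answer to the question the native WSS policy is really asking: is the thing it requires (a signed Body, an encrypted Body, a bound certificate) present, or only something that looks like it. It deliberately stops short of verifying digests, signatures or decrypting anything; that is the WS-Security stack's job on the native Integration Server.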