How to sign documents at TN

Hermann_Schuster · January 17, 2006, 2:29am

Hello to all, does anybody know how to sign documents at Wm 6.1 using a certificate?

Any help will be appreciate.

Thanks in advance,

Hermann

wMusers.Com1 · January 17, 2006, 4:15am

Hermann,

Very timely post. I am working on this issue today as well. I found a reference to an example package called XMLSEC that is available upon request by sending an email to security{ at }webMethods{ dot }com.

Although not directly related, you can also download a sample security utilities package from Advantage in the Best Practices->Utilities and Samples->Integration Server 6.x area. This package contains a few examples of RSA signatures, password-based encryption (pbe) and message digest creation.

HTH,

Mark

wMusers.Com1 · January 17, 2006, 7:25am

Hermann,

I found this MSDN article on Understanding XML Digital Signature to be useful.

The task at hand is to digitally sign the body of a soap message placing the XML digital signature inside a wsse:Security element in the Soap header (or adding it to an existing wsse:Security element if one already exists)

So far, I have created a Flow service in IS 6.5 (this should also work in IS 6.1). The Flow does the following:

Extracts the body of a valid soap message using pub.soap.utils:getBody
Extracts the XML source of the body using pub.xml:queryXMLNode with the XQL query “/*/source()”
Converts the source text to a byte array using the pub.string:stringToBytes service as a transformer
Creates a message digest from the byte array using the 6.x built-in service pub.security.util:createMessageDigest
Base64 encodes the message digest using pub.string:base64Encode
Initializes a ds:Signature document type created from a document reference generated from the XML Digital Signature schema using values of “http://www.w3.org/2001/10/xml-exc-c14n” for the “Algorithm” attribute of the “CanonicalizationMethod” element and “http://www.w3.org/2000/09/xmldsig#rsa-sha1” for the “Algorithm” element of the “DigestMethod” element.
Added a “ds:Reference” element to the “SignedInfo” element in this document type setting its “Id” attribute to an arbitrary value, the “Algorithm” attribute of the “DigestMethod” to “http://www.w3.org/2000/09/xmldsig#rsa-sha1” and mapping the base64-encoded message digest to the DigestValue element.
Mapped the ds:Signature record inside of a document named wsee:Security
Converted the wsee:Security document to a string, then to a node
Added the resulting node to the soap message header using pub.soap.utils:addHeaderEntry

This should work but needs some error checking to see if there is already an existing wsse:Security header in the soap message and potentially to add and ID reference to the “Body” element of the soap message to match the ID element in the ds:Reference element of the Signature.

The resulting soap message is:

[highlight=xml]

<?xml version="1.0" encoding="UTF-8"?>

<SOAP-ENV:Envelope
xmlns:SOAP-ENV=“http://schemas.xmlsoap.org/soap/envelope/”
xmlns:SOAP-ENC=“http://schemas.xmlsoap.org/soap/encoding/”
xmlns:xsd=“XML Schema”
xmlns:xsi=“http://www.w3.org/2001/XMLSchema-instance”>
<SOAP-ENV:Header xmlns:SOAP-ENV=“http://schemas.xmlsoap.org/soap/envelope/”>
<wsse:Security
xmlns:SOAP-ENV=“http://schemas.xmlsoap.org/soap/envelope/”
xmlns:wsse=“http://schemas.xmlsoap.org/ws/2002/07/secext”
xmlns:ds=“XML-Signature Syntax and Processing” SOAP-ENV:mustUnderstand=“1”>
ds:Signature
ds:SignedInfo
<ds:CanonicalizationMethod Algorithm=“Exclusive XML Canonicalization Version 1.0”/>
<ds:SignatureMethod Algorithm=“XML-Signature Syntax and Processing”/>
<ds:Reference Id=“#IDRef1”>
<ds:DigestMethod Algorithm=“XML-Signature Syntax and Processing”/>
ds:DigestValue7FNf6RH6GrmxJsdH4h5/fDCubGk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
</ds:Signature>
</wsse:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body ID=“IDRef1”>
<ns:order xmlns:ns=“urn:foo”>
2006-01-16T17:25:00.00-06:00
101-MC
1
100.00
100.00
</ns:order>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

[/highlight]

DISCLAIMER: This approach has not yet been fully tested and may be incorrect. Do not use this approach without sufficient unit and interoperability testing.

Easy as pie, right?

HTH,

Mark

Hermann_Schuster · January 17, 2006, 6:15pm

Thank you very Much Mark, this will be very useful for me. And as you mention this will be Easy as Pipe

King Regards,

Hermann

wMusers.Com1 · January 17, 2006, 9:19pm

I forgot the link to the MSDN article on Understanding XML Digital Signature.

It is [url=“Technical documentation | Microsoft Learn”]Technical documentation | Microsoft Learn

Mark

sam_hehir · April 12, 2006, 2:53pm

Nearly got that to work…
However when I come to call pub.soap.addHeaderEntry I get the error “not valid xml”.

I have added the ns for ds to pub.xmlStringToDocument… but still to no avail.

Does anybody know if it’s possible to define the namespace for either wsee or ds when I call create SoapData ? Ie define the namesapce in the soap envelope rather than in the header?

Nearly as easy as pie…

wMusers.Com1 · April 12, 2006, 10:23pm

Sam,

It should not matter where you define the namespace. Check your nsdecls to be sure that the namespace you are associating with the ds and wsee prefixes match exactly what you are using in your signature.

The error message would suggest that there is a mismatch in either the prefix or the namespace.

Mark

Test4 · March 7, 2007, 6:40am

Hi,
Could you please let me know how to sign and encrypt SOAP request message and then decrypt SOAP response.
Any help in this regard is highly appreciated.