How to sign documents at TN

Hello to all, does anybody know how to sign documents at Wm 6.1 using a certificate?

Any help will be appreciate.

Thanks in advance,



Very timely post. I am working on this issue today as well. I found a reference to an example package called XMLSEC that is available upon request by sending an email to security{ at }webmethods{ dot }com.

Although not directly related, you can also download a sample security utilities package from Advantage in the Best Practices->Utilities and Samples->Integration Server 6.x area. This package contains a few examples of RSA signatures, password-based encryption (pbe) and message digest creation.




I found this MSDN article on Understanding XML Digital Signature to be useful.

The task at hand is to digitally sign the body of a soap message placing the XML digital signature inside a wsse:Security element in the Soap header (or adding it to an existing wsse:Security element if one already exists)

So far, I have created a Flow service in IS 6.5 (this should also work in IS 6.1). The Flow does the following:

  1. Extracts the body of a valid soap message using pub.soap.utils:getBody
  2. Extracts the XML source of the body using pub.xml:queryXMLNode with the XQL query “/*/source()”
  3. Converts the source text to a byte array using the pub.string:stringToBytes service as a transformer
  4. Creates a message digest from the byte array using the 6.x built-in service
  5. Base64 encodes the message digest using pub.string:base64Encode
  6. Initializes a ds:Signature document type created from a document reference generated from the XML Digital Signature schema using values of "" for the “Algorithm” attribute of the “CanonicalizationMethod” element and "" for the “Algorithm” element of the “DigestMethod” element.
  7. Added a “ds:Reference” element to the “SignedInfo” element in this document type setting its “Id” attribute to an arbitrary value, the “Algorithm” attribute of the “DigestMethod” to "" and mapping the base64-encoded message digest to the DigestValue element.
  8. Mapped the ds:Signature record inside of a document named wsee:Security
  9. Converted the wsee:Security document to a string, then to a node
  10. Added the resulting node to the soap message header using pub.soap.utils:addHeaderEntry

This should work but needs some error checking to see if there is already an existing wsse:Security header in the soap message and potentially to add and ID reference to the “Body” element of the soap message to match the ID element in the ds:Reference element of the Signature.

The resulting soap message is:


<?xml version="1.0" encoding="UTF-8"?>

<SOAP-ENV:Header xmlns:SOAP-ENV=“”>
xmlns:ds=“” SOAP-ENV:mustUnderstand=“1”>
<ds:CanonicalizationMethod Algorithm=“”/>
<ds:SignatureMethod Algorithm=“”/>
<ds:Reference Id="#IDRef1">
<ds:DigestMethod Algorithm=“”/>
<SOAP-ENV:Body ID=“IDRef1”>
<ns:order xmlns:ns=“urn:foo”>


: This approach has not yet been fully tested and may be incorrect. Do not use this approach without sufficient unit and interoperability testing.

Easy as pie, right?



Thank you very Much Mark, this will be very useful for me. And as you mention this will be Easy as Pipe :wink:

King Regards,


I forgot the link to the MSDN article on Understanding XML Digital Signature.

It is


Nearly got that to work…
However when I come to call pub.soap.addHeaderEntry I get the error “not valid xml”.

I have added the ns for ds to pub.xmlStringToDocument… but still to no avail.

Does anybody know if it’s possible to define the namespace for either wsee or ds when I call create SoapData ? Ie define the namesapce in the soap envelope rather than in the header?

Nearly as easy as pie…


It should not matter where you define the namespace. Check your nsdecls to be sure that the namespace you are associating with the ds and wsee prefixes match exactly what you are using in your signature.

The error message would suggest that there is a mismatch in either the prefix or the namespace.


Could you please let me know how to sign and encrypt SOAP request message and then decrypt SOAP response.
Any help in this regard is highly appreciated.