Layer7 API Management

  • 1.  EndorsingSupportingTokens

    Posted Dec 06, 2017 11:08 AM

    How to configure "EndorsingSupportingTokens" requirement on the API Gateway? No direct assertion is available to configure. Do we have to use the sign assertion on the signature element in the WSS header?



  • 2.  Re: EndorsingSupportingTokens

    Broadcom Employee
    Posted Dec 06, 2017 12:23 PM

    Endorsing Tokens can be UsernameToken or X509Token which can be used through the standard WS-Security policies in the gateway. Do you have an example of what the payload is expected to look like to help point you in the right direction in policy?

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 3.  Re: EndorsingSupportingTokens

    Posted Dec 06, 2017 12:52 PM

    Hi Stephan

    I don't have one example in hand. The endorsing token is a X509 token. After applying WS-Security (signing the body & encrypting the body) the endorsing token must sign the WSSE signature element in the header. WS-Policy contains SymmetrincBinding with:

          <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">        <wsp:Policy>          <sp:X509Token            sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">            <wsp:Policy>              <sp:RequireThumbprintReference />              <sp:WssX509V3Token10 />            </wsp:Policy>          </sp:X509Token>        </wsp:Policy>      </sp:EndorsingSupportingTokens>

    That is I understood the standard. I use the sign and encrypt assertion to adhere to the symmetric binding and afterwards I apply the WS-Security assertion. However, what's missing is applying the Signature element in the WS securtiy header.

     

    I tried to use the sign assertion a second time.... Do you you other ideas?

     

    Thanks in advance!

    richard

     

    WS- Policy of the Service Provider looks like that:

    <wsp:Policy wsu:Id="X509SymmetricAndEndorsing">  <wsp:ExactlyOne>    <wsp:All>      <sp:SymmetricBinding>        <wsp:Policy>          <sp:ProtectionToken>            <wsp:Policy>              <sp:X509Token                sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">                <wsp:Policy>                  <sp:RequireDerivedKeys />                  <sp:RequireThumbprintReference />                  <sp:WssX509V3Token10 />                </wsp:Policy>              </sp:X509Token>            </wsp:Policy>          </sp:ProtectionToken>          <sp:AlgorithmSuite>            <wsp:Policy>              <sp:Basic128 />            </wsp:Policy>          </sp:AlgorithmSuite>          <sp:Layout>            <wsp:Policy>              <sp:Strict />            </wsp:Policy>          </sp:Layout>          <sp:IncludeTimestamp />          <sp:OnlySignEntireHeadersAndBody />        </wsp:Policy>      </sp:SymmetricBinding>      <sp:EncryptedParts>        <sp:Body />      </sp:EncryptedParts>      <sp:SignedParts>        <sp:Body />      </sp:SignedParts>      <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">        <wsp:Policy>          <sp:X509Token            sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">            <wsp:Policy>              <sp:RequireThumbprintReference />              <sp:WssX509V3Token10 />            </wsp:Policy>          </sp:X509Token>        </wsp:Policy>      </sp:EndorsingSupportingTokens>      <sp:Wss11>        <wsp:Policy>          <sp:MustSupportRefThumbprint />          <sp:MustSupportRefEncryptedKey />          <sp:RequireSignatureConfirmation />        </wsp:Policy>      </sp:Wss11>    </wsp:All>  </wsp:ExactlyOne></wsp:Policy>


  • 4.  Re: EndorsingSupportingTokens

    Broadcom Employee
    Posted Dec 06, 2017 04:31 PM

    Richard,

     


    I believe this is what you are looking for in terms of payload returned. I have not seen the ws-security element signed but the BinarySecurityToken. It would be good to understand completely what the expect result is required.

     


    Payload sent into the gateway:

     

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ws="http://warehouse.acme.com/ws">
       <soapenv:Header/>
       <soapenv:Body>
          <ws:listProducts>
             <ws:delay>?</ws:delay>
          </ws:listProducts>
       </soapenv:Body>
    </soapenv:Envelope>

     


    Payload returned:

     

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ws="http://warehouse.acme.com/ws">
       <soapenv:Header>
          <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
             <wsu:Timestamp wsu:Id="id-1-3957db90d4760b363b68c814d1fc3e9d">
                <wsu:Created>2017-12-06T21:26:00.216504675Z</wsu:Created>
                <wsu:Expires>2017-12-06T21:31:00.216Z</wsu:Expires>
             </wsu:Timestamp>
             <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                   <wsse:SecurityTokenReference>
                      <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">bN6eqyzK3uvSvBRraYRWxHM9tk4=</wsse:KeyIdentifier>
                   </wsse:SecurityTokenReference>
                </dsig:KeyInfo>
                <xenc:CipherData>
                   <xenc:CipherValue>hiJYXZiZQHRiK36SRC7VMGeBNVmCzPOMA/EznngrLCaP8vAIE9ESBE3FLhz1Bwp7obhD5Vg1SAIyaM6gJzoV0kd9q1Xlq3gdz3BYw7Xaj7i3TzGnmmlYDs2VFQLUJd3X6iRJlJL7nQTaTj5bqThO5OctxMBlXaLaShxMB/tajxfvHPXyCB1mLIXSQddStZsaCG3QRZFcq2RhORiCN8Cv9SlXzQmU3jVAFieLh2ICxp9R34sR10swy6KtK0W/4t8TdJxzGjZwMuuZeq4kzQpvyRRJHHqC/2IS012tabucPzpHnYOae531noyUh1Hg3fjhQPRAgReCSH5bQmFJzQ1/8g==</xenc:CipherValue>
                </xenc:CipherData>
                <xenc:ReferenceList>
                   <xenc:DataReference URI="#id-3-887b83cbf8d56945adf64a14a1e45dd6"/>
                </xenc:ReferenceList>
             </xenc:EncryptedKey>
             <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                   <ds:Reference URI="#id-0-998157dd49d2844bfba10b2a5c5aa673">
                      <ds:Transforms>
                         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                      </ds:Transforms>
                      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                      <ds:DigestValue>1QzHs7NEJCKoPyrSjh1Nl0UBbkY=</ds:DigestValue>
                   </ds:Reference>
                   <ds:Reference URI="#id-1-3957db90d4760b363b68c814d1fc3e9d">
                      <ds:Transforms>
                         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                      </ds:Transforms>
                      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                      <ds:DigestValue>L/ZuIj0IW1/qSTy0stVFGLVmavI=</ds:DigestValue>
                   </ds:Reference>
                   <ds:Reference URI="#id-2-7e4adede8b37bb81ab75a5ce1bbe56df">
                      <ds:Transforms>
                         <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                            <wsse:TransformationParameters>
                               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                            </wsse:TransformationParameters>
                         </ds:Transform>
                      </ds:Transforms>
                      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                      <ds:DigestValue>avfjwqDZtdp1wGou9E+dZPJc/pA=</ds:DigestValue>
                   </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>yziVH6nY9TQtUdWoWEqlWnvzyaKzlXL2DMi2VB2dBpfqoHvwJnBG3ShTph8m4WO10GxD/Gp5UR2yY0XaxOjbqBZU01L5k2lxMZ6MXGg+doL0YckWlWtOH7QESjURhdbFXArkzpWJeMsRkKw6CH3d/Ni1bU+eLKgPp0RPNZ8bW1ZUg+nHNYJlXqccht7F1QGt58tkpxqqsrWl4HBXblZMr4raU3HwW6R+qCLyF+M1Jylp+RGCzTWxYZnhcCbB/Ww2LQxMdQnqYpbypairGmQ3ojHn9WXHogX2gN5YUhyDzEFLfiQBgpkZTMeLnLfSl5+jquaPZYUAAm/erhK/TQqLSw==</ds:SignatureValue>
                <ds:KeyInfo>
                   <wsse:SecurityTokenReference wsu:Id="id-2-7e4adede8b37bb81ab75a5ce1bbe56df">
                      <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">bN6eqyzK3uvSvBRraYRWxHM9tk4=</wsse:KeyIdentifier>
                   </wsse:SecurityTokenReference>
                </ds:KeyInfo>
             </ds:Signature>
          </wsse:Security>
       </soapenv:Header>
       <soapenv:Body wsu:Id="id-0-998157dd49d2844bfba10b2a5c5aa673" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <EncryptedData Id="id-3-887b83cbf8d56945adf64a14a1e45dd6" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns="http://www.w3.org/2001/04/xmlenc#">
             <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
             <CipherData>
                <CipherValue>bUcNjHPVcU1Vfg72eH3YBnJYiCTOC/OJpvWmkvCkzMe1hjt0wrBf2RKOY0md0CR9lqT/jn1wnoXQ2/icz0XDsEDx9CUV16wYsbWD4dAwGtDq6wxaYxB7WDO2QtUNFtkAktz0g0Nwu85aioe1XXFv0A==</CipherValue>
             </CipherData>
          </EncryptedData>
       </soapenv:Body>
    </soapenv:Envelope>

     

    Policy Used:

     


    <?xml version="1.0" encoding="UTF-8"?>
    <wsp:Policy xmlns:L7p="http://www.layer7tech.com/ws/policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
        <wsp:All wsp:Usage="Required">
            <L7p:WssSignElement>
                <L7p:ProtectTokens booleanValue="true"/>
                <L7p:Target target="REQUEST"/>
                <L7p:XpathExpression xpathExpressionValue="included">
                    <L7p:Expression stringValue="/soapenv:Envelope/soapenv:Body"/>
                    <L7p:Namespaces mapValue="included">
                        <L7p:entry>
                            <L7p:key stringValue="s"/>
                            <L7p:value stringValue="http://schemas.xmlsoap.org/soap/envelope/"/>
                        </L7p:entry>
                        <L7p:entry>
                            <L7p:key stringValue="soapenv"/>
                            <L7p:value stringValue="http://schemas.xmlsoap.org/soap/envelope/"/>
                        </L7p:entry>
                        <L7p:entry>
                            <L7p:key stringValue="ws"/>
                            <L7p:value stringValue="http://warehouse.acme.com/ws"/>
                        </L7p:entry>
                    </L7p:Namespaces>
                    <L7p:XpathVersion xpathVersion="XPATH_1_0"/>
                </L7p:XpathExpression>
            </L7p:WssSignElement>
            <L7p:WssEncryptElement>
                <L7p:Target target="REQUEST"/>
                <L7p:XpathExpression xpathExpressionValue="included">
                    <L7p:Expression stringValue="/s:Envelope/s:Body"/>
                    <L7p:Namespaces mapValue="included">
                        <L7p:entry>
                            <L7p:key stringValue="s"/>
                            <L7p:value stringValue="http://schemas.xmlsoap.org/soap/envelope/"/>
                        </L7p:entry>
                    </L7p:Namespaces>
                    <L7p:XpathVersion xpathVersion="XPATH_1_0"/>
                </L7p:XpathExpression>
            </L7p:WssEncryptElement>
            <L7p:WssConfiguration>
                <L7p:EncryptionKeyReference stringValue="ThumbprintSHA1"/>
                <L7p:KeyReference stringValue="ThumbprintSHA1"/>
                <L7p:Target target="REQUEST"/>
                <L7p:UseDerivedKeys booleanValue="true"/>
            </L7p:WssConfiguration>
            <L7p:WsSecurity>
                <L7p:RecipientTrustedCertificateGoid goidValue="e70adf7e1f6a7bc1d5dc04178b99cf99"/>
            </L7p:WsSecurity>
            <L7p:EchoRoutingAssertion/>
        </wsp:All>
    </wsp:Policy>

     

     

     

    Sincerely,

     


    Stephen Hughes

     

    Director, CA Support



  • 5.  Re: EndorsingSupportingTokens

    Posted Dec 07, 2017 12:02 PM

    Hi Stephen

     

    Thank you for your effort. I do understand your configuration. I have three question:

     

    1) The WS PolicySecurity Standard (WS-SecurityPolicy 1.2 ) defines the tag EndorsedSupportingToken as follow:

    8.3 EndorsingSupportingTokens Assertion

    Endorsing tokens sign the message signature, that is they sign the entire ds:Signature element produced from the message signature and MAY OPTIONALLY include additional message parts to sign and/or encrypt. The diagram below illustrates how the endorsing signature (Sig2) signs the message signature (Sig1):

     

    I don't know how to achieve that with the out-of-the-box means of the gateway (like checkbox, etc.).

     

    2) How did you configure the "Configure WS-Security Decoration Assertion" to achieve that the SecurityTokenReference in the Encryption Element is a reference:

             <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                   <wsse:SecurityTokenReference>
                      <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">bN6eqyzK3uvSvBRraYRWxHM9tk4=</wsse:KeyIdentifier>
                   </wsse:SecurityTokenReference>

    I checked the Checkbox 'Use Derived Keys Whenever Possible:'. In the signature part it worked.

     

    3) Currently I get two wsse:Security elements in the SOAP header, one for the signature and one for the encryption. The WS security decoration (Add or Remove WS-Security Assertion) is applied after the sign & encrypt assertion. Any ideas so that the encryption element is in the signature wsse:Security element included?

     

    Sorry, I'll upload a sample policy tomorrow.

     

    Cheers,
    richard



  • 6.  Re: EndorsingSupportingTokens

    Broadcom Employee
    Posted Dec 07, 2017 03:48 PM

    1) I've not been able to find a way right away on this. The best thing is still to see what the backend request would look like.

    2) On the "Configure WS-Security Decoration Assertion", there is a key reference drop down on both the signing and encrypting tabs to control this.

    3) The sample policy I included should only produce one wsse:Security element for both the signing and encrypting.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 7.  Re: EndorsingSupportingTokens

    Posted Dec 14, 2017 06:24 AM

    Hi Stephen, 

     

    Thanks for your help so far. I continue the work on Richards request, and I managed to get a sample request which I will attach to the message. Can you give any specific advice on how to configure the Assertions in order to produce a message with the same structure as this sample request?

     

    Thanks,

    Matthias

     

     

    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
    <soap:Header>
    <Action xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_68DE2C0EBCA2A0507215132466458747">http://tempuri.org/INathanGAPService/GetInformationsForCoordinate</Action>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_68DE2C0EBCA2A0507215132466458746">urn:uuid:d3d695a6-e139-4de6-a786-372897676b4d</MessageID>
    <To xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_68DE2C0EBCA2A0507215132466458744">http://gapwebservice.munichre.com/NathanService/NathanGAPService.svc/Java</To>
    <ReplyTo xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_68DE2C0EBCA2A0507215132466458745">
    <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
    </ReplyTo>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="true">
    <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-68DE2C0EBCA2A05072151324664589611">MIIFDjCCAvagAwIBAgIUKF6ak7kDLELg4ahhh1r+t9o6UyYwDQYJKoZIhvcNAQEFBQAwPzEYMBYGA1UEChMPTXVuaWNoIFJlIEdyb3VwMSMwIQYDVQQDExpNUkcgSW50ZXJuYWwgSXNzdWluZyBDQSAwMTAeFw0xNzA2MDgwOTI3MDNaFw0xOTA2MDgwOTI3MDNaMIGVMRgwFgYDVQQKEw9NdW5pY2ggUmUgR3JvdXAxOjA4BgNVBAsTMUhlbHZldGlhIFNjaHdlaXplcmlzY2hlIFZlcnNpY2hlcnVuZ3NnZXNlbGxzY2hhZnQxGzAZBgkqhkiG9w0BCQITDFRvYmlhcyBXaWxkaTEgMB4GA1UEAxQXT2sxMDc1MDAwMUBtcncya2Rtei5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcJ/4il7Ib/ouqESh9rXURgxstSIELvPlgld24S/+7S0Hx/8tEFCG2ph/UixtqUhv2iCrej+yA5N/cydXDF3m2OhRJic7+i7xlhkpWrLbqvcLZQwC+dJQ2In08fd2QITZwOLfnLBCw3C5zPT0YsSL8Sm+R5XsQvAMLQvv+oHliEl2MA0eDkTpBOZ5GCskTCeJYJq/EZWiGR41nOTCCHY0HSug3ZB40k7GUDH4puByTLR119MGEz8Np6alaSvyYwz7seF2d4Ui34o2p0+VxY4cI/dDRMJtu5LoBfz6WeJeDuHLqagH1YmaCtHZmpKIHbmYmTTvsMTSTfWBld3CVcEzPAgMBAAGjgaowgacwDAYDVR0TAQH/BAIwADARBglghkgBhvhCAQEEBAMCB4AwGQYDVR0gBBIwEDAOBgwrBgEEAcMMAxRaAgEwIwYDVR0RBBwwGoEYdG9iaWFzLndpbGRpQGhlbHZldGlhLmNoMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAfBgNVHSMEGDAWgBSfkbIBRHgyM5ceBgP1CrHpVXelEjANBgkqhkiG9w0BAQUFAAOCAgEAL7KGx6ch/P4qIhcXLQfzja7V/0c8XS98iQpX4JEEusMnhOLyg9AK0jvOWPVaK7Bta6k3OhkaOJCYQp9lhuXf+jyeN5x678v5ztXsBPbvV2+lRa2mgILhnaW3Oe8bCSQzV8EdH9SP9rOQHy54EgpSn+yKa0gZbS4uMLcCNH214+FVQuSI0nxu61dE5f1ZKdxkp0gVIfWkRiH02XZwSFeIjyiFjD3npmw1IR2OBHWHjeuMdd1Oe6HUVnHsmiHMhOHg5YrA0Zy7SqnBT2HYYCb6Ck1I/WuZgl1UkSWDbY2j1GCGr7yrxek+G4T/mIhmj4Q31eavVrfrT8O8NWrAPpuoc18jqPasGpmd8W/fs2AaDWG6bz6KKyXB6D629HhXVtUrdXoAtHBIUBEMHWfB74sDYoNPFVvdhodBwFd5zkS426Y36tnivV1R44uBfq8nNm+Wil94CjVxu5yUiWHx7T8Kaf0zP4OeiZqHUvJIewlJ/NDiwuCpvlVsEV/e+dGxoqtUeo/Q3euc3v9hV2r/YEnCvKFr4qowxlig1klbzGBiNFcXSf6d0ofbFq8Ye8w0HCyzWVrxDhuc1Q+ri2SqG/9aYGYu+hkqF/OHvWUtYgdRvz4Kx1tpkp/S6rrsEWUWrN1rUPuIWfIjI1G50zxPk/VBf8s6mDh65CqeM5AVMy3iTho=</wsse:BinarySecurityToken>
    <wsu:Timestamp wsu:Id="TS-68DE2C0EBCA2A0507215132466456411">
    <wsu:Created>2017-12-14T10:17:25.637Z</wsu:Created>
    <wsu:Expires>2017-12-14T10:22:25.637Z</wsu:Expires>
    </wsu:Timestamp>
    <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-68DE2C0EBCA2A0507215132466458622">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">MfZZwNvd/NN5fSPNTXrhfd3t04s=</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData>
    <xenc:CipherValue>G2vy4sykej7YGjldw0XLf96yS0SL4FHZNbGXxP7mbZ5CS/xJjgO/IAAoiwbscNgDSBUiJ2ZswfRKrpxW0V9yhdAxPlEm1AQq4rV5YRmPzzA26VeIMsE+8aTVdc66pYMzue+mMP6SwNiLuGHSvZW11I+z6XqLFhapd01PgqNc6yJG92OFUZT/WG+q6Oyjso3plvG3cHNlzDiqq+7RkBeY7IJVVvpPjIB1EtEehm+NbrSRexUdPns6r0XXEXj+aFKKi8cPhrNFC7Yjhtchc1Y70niqvrwWOGBlu9uDMa3A6ObxhYf9bZU6HLwOt/XqT5r+U0mj4clFj3gjejDVma58PQ==</xenc:CipherValue>
    </xenc:CipherData>
    </xenc:EncryptedKey>
    <wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" wsu:Id="DK-68DE2C0EBCA2A05072151324664699912">
    <wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" wsu:Id="STR-68DE2C0EBCA2A05072151324664699913">
    <wsse:Reference URI="#EK-68DE2C0EBCA2A0507215132466458622" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
    </wsse:SecurityTokenReference>
    <wsc:Offset>0</wsc:Offset>
    <wsc:Length>16</wsc:Length>
    <wsc:Nonce>ec/EiCUd5GcrG39t5rRIhg==</wsc:Nonce>
    </wsc:DerivedKeyToken>
    <wsc:DerivedKeyToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" wsu:Id="DK-68DE2C0EBCA2A05072151324664707718">
    <wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" wsu:Id="STR-68DE2C0EBCA2A05072151324664707719">
    <wsse:Reference URI="#EK-68DE2C0EBCA2A0507215132466458622" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
    </wsse:SecurityTokenReference>
    <wsc:Offset>0</wsc:Offset>
    <wsc:Length>16</wsc:Length>
    <wsc:Nonce>HuGR1sCw43qz7/QmIi3GkQ==</wsc:Nonce>
    </wsc:DerivedKeyToken>
    <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:DataReference URI="#ED-68DE2C0EBCA2A05072151324664709020"/>
    <xenc:DataReference URI="#ED-68DE2C0EBCA2A05072151324664712721"/>
    <xenc:DataReference URI="#ED-68DE2C0EBCA2A05072151324664713022"/>
    </xenc:ReferenceList>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-68DE2C0EBCA2A05072151324664712721" Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:Reference URI="#DK-68DE2C0EBCA2A05072151324664707718" ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk"/>
    </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData>
    <xenc:CipherValue>VjqM38zzmB8y2GrJ4k8I2cPxu3LV/0QU6RZzK2c4aIHHFrMvZP2voiiIB+F4NQZYCO2GfWxuVg44rb0ettNIjHat2MVYgvAdmFuNb33yzaKxGMThZfpGyI2O8UaZsefyyVVoAEAhcRYH9A2bdUzh8ACw4+doWNa6iNMDcE8CHdBFOjLlCdBJ9aMehIu3T1GPW2LuHBU9wEkzFa1yGtvqAAs+NCTmgTllfXYeN5GpPZhqsspPEYAp7MG4DLEzJZu2huatL5RgYtlEZFwqoFWGQZxPx5ezZ9S/DXeJiEVJi9Bft8WkGQ6PJLynqb7OBfrTT26Jj9KB0AZEr7B/bgrNiSm9+xs2D3Ra2tglvZo7R7TUdGCPmKsaBztLCF/Sl6sGZ3i6NrudQiHEaSq7RTglAhtzG2rVW7ETfRD3BDPr4NjJgRuaoCs9H3mLBMgGv3532HympsG6phaygDmcRAiYCYX5LxmGn6vIUITmBk2pNXQ8DYt7k69DIKByRKmsRTx0K/N1SHNxPDgKqoY9XEwhDniXrUSP3ibCmgq+Y++HJhREKtWXRdvRvGkAaW/IcQyDjSdyYJCNFWcJPp0Dc1F8eMo2LvHnxYKCF9KGW4h+4SK3eshv6+beQrktP+EMxfXNLAs7cNhCfPeL5pzVgMRIBPGB3f1NCYZTrNCdBMeIHFssSoNsjGjtI5Z5UoThHNEtLyBYyXYfNywFru0Oid0Ak/YXoSvga8OYoPo2TCOiXpiuK0P8OK6FW9dwZTdJUeRRru8ok58Wkj2B274bqTYWrGV5Rm96eN4zGWgqvflYPp2/RfrxcTu8hVto0Dox7mrzc3sz6ZQML3qebbEJStdHlIFgvvCDUmx+IhccHB0M2L2yxYIKxR+Acmb4CeggrU33xotN0c/8G4KB54vNxQBvy/9n5YB3MOxtyEAjZ8OzB63M2VOP3LerqYoSVtZ50kFa2ZLvPphVcAIAX3s382F8/KewhqYcAM7Sxq06Tny+W7Ht2lRdDFn8QK/2AvG/v/b7X3GmnT6YqJknm1ZxDzUpdWFUkJZLhfI3IexYStIU7rz72gIRxeDgj1GSeeN63iwkbZtJFXPNToFLMUSAoqC9evKZxErhrZZTlTSNvfH7LHWBysV70rKpHMl7FwcEHNscITBS/GnCPdCewgCSJVn1mXol1mqRvauT5sVeS8sPvZwj1x0JUyh3B5W9rXEdJEyTLfXDKRyMDjcyAd7Eq3+8cwHXtCymEFr6H9xMdlsJQHHBd51munuEc19KFBNXJv2Uzf6EX2A64lzjh4MWMzcS4FyEi75YVtVv/mqFiJrJsHljif6y8+dxjonU7vN8i38W1SWwofjQRqpftT5PJW0nZbSFTqDmHhOx2nBRFKWd2W/hX62R9po1u6q26KZgLPbZKkuoH4xT/MSI9BedNbYQt5W6ZzYmKlODmPBOClYp91OCfj9qmuAjji/n8pNnmCcarhTmv2fdHS8zUYkv8Yv0JBWn5YCmhwbrXbM3hCplOAdn9uf2LiuDiftGWh7gBlsVkPcHqHSCirIBY4rduZp06AY4c4xhvTUGqZ54RIKYL7epfOOzXoiGkAxuS3Y/4gnb7h6iquBJB/vHoQ3GSBKGf60FN3ZKQscrCyTE1Ix3VFrkOvnWZmEP8c3M7tFKks7R0ksjPEJLbzab2XYsG2d+A8gRd0nAqv8HVDYbYrEelgHsfiu644PbMRUnnM03O0fCBw3fZqsH6UGWPkV75fAl6iSsuwGPeuhtP1f/JQ23jLOJFqtNbXKtz1N3GAk0omq660Mbup52KRvGx0A6zG2nU1LN9XQsy1Ltc+FgLOxCGFg8cqsERLsqXuMMqjPfagVz2DVpRGYzgBvlHqtXvj2toJAecP4S1SMhdNBAXjkZMzewPEkBpLNqYs8XtwBSJaNxGLvHg3odZxssf4MSs5X5PL5qimZSrJROWC4+7+OtdteHXmllhZHbY5nujS+a0ok2U6dQmNhYMPzT3VtONtHpeDDVWO/ZGTNmCf/FYOeXHI32e54E2V4LqeJjnCJyfvwuGy6NqAk+WnfZNTFecJDAwjU3oBxsyUNRxWjY3jpjGaiYrnNe/aaJ/PDIfuLXfRRMrePBlPdMA7J0UrBTsu5I60c7RST09WfJPuXeRsLZZCG1Up7KNVuODLf0o7xm6AfP0xdhAL+4E40fnTtDmzy9+DmhmHyJVMEj42V8OQy6actdJzOTPlxPBkyoSvKlmoRPgvCUF3tZVH66/IGiknpvQAyGDd2lweA7VRNdtz1mzkfFusymSAUZ4ZFohOyPiqAsZz8YnM5x7Jjbh47+V8tRHo8iMXP2TgK3/4QCjSFTFig7AjxYVNEQj1rFnFVgTZXQoUBk2wl2L7jg85GMJawgofR0W3wxU9qeNIPPm+GyVIlmIZgyhPsTYd/gCojSqLjpqPWDUHP7HNyXn3omB9YJotAxy58s/PLGIFiY+fVOSImnKVdtovgKjO3AdkXFipPpfdnXFL+SVshP8WnLVLxFt5ZPQtc+AC007i7shbNNuStuM/7u+7YbETIFORa0r0amacZb0zZ3Gu9Mz9EJQrTUFzXfrn4VIXoAr3NtmebUMhM2LcalwBzM4+G6G0DkWVs2as05z0QEHgYMN/zRiPrRNVSDQkm/AY2zExzAZKZkWy8hKVJw0jMhWkdsRP9MkOMonhAWgbBp8U2QJSLpDIdEk/jnI39GPbd5EuU2tsoqXAoe2hoGTuunn0qxLKbVOMahf8mE2L5Hbd/jyb9aFLjJZ3wbDKzaH8s9K/N4P687ZCYQRnC6F0Qww2UhQXjtwDNVKuGoQwOknQNt7ZxbSgh1Zk2fOVQMaAWWbUOyLQH2XHxZ9quqccNffjNL2MRGnhMrV0BBSc6C76KXkXhnWaBum43Aa0F9XmWbZ+OBh42cnnWtxPHDB9UIgqfIxFsBcXHwta/0LafQpv0DzIssSjh8+VOZ9XVCFDT+VNpj1NYAMJT2DSBCmiQdAGKZzpgr5sKSdiOXTLF7Jcf1jfnlzRUq8xQ8dLQqkVtUXuaOnABVDIC3V/oZ6ysshPmCvczR1UK/DhTyNOIcppSvUsEEoD2pb/GDBE0pkCB99uWp7kW/O3rI8D+Nv8WR08J+4k2F0WBWVR8pMhU3TlbSmNbAp4KRfBr5+uUGYFHwmKcDmwu0nJVFKAQZLQ2UhwzX+z1YGYsqZ4TlULuW3SHHBAYoUsHeFcN+2QdX1h28GPW3Ivf9***7X1f7QhzAnivhMEGrQdYV7cDgIPjR+DmPd451vGuX9+9eflsvOs0xPlLYqTWIrLIlx1BLtw5fV/bXz/adfWYLMHcVBwIEa8dQ5K6jUWuTcMEt1sq1L/HmCAL8kycMfqbCjXFabDFjU0/YoEwc4o7dfX8lbwcaUOob+bwhrrdCLwMN6zMKV4DRR0ufw7hmRuLpiRpIoPAsQBzKe/9xf2NoiGg6Culq/0cKuQsDjIWHMYpHwErL4+YSqmkImHsvCCFPui84qtyP1dku/G7qohJJ4Iwg1RaG434OPnldsTGqz81X2AownZF5ryJci8nj96P1SvjVNg7XJvrqZHOMd4hRY6Afdb06FDk6alBSgDNkOiehB7PfeHlVuocqdYBwTDLHvmzdQitgIXqwJ4jtFNRKCPj87KQ2j34okugUOX65pJayFikLb4b2WeWf7zTO/bV4hqdYbaa3GGjxDqFHnKMJyl4IYeZfttPJR9Zgcs9bq+GL7iiIGG+J23eiSfVCpPxF4oljcMByZ3Ac3jAwtfjAv76szCc+bk3nfMXQOJOQgGIIb01oXCCvQkKeYNx8aSybcGHspCfFdx98P1wwNyv+/7Z2orWYkWJPYiBCaZ6gwhir2vYneyqbk/HJn4WjSV9F/rXinxAKSgQS3enKARhGP0heUPjlzmtYoLDt9z4MfBjIGCkRUvS0VZuD+vS5W5q4WRWQti/mVZH6LvOnzY6TC2r45VuBDzSPpMhxNlaeA4q604hxCjivdnIFyWU9OCZVmtiBw+cBnowGOlJYNVIUTCjEDI//VsxKb5McemLV+XwNGjJ9Lo0yKxnZfhUY2hpwvtFIRq62gcRnLj2PUZuyMhOS8sQuO6E/kankA/lLeV2nkq8LhcgKILT99+zCshIF2PtEduQ6SCZMaom99QoHHcsVEowx5qKyOjbTJ/Pkk7rFOa4G41R9xDlhi81CoUoD28R1YM6U8Na5PPmyaW+dFXDIQlgy7Ml0vTkxohaldXeVf4GIfyouUXeARgl8ltu9BksUx6gqgpMhPYQ2RBLKKjXMKQNQtuIQc4v5OxzZCM4KY85xJTxEu8TWNIzpMeptWrsp8Yes2EKayrcPZTtmPTOPbT6ma6co/pM+Xh8uo3pyJLH8LQ7RtJq7r+TjguWNT8B1+9fM+stwF9Q06DMyPCz1Hlwz2x8AOvEaybKOrnScAw9hirNVjwIo+pj+ZKqZOLGbFbyOQF7TCIwkN3vjKSCUHmyhjTHdlZDAns5xfQ0E5YrSuJhTNaOgxsUpeJ3Uzm0UDmw9oWh5GOfX7yFHEI1/CedyLu3NirAgymWeYziqTDrTI0ZkssDiccDjHEODn7ha4mtyKubzQKsDREd4TY8SRUH1q8hYCoQ1Nnjn+19q42y+KKroXHSl+cQ42U29oJN77z+DWgjeHfQ5vv06WqvH5WOtV/Tq0tDaMWfiOsDeD7S92PPsNTCeXXt0/T84HpPGvSGRJJ0J/qPDI3H9</xenc:CipherValue>
    </xenc:CipherData>
    </xenc:EncryptedData>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-68DE2C0EBCA2A05072151324664713022" Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference URI="#DK-68DE2C0EBCA2A05



  • 8.  Re: EndorsingSupportingTokens

    Broadcom Employee
    Posted Jan 21, 2019 05:50 PM

    Matthias,

     

    Were you able to get a resolution to your request? If so can you share what the outcome was?

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support