Hi Stephen
Thank you for your effort. I do understand your configuration. I have three questions:
1) The WS-SecurityPolicy standard (WS-SecurityPolicy 1.2) defines the EndorsingSupportingTokens tag as follows:
8.3 EndorsingSupportingTokens Assertion
Endorsing tokens sign the message signature, that is they sign the entire ds:Signature element produced from the message signature and MAY OPTIONALLY include additional message parts to sign and/or encrypt. The diagram below illustrates how the endorsing signature (Sig2) signs the message signature (Sig1):
I don't know how to achieve that with the out-of-the-box means of the gateway (like checkbox, etc.).
2) How did you configure the "Configure WS-Security Decoration Assertion" so that the SecurityTokenReference in the encryption element is a reference:
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
  <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference>
      <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">bN6eqyzK3uvSvBRraYRWxHM9tk4=</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
  </dsig:KeyInfo>
</xenc:EncryptedKey>
I checked the Checkbox 'Use Derived Keys Whenever Possible:'. In the signature part it worked.
3) Currently I get two wsse:Security elements in the SOAP header, one for the signature and one for the encryption. The WS-Security decoration (Add or Remove WS-Security Assertion) is applied after the sign & encrypt assertion. Any ideas on how to get the encryption element included in the signature's wsse:Security element?
Sorry, I'll upload a sample policy tomorrow.
Cheers,
richard
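The three points raised above (an endorsing signature that must cover the primary ds:Signature, a SecurityTokenReference that identifies the key by ThumbprintSHA1, and the duplicate wsse:Security headers) can all be checked structurally on the receiving side before any cryptographic verification is attempted. The following is an added example, not code from the thread or from the gateway vendor: it builds a constructed SOAP envelope (the certificate bytes are a stand-in, not a real X.509 DER), then inspects it with the standard library's xml.etree. The function and element names in the envelope are assumptions for the demo; the namespace URIs and the ThumbprintSHA1 ValueType are the ones from the WS-Security specifications quoted above.

```python
"""Structural checks on a WS-Security header (added example).

Checks, on a constructed envelope:
 (1) the endorsing ds:Signature references the primary ds:Signature
     (WS-SecurityPolicy 1.2, section 8.3: Sig2 signs Sig1),
 (2) the ThumbprintSHA1 KeyIdentifier equals base64(SHA-1(DER certificate)),
 (3) there is at most one wsse:Security header per SOAP actor/role.
Cryptographic verification of the XML signatures is out of scope here.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
THUMBPRINT_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"

# Constructed stand-in for a DER-encoded X.509 certificate (not a real certificate).
FAKE_CERT_DER = b"\x30\x82\x01\x00-constructed-certificate-bytes-for-demo"


def thumbprint_sha1(cert_der: bytes) -> str:
    """ThumbprintSHA1 KeyIdentifier value: base64(SHA-1 over the DER certificate)."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


def build_envelope(cert_der: bytes, endorse_target: str = "#msg-sig",
                   extra_security: bool = False) -> str:
    """Constructed envelope: primary signature over the Body, endorsing signature
    over `endorse_target`. `extra_security` adds a second wsse:Security header with
    no actor, reproducing the duplicate-header situation from question 3."""
    kid = thumbprint_sha1(cert_der)
    second = f'<wsse:Security xmlns:wsse="{NS["wsse"]}"/>' if extra_security else ""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}">
 <soap:Header>
  <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:ds="{NS['ds']}">
   <ds:Signature Id="msg-sig">
    <ds:SignedInfo><ds:Reference URI="#body"/></ds:SignedInfo>
    <ds:SignatureValue>c2lnMQ==</ds:SignatureValue>
   </ds:Signature>
   <ds:Signature Id="endorsing-sig">
    <ds:SignedInfo><ds:Reference URI="{endorse_target}"/></ds:SignedInfo>
    <ds:SignatureValue>c2lnMg==</ds:SignatureValue>
    <ds:KeyInfo>
     <wsse:SecurityTokenReference>
      <wsse:KeyIdentifier ValueType="{THUMBPRINT_SHA1}">{kid}</wsse:KeyIdentifier>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
  </wsse:Security>
  {second}
 </soap:Header>
 <soap:Body xmlns:wsu="{NS['wsu']}" wsu:Id="body"/>
</soap:Envelope>"""


def endorsing_covers_primary(security: ET.Element) -> bool:
    """True if the second ds:Signature has a Reference whose URI is '#<Id of the first>'."""
    sigs = security.findall("ds:Signature", NS)
    if len(sigs) < 2:
        return False
    primary_id = sigs[0].get("Id")
    refs = [r.get("URI") for r in sigs[1].findall("ds:SignedInfo/ds:Reference", NS)]
    return primary_id is not None and f"#{primary_id}" in refs


def key_identifier_matches(key_info: ET.Element, cert_der: bytes) -> bool:
    """True if KeyInfo carries a ThumbprintSHA1 KeyIdentifier for `cert_der`."""
    kid = key_info.find("wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
    if kid is None or kid.get("ValueType") != THUMBPRINT_SHA1:
        return False
    return (kid.text or "").strip() == thumbprint_sha1(cert_der)


def check_header(envelope_xml: str, cert_der: bytes) -> dict:
    """Run the three structural checks and report them as a dict."""
    root = ET.fromstring(envelope_xml)
    header = root.find("soap:Header", NS)
    securities = header.findall("wsse:Security", NS) if header is not None else []
    # WS-Security allows one Security header per actor; a missing actor counts as one actor.
    actors = [s.get(f"{{{NS['soap']}}}actor", "") for s in securities]
    result = {
        "security_headers": len(securities),
        "one_per_actor": len(actors) == len(set(actors)),
        "endorsing_covers_primary": False,
        "thumbprint_matches": False,
    }
    if securities:
        sec = securities[0]
        result["endorsing_covers_primary"] = endorsing_covers_primary(sec)
        sigs = sec.findall("ds:Signature", NS)
        if len(sigs) >= 2:
            key_info = sigs[1].find("ds:KeyInfo", NS)
            result["thumbprint_matches"] = key_info is not None and key_identifier_matches(key_info, cert_der)
    return result


if __name__ == "__main__":
    print(check_header(build_envelope(FAKE_CERT_DER), FAKE_CERT_DER))
    print(check_header(build_envelope(FAKE_CERT_DER, extra_security=True), FAKE_CERT_DER))
```

The checks deliberately stop at structure: a header that passes them still needs the two signatures verified cryptographically, and the thumbprint only tells you which certificate is claimed, not that the signer held its key.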