Following the solution provided by Stephen_Hughes in the post Consuming SOAP web service in CA API Gateway, I was able to add WS-Security headers to an incoming SOAP request. I am now having some difficulties creating WS-Security headers similar to those generated by the legacy application.
We are trying to remove the generation of WS-Addressing and WS-Security headers from the client application (written in Java using CXF 2.7.7) and move the handling to the gateway. The application is now expected to send only a simple payload, and the gateway service would add the required WS-* headers. A sample message which our application currently generates is attached (forCA_soapRequestFromApplication.xml).
I have created a SOAP service and added the two assertions, “Configure WS-Security Decoration Assertion” and “Apply WS-Security Assertion”. The Security header is added; however, it is quite different from the one generated by the CXF framework. I have tried changing a few settings on the above two assertions, but am still unable to resolve the mismatches in the following Security sections:
1) <BinarySecurityToken>: The tokens generated by the application and the gateway are different; as we are only signing the request with the private key, using the same private key is generating the value in the gateway. I am not sure where in the assertion I need to select the private key: a) “Configure WS-Security Decoration Assertion” -> right-click, “Select Private Key”, or b) “Apply WS-Security Assertion” -> “Use selected certificate for default recipient”, or both places?
2) <KeyInfo>: The application is sending <BinarySecurityToken> and <KeyInfo>, which contains the SHA1 thumbprint of the certificate (as below).
<wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="X509-8BB84B0E7E429B22FA154587081374711">
MIIDXTCCAkWgAwIBAgIEPUHL8Su0bTVDa+<Truncated to fit the page>+SJGtOw==
</wsse:BinarySecurityToken>
<ds:KeyInfo Id="KI-8BB84B0E7E429B22FA15458708137479">
<wsse:SecurityTokenReference wsu:Id="STR-8BB84B0E7E429B22FA154587081374710">
<wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">
p0VXEq8R+d5S41U1szlgaMVRCi4=
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
Now in the gateway, if I select “Configure WS-Security Decoration Assertion -> Signing -> Key Reference -> BinarySecurityToken”, then the <KeyInfo> is populated with the reference URI as below (not our requirement; attached file forCA_soapRequestFromGateway_withKeyRefAsBST.xml).
<ds:KeyInfo>
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="#id-0-0cf64fb8031c33bc853d63857a6a162c"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
I tried selecting “Configure WS-Security Decoration Assertion -> Signing -> Key Reference -> ThumbprintSHA1”; it generates the KeyInfo in the correct format, but now <BinarySecurityToken> is missing from the WS-Security headers (refer to the attached file forCA_soapRequestFromGateway_withKeyRefAsSHA1.xml).
<ds:KeyInfo>
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="id-5-b38fe061d4b22f7ebb3bac533c7193dc">
<wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">
p0VXEq8R+d5S41U1szlgaMVRCi4=
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
No <BinarySecurityToken>.
3) Can we sign specific WS-Addressing headers, not all of them? Selecting the “Configure WS-Security Decoration Assertion -> Signing -> Sign WS-Addressing Headers” checkbox signs all WS-Addressing headers, but our requirement is to sign only the <To> header, not <ReplyTo> or <MessageID> etc.
<To xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns="http://www.w3.org/2005/08/addressing"
wsu:Id="Id-1889306702">https://XXXX-DEV1-MAR-VMD/***.tpa/account.svc
</To>
<ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
</ReplyTo>
4) Is “Configure WS-Security Decoration Assertion” a superset of the other related assertions such as “Add Signed Timestamp”, “Add Signed Security Token Assertion”, etc.? Or do they need to be used together?
Would really appreciate any guidance.
Thanks
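The post compares two generated headers by eye. A quicker way to see what the gateway actually produced, for points 2) and 3) above, is to check the header the way a receiver would: a ThumbprintSHA1 KeyIdentifier is defined as base64(SHA-1(DER certificate)), so it can be recomputed from the <BinarySecurityToken> in the same message, and each <ds:Reference URI="#..."> in <SignedInfo> names the wsu:Id of exactly one element, so listing those references shows whether only <To> is signed or <ReplyTo> and <MessageID> as well. The script below is an added example written for this page, not code from the poster, CXF or CA API Gateway; it uses only the Python standard library. The envelope it builds and the certificate bytes it hashes are constructed stand-ins (the real check would be run on the attached messages, with the real DER certificate inside the BST); it does not verify the signature value itself, only the KeyInfo and reference structure the post is comparing.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by the WS-Security / WS-Addressing headers shown in the post.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
THUMBPRINT_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
WSU_ID = "{%s}Id" % NS["wsu"]  # Clark notation for the wsu:Id attribute


def sha1_thumbprint(cert_der: bytes) -> str:
    """ThumbprintSHA1 KeyIdentifier value: base64(SHA-1(DER-encoded certificate))."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode()


def build_envelope(cert_der: bytes, thumbprint: str, signed_ids) -> str:
    """Constructed envelope in the shape of the post's headers (assumed layout).

    Only the ds:Reference URIs and the KeyInfo matter for the checks below;
    DigestValue and SignatureValue are dummies, not a real signature.
    """
    soap, wsse, wsu, ds, wsa = (NS[k] for k in ("soap", "wsse", "wsu", "ds", "wsa"))
    refs = "".join(
        f'<ds:Reference URI="#{i}"><ds:DigestValue>AA==</ds:DigestValue></ds:Reference>'
        for i in signed_ids
    )
    bst = base64.b64encode(cert_der).decode()
    return f"""<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"
    xmlns:ds="{ds}" xmlns:wsa="{wsa}">
  <soap:Header>
    <wsa:To wsu:Id="Id-To">https://gateway.example.invalid/account.svc</wsa:To>
    <wsa:MessageID wsu:Id="Id-MessageID">urn:uuid:00000000-0000-0000-0000-000000000001</wsa:MessageID>
    <wsa:ReplyTo wsu:Id="Id-ReplyTo">
      <wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
    </wsa:ReplyTo>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2024-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
      <wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="{X509V3}">{bst}</wsse:BinarySecurityToken>
      <ds:Signature>
        <ds:SignedInfo>{refs}</ds:SignedInfo>
        <ds:SignatureValue>AA==</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier ValueType="{THUMBPRINT_SHA1}">{thumbprint}</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def check_security_header(envelope_xml: str) -> dict:
    """Cross-check KeyInfo against the BST and resolve what SignedInfo references."""
    root = ET.fromstring(envelope_xml)
    bst = root.find(".//wsse:Security/wsse:BinarySecurityToken", NS)
    kid = root.find(".//ds:KeyInfo//wsse:KeyIdentifier", NS)
    findings = {
        "bst_present": bst is not None,
        "keyid_is_thumbprint": kid is not None and kid.get("ValueType") == THUMBPRINT_SHA1,
        "thumbprint_matches_bst": False,
        "signed_elements": [],
    }
    if bst is not None and kid is not None and kid.text:
        cert_der = base64.b64decode(bst.text.strip())
        findings["thumbprint_matches_bst"] = kid.text.strip() == sha1_thumbprint(cert_der)
    # Map every wsu:Id in the message to its element name, then resolve each reference URI.
    id_to_name = {el.get(WSU_ID): el.tag.rsplit("}", 1)[-1] for el in root.iter() if el.get(WSU_ID)}
    for ref in root.findall(".//ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        findings["signed_elements"].append(id_to_name.get(uri.lstrip("#"), uri))
    findings["signed_elements"].sort()
    return findings


def only_to_is_signed(findings: dict) -> bool:
    """Requirement 3) from the post: <To> is signed, <ReplyTo> and <MessageID> are not."""
    signed = set(findings["signed_elements"])
    return "To" in signed and not signed & {"ReplyTo", "MessageID"}


if __name__ == "__main__":
    # Constructed stand-in for DER certificate bytes; a real run hashes the actual BST contents.
    cert = b"\x30\x82\x01\x00constructed-der-placeholder-not-a-real-certificate"
    envelope = build_envelope(cert, sha1_thumbprint(cert), ["Id-To", "TS-1"])
    result = check_security_header(envelope)
    print(result, "only <To> signed:", only_to_is_signed(result))
```

To apply this to the attached files, read each one into `check_security_header` instead of calling `build_envelope`; a CXF-style message should report `thumbprint_matches_bst` True with the BST present, and the gateway's ThumbprintSHA1 variant from the post should report `bst_present` False, which is the mismatch described above. The `signed_elements` list makes the WS-Addressing question concrete: each name in it corresponds to one ds:Reference, so "sign only <To>" means the list contains To (plus whatever else is intended, such as Timestamp) and nothing from ReplyTo or MessageID.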