Using Require Encryption Policy in Mediator

Transcription

1 Using Require Encryption Policy in Mediator Contents Require Encryption in webmethods Mediator Usage of Require Encryption in webmethods Mediator Creating a New Require Encryption Policy Creating a New Virtual Service Deploying a Virtual Service to Mediator Invoking the Virtual Service Deployed in Mediator Creating a Client in SOAP UI Securing Configurations in SOAP UI Require Encryption in webmethods Mediator webmethods Mediator supports Require Encryption policy that enforces certain paths in the request should be encrypted. The scope of this document is to explain how to work with Require Encryption policy in Mediator. Require Encryption policy takes as input the XPath of the paths that are supposed to be encrypted in the request. Usage of Require Encryption in webmethods Mediator This section gives examples of how you can use the Require Encryption with webmethods Mediator. Prerequisite: Before you start, ensure that you have the integration server and mediator configured as described Overview of WS-Security policies in Mediator To configure and use the Require Encryption Policy in Mediator, you perform the following high-level steps: Create a Require Encryption policy in CentraSite. For procedures, see Creating a New Require Encryption Policy. Create a new virtual service in CentraSite. For procedures, see Creating a Virtual Service. 3. Deploy the new virtual service to Mediator. For procedures, see Deploying the Virtual Service to Mediator. 4. Invoke the virtual service deployed in Mediator. For procedures, see Invoking the Virtual Service Deployed in Mediator. Creating a New Require Encryption Policy Perform these steps to create a Require Encryption policy and save it to CentraSite. To create a Require Encryption policy 3. In CentraSite Control, go to Policies > Run-Time. Click Add Policy. In the Policy Informationpanel, specify the following fields: In this field... Name Specify... A name for the new policy. A policy name can contain any character (including spaces).

2 Description Version Optional. A description for the new policy. This description appears when a user displays a list of policies in the user interface. Optional. A version identifier for the new policy. 4. In the Scope panel, specify the following fields. Scoperefers to the set of properties that determine the target type, organization and asset type to which the policy applies. In this field... Target Type Organization Asset Types Specify... The target type to which the policy will be deployed. Choose webmethods Integration Server (i.e., the webmethods Mediator target type). The organization to which the policy applies. Choose Virtual Service Click Next. In the Available Actions dialog, choose the Require Encryption action to include in the policy. CentraSite requires the XPath of the element encrypted in the request. All namespaces in the XPath should be specified. It is mandatory that the XPath's should always start with "//". In this example, let us encrypt the sayhello content as //soapenv:envelope/soapenv:body/axis:sayhello Click Finish to save the new policy. Activate the policy when you are ready to put it into effect. Creating a New Virtual Service

3 Perform these steps to create a virtual service and save it to CentraSite. To create a virtual service 3. In CentraSite Control, go to Asset Catalog > Browse. Click the Add Asset button. In the Add Asset dialog, specify the following attributes: In this field... Do the following... Type Choose Virtual Service. Name Description Organization A name for the new virtual service. Optional. A description for the virtualized service. Specify the organization to which this virtualized service will be added. 4. Click OK to save the new virtual service. Deploying a Virtual Service to Mediator Perform these steps to deploy the new virtual service to Mediator: To deploy a virtual service In CentraSite Control, create a target webmethods Integration Server (i.e., the webmethods Mediator target type) for deploying to the Mediator if not already available. Choose the new virtual service (that you created in the previous step) and deploy to the Mediator. The following fragment shows the deployed VSD having the encryption. Request with Encryption

4 <policy id="wssecuritypolicy"> <wsp:policy xmlns:wsp=" xmlns:wsu=" ility-0.xsd" wsu:id="wssecuritypolicy"> <wsp:exactlyone> <wsp:all> <sp:asymmetricbinding xmlns:sp=" <sp:initiatortoken> <sp:x509token sp:includetoken=" etoken/alwaystorecipient"> <sp:wssx509v3token10 /> </sp:x509token> </sp:initiatortoken> <sp:recipienttoken> <sp:x509token sp:includetoken=" etoken/never"> <sp:wssx509v3token10 /> </sp:x509token> </sp:recipienttoken> <sp:algorithmsuite> <sp:tripledesrsa15 /> </sp:algorithmsuite> <sp:layout> <sp:strict /> </sp:layout> </sp:asymmetricbinding> <sp:wss10 xmlns:sp=" <sp:mustsupportrefkeyidentifier /> <sp:mustsupportrefissuerserial /> </sp:wss10> <sp:encryptedelements xmlns:sp=" <sp:xpath xmlns:axis=" xmlns:soapenv=" penv:body/axis:sayhello</sp:xpath> </sp:encryptedelements> </wsp:all> </wsp:exactlyone> </policy>

5 The significance of the policy structure is with the <sp:encryptedelements> tag which contains the element that is to be encrypted. In this example, it is the sayhello element in the request. Invoking the Virtual Service Deployed in Mediator For the sake of simplicity, SOAP UI will be used as a client to invoke the virtual service deployed on the Mediator. To invoke the virtual service deployed on the Mediator, you perform the following steps: Create a Client in SOAP UI Securing Configurations in SOAP UI Creating a Client in SOAP UI Perform these steps to create a client in SOAP UI: To create a client in SOAP UI On the Task bar in SOAPUI, navigate to *File? New Soap UI Project{*}. Enter the WSDL for the virtual service. The Virtual service WSDL can be found at Summary Tab in CentraSite Click OK. You will find a sample request named 'EncryptMyRequest' to the virtual service is created. Securing Configurations in SOAP UI Perform these steps to secure configurations in SOAP UI: To secure configurations in SOAP UI Click on the project 'EncryptMyRequest' that was created in the previous step and navigate to Security Configurations.

6 Import the keystore for SOAP UI (to encrypt). Remember this should be the same keystore file that is configured in the server.

7 Check to make sure that the keystore is imported successfully. Create an outgoing WS-Security configuration.

8 Apply the security configuration to the request. Right click on the request *Outgoing WSS?Apply "MySecurity"{*}.

9 The plain request before encryption for an Echo service: Request before Encryption <soapenv:envelope xmlns:soapenv=" xmlns:axis=" <soapenv:header/> <soapenv:body> <axis:sayhello> <axis:name>test</axis:name> </axis:sayhello> </soapenv:body> </soapenv:envelope> After applying the configuration the request would look similar to this:

10 Request after Encryption <soapenv:envelope xmlns:axis=" xmlns:soapenv=" xmlns:xenc=" <soapenv:header> <wsse:security xmlns:wsse=" cext-0.xsd"> <wsse:binarysecuritytoken EncodingType=" ge-security-0#base64binary" ValueType=" ofile-0#x509v3" wsu:id="718b5a188813ba " xmlns:wsu=" ility-0.xsd">... </wsse:binarysecuritytoken> <xenc:encryptedkey Id="EncKeyId-718B5A188813BA "> <xenc:encryptionmethod Algorithm=" <ds:keyinfo xmlns:ds=" <wsse:securitytokenreference> <wsse:reference URI="#718B5A188813BA " ValueType=" ofile-0#x509v3"/> </wsse:securitytokenreference> </ds:keyinfo> <xenc:cipherdata>... <xenc:ciphervalue> </xenc:ciphervalue> </xenc:cipherdata> <xenc:referencelist> <xenc:datareference URI="#EncDataId-198"/> </xenc:referencelist> </xenc:encryptedkey> </wsse:security> </soapenv:header> <soapenv:body> <xenc:encrypteddata Id="EncDataId-198" Type=" <xenc:encryptionmethod Algorithm=" <ds:keyinfo xmlns:ds=" <wsse:securitytokenreference xmlns:wsse=" ecext-0.xsd"> <wsse:reference URI="#EncKeyId-718B5A188813BA "/> </wsse:securitytokenreference> </ds:keyinfo> <xenc:cipherdata> <xenc:ciphervalue>... </xenc:ciphervalue> </xenc:cipherdata> </xenc:encrypteddata> </soapenv:body> </soapenv:envelope>

11 From the above request, you will note that: Only the <axis:sayhello> element (highlighted) is encrypted in the request. The key used to encrypt the data is included in EncyptedKey in the header. This encryption is done using the public key of the recipient. To decrypt the message, Mediator first decrypts the key using the private key and then uses this key for decryption of messages. The <wsse:binarysecuritytoken> element includes certificate that was used to encrypt the symmetric key. It is not mandatory to add this to the request unless a require X.509 token policy is enforced along with encryption or signing policy. It is not possible to encrypt the entire body as such. Only parts inside the body can be encrypted.