Page History
WS-Security is an extension to the SOAP standard which adds security related features to SOAP messages. This enables messages to be (partially) encrypted and decrypted, their content signed using a digital signature and/or timestamped, in order to guard against request tampering and replay attacks of SOAP messages. Blueriq provides support for this standard in both its exposed SOAP services (using Blueriq as a Service) and the AQ_SoapServiceClient service call, allowing you to achieve end-to-end security for all SOAP processing.
Configuration for AQ_SoapServiceClient
The configuration of AQ_SoapServiceClient allows for the exact same properties as documented above for BAAS webservices, however the request and response properties have been swapped.
Registering an interceptor
An interceptor has to be registered by name using properties, as follows:
Code Block | ||
---|---|---|
| ||
blueriq.soap.interceptors.security.MyInterceptorName.request.encryption.enabled=false blueriq.soap.interceptors.security.MyInterceptorName.request.signature.enabled=false blueriq.soap.interceptors.security.MyInterceptorName.request.timestamp.enabled=false blueriq.soap.interceptors.security.MyInterceptorName.response.accept-unsecured-messages=false blueriq.soap.interceptors.security.MyInterceptorName.response.decryption.enabled=false blueriq.soap.interceptors.security.MyInterceptorName.response.signature.enabled=false blueriq.soap.interceptors.security.MyInterceptorName.response.timestamp.enabled=false |
In the above example you can see how each WS-Security profile can be enabled/disabled. A profile is disabled by default, so the above enabled
properties are redundant and are only shown to clarify the configuration. Properties that are marked as
Status | ||||||
---|---|---|---|---|---|---|
|
General properties
Property name | Default value | Description |
---|---|---|
Incoming response processing | ||
response.accept-unsecured-messages | false | Whether or not an incoming response without WS-Security headers should be accepted. |
Encryption/Decryption
Property name | Default value | Description | ||||||||
---|---|---|---|---|---|---|---|---|---|---|
Outgoing request processing | ||||||||||
request.encryption.enabled | false | Indicates whether the request will be encrypted. | ||||||||
request.encryption.key-alias |
| The name of the public key in the configured keystore (see Keystore chapter below) which should be used to encrypt the message. The corresponding private key has to be used when decrypting the message. | ||||||||
request.encryption.algorithm | http://www.w3.org/2001/04/xmlenc#aes128-cbc | The symmetric encryption algorithm to use. Allowed values: http://www.w3.org/2001/04/xmlenc#aes128-cbc, http://www.w3.org/2001/04/xmlenc#tripledes-cbc, http://www.w3.org/2001/04/xmlenc#aes256-cbc, http://www.w3.org/2001/04/xmlenc#aes192-cbc | ||||||||
request.encryption.key-identifier | IssuerSerial | The key identifier type to use. Allowed values: IssuerSerial, X509KeyIdentifier, DirectReference, Thumbprint, SKIKeyIdentifier | ||||||||
request.encryption.parts | Empty, to encrypt full response | The parts that should be encrypted. By default, the content of the SOAP body is encrypted. Please refer to the Parts configuration chapter below for syntax details. | ||||||||
Incoming response processing | ||||||||||
response.decryption.enabled | false | Whether or not an incoming response should be decrypted. |
Signing
Property name | Default value | Description | ||||||||
---|---|---|---|---|---|---|---|---|---|---|
Outgoing request processing | ||||||||||
request.signature.enabled | false | Indicates whether the request will be signed. | ||||||||
request.signature.key-alias |
| The name of the private key in the configured keystore (see Keystore chapter below) which should be used to sign the message. The corresponding public key can be used to verify the signature. | ||||||||
request.signature.key-identifier | IssuerSerial | The key identifier type to use. Allowed values: IssuerSerial, DirectReference | ||||||||
request.signature.parts | Empty, to sign full request | The parts that should be signed. By default, the content of the SOAP body is signed. Please refer to the Parts configuration chapter below for syntax details. | ||||||||
Incoming response processing | ||||||||||
response.signature.enabled | false | Whether or not the signature of an incoming response should be verified. |
Timestamp
Property name | Default value | Description |
---|---|---|
Outgoing request processing | ||
request.timestamp.enabled | false | Indicates whether a creation and expiration timestamp will be added to the request. |
request.timestamp.precision-in-milliseconds | true | Whether the timestamps should include milliseconds. |
Incoming response processing | ||
response.timestamp.enabled | false | Indicates whether the creation and expiration timestamp should be verified. |
response.timestamp.time-to-live | 300 | Maximum number of seconds that may have passed since the message's created timestamp. If the message is older then it is rejected. |
response.timestamp.future-time-to-live | 60 | Maximum number of seconds that the message's created timestamp may be in the future, to account for potential clock drift between systems. |
Anchor | ||||
---|---|---|---|---|
|
Keystore configuration
Since WS-Security is based on symmetric cryptography operations, a public/private key pair is used to encrypt/decrypt and to perform signing and signature validation. These keys have to be stored in a keystore in JKS format (Java KeyStore, .jks extension) or PKCS #12 format (.p12 extension) , which has to be configured as follows:
Code Block |
---|
blueriq.security.keystore.location=file://client.jks blueriq.security.keystore.password= |
Info | ||
---|---|---|
| ||
The configured passwords can be encrypted using the property encryption tool. |
Anchor | ||||
---|---|---|---|---|
|
Parts configuration
Some WS-Security aspects can be applied to only a subset of the message. The relevant profiles provide a parts
property to configure this, which requires the following syntax:
- multiple part configurations must be separated by a semi-colon
each value may be preceded by a mode specifier, either
{Content}
or{Element}
. If not specified it defaults to{Content}
the mode specifier may be followed by a namespace specifier. If omitted, it defaults to the SOAP namespace.
- the value must contain the name of the element which must be encrypted
For example, the value {Content}{http://example.org/paymentv2}CreditCard;{Element}{None}Username
has the following meaning:
- the content of the
CreditCard
element in the http://example.org/paymentv2 namespace will be encrypted. TheCreditCard
element itself is not encrypted, so any attributes on this element will be in plain text - the
Username
element with no namespace is encrypted. The element itself is also encrypted, so any attributes will not be visible in plain text.