Internals of Sign Message Policy Step
The example XML message is nothing but the SOAP response message that is digitally signed by Oracle WSM. The parameters that are selected or that can be selected will affect the message output and hence it is important to understand how Oracle WSM assembles the digitally signed message.
First of all, Oracle WSM was configured to sign the SOAP body message, which in our example is the actual time from the server. In the above example, the SOAP body is referenced by the identifier ishUwYWW2AAthrxhlpv1CA22. Only the SOAP body message should be digitally signed. We understand that in the signature generation process, we should first calculate the digest value of the message and then encrypt the digest value. In the sample XML, there are a few components which are worth explaining.
The Reference element describes what part of the message is hashed and what digest algorithm is used to create the hash value and any transformations applied before the digest was calculated.
Let's consider a portion of our signed response message and in the message below, we will notice that the DigestMethod is SHA1 and, that the DigestValue is also embedded.
<dsig:Reference URI="#ishUwYWW2AAthrxhlpv1CA22"> <dsig:Transforms> <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </dsig:Transforms> <dsig:DigestMethod Algorithm="http://www. w3.org/2000/09/xmldsig#sha1"/> <dsig:DigestValue>ynuqANuYM3qzhdTnGOLT7SMxWHY=</dsig:DigestValue> </dsig:Reference>
In the above example, there is also an element called Transforms which contains a list of transform elements. The Transform element describes what transformation is applied to the XML message before the digest is calculated. In our example, the Exclusive Canonicalization transformation is used. Note: Since the digest values can differ even when a space is added or removed, canonicalization transformation will transform the data to an accepted format before the digest is calculated.
The SignedInfo element describes the actual signature algorithm and a list of references that contain the digest value of the message. In our case, the signature algorithm is rsa-sha1 and it also contains a reference to the SOAP Body element (Id attribute of the SOAP Body element). In our example of signed SOAP response message, there are actually two reference elements: one that refers to the SOAP Body and an other that refers to the Timestamp element. The SignatureMethod element describes the actual signature algorithm used.
The Signature element is the root element that describes the digital signature. It contains the SignedInfo element, SignatureValue and the KeyInfo element. The SignatureValue element contains the actual signature value and the KeyInfo element contains information about the certificate.
Signature Generation and Verification Example
In an earlier section, we learned how the sign message policy step can be configured to digitally sign the message and also the internals of how Oracle WSM creates the signed SOAP response message. In this section, I walk through the signature generation and verification process within Oracle WSM by means of an example.
In this example, I have the same time web service which will be registered within Oracle WSM Gateway. Oracle WSM will validate the incoming signed SOAP message and then will respond with a signed SOAP message. In this example I demonstrate how:
- To register web service with Oracle WSM
- Oracle WSM can be confi gured to validate the signature in SOAP request
- A Microsoft .NET application can digitally sign the SOAP request
- Oracle WSM can be confi gured to sign the response SOAP message
- A Microsoft .NET application can validate the signature of the SOAP message
Registering Web Service with Oracle WSM
To protect a web service within Oracle WSM, the first step is to register the web service within Oracle WSM and then edit the policy associated with it. The following steps describe how to register the service:
Login to Oracle Web Service Manager Console at:
Click on Policy Management and then Manage Services; you will see the List of Gateways that are vailable as shown in the following screenshot.
On the right side of the screen, if you click on the Services hyperlink, you see the list of registered services (refer to the following screenshot).
To add a new service, click on Add New Service on the right side panel.
The previous screenshot show the details that can be added while adding the new service. The * after each label makes those fields mandatory. The screen asks for typical information such as:
- Name of the service
- Version of the service
- Any description of the service
- WSDL URL of the service
- Protocol in which service will accept messages
It also asks for additional information such as Service Groups, groups that are part of Oracle WSM with the right to view and with the right to update.
In our example, we are registering time service that will validate the signature of the web service request and then will sign the response message. The time service is registered with the following information:
- Service Name: VerifyAndSign
- Service Version: 1
- Service Description: Verify Incoming message and Sign Outgoing message
- WSDL URL: http://owsm.packtpub.com:3115/ccore/TimeService.wsdl
- Service Protocol: HTTP(S)
- Service Groups: Select the default that has full permissions
Once the information is filled out, click Next on New Service registration. This will take you to the next screen which will display the actual URL of the service (refer to the following screenshot).
The URL in this page comes from the WSDL URL. You just have to make sure that the service is enabled and check if it is SOAP service or not.
You can then click Finish to register the service. Once you click Finish, the Oracle WSM internally generates a new service ID and now the client applications can use that service ID to communicate.
The previous screenshot show that the Oracle WSM registered the time service and created a new service ID.
Click OK to get back to the main screen that lists all the services.
We have only added the new service, but it hasn't been committed yet. You can now click OK to commit the policy.