Previous Topic: SignatureNext Topic: Encryption/Signature Process for the SOAP Request

Web ServicesInvoke SOAP Method OperatorInput ParametersWS SecurityCommon WS Security ParametersEncryption

Encryption
Add Encryption

Encrypts the SOAP request and adds a new encrypted symmetric key to the SOAP request <wsse:Security> header. CA Process Automation uses a symmetric key to encrypt the content of the SOAP request. The certificate (public key), provided in the keystore, encrypts the symmetric key itself and includes it in the <wsse:Security> header. If this field is selected, then all the fields in the Encryption Parameters are enabled.

Encryption Parameters

The following parameters define the encryption:

Public Key Alias

Defines the certificate (public key) alias with which to encrypt the symmetric key in the keystore.

Canonicalization Algorithm

Defines the canonicalization method with which to serialize the data before applying the encryption. Leave this field blank to use a standard serialization.

Symmetric Encryption Algorithm

Specifies the type of symmetric algorithm with which to encrypt the data.

Values:
  • Tripledes-cbc: Use triple DES. This method uses a key that is 8 bytes - 24 bits long.
  • aes128-cbc: Use AES with a 128-bit key.
  • aes192-cbc: Use AES with a 192-bit key.
  • aes256-cbc: Use AES with 256-bit key.

Default: AES128

Note: If you set this parameter to aes192-cbc or aes256-cbc, the following error can occur:

Illegal key size or default parameters.

If this error occurs, download the following Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from the Oracle web site:

  • US_export_policy.jar
  • local_policy.jar

Overwrite the existing jars of the same name at C:path_to_JRE_used_by_PAM\lib\security with the new ones.

Encrypt the symmetric key?

Encrypts the symmetric key with which the data was encrypted. The product then includes the key in the <wsse:security><xenc:EncryptedKey> header.

Symmetric Key Encryption Algorithm

Defines the algorithm with which to encrypt the symmetric key. This parameter is only applicable if the key is to be encrypted.

Default: RSA15

Public Key Identifier Type

Specifies the key identifier that sets up the certificate (public key) identification elements in the <xenc:EncryptedKey> element. The receiver uses the private key that corresponds to this certificate (public key) to decrypt the symmetric key. The product then uses the symmetric key to decrypt the SOAP request.

Values:
  • 1 (Binary Security Token): The product adds <wsse:SecurityTokenReference> to the <xenc:EncryptedKey> element. The <xenc:EncryptedKey> element uses a URI fragment in a <wsse:Reference> element to reference the certificate (public key). The URI fragment references the public key. The product includes the public key as binary data in the <wsse:Security> header <wsse:BinarySecurityToken> element.
  • 2 (Issuer Name and Serial Number): The product adds <wsse:SecurityTokenReference> to the <xenc:EncryptedKey> element. The <xenc:EncryptedKey> element uses a <ds:X509Data><ds:X509:IssuerSerial> element to reference the certificate (public key). This element uniquely identifies a certificate by its X.509 issuer name and serial number.
  • 3 (X509 Certificate Identifier): The product adds <wsse:SecurityTokenReference> to the <xenc:EncryptedKey> element. The <xenc:EncryptedKey> element uses a <wsse:KeyIdentifier ValueType="oasis-200401-wss-x509-token-profile-1.0#X509v3"> element to reference the certificate (public key).
  • 4 (Subject Key Identifier): The product adds <wsse:SecurityTokenReference> to the <xenc:EncryptedKey> element. The <xenc:EncryptedKey> element uses a <wsse:KeyIdentifier ValueType="#oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"> element to reference the certificate (public key).
  • 8 (Thumbprint SHA1 Identifier): The product adds <wsse:SecurityTokenReference> to the <xenc:EncryptedKey> element. The <xenc:EncryptedKey> element uses a <wsse:KeyIdentifier ValueType="#oasis-wss-soap-message-security-1.1#ThumbprintSHA1"> element to references the certificate (public key).

Default: 0. The operator uses the default key identifier (the Issuer Name and Serial Number) from the implementation.

Parts to Encrypt

Specifies which the parts of the SOAP request to encrypt. Click Add Parameter to enter either a security ID (WSU ID) or a Name/Namespace combination of the element to encrypt.

Values:
  • WSU ID: Defines the wsu:id attribute of the element to encrypt. You can add wsu:id as an attribute of an element in the SOAP request and you can specify your own value. For example: 
       <token wsu:id="123"> </token>

    The following statement shows the definition of the WSU namespace:

       xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
  • Name: Defines the name of the element to encrypt.
  • Namespace: Defines the namespace URI (not the local name of the namespace) of the element to encrypt. For example: 
       http://www.ca.com/pam
  • Encode: Select Content to encrypt the content of the element, or Element to encrypt the entire element.

Note: Leave this field blank to encrypt the body content of the SOAP request. If you specify WSU ID, the product ignores the Name and Namespace values.

Signature First?

Specifies whether to apply the signature before encrypting the data. This parameter is useful if the product encrypts and signs the same data in the SOAP request.

Decrypt and Validate Signature of SOAP Response

Specifies whether to decrypt the SOAP response content and (if applicable) validates the signature. When you select this option, the product enables the Decryption Private Key Password parameter.

Decryption Private Key Password

Defines the password with which to access the decryption private key in the keystore. Use this password to access the private key with which to decrypt an encrypted SOAP response.