Variables for Encrypting/Decrypting WS‑Security Messages

The following table describes response variable name/value pairs that can be configured to tell the SOA Agent to encrypt message elements or to pass a decrypted version of a message to the recipient web service.

Note: There are two versions of each XML encryption-related name/value pair. Use the former (TXM_WSSEC_*) with messages that carry username/password or X.509 tokens, and the latter (TXM_WSSEC_SAML_*) with messages that carry SAML tokens.

Variable Name: TXM_WSSEC_ENCRYPT_PUB_KEY_ROLE or TXM_WSSEC_SAML_ENCRYPT_PUB_KEY_ROLE (required)

Variable Value: name_of_WS‑Security_token_consumer

Attribute Type: Static

Meaning: Specifies the value of a SOAP role attribute that identifies the WS‑Security header element containing the recipient's X.509 certificate. The public key in this certificate is used to encrypt the symmetric key; the corresponding private key must be held by the intended message recipient.

This element is required. If no role is specified, the variable must still be declared, with a null value; SOA Security Manager then obtains the key from the WS‑Security header element that has no role, of which only one is allowed.

Variable Name: TXM_WSSEC_ENCRYPT_DECRYPT or TXM_WSSEC_SAML_ENCRYPT_DECRYPT

Variable Value:
  • True
  • False (default)

Attribute Type: Static

Meaning: Specifies whether the SOA Agent passes an incoming encrypted message to the web service in its encrypted or its decrypted form.

If True, the SOA Agent replaces the current message with the decrypted version of the message, if one is available.

Variable Name: TXM_WSSEC_ENCRYPT_ELEMENT or TXM_WSSEC_SAML_ENCRYPT_ELEMENT

Variable Value:
  • UsernameToken
  • Assertion
  • Body

Attribute Type: Static

Meaning: Identifies the message element to be encrypted.

Add one such name/value pair for each element you want encrypted. For example, configure one name/value pair for the message body and one name/value pair for the token.

For TXM_WSSEC_ENCRYPT_ELEMENT:

If UsernameToken, Username/Password and Username/Password Digest tokens are encrypted.

If Body, the message body is encrypted.

For TXM_WSSEC_SAML_ENCRYPT_ELEMENT:

If Assertion, the SAML assertion token is encrypted.

If Body, the message body is encrypted.

Variable Name: TXM_WSSEC_ENCRYPT_OR_SIGN_FIRST or TXM_WSSEC_SAML_ENCRYPT_OR_SIGN_FIRST

Variable Value:
  • Sign (default)
  • Encrypt

Attribute Type: Static

Meaning: Indicates whether encryption or signing is performed first.

Variable Name: TXM_WSSEC_ENCRYPT_ALG_KEY or TXM_WSSEC_SAML_ENCRYPT_ALG_KEY

Variable Value:
  • rsa-1_5 (default)
  • rsa_oaep

Attribute Type: Static

Meaning: Indicates the encryption algorithm used to encrypt the symmetric encryption key.

Variable Name: TXM_WSSEC_ENCRYPT_ALG_DATA or TXM_WSSEC_SAML_ENCRYPT_ALG_DATA

Variable Value:
  • tripledes-cbc (default)
  • aes128-cbc
  • aes192-cbc
  • aes256-cbc

Attribute Type: Static

Meaning: Indicates the encryption algorithm used to encrypt the data element or elements specified with the TXM_WSSEC_ENCRYPT_ELEMENT or TXM_WSSEC_SAML_ENCRYPT_ELEMENT variables.
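As an added example (not part of this documentation or the product), the following Python resolves the effective settings that a policy's response name/value pairs produce for one token family and reports gaps against the rules in the table above: the required PUB_KEY_ROLE, element values valid for the token type, defaults, and the two legacy default algorithms. The list-of-(name, value) input format and the wording of the warnings are assumptions made for this example.

```python
# Added example, not the product's code: resolve the effective WS-Security
# encryption settings from (name, value) response pairs and flag problems.
DEFAULTS = {"ENCRYPT_DECRYPT": "False", "ENCRYPT_OR_SIGN_FIRST": "Sign",
            "ENCRYPT_ALG_KEY": "rsa-1_5", "ENCRYPT_ALG_DATA": "tripledes-cbc"}
CHOICES = {"ENCRYPT_DECRYPT": {"True", "False"},
           "ENCRYPT_OR_SIGN_FIRST": {"Sign", "Encrypt"},
           "ENCRYPT_ALG_KEY": {"rsa-1_5", "rsa_oaep"},
           "ENCRYPT_ALG_DATA": {"tripledes-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}}

def resolve(pairs, saml=False):
    """Return (effective_config, problems). saml=False reads the TXM_WSSEC_* family
    (username/password or X.509 tokens); saml=True reads TXM_WSSEC_SAML_*; other pairs are ignored."""
    prefix = "TXM_WSSEC_SAML_" if saml else "TXM_WSSEC_"
    elements_ok = {"Assertion", "Body"} if saml else {"UsernameToken", "Body"}
    cfg = dict(DEFAULTS, elements=[], pub_key_role=None)
    problems, role_declared = [], False
    for name, value in pairs:
        if not name.startswith(prefix) or (not saml and name.startswith("TXM_WSSEC_SAML_")):
            continue
        key = name[len(prefix):]
        if key == "ENCRYPT_PUB_KEY_ROLE":
            role_declared = True
            cfg["pub_key_role"] = value or None  # null: use the header element with no role
        elif key == "ENCRYPT_ELEMENT":  # one pair per element to encrypt
            if value in elements_ok:
                cfg["elements"].append(value)
            else:
                problems.append(f"{name}: '{value}' is not valid for this token type")
        elif key in CHOICES and value in CHOICES[key]:
            cfg[key] = value
        else:
            problems.append(f"{name}={value!r}: unknown variable or value")
    if not role_declared:
        problems.append(f"{prefix}ENCRYPT_PUB_KEY_ROLE is required (null value = role-less header)")
    if not cfg["elements"]:
        problems.append(f"no {prefix}ENCRYPT_ELEMENT pair: nothing will be encrypted")
    if cfg["ENCRYPT_ALG_KEY"] == "rsa-1_5":
        problems.append("key transport is the legacy rsa-1_5 default; prefer rsa_oaep")
    if cfg["ENCRYPT_ALG_DATA"] == "tripledes-cbc":
        problems.append("data cipher is the legacy tripledes-cbc default; prefer an AES option")
    return cfg, problems

# Constructed sample policy: encrypt Body and Assertion of SAML-token messages
# with RSA-OAEP and AES-256-CBC; the last pair belongs to the non-SAML family.
SAMPLE = [("TXM_WSSEC_SAML_ENCRYPT_PUB_KEY_ROLE", "recipient"),
          ("TXM_WSSEC_SAML_ENCRYPT_ELEMENT", "Body"),
          ("TXM_WSSEC_SAML_ENCRYPT_ELEMENT", "Assertion"),
          ("TXM_WSSEC_SAML_ENCRYPT_ALG_KEY", "rsa_oaep"),
          ("TXM_WSSEC_SAML_ENCRYPT_ALG_DATA", "aes256-cbc"),
          ("TXM_WSSEC_ENCRYPT_ELEMENT", "UsernameToken")]
```

Running `resolve(SAMPLE, saml=True)` yields a clean SAML configuration, while `resolve(SAMPLE, saml=False)` shows the non-SAML family is incomplete: no PUB_KEY_ROLE pair and both legacy defaults in effect.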