Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space FUNCTDEV and version SVC2024.1

...

Table of Contents
maxLevel2
minLevel2

Image RemovedImage Added

General Settings

...

Key Store

Select the Key Store used to verify your identity and to sign the XML data from the Key Store menu. The Key Stores available in this menu are dependent on the Key Stores you added at the test or Responder suite level.For more information on adding Key Stores, see Adding Global Key Stores in SOAtest and Adding Global Key Stores in Virtualize.

AlgorithmSpecifies the unique algorithm used for defining the certificate keys.
Digest methodChoose a message digest algorithm for signing the data.
Canonical formSpecifies the algorithm used to create a canonicalized form of the information being signed.
KeyInfo form

KeyInfo is an optional element within the signature; it contains public key information needed to validate the signature. It is only applicable when performing an enveloped signature on POX or SAML (with WS-Security mode off). Select which options should be included within the KeyInfo element. The following options are available:

  • X509 Certificate: Includes a X509Data/X509Certificate element containing the base64-encoded certificate. This is the recommended default.
  • X509 IssuerSerial: Includes a X509Data/X509IssuerSerial element containing the X.509 name/serial number pair.
  • X509 SKI: Includes a X509Data/X509SKI element containing the base64 encoded subject key identifier. The certificate must be X.509 version 3.
  • X509SubjectName: Includes a X509Data/X509SubjectName element containing the X.509 subject name.
  • Public KeyValue: Includes a KeyValue/RSAKeyValue element containing the base64-encoded public key.
  • STR X509 Certificate: Includes a wsse:SecurityTokenReference/wsse:KeyIdentifier element containing the base64-encoded certificate.
  • STR X509 SKI:  Includes a wsse:SecurityTokenReference/wsse:KeyIdentifier element containing the base64 encoded subject key identifier.
WS-Security mode

Enables signing SOAP messages according to OASIS WS-Security. The version of the OASIS standard can be configured in the Emulation Options Settings. By default, the content of the entire SOAP body will be automatically signed as configured in the Target Elements Settings. When this mode is disabled, an enveloped signature is performed on target elements.

Choose a setting from the Security header layout menu to specify which layout rules to apply when adding items to the WS-Security header. The following settings are available:

  • Lax: Items are added to the security header in any order that conforms to WSS: SOAP Message Security.
  • LaxTimestampFirst: Same as Lax, except that the first item in the security header MUST be a wsse:Timestamp.
  • LaxTimestampLast: Same as Lax, except that the last item in the security header MUST be a wsse:Timestamp.
  • Strict: Items are added to the security header following the numbered layout rules described below according to a general principle of 'declare before use'.

Enable Sign security token using STR Dereference Transform (STRDT) to automatically include the security token in the signature by referencing a security token reference (STR) using the STR Dereference Transform (STRDT) algorithm. By default, the signature will reference the STR that is automatically generated in the signature under the KeyInfo element. If a different STR should be referenced, such as an STR from the Security header, then include the STR in the Target Elements configuration.

Perform SAML signature

Enable this option to sign a SOAP message based on the OASIS SAML Token profile or to perform an enveloped signature on a SAML assertion.

If the WS-Security mode option is disabled, an enveloped SAML signature will be formed on the SAML assertions selected under Target Elements Settings. SAML assertions using the holder-of-key confirmation method should typically have an enveloped signature.

If the WS-Security mode option is enabled, the SOAP envelope will be signed based on the OASIS SAML Token profile. You must choose the correct Emulation Option, otherwise the signature will not be successful:

  • For SAML 1.1, select WSS4J 1.5 or later or OASIS 1.1 or later.
  • For SAML 2, select WSS4J 1

    .

    6 or OASIS 1.1.1.

    User Key Store

    Enable this option to reference the requester's keystore. This option is only applicable for SAML assertions using the holder-of-key confirmation method. This option should be disabled when the assertion does not have an enveloped signature, which is typical for sender-vouches confirmation.

    If the WS-Security mode is disabled, the keystore can optionally be used to add the user's public KeyInfo into the assertion's subject confirmation before performing an enveloped signature on the SAML assertion. This is applicable for the holder-of-key scenario where the assertion holds the user's key and is signed by the assertion issuer.

    If the WS-Security mode is enabled, the following requirements must be met in order for the signature on the SOAP message to be successful:

      1. The holder-of-key assertion must hold the user's certificate referenced by this keystore. 
      2. The assertion in the SOAP header must already have an enveloped signature.

    You can chain two XML Signers together to facilitate holder-of-key confirmation. Configure the first signer to add the public KeyInfo to the assertion's subject confirmation, then perform an enveloped signature on the assertion with the WSS mode off. Next, the second signer can sign the SOAP envelope containing the SAML assertion based on the OASIS SAML token profile with the WSS mode on.

    ...

    1. Disable SOAP body/entire document and click the Tree tab.
    2. Choose an element and click Extract. A row will appear in the Selected Element list.
    3. Click Modify to make any changes to the XPath expression you want to sign. The following extraction options are available:
      1. Entire element will sign the entire XPath.
      2. Content Only will sign only the text content.
    4. Click Evaluate XPath to verify your changes.
    5. Click OK.

    Emulation Options Settings

    Info

    Emulation options for the XML Signer tool is deprecated and will be removed in a future version.

    Configuring the emulation settings is only applicable if WS-Security Mode is enabled in the General Settings

    1. Choose your application server from the Emulate menu to automatically configure the emulation options. 
    2. Choose the appropriate version of your application server from the Version menu.

    You can also configure the emulation options manually by choosing Custom from the Emulate menu. The following options will be available:

    ...

    1. .

    Input Type Tab

    The Input Type tab is only available if the XML Signer tool is added as a standalone tool and not chained to another tool. The following options are available from the Input Type tab:

    ...