Versions Compared

Old Version 2

changes.mady.by.user user-50d80

Saved on

compared with

New Version Current

changes.mady.by.user user-50d80

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space FUNCTDEV and version SOAVIRT_9.10.3_CTP_3.1.0

...

  • Key Store: Select the Key Store used to verify your identity and to sign the XML data from the Key Store drop-down menu. The Key Stores available in this menu are dependent on the Key Stores you added at the test or Responder suite level.

    Conditional ContentProduct: (SOAVirt, SOAtest)Product: (SOAVirt, SOAtest)sv-attr:0A010204015A9054C88481D043445E2F0A010204015CF6008A11EEF43AC91334 0A010204015A9054C886C0AC137B8C01Product: (SOAVirt)sv-attr:0A010204015A9054C88481D043445E2F0A010204015CF6008A11EEF43AC91334

    For more information on adding Key Stores, see Adding Global Key Stores is SOAtest.

    Conditional ContentProduct: (SOAVirt)

    For more information on adding Key Stores, see Adding Global Key Stores is SOAtest and Adding Global Key Stores in Virtualize.

  • Algorithm: Specifies the unique algorithm used for defining the certificate keys.
  • Digest method: Choose a message digest algorithm for signing the data. 
  • Canonical form: Specifies the algorithm used to create a canonicalized form of the information being signed.
  • KeyInfo form:  KeyInfo is an optional element within the signature; it contains public key information needed to validate the signature. It is only applicable when performing an enveloped signature on POX or SAML (with WS-Security mode off). Select which options should be included within the KeyInfo element. Available options are:
    • X509 Certificate: Includes a X509Data/X509Certificate element containing the base64-encoded certificate.  This is the recommended default.
    • X509 IssuerSerial: Includes a X509Data/X509IssuerSerial element containing the X.509 name/serial number pair.
    • X509 SKI: Includes a X509Data/X509SKI element containing the base64 encoded subject key identifier. The certificate must be X.509 version 3.
    • X509SubjectName: Includes a X509Data/X509SubjectName element containing the X.509 subject name.
    • Public KeyValue: Includes a KeyValue/RSAKeyValue element containing the base64-encoded public key.
    • STR X509 Certificate: Includes a wsse:SecurityTokenReference/wsse:KeyIdentifier element containing the base64-encoded certificate.
    • STR X509 SKI:  Includes a wsse:SecurityTokenReference/wsse:KeyIdentifier element containing the base64 encoded subject key identifier.

  • WS-Security Mode: Enables signing SOAP messages according to OASIS WS-Security. The version of the OASIS standard can be configured under "Emulation Options."  By default, the content of the entire SOAP body will be automatically signed as configured under "Target Elements." When this mode is disabled, an enveloped signature is performed on target elements.

  • Security header layout: Controls which layout rules to apply when adding items to the WS-Security header. Available options are:
    • Lax: Items are added to the security header in any order that conforms to WSS: SOAP Message Security.
    • LaxTimestampFirst: Same as Lax, except that the first item in the security header MUST be a wsse:Timestamp.
    • LaxTimestampLast: Same as Lax, except that the last item in the security header MUST be a wsse:Timestamp.
    • Strict: Items are added to the security header following the numbered layout rules described below according to a general principle of 'declare before use'.
  • Perform SAML signature: Enable this to sign a SOAP message based on the OASIS SAML Token profile or to perform an enveloped signature on a SAML assertion
    • If WS-Security mode is disabled: An enveloped SAML signature will be formed on the SAML assertions selected under "Target Elements."  SAML assertions using the holder-of-key confirmation method should typically have an enveloped signature.
    • If WS-Security mode is enabled: The SOAP envelope will be signed based on the OASIS SAML Token profile. The correct Emulation Option must be chosen; otherwise, the signature will not be successful.
      • For SAML 1.1, you must select WSS4J 1.5 or OASIS 1.1.
      • For SAML 2, you must select WSS4J 1.6 (also adheres to OASIS 1.1).
  • User Key Store: This optional keystore references the requester's key. This is only applicable for SAML assertions using the holder-of-key confirmation method. This should be disabled when the assertion does not have an enveloped signature, which is typical for sender-vouches confirmation.
    • If WS-Security mode is disabled: This keystore can optionally be used to add the user's public KeyInfo into the assertion's subject confirmation before performing an enveloped signature on the SAML assertion. This is applicable for the holder-of-key scenario where the assertion holds the user's key and is signed by the assertion issuer.
    • If WS-Security mode is enabled: In order for the signature on the SOAP message to be successful, two things are required.
      1. The holder-of-key assertion must hold the user's certificate, referenced by this keystore. 
      2. The assertion in the SOAP header must already have an enveloped signature.
    • For holder-of-key confirmation: You may use two XML Signers: one chained to the other.  The first signer can optionally add the user's public KeyInfo to the assertion's subject confirmation, then perform an enveloped signature on the assertion (WSS mode off). Next, the second signer can sign the SOAP envelope containing the SAML assertion based on the OASIS SAML token profile (WSS mode on).

...

  • Text: Use this option if you want to type or copy the XML document into the UI. Select the appropriate MIME type, enter the XML in the text field below the Text radio button.
  • File: Use this option if you want to use an existing file. Click the Browse button to choose a file.

    • Check the Persist as Relative Path option if you want the path to this file to be saved as a path that is relative to the current configuration file. Enabling this option makes it easier to share tools across multiple machines. If this option is not enabled, the test or Responder will save the path to this file as an absolute path.

Usage Notes

...

...

You can use the XML Signer tool as a standalone tool at the tool level by right-clicking the main test suite node and selecting Add New> Test from the shortcut menu and then selecting XML Signer from the dialog that opens.

...

You may 

...

 also

 chain You may  also chain the XML Signer tool to a messaging tool by right-clicking the desired tool node and selecting Add Output from the shortcut menu and then selecting XML Signer from the dialog that opens. The messaging tool will use the transformed XML.

...

0A010204015CF6008A11EEF43AC91334 0A010204015A9054C886C0AC137B8C01
Info
titleImportant
In order to perform security operations using the XML Signature Verifier, XML Signer, or XML Encryption tools, or if using Key Stores, you will need to download and install the Unlimited Strength Java Cryptography Extension. For details, see JCE Prerequisite.
Conditional Content
Product: (SOAVirt, SOAtest)Product: (SOAVirt, SOAtest)sv-attr:0A010204015A9054C88481D043445E2F

Related Tutorials

The following tutorial lesson demonstrates how to use this tool: