Securing web service message flows using WebSphere DataPower, Part 2: Encrypting the security policy

This article series discusses securing web service message flows with the WS security policy to enforce and filter WSDL-defined WS policies using WebSphere® DataPower SOA Appliance with firmware 5.0.0.8 or later. Part 2 of this 3-part article series dives into the encryption part of the security policy and explains how to configure the appliance to enforce and filter encryption requirements.

Christophe Bouchet (christophe.bouchet@fr.ibm.com), IT Specialist, IBM

Christophe Bouchet is an IT Specialist with IBM Software Services for WebSphere. He has worked with the DataPower line of products since 2010, assisting many customers in their integration projects. Christophe has worked on service-oriented architecture and security requirements for more than 8 years.



18 September 2013

Introduction

This article is the second part of a 3-part article series that discusses securing web service message flows with the WS security policy using DataPower SOA Appliance with firmware 5.0.0.8 or later. The article covers a proof of concept that demonstrates the added value of DataPower appliances in terms of filtering and enforcing security policies as defined in the WS-SecurityPolicy 1.2 specification. The topology is relatively simple: it consists of a service consumer that consumes services exposed by a service provider.

To set the base for the secured flow, the service consumer consumes through a DataPower appliance positioned at the edge of the network, and every incoming request intended for the service provider also flows through a DataPower appliance. In our case, the two participants are partners or subsidiaries communicating through an insecure network, so we list a set of requirements that must be met to reach an acceptable level of security.

Part 1 describes the general configuration and different scenarios representing different topologies in which the appliance and the frontend and backend applications have different responsibilities. Responsibility for the requirements is spread among the components to assess the capacity and performance of each component in addressing them. DataPower SOA Appliances are fit to serve as a gateway for web service exposure and consumption.

Part 2 (this article) covers the encryption part of the security policy; signing is performed by the service consumers and providers themselves.

Part 3 provides all the security measures that are handled by the appliances (signature, encryption).

The appliance supports the WS-Policy, WS-SecurityPolicy, and WS-Security specifications, which are the focus of this article. This article is intended for technical specialists and architects who have a basic knowledge of DataPower concepts.

Prerequisites

The article is based on DataPower SOA Appliance XG45 firmware 5.0.0.5. The article also applies to other DataPower appliance models (XI50, XI52, XB62, and so on) as long as the firmware is at least 5.0.0.5. This article used the following versions of the WS-SecurityPolicy specifications and testing tool:


Scenario 1: Enforcing confidentiality

In this scenario, the end applications are exchanging messages containing a digital signature that is specified in the WS-Security specifications. The creation and verification of the signature are the responsibility of the applications and frameworks. DataPower appliances will apply the message encryption, and both appliances will handle the encryption and decryption of messages, which will make it transparent to the backend applications. Figure 1 shows a visual representation of the message flow.

Figure 1. Scenario 1

Roles and responsibilities of each actor

Table 1 shows the responsibilities of each actor in the processing flow.

Table 1. Roles and responsibilities
Actor                        | Role
Service consumer             | Consumes a service exposed by the service provider. The web service operation is getMsgSignChiffr(). The service consumer has to sign the header and body of the SOAP request, as defined in the WSDL's policy requirements. In return, the response is signed the same way.
DataPower consumer appliance | Serves as a gateway for the service consumer. It exposes the same WSDL as the service provider. It filters (rejects) requests and responses that are not signed or that contain an invalid signature. It applies message encryption to requests and decrypts responses.
DataPower provider appliance | Serves as a reverse gateway for the service provider. It exposes a WSDL with the "highest" level of security (the same WSDL as the service provider plus requirements for encryption on requests and responses). It rejects incoming messages that are not correctly signed and encrypted.
Service provider             | Provides the service. In this scenario, it serves the getMsgSignChiffr() operation. The request it receives is signed, and it has to sign the response. The service provider exposes a WSDL file containing only a signing policy for the corresponding operation.

WSDLs used

Two WSDL files are used in this scenario. They are referred to in the WSDL section at the beginning of this article. The consuming appliance and the service provider use a WSDL cleaned of any WS-Policy definitions; the providing appliance exposes a WSDL with all the security requirements.


DataPower appliances configuration

This section describes the configuration of the appliances on the consumer side and on the provider side.


Consumer appliance configuration

This section describes the configuration of the consumer appliance.

WebService proxy wsp_casa_cons_noWSS

This section describes the configuration of the wsp_casa_cons_noWSS WebService proxy.

Figure 2 shows a web service proxy with a static backend pointing to the provider appliance. In our example, the provider appliance is simulated locally on a separate application domain.

Figure 2. Web Service Proxy consumer

WS-Policy enforcement mode

The WS-Policy enforcement mode controls the behavior of the DataPower policy framework regarding the correct application of the policy for inbound and outbound messages.

The WS-Policy enforcement mode is set to "filter" at the WSDL level, as shown in Figure 3.

Figure 3. WS-Policy enforcement mode

The appliance rejects any requests that are not conforming to the WS policy. In our case, any request that was not signed by the service consumer or containing a non-matching signature will be rejected, as shown in Figure 4. Table 2 shows the web service proxy processing rules.

Figure 4. Web service proxy processing rules
Table 2. Processing rules
Rule           | Direction      | Description
_ruleChiffr    | Client->Server | Matches requests for the getMsgSignChiffr web service operation. The rule encrypts the message header and body, so that at the end of the processing rule you get a signed and encrypted request to forward to the provider appliance.
_response-rule | Server->Client | Matches the response of the getMsgSignChiffr web service operation. It decrypts the response, because response decryption is not performed automatically by DataPower.

Figure 5 shows the main processing rule that applies to requests; its actions are described in Table 3.

Figure 5. Rule 1
Table 3. Actions defined in Rule 1
Action  | Type    | Parameters                      | Description
Match   | Match   |                                 | Matches the right web service operation.
Encrypt | Encrypt | See below for the configuration | The incoming message arrives with an embedded signature. This action encrypts the SOAP message header and body.

For the encrypt action to comply with the WS-Policy requirements of the provider appliance, you need to apply the configuration shown in Figures 6 to 8.

Figure 6. Encryption configuration (Screen 1 of 3)
Figure 7. Encryption configuration (Screen 2 of 3)

In Figure 8, the crypto map object in use selects the header and body of the request as the elements to encrypt.

Figure 8. Encryption configuration (Screen 3 of 3)

The response rule is shown in Figure 9 and described in Table 4.

Figure 9. Response rule
Table 4. Actions defined in the response rule
Action  | Type    | Parameters                                                | Description
Match   | Match   | XPath matching the getMsgSignChiffr web service operation | Matches the right web service operation.
Decrypt | Decrypt |                                                           | The incoming message arrives encrypted in the response on the HTTP connection. Decryption is not performed automatically by the appliance.

At the policy level, schema validation of the response messages has been deactivated, as shown in Figure 10. This is because the incoming response message contains signature- and encryption-specific XML elements that would have to be removed for XML validation against the business schema to succeed.

Figure 10. Disable response validation

Provider appliance configuration

This section describes the configuration of the appliance on the provider side. The policies are filtered for the request flows and enforced on the response flows.

Figure 11 shows a web service proxy with a static backend pointing to the provider appliance. In our example, the provider appliance is simulated locally on a separate application domain.

Figure 11. Web Service Proxy provider

WS-Policy enforcement mode

The WS-Policy enforcement mode is set to "enforce" at the WSDL level as shown in Figure 12. The policy parameter set, as described at the beginning of this article, is specified here.

Figure 12. WS-Policy enforcement mode

The web service proxy has the rules shown in Figure 13 and described in Table 5.

Figure 13. Processing rules
Table 5. Processing rules
Rule           | Direction       | Description
rulesign       | Client > Server | Matches requests for the getMsgSignChiffr web service operation. Nothing particular is performed in this processing rule; the transformation performs some routing.
_response-rule | Server > Client | Matches the response of the getMsgSignChiffr web service operation. No action is positioned on that rule, as the signature is generated by the service provider and the encryption is automatically enforced by the policy framework.
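In filter mode the provider appliance has to reject a request that does not meet the encryption policy before it attempts any decryption. The following Python script is an added example, not DataPower or IBM code; it models those structural checks over a request shaped like the consumer appliance output in Listing 2: the header block and the body content are both encrypted with aes256-cbc, every EncryptedKey uses rsa-oaep-mgf1p, names the recipient by an X.509 SubjectKeyIdentifier and references an existing EncryptedData, no EncryptedData is left without a key, and the Timestamp has not expired. The sample envelopes, their Ids (hdr-1, body-1, body-9) and the PLACEHOLDER cipher values are constructed; only the algorithm URIs, the timestamps and the SKI value are taken from the listing.

```python
"""Structural WS-SecurityPolicy check for an encrypted SOAP request.
Added example, not DataPower code: it models what the provider appliance's
policy framework verifies before decrypting a request shaped like Listing 2.
Sample envelopes are constructed; CipherValue contents are placeholders."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"soap": "http://www.w3.org/2003/05/soap-envelope",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
XENC_DATA = "{%s}EncryptedData" % NS["xenc"]
# Algorithms used in Listing 2; the policy parameter set admits only these.
ALLOWED_DATA_ALG = {"http://www.w3.org/2001/04/xmlenc#aes256-cbc"}
ALLOWED_KEY_ALG = {"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"}
SKI_VALUE_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
                  "oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier")


def _algorithm(parent):
    method = parent.find("xenc:EncryptionMethod", NS)
    return method.get("Algorithm") if method is not None else None


def check_encrypted_envelope(xml_text, now):
    """Return policy violations; an empty list means decryption may proceed.
    `now` is an aware datetime used for the Timestamp freshness check."""
    findings = []
    root = ET.fromstring(xml_text)
    header, body = root.find("soap:Header", NS), root.find("soap:Body", NS)
    if header is None or body is None:
        return ["missing SOAP Header or Body"]
    # 1. Header block and body content are both encrypted; anything else left
    #    in the body would be business data travelling in clear.
    if header.find("xenc:EncryptedData", NS) is None:
        findings.append("SOAP header is not encrypted")
    if body.find("xenc:EncryptedData", NS) is None:
        findings.append("SOAP body is not encrypted")
    findings += [f"plaintext element in body: {c.tag}" for c in body if c.tag != XENC_DATA]
    # 2. Every EncryptedData uses an allowed symmetric algorithm.
    enc_data = {e.get("Id"): e for e in root.iter(XENC_DATA)}
    for eid, e in enc_data.items():
        if _algorithm(e) not in ALLOWED_DATA_ALG:
            findings.append(f"EncryptedData {eid}: algorithm {_algorithm(e)} not allowed")
    # 3. Each EncryptedKey uses an allowed key transport, names the recipient by
    #    X.509 SKI and references only existing EncryptedData; every
    #    EncryptedData must in turn be covered by some EncryptedKey.
    security = header.find("wsse:Security", NS)
    if security is None:
        return findings + ["missing wsse:Security header"]
    referenced = set()
    for ek in security.findall("xenc:EncryptedKey", NS):
        if _algorithm(ek) not in ALLOWED_KEY_ALG:
            findings.append(f"EncryptedKey: key transport {_algorithm(ek)} not allowed")
        kid = ek.find(".//wsse:KeyIdentifier", NS)
        if kid is None or kid.get("ValueType") != SKI_VALUE_TYPE:
            findings.append("EncryptedKey: recipient not identified by X509 SKI")
        for ref in ek.findall("xenc:ReferenceList/xenc:DataReference", NS):
            target = ref.get("URI", "").lstrip("#")
            if target not in enc_data:
                findings.append(f"EncryptedKey: DataReference to unknown Id {target}")
            referenced.add(target)
    findings += [f"EncryptedData {eid} has no EncryptedKey" for eid in enc_data if eid not in referenced]
    # 4. Timestamp freshness: an expired request is rejected before decryption.
    ts = security.find("wsu:Timestamp", NS)
    if ts is None:
        findings.append("missing wsu:Timestamp")
    elif now > datetime.fromisoformat(ts.findtext("wsu:Expires", namespaces=NS).replace("Z", "+00:00")):
        findings.append("Timestamp expired")
    return findings


# Constructed fragments in the shape of Listing 2 (SKI value copied from it).
ENC_DATA = ('<xenc:EncryptedData Id="{id}" Type="{xenc}{kind}">'
            '<xenc:EncryptionMethod Algorithm="{alg}"/><xenc:CipherData>'
            '<xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>')
ENC_KEY = ('<xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="{alg}"/>'
           '<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference>'
           '<wsse:KeyIdentifier ValueType="{ski}">2U7VibA3eDNHoMltReOjaWmu8tI=</wsse:KeyIdentifier>'
           '</wsse:SecurityTokenReference></dsig:KeyInfo><xenc:CipherData>'
           '<xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>'
           '<xenc:ReferenceList><xenc:DataReference URI="#{target}"/></xenc:ReferenceList></xenc:EncryptedKey>')


def make_envelope(data_alg, body_ref="body-1"):
    """Constructed request: encrypted header block, two EncryptedKeys, encrypted body content."""
    key = lambda target: ENC_KEY.format(alg="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
                                        ski=SKI_VALUE_TYPE, target=target)
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:xenc="{NS['xenc']}"
  xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
  <soap:Header>
    {ENC_DATA.format(id='hdr-1', xenc=NS['xenc'], kind='Element', alg=data_alg)}
    <wsse:Security soap:mustUnderstand="1">{key('hdr-1')}{key(body_ref)}
      <wsu:Timestamp><wsu:Created>2013-06-20T21:25:52Z</wsu:Created>
      <wsu:Expires>2013-06-20T21:30:52Z</wsu:Expires></wsu:Timestamp>
    </wsse:Security>
  </soap:Header>
  <soap:Body>{ENC_DATA.format(id='body-1', xenc=NS['xenc'], kind='Content', alg=data_alg)}</soap:Body>
</soap:Envelope>"""


def run_samples():
    """Conforming request; request with a weak cipher and a dangling DataReference;
    the conforming request checked after its Timestamp has expired."""
    fresh = datetime(2013, 6, 20, 21, 28, tzinfo=timezone.utc)
    late = datetime(2013, 6, 20, 21, 31, tzinfo=timezone.utc)
    good = make_envelope("http://www.w3.org/2001/04/xmlenc#aes256-cbc")
    bad = make_envelope("http://www.w3.org/2001/04/xmlenc#aes128-cbc", body_ref="body-9")
    return {"good": check_encrypted_envelope(good, fresh),
            "bad": check_encrypted_envelope(bad, fresh),
            "expired": check_encrypted_envelope(good, late)}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, findings or "conforms to policy")
```

The checks are deliberately done on the message structure only, before any key material is touched: that is the order the filter mode implies, since a message that already fails the policy should never reach the decrypt step. Real policy evaluation also covers the signature requirements of Part 1; those are not modelled here.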

Demonstrating the execution flow

In this section, using soapUI and debug probes, we will describe how the messages flow and get modified from the service consumer to the service provider.

  1. Listing 1 shows the request message as it is submitted by the service consumer.
    Listing 1. Request message submitted by the service consumer
    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
     xmlns:soap1="http://referentiel.ca.fr/soapHeaderV1"
     xmlns:poc1="http://www.credit-agricole.fr/interop/POC1/">
       <soap:Header>
          <m:CA_groupHeader IDPortail="" Reseau="" Terminal="" idSessionPortail=""
           IDPOFO="abcdefghij" IDPTVE="" IDELSTCO="" NMAPPU="" IDOCAP="" TYPRME=""
           IDOCPM="" NUMCRT="12345" NUMCRE="12345"
           wsu:Id="Id-88575517-5404-4184-8b5b-c3708672e8dc"
           xmlns:m="http://referentiel.ca.fr/soapHeaderV1"
           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
             <m:Consumer nomApplication="" version="1"/>
             <m:userInformation userType="01" userId="" userEntity="12345"
              userProfile="" userIsVIP="N" lastName="" givenName=""/>
          </m:CA_groupHeader>
          <wsse:Security soap:mustUnderstand="1"
           xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
             <wsu:Timestamp wsu:Id="Timestamp-52d3d278-cb15-4b01-b98e-408187a89bf8"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <wsu:Created>2013-06-20T21:25:52Z</wsu:Created>
                <wsu:Expires>2013-06-20T21:30:52Z</wsu:Expires>
             </wsu:Timestamp>
             <wsse:BinarySecurityToken
              wsu:Id="SecurityToken-105b0efa-3b05-44c6-89f7-2a42f124eb11"
              EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
              ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
              >MIIDLDCCAhSgAwIBAgIIVuY+cZ/zyf0wDQYJKoZIhvcNAQELBQAwIj
              EgMB4GA1UEAwwXQUMgRW50aXTDqSBDb25zb21tYXRldXIwHhcNMTIx
              MTI4MjIyODI0WhcNMTUxMTI4MjIyODI0WjAoMSYwJAYDVQQDDB1Ta
              WduQ2hpZmZyIERQVyAtIGNvbnNvbW1hdGV1cjCCASIwDQYJKoZIhvc
              NAQEBBQADggEPADCCAQoCggEBALYAXrCMCnEbWPS95ERb91pYSozs8
              Rj0n1rBqEIrllsmb5+rB5bGaKE+UIJs2xHtmZLm+yTumun5cPLhsQ
              Mrr6LsqaO0J6sOM0DUn+MrrGPRZy2gZSEaNwWsx0kwh2t+xlo4yiL8io
              AKA+Q5B0BcAw6KlJoSmzUljuMP73sLFsatbT6hfNPB4x6uSHYfCB3wmv
              KnKmgmrF9Ipz/C6Dput8DG6+VPjWdY3fLktrY8areqMZDpmQW9hae/
              qP1heXOHChKRTyNs9kou60uCZ+i+R0bxgQvNZC9Mr2Sc9oR2AiEGVtg
              V724QWUoKKSJw0unRTYUQvd4oL3ywscg66M2SBLMCAwEAAaNgMF4w
              HQYDVR0OBBYEFPfyrUQgGcW4m/PQhsah6ZODSwU1MAwGA1UdEwEB/wQ
              CMAAwHwYDVR0jBBgwFoAUeg0LmyL6h6/7yAZMQ+f8li2/cQkwDgYDVR0
              PAQH/BAQDAgRQMA0GCSqGSIb3DQEBCwUAA4IBAQBrHta4DWju/
              PTC+9PbDSff0qlIUqux4Bbs0BKI4pYLbKLzsidyGZ8IShVX1nDoS4YXRdx/
              Z1cL086yCtv2WrjNyqkiH50zdhn8O7pvAuc9PPtH+USql0C4tu9z3BMzq
              MsaEVJSJQCKJiPfgihX5jsAm1Pup+BJFELBfKvPL9ab3/9PNttMJaOkyWc/
              7lPzbfnNp4H+8ANUAvn18xEt/rj6JM1Xl+HS9cp/P5DUY5YxwvPXWtbFC6H1
              NxEQ/LkqvcWFOdwJQeG5eKst5Vi3N6cVdZ6pLzxCHwrAJDlRZXzQRCTDzh
              ShvS483MT/E0+owveY81Twsh4lED7ITf5Mxll1</wsse:BinarySecurityToken>
             <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                   <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                   <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                   <Reference URI="#Id-88575517-5404-4184-8b5b-c3708672e8dc">
                      <Transforms>
                         <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                      </Transforms>
                      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                      <DigestValue>TfvlgTtvN//+ZVjtM6sMQgNZtm4vWWOnlQX8v42V2Xo=</DigestValue>
                   </Reference>
                   <Reference URI="#Id-e924bdb2-f3c6-4040-a99e-740064bc1290">
                      <Transforms>
                         <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                      </Transforms>
                      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                      <DigestValue>maEd43Oxwsbzmpx16wsjaDx/iAvJVn0EAFht/n8LhD4=</DigestValue>
                   </Reference>
                   <Reference URI="#Timestamp-52d3d278-cb15-4b01-b98e-408187a89bf8">
                      <Transforms>
                         <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                      </Transforms>
                      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                      <DigestValue>EokG1D1/GTJ42tsy6DtqVHg19EOaWQ9Eh7aY6cq6Wsc=</DigestValue>
                   </Reference>
                </SignedInfo>
                <SignatureValue>K0oMMqG3CpboGrjoqJVJmELSEJ4T5xvbBUbD3ZMnk10w2O
                  Kcp5YFpYm0tzJEPGZN9ohr/Pqplvd+/oChE2XOYsLNnjaTrmCZLBlcTGyGWP1GDDl9
                  qB3XtJ1hL4t3Fa5OxefhvsN0KWwT8ynFaoJOZsV2QJgJB4Q8g6fGi4W6q8Lfz/
                  l3fDnc0UbMrQI/60YqUUhRT7LbKhMcEkqz3gcu2RF1nE73za8y72GTcPuSDG0HqJwML1/
                  QmP7JovKYeM84ZCmcsJt8fOgw0ezYD2BU/9lHL7+BS9ck/nFWlYav7xS544td/
                  A7pN8JzDkTWtxBiSewPaXtCkpdAOIT1GYT0vA==</SignatureValue>
                <KeyInfo>
                   <wsse:SecurityTokenReference xmlns="">
                      <wsse:Reference URI="#SecurityToken-105b0efa-3b05-44c6-89f7-2a42f124eb11"
                       ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
                   </wsse:SecurityTokenReference>
                </KeyInfo>
             </Signature>
          </wsse:Security>
       </soap:Header>
       <soap:Body wsu:Id="Id-e924bdb2-f3c6-4040-a99e-740064bc1290"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <poc1:getMsgSignChiffrRequest>
             <poc1:numCompte>?</poc1:numCompte>
          </poc1:getMsgSignChiffrRequest>
       </soap:Body>
    </soap:Envelope>

    You can see the signature included in the message; the business part of the message is the getMsgSignChiffrRequest element in the SOAP body of Listing 1. The signature covers three references: the CA_groupHeader header block, the SOAP body and the Timestamp.

  2. Listing 2 shows the request message when it is outputted by the consumer appliance.
    Listing 2. Request message as output by the consumer appliance
    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
     xmlns:soap1="http://referentiel.ca.fr/soapHeaderV1"
     xmlns:poc1="http://www.credit-agricole.fr/interop/POC1/">
       <soap:Header>
          <xenc:EncryptedData Id="G0xb8b5b0b0-5D" Type="http://www.w3.org/2001/04/xmlenc#Element"
           xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
             <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
             <xenc:CipherData>
                <xenc:CipherValue>WtPXZ7G7rMZOrtx032vkfICauLUHS/cS1QZwHiv/1QmJN2DeLTs
                 QpzrQJsKUIpoy4TXHi8kNUaQ7MtPZTAixLhiu3ctqs8aueDZTurTIJJrL0aLPIBQA7xzyCKhq
                 h4d04tr3EAIUFq50yHuh4rxlq6Ej/7/wWiqn9IMuR0JPyuoGNAD1KKdgQtc4WlQ1ujM324vg
                 WbbgKaeOXBecmsyrvCFKm169NA+aAFdeJLS2JbPeIgYtGWEWnMzSQZ5WblgIVZ2jjpbz5gHF
                 SDUnnfmAm4K1U9r1rhic3ahXHmkQ4QfeORK5/lGGpIHO0QgaX/q2jYvv1onE8VdyWkci/
                 PVWZ18ceCtJUNlqKRDORmd9jkpDQhjLyWZJpbHW1pNOjbDj4SXWkT9joFIrqextSg9I/
                 g1GYfS8/oTjAvGyvaj87svBWlzbtKgQbrKsir6H4HeyP6PCg5/o0Tw+86c8obOekQDA0g
                 CMCG8Imht/lw1Y/cT2qjFRuuhUwzESysJa5Cx+m50o+mNuF8wzpdTCeNRY4Ik7TX6umd
                 VWEZZ12Y3aFwFIDK+TZuYTCxYPuFNlGqw12t0DsZ7wXw7Dhb2JLDiMuvIJgsyGqCfPqv
                 fsKd4rxCPeYyq/m8R7PnWB+IbMZJZM1i6hrErqy8W6uV4HQdhIxF92vc6itO+wS9Dtr
                 HMpK286784IaDkb/a3IzbYnGMCun8kja2f2X4xpywtMukKrbyY+QNSoFagRKiXbi9wXK
                 H1bUeaXkJsJDIv92VNGAXOKNm8fjspGaJRKibNHWj4dgJeour+vv3GdQPNTw+x7oeHhV
                 qUXAI57s4UB/ykPoauDUHT0gYCUAVOYzqU6rlMJxw3tNnuy6t8rVZ4D8S4UMJZlkEIru
                 KC2CE9giseB0mZ7E0h4P2DXRRyQ3lNumVcvJlTwVSW+jKo/aj607eD2voZ+n8uV+Cbg2lOjYe/
                 u12suNeNZ4QSvpMa6BpSsTMQMgk/OcgZ5OFSujFnO90ozAtNYDcDPHpXQzPsFjYHVw3wZZ
                 Upo6kGa1fVRM+CTPrVF2EdhY8KsH1XQPOgIEbsppwrEZiLJdc0ke+zyGQpnKtZv</xenc:CipherValue>
             </xenc:CipherData>
          </xenc:EncryptedData>
          <wsse:Security soap:mustUnderstand="1"
           xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
             <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
                 xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                   <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                </xenc:EncryptionMethod>
                <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                   <wsse:SecurityTokenReference>
                      <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
                       EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                       >2U7VibA3eDNHoMltReOjaWmu8tI=</wsse:KeyIdentifier>
                   </wsse:SecurityTokenReference>
                </dsig:KeyInfo>
                <xenc:CipherData xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                   <xenc:CipherValue>JTwCgBsEW6mHB08n1iZ190e2BVybb1ZsCRLMNXY
                    d2LFIQ7ztmcZdrblzS0iaO6/JLMSoYAENV1xJyi/k+EwPiP9DZ5puNlKOz9ZZl2
                    JoaOo+fMjRY7Q78YBl7oUafRq8H/ANdnqK6Sj+EJbjYlWY+uXeFWGpjjbwHGvV
                    xUpS0pvLVAS2cMKcv8L99GaJ1IVMaqqnpEQ5P0hL3lEkozEh3gs1Xe2JY4j/1V/
                    borgb5bgWpYTJE/kREPYnrtxqnNilJ3HE4Vap2480JIhICgxz29PQbhEJ+0a/
                    S+7PPsHZRs6fzffeJnOf6ZMuAxZOwJtxelj3i8RZ0KY0Q25Hg9anZw==</xenc:CipherValue>
                </xenc:CipherData>
                <xenc:ReferenceList>
                   <xenc:DataReference URI="#G0xb8b5b0b0-5D"/>
                </xenc:ReferenceList>
             </xenc:EncryptedKey>
             <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
                 xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                   <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                </xenc:EncryptionMethod>
                <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                   <wsse:SecurityTokenReference>
                      <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
                       EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                       >2U7VibA3eDNHoMltReOjaWmu8tI=</wsse:KeyIdentifier>
                   </wsse:SecurityTokenReference>
                </dsig:KeyInfo>
                <xenc:CipherData xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                   <xenc:CipherValue>GKCoo4une0BmY9PjuiDTmQC0+W6sq6PM3m8L
                    DTmwQ58OewLIVM8SWCmMAqhLIAS2iGip0Do3q5mrSBeiz3oXJYVsvq8Z8Rc
                    J4NN8Yr0JcMD7NwT6boTaFeUzezKg821FgCowqk0CrNddZA9AOeTARXr/
                    YfulJCRPAHdG3bndQQ7sGO4nkOi5bzzRr0qHlLUiYyvf6arDqisVbYHOJK
                    RdDrzWQcMtk7fx9P30/raRnmzqn0u+7p7oiRbtBvHE0UNS2PrpQcStbYHnC/
                    gfx7bhG/ygGWBLcjkMyxumq5YFXmHxQckdtj3gpZgSa0QpSHOWeumP4vyCTZ
                    3cMqXCn2HEqg==</xenc:CipherValue>
                </xenc:CipherData>
                <xenc:ReferenceList>
                   <xenc:DataReference URI="#G0xb0e89b10-72D"/>
                </xenc:ReferenceList>
             </xenc:EncryptedKey>
             <wsu:Timestamp wsu:Id="Timestamp-52d3d278-cb15-4b01-b98e-408187a89bf8"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <wsu:Created>2013-06-20T21:25:52Z</wsu:Created>
                <wsu:Expires>2013-06-20T21:30:52Z</wsu:Expires>
             </wsu:Timestamp>
             <wsse:BinarySecurityToken wsu:Id="SecurityToken-105b0efa-3b05-44c6-89f7-2a42f124eb11"
              EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
              ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
              >MIIDLDCCAhSgAwIBAgIIVuY+cZ/zyf0wDQYJKoZIhvcNAQELBQAwIjEgMB4GA1UE
              AwwXQUMgRW50aXTDqSBDb25zb21tYXRldXIwHhcNMTIxMTI4MjIyODI0WhcNMTUxMTI4
              MjIyODI0WjAoMSYwJAYDVQQDDB1TaWduQ2hpZmZyIERQVyAtIGNvbnNvbW1hdGV1cjCC
              ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALYAXrCMCnEbWPS95ERb91pYSozs
              8Rj0n1rBqEIrllsmb5+rB5bGaKE+UIJs2xHtmZLm+yTumun5cPLhsQMrr6LsqaO0J6sO
              M0DUn+MrrGPRZy2gZSEaNwWsx0kwh2t+xlo4yiL8ioAKA+Q5B0BcAw6KlJoSmzUljuMP7
              3sLFsatbT6hfNPB4x6uSHYfCB3wmvKnKmgmrF9Ipz/C6Dput8DG6+VPjWdY3fLktrY8ar
              eqMZDpmQW9hae/qP1heXOHChKRTyNs9kou60uCZ+i+R0bxgQvNZC9Mr2Sc9oR2AiEGVtg
              V724QWUoKKSJw0unRTYUQvd4oL3ywscg66M2SBLMCAwEAAaNgMF4wHQYDVR0OBBYEFPfy
              rUQgGcW4m/PQhsah6ZODSwU1MAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUeg0LmyL6h6/
              7yAZMQ+f8li2/cQkwDgYDVR0PAQH/BAQDAgRQMA0GCSqGSIb3DQEBCwUAA4IBAQBrHta4
              DWju/PTC+9PbDSff0qlIUqux4Bbs0BKI4pYLbKLzsidyGZ8IShVX1nDoS4YXRdx/Z1cL0
              86yCtv2WrjNyqkiH50zdhn8O7pvAuc9PPtH+USql0C4tu9z3BMzqMsaEVJSJQCKJiPfgih
              X5jsAm1Pup+BJFELBfKvPL9ab3/9PNttMJaOkyWc/7lPzbfnNp4H+8ANUAvn18xEt/rj6J
              M1Xl+HS9cp/P5DUY5YxwvPXWtbFC6H1NxEQ/LkqvcWFOdwJQeG5eKst5Vi3N6cVdZ6pLzx
              CHwrAJDlRZXzQRCTDzhShvS483MT/E0+owveY81Twsh4lED7ITf5Mxll1</wsse:BinarySecurityToken>
             <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                   <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                   <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                   <Reference URI="#Id-88575517-5404-4184-8b5b-c3708672e8dc">
                      <Transforms>
                         <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                      </Transforms>
                      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                      <DigestValue>TfvlgTtvN//+ZVjtM6sMQgNZtm4vWWOnlQX8v42V2Xo=</DigestValue>
                   </Reference>
                   <Reference URI="#Id-e924bdb2-f3c6-4040-a99e-740064bc1290">
                      <Transforms>
                         <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                      </Transforms>
                      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                      <DigestValue>maEd43Oxwsbzmpx16wsjaDx/iAvJVn0EAFht/n8LhD4=</DigestValue>
                   </Reference>
                   <Reference URI="#Timestamp-52d3d278-cb15-4b01-b98e-408187a89bf8">
                      <Transforms>
                         <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                      </Transforms>
                      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                      <DigestValue>EokG1D1/GTJ42tsy6DtqVHg19EOaWQ9Eh7aY6cq6Wsc=</DigestValue>
                   </Reference>
                </SignedInfo>
                <SignatureValue>K0oMMqG3CpboGrjoqJVJmELSEJ4T5xvbBUbD3Z
                 Mnk10w2OKcp5YFpYm0tzJEPGZN9ohr/Pqplvd+/oChE2XOYsLNnjaTrmCZL
                 BlcTGyGWP1GDDl9qB3XtJ1hL4t3Fa5OxefhvsN0KWwT8ynFaoJOZsV2QJgJ
                 B4Q8g6fGi4W6q8Lfz/l3fDnc0UbMrQI/60YqUUhRT7LbKhMcEkqz3gcu2RF
                 1nE73za8y72GTcPuSDG0HqJwML1/QmP7JovKYeM84ZCmcsJt8fOgw0ezYD2BU/
                 9lHL7+BS9ck/nFWlYav7xS544td/A7pN8JzDkTWtxBiSewPaXtCkpdAOIT1GY
                 T0vA==</SignatureValue>
                <KeyInfo>
                   <wsse:SecurityTokenReference xmlns="">
                      <wsse:Reference URI="#SecurityToken-105b0efa-3b05-44c6-89f7-2a42f124eb11"
                       ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
                   </wsse:SecurityTokenReference>
                </KeyInfo>
             </Signature>
          </wsse:Security>
       </soap:Header>
       <soap:Body wsu:Id="Id-e924bdb2-f3c6-4040-a99e-740064bc1290"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <xenc:EncryptedData Id="G0xb0e89b10-72D" Type="http://www.w3.org/2001/04/xmlenc#Content"
           xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
             <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
             <xenc:CipherData>
                <xenc:CipherValue>R73k9aDjsQj+ubnmL2ykjnJSobty0IeZJO3it
                 BpQ2vSS4g+oVX81Zon+ucH2Q8PkoV38z/8Ck53YC7+qy4Hp+h+PSJIJ77FzC
                 QMktrP4etBIU2qYuuCP2K4ZN7i3/XhwTEJ2KAfLJpZTBIiHcAEXxq/SX/rXu
                 zFzOUJ99iTCZNx2RFhh5meaPrr9sJNFQmKG0iASxcYyF6MroZSXP6RCBjXYf
                 mSAAAshR4je3G3lF657eQdcfkwkkB+wYMr5wiQRl/WfRF6vyscmVOtGXNGjO
                 7nqiCvp2zRKl8HAzS5don800AQqy7RMOZHogsVq7HqG4qoD/ctf+7kGtcxNY
                 h6wEpcfAZriaU5TJYIAaoyAknu160a1UJcGbVr91Aw8X2OFbod29soDctNz+
                 H2n2TY9NLLMOkXHYDqqavXV7JC9uyMKK+rwL2fd9tutIuno4QGNCwSzrBgSF
                 nUnbPKn5kSmId1aQYIPqEylpcORAmZJVqHQaoaGjYJcUXwU/
                 miD9ZbfmwldH2LL3ku66uzC7n1L/zSedKdc8RfQRpJLJGTmX6Q=</xenc:CipherValue>
             </xenc:CipherData>
          </xenc:EncryptedData>
       </soap:Body>
    </soap:Envelope>

    You can see that the encrypted values are included in the message, whereas the business part no longer appears in clear. The first EncryptedData block (Type "#Element", Id G0xb8b5b0b0-5D) replaces the CA_groupHeader block in the SOAP header, and the second (Type "#Content", Id G0xb0e89b10-72D) replaces the content of the SOAP body. Each block has its own EncryptedKey in the wsse:Security header, which carries the AES-256 session key wrapped with RSA-OAEP for the provider appliance's certificate (identified by its subject key identifier) and points back to the block through its ReferenceList. The original signature, Timestamp and BinarySecurityToken are left in place, so the provider appliance can still verify the signature after decryption.

  3. Listing 3 shows the response message submitted by the service provider. This response message is signed by the service provider.
    Listing 3. Response message as submitted by the service provider
    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:ca_erreurs="http://referentiel.ca.fr/ErreursV1">
       <soap:Header>
          <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
             <wsu:Timestamp wsu:Id="Timestamp-27f2fda2-3490-4966-8b73-158c9f8abdbd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <wsu:Created>2013-06-20T22:39:20Z</wsu:Created>
                <wsu:Expires>2013-06-20T22:44:20Z</wsu:Expires>
             </wsu:Timestamp>
             <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                   <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                   <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                   <Reference URI="#Id-a6caf813-835d-4c97-a3b8-5978c9fa530b">
                      <Transforms>
                         <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                      </Transforms>
                      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                      <DigestValue>Ohidz0sv+pA7Ji/pzbJPiUFus/Qy7udkChmaXYWRbKw=</DigestValue>
                   </Reference>
                   <Reference URI="#Timestamp-27f2fda2-3490-4966-8b73-158c9f8abdbd">
                      <Transforms>
                         <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                      </Transforms>
                      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                      <DigestValue>HTe3PWTkReROdKu5e3U83l9ihIAtEe3vrbhu9fHlt6U=</DigestValue>
                   </Reference>
                </SignedInfo>
                <SignatureValue>aZmF34LSXiNETmcu7hIN5bReeUkPPmeR/Ty3PL5a02FKO5PNtY7tOzo8To0FAYvngKvJ4VlgAaEhGDyerWGTw6Gfuo2O2GYIC35shiMdz1EC5kaj3g/nNAPQcKpfd1+1IZmgW/TA7cAsnTCyB2YDoNSQFAOEFcbCWjRyQOrM9qSqUmn1at7nKUBgPuwtjuo7K8eVpFkLPNZ4SVPbBlkCPIidkdpp0Nfs7MmuqqfQcLNZsDQHUwnk0XV9whys9XEPdhrsJDySmXwoITCo4XoSK+STsLPEYNzTHOjt+i0658TeC2qXXbjFCCQvxWntx8gkzxgIGMigCYvIMyvlOWjoRA==</SignatureValue>
                <KeyInfo>
                   <wsse:SecurityTokenReference xmlns="">
                      <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">2U7VibA3eDNHoMltReOjaWmu8tI=</wsse:KeyIdentifier>
                   </wsse:SecurityTokenReference>
                </KeyInfo>
             </Signature>
          </wsse:Security>
       </soap:Header>
       <soap:Body wsu:Id="Id-a6caf813-835d-4c97-a3b8-5978c9fa530b" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <poc1:getMsgSignChiffrResponse xmlns:poc1="http://www.credit-agricole.fr/interop/POC1/">
             <poc1:solde date_effet="2001-12-17T09:30:47Z" montant="3.14159E0"/>
          </poc1:getMsgSignChiffrResponse>
       </soap:Body>
    </soap:Envelope>
  4. Listing 4 shows the response message as output by the providing appliance. This response message has been encrypted by the WS-Policy framework of the providing appliance, running in enforce mode.
    Listing 4. Response message as output by the providing appliance
    <soap:Envelope xmlns:ca_erreurs="http://referentiel.ca.fr/ErreursV1" xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
       <soap:Header>
          <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
             <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                   <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                </xenc:EncryptionMethod>
                <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                   <wsse:SecurityTokenReference>
                      <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">9/KtRCAZxbib89CGxqHpk4NLBTU=</wsse:KeyIdentifier>
                   </wsse:SecurityTokenReference>
                </dsig:KeyInfo>
                <xenc:CipherData xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                   <xenc:CipherValue>aZxmu0hXuYsP6KS68uz0EZ2up3J1nz7rpw2i541ByOOGsOljJ+4uAklI0VqJxFCAFlB6OsMMl3zMIlomJVriFMq4rYpw/RzRxzHL1ygOoUrrliuhBGrZ4kzf02nFx5w89Du/YA2dnA2XsU6ZbszwMZcYDpJIhCc7kPVXxbbDJRvXezk4fKd9a3PEl+kPJUNOfu58Pf27hp/HklbJyXoNv8XzEKrBCCaWHfDy4/2+EuYrOPmFNKrInSzGXZzmmh0pOJUDOrvfsQE0cScGK/Ep/rQ4YhHaFZ5LqjH9/wbbOEjvkgez58vq0kwHsyHqeDa2s9bC2oeJqWSqtANw/q9nOA==</xenc:CipherValue>
                </xenc:CipherData>
                <xenc:ReferenceList>
                   <xenc:DataReference URI="#G0xb8730d80-3fD"/>
                </xenc:ReferenceList>
             </xenc:EncryptedKey>
             <wsu:Timestamp wsu:Id="Timestamp-27f2fda2-3490-4966-8b73-158c9f8abdbd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <wsu:Created>2013-06-20T22:39:20Z</wsu:Created>
                <wsu:Expires>2013-06-20T22:44:20Z</wsu:Expires>
             </wsu:Timestamp>
             <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                   <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                   <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                   <Reference URI="#Id-a6caf813-835d-4c97-a3b8-5978c9fa530b">
                      <Transforms>
                         <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                      </Transforms>
                      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                      <DigestValue>Ohidz0sv+pA7Ji/pzbJPiUFus/Qy7udkChmaXYWRbKw=</DigestValue>
                   </Reference>
                   <Reference URI="#Timestamp-27f2fda2-3490-4966-8b73-158c9f8abdbd">
                      <Transforms>
                         <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                      </Transforms>
                      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                      <DigestValue>HTe3PWTkReROdKu5e3U83l9ihIAtEe3vrbhu9fHlt6U=</DigestValue>
                   </Reference>
                </SignedInfo>
                <SignatureValue>aZmF34LSXiNETmcu7hIN5bReeUkPPmeR/Ty3PL5a02FKO5PNtY7tOzo8To0FAYvngKvJ4VlgAaEhGDyerWGTw6Gfuo2O2GYIC35shiMdz1EC5kaj3g/nNAPQcKpfd1+1IZmgW/TA7cAsnTCyB2YDoNSQFAOEFcbCWjRyQOrM9qSqUmn1at7nKUBgPuwtjuo7K8eVpFkLPNZ4SVPbBlkCPIidkdpp0Nfs7MmuqqfQcLNZsDQHUwnk0XV9whys9XEPdhrsJDySmXwoITCo4XoSK+STsLPEYNzTHOjt+i0658TeC2qXXbjFCCQvxWntx8gkzxgIGMigCYvIMyvlOWjoRA==</SignatureValue>
                <KeyInfo>
                   <wsse:SecurityTokenReference xmlns="">
                      <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">2U7VibA3eDNHoMltReOjaWmu8tI=</wsse:KeyIdentifier>
                   </wsse:SecurityTokenReference>
                </KeyInfo>
             </Signature>
          </wsse:Security>
       </soap:Header>
       <soap:Body wsu:Id="Id-a6caf813-835d-4c97-a3b8-5978c9fa530b" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <xenc:EncryptedData Id="G0xb8730d80-3fD" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
             <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
             <xenc:CipherData>
                <xenc:CipherValue>rXhk1pT8/96qCX4R/9QDu7+nNuBk/d6JapqpmvfLBOFhaAwgrtz82rJJQkFPbXdWwi+QNnUAzjb8o2t3Lm9ETNYXg1WHqKZimM45JKf1KUt5j2Cg1JTid3Utm+Qe9AwZWoCSQXJGE6fDucAMeuvqdOVhrGtS2iqVdrgPtyo3z1OxuFq8Lygq0o8sntiDLcm0ZPmU70+NGK1sxgVZ8pJA6euIMjZZkOSpCWkkm40nhnHSAF8DxfA0pz1p59xwYogP+SIaHT+0n0h5NZcLYJLxMOYogZgkpFtXZI6dSEMfIThe52aAbrKvO+67biK+OnjngLKdRVFpbq0QFThx0F8ScQQwoPItAnV78twulmMJoSqGF176scBnoD4qRAqZY/FinUjX6PXQq4A6URrUdfCTVDMJb94bIUvstN+NMsCk2hxzc0bGEULaIloEapdttZWR3QqCgr4GeLbWh3lu7npJtsabJdzs69MiSA9et9S7OiZdvwYlEEeXpBWNRm/lIeAFG6G6wn09zhY4XArJGzeauAbKvzhjhTmbqWs7cnjH89dh9faDeZrPWVsglXLsbqz3</xenc:CipherValue>
             </xenc:CipherData>
          </xenc:EncryptedData>
       </soap:Body>
    </soap:Envelope>
  5. Listing 5 shows the response message received by the service consumer.
    Listing 5. Response message received by the service consumer
    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:ca_erreurs="http://referentiel.ca.fr/ErreursV1">
       <soap:Header>
          <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
             <wsu:Timestamp wsu:Id="Timestamp-27f2fda2-3490-4966-8b73-158c9f8abdbd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <wsu:Created>2013-06-20T22:39:20Z</wsu:Created>
                <wsu:Expires>2013-06-20T22:44:20Z</wsu:Expires>
             </wsu:Timestamp>
             <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                   <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                   <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                   <Reference URI="#Id-a6caf813-835d-4c97-a3b8-5978c9fa530b">
                      <Transforms>
                         <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                      </Transforms>
                      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                      <DigestValue>Ohidz0sv+pA7Ji/pzbJPiUFus/Qy7udkChmaXYWRbKw=</DigestValue>
                   </Reference>
                   <Reference URI="#Timestamp-27f2fda2-3490-4966-8b73-158c9f8abdbd">
                      <Transforms>
                         <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                      </Transforms>
                      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                      <DigestValue>HTe3PWTkReROdKu5e3U83l9ihIAtEe3vrbhu9fHlt6U=</DigestValue>
                   </Reference>
                </SignedInfo>
                <SignatureValue>aZmF34LSXiNETmcu7hIN5bReeUkPPmeR/Ty3PL5a02FKO5PNtY7tOzo8To0FAYvngKvJ4VlgAaEhGDyerWGTw6Gfuo2O2GYIC35shiMdz1EC5kaj3g/nNAPQcKpfd1+1IZmgW/TA7cAsnTCyB2YDoNSQFAOEFcbCWjRyQOrM9qSqUmn1at7nKUBgPuwtjuo7K8eVpFkLPNZ4SVPbBlkCPIidkdpp0Nfs7MmuqqfQcLNZsDQHUwnk0XV9whys9XEPdhrsJDySmXwoITCo4XoSK+STsLPEYNzTHOjt+i0658TeC2qXXbjFCCQvxWntx8gkzxgIGMigCYvIMyvlOWjoRA==</SignatureValue>
                <KeyInfo>
                   <wsse:SecurityTokenReference xmlns="">
                      <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">2U7VibA3eDNHoMltReOjaWmu8tI=</wsse:KeyIdentifier>
                   </wsse:SecurityTokenReference>
                </KeyInfo>
             </Signature>
          </wsse:Security>
       </soap:Header>
       <soap:Body wsu:Id="Id-a6caf813-835d-4c97-a3b8-5978c9fa530b" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <poc1:getMsgSignChiffrResponse xmlns:poc1="http://www.credit-agricole.fr/interop/POC1/">
             <poc1:solde date_effet="2001-12-17T09:30:47Z" montant="3.14159E0"/>
          </poc1:getMsgSignChiffrResponse>
       </soap:Body>
    </soap:Envelope>

    This message has been decrypted by the response rule of the consuming appliance, so the business data is visible in clear again while the provider's signature and timestamp remain in the header.
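As an added example (not code from the article or from the appliance), the kind of structural check the filter mode has to make on a response shaped like Listing 4 before accepting it: the Body must contain nothing but EncryptedData, the EncryptedKey must reference that block, the algorithms must be the ones the policy allows, and the provider's signature must still cover the Body and the Timestamp. The function names are mine, and the sample message with its placeholder cipher values is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"soap": "http://www.w3.org/2003/05/soap-envelope",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "xenc": "http://www.w3.org/2001/04/xmlenc#", "ds": "http://www.w3.org/2000/09/xmldsig#"}
WSU_ID = "{%s}Id" % NS["wsu"]
# Algorithms the (assumed) policy allows: the ones the appliance used in Listing 4.
ALLOWED = {"data": {"http://www.w3.org/2001/04/xmlenc#aes256-cbc"},
           "key": {"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"}}

def _alg(node):
    """Algorithm URI of an EncryptedKey/EncryptedData element, or None if absent."""
    m = node.find("xenc:EncryptionMethod", NS) if node is not None else None
    return m.get("Algorithm") if m is not None else None

def check_encrypted_response(xml_text):
    """Structural filter over one response: a dict of booleans, all of which must be True."""
    root = ET.fromstring(xml_text)
    body = root.find("soap:Body", NS)
    sec = root.find("soap:Header/wsse:Security", NS)
    ts = sec.find("wsu:Timestamp", NS) if sec is not None else None
    enc_data = body.find("xenc:EncryptedData", NS) if body is not None else None
    enc_key = sec.find("xenc:EncryptedKey", NS) if sec is not None else None
    key_refs = {r.get("URI") for r in enc_key.findall("xenc:ReferenceList/xenc:DataReference", NS)} if enc_key is not None else set()
    signed = {r.get("URI") for r in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)} if sec is not None else set()
    return {
        # the Body must hold exactly one child and it must be EncryptedData: no plaintext business element
        "body_is_encrypted": enc_data is not None and len(list(body)) == 1,
        "data_alg_allowed": _alg(enc_data) in ALLOWED["data"],
        "key_alg_allowed": _alg(enc_key) in ALLOWED["key"],
        # the wrapped session key must point at the EncryptedData it protects
        "key_references_body": enc_data is not None and "#" + enc_data.get("Id", "") in key_refs,
        # the provider's signature, left intact by the appliance, must still cover Body and Timestamp
        "body_signed": body is not None and "#" + body.get(WSU_ID, "") in signed,
        "timestamp_signed": ts is not None and "#" + ts.get(WSU_ID, "") in signed,
    }

# Constructed, abbreviated message in the shape of Listing 4 (cipher and signature values are placeholders).
SAMPLE = """<soap:Envelope xmlns:soap="%(soap)s"><soap:Header>
<wsse:Security xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:xenc="%(xenc)s" xmlns:ds="%(ds)s">
<xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<xenc:CipherData><xenc:CipherValue>WRAPPED-KEY-PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
<xenc:ReferenceList><xenc:DataReference URI="#G1"/></xenc:ReferenceList></xenc:EncryptedKey>
<wsu:Timestamp wsu:Id="T1"><wsu:Created>2013-06-20T22:39:20Z</wsu:Created></wsu:Timestamp>
<ds:Signature><ds:SignedInfo><ds:Reference URI="#B1"/><ds:Reference URI="#T1"/></ds:SignedInfo>
<ds:SignatureValue>SIGNATURE-PLACEHOLDER</ds:SignatureValue></ds:Signature></wsse:Security></soap:Header>
<soap:Body xmlns:wsu="%(wsu)s" wsu:Id="B1"><xenc:EncryptedData Id="G1" xmlns:xenc="%(xenc)s">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<xenc:CipherData><xenc:CipherValue>CIPHERTEXT-PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData></soap:Body></soap:Envelope>""" % NS
```

A response whose Body still carries the plaintext poc1 element, or which uses an algorithm outside the allowed sets, fails one of the checks and should be rejected rather than forwarded.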


Conclusion

Part 2 described the DataPower configuration needed to run the first scenario from Part 1: the service consumer and the service provider apply message integrity (a signature), while the DataPower appliances apply privacy through message encryption. Part 3 will describe the DataPower configuration needed to run the second scenario: the service consumer and the service provider apply no security to the message at all, while the DataPower appliances apply both privacy through message encryption and integrity through a message signature.

Acknowledgments

The author would like to thank Shiu-Fun Poon and Joel Gauci for their help with the Proof of Concept that evolved into this article series.
