Signing of SOAP messages

For inbound messages, CICS supports digital signatures on elements in the SOAP body and on SOAP header blocks. For outbound messages, CICS signs all elements in the SOAP body.

A SOAP message is an XML document, consisting of an <Envelope> element, which contains an optional <Header> element and a mandatory <Body> element.

The WSS: SOAP Message Security specification permits the contents of the <Header> and the <Body> to be signed at the element level. That is, in a given message, individual elements can be signed or not, or can be signed with different signatures or using different algorithms. For example, in a SOAP message used in an online purchasing application, it is appropriate to sign elements that confirm receipt of an order, because these elements might have legal status. However, to avoid the overhead of signing the entire message, other information might safely be left unsigned.

For inbound messages, the security message handler can verify the digital signature on individual elements in the SOAP <Header> and the <Body>:

For outbound messages, the security message handler can sign the SOAP <Body> only; it does not sign the <Header>. The algorithm and key used to sign the body are specified in the handler configuration information.
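As an added example (not CICS or IBM code), this Python function reports which parts of a message are referenced by the WS-Security signature, showing that a body-only signature leaves header blocks uncovered. It assumes SOAP 1.1, references made by wsu:Id, and a constructed message using a hypothetical ord: namespace; it checks coverage only and does not verify the signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/"
              "oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
WSU_ID = "{%s}Id" % WSU

# Constructed sample: body signed, application header block unsigned.
# Digest and signature values are omitted; only the references matter here.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
 xmlns:ds="{NS['ds']}" xmlns:wsu="{WSU}" xmlns:ord="urn:example:orders">
 <soap:Header>
  <wsse:Security><ds:Signature><ds:SignedInfo>
   <ds:Reference URI="#body-1"/>
  </ds:SignedInfo></ds:Signature></wsse:Security>
  <ord:Routing wsu:Id="hdr-1">warehouse-7</ord:Routing>
 </soap:Header>
 <soap:Body wsu:Id="body-1"><ord:Receipt>order 1001 accepted</ord:Receipt></soap:Body>
</soap:Envelope>"""

def signature_coverage(xml_text):
    """Map Body and each non-security header block to True if a ds:Reference covers it."""
    env = ET.fromstring(xml_text)  # use a hardened parser for untrusted input
    body = env.find("soap:Body", NS)
    if body is None:
        raise ValueError("SOAP <Body> is mandatory")
    # Two elements sharing one wsu:Id make "#id" ambiguous, so refuse to judge.
    ids = [e.get(WSU_ID) for e in env.iter() if e.get(WSU_ID)]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate wsu:Id makes references ambiguous")
    path = "soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference"
    signed = {r.get("URI", "")[1:] for r in env.iterfind(path, NS)
              if r.get("URI", "").startswith("#")}
    header = env.find("soap:Header", NS)
    blocks = [] if header is None else [
        h for h in header if h.tag != "{%s}Security" % NS["wsse"]]
    return {el.tag.split("}")[-1]: el.get(WSU_ID) in signed
            for el in [body, *blocks]}

if __name__ == "__main__":
    for name, covered in signature_coverage(SAMPLE).items():
        print(f"{name:10} {'signed' if covered else 'UNSIGNED'}")
```

A receiver that relies on a header block should confirm it appears as covered here before trusting its contents.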



Last updated: Thursday, 27 June 2019