I am trying to use the out-of-the-box capabilities of DataPower to validate a SOAP message using WS-Security. All messages have been digitally signed. We have the public keys to validate against stored in the Valcred. The selected option on the AAA Authenticate tab is "Validate the Signer Certificate for a Digitally Signed Message."
The challenge is the client can use any of these four Key Identifier Types in their signature:
- Issuer Name and Serial Number
- X509 Certificate
- Subject Key Identifier
DataPower seems to accept the Binary and Subject Key Identifier types by default, but it fails AAA because it can't find the tokens for Issuer Name and Serial Number and X509 Certificate. I have the XPath definition empty at this point for the test of all four types. Two types work and two types fail.
Can DataPower, using the standard AAA options on the Authenticate tab, validate options #1 or #3?
Why does DataPower seem to accept #2 and #4 by default? There is no indication on the screen of which of the four Key Identifier Types are available or will be used.
If you have SOAPUI, these are also the four options shown when you send a SOAP message with a signature.
Would the only solution be to set up a custom AAA where the type of key is first determined before attempting the signature validation?
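As a worked illustration of the "determine the key identifier type first" step the question ends with, the following Python classifier is an added example, not code from the original post or from DataPower (where the equivalent would be an XPath or XSLT step in a custom AAA policy). It inspects the wsse:SecurityTokenReference inside ds:KeyInfo and reports which of the four SOAPUI-style forms (Binary Security Token, Issuer Name and Serial Number, X509 Certificate, Subject Key Identifier) the signer used; the sample signatures are constructed with placeholder values, and the ValueType URIs are the ones defined by the WS-Security 1.0 X.509 token profile.

```python
import xml.etree.ElementTree as ET

# Namespaces and ValueType URIs from the WS-Security 1.0 X.509 token profile.
NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
VT_X509V3 = X509_PROFILE + "#X509v3"
VT_SKI = X509_PROFILE + "#X509SubjectKeyIdentifier"

def key_identifier_type(signature_xml: str) -> str:
    """Classify how a ds:Signature's KeyInfo points at the signer's certificate."""
    root = ET.fromstring(signature_xml)
    str_el = root.find(".//ds:KeyInfo/wsse:SecurityTokenReference", NS)
    if str_el is None:
        return "unknown"
    # Direct reference (URI="#id") to a BinarySecurityToken carried in the header.
    if str_el.find("wsse:Reference", NS) is not None:
        return "Binary Security Token"
    # Issuer DN plus serial number, the XML-DSig X509IssuerSerial form.
    if str_el.find("ds:X509Data/ds:X509IssuerSerial", NS) is not None:
        return "Issuer Name and Serial Number"
    ki = str_el.find("wsse:KeyIdentifier", NS)
    value_type = ki.get("ValueType") if ki is not None else None
    # Whole certificate: either ds:X509Certificate or an X509v3 KeyIdentifier.
    if str_el.find("ds:X509Data/ds:X509Certificate", NS) is not None or value_type == VT_X509V3:
        return "X509 Certificate"
    # Base64 value of the certificate's SubjectKeyIdentifier extension.
    if value_type == VT_SKI:
        return "Subject Key Identifier"
    return "unknown"

def _sig(str_body: str) -> str:
    # Wrap a SecurityTokenReference body in a minimal ds:Signature (constructed sample).
    return (f'<ds:Signature xmlns:ds="{NS["ds"]}" xmlns:wsse="{NS["wsse"]}"><ds:KeyInfo>'
            f"<wsse:SecurityTokenReference>{str_body}</wsse:SecurityTokenReference>"
            "</ds:KeyInfo></ds:Signature>")

# Constructed samples, one per key identifier type; values are placeholders, not real keys.
SAMPLES = {
    "bst": _sig(f'<wsse:Reference URI="#X509-1" ValueType="{VT_X509V3}"/>'),
    "issuer_serial": _sig("<ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=Example CA"
                          "</ds:X509IssuerName><ds:X509SerialNumber>1234</ds:X509SerialNumber>"
                          "</ds:X509IssuerSerial></ds:X509Data>"),
    "x509": _sig("<ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data>"),
    "ski": _sig(f'<wsse:KeyIdentifier ValueType="{VT_SKI}">PLACEHOLDER</wsse:KeyIdentifier>'),
}
```

Running `key_identifier_type` over each entry of `SAMPLES` returns the four type names in turn; a custom AAA step could branch on that result before handing the message to signature validation.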