Pinned topic: Reject Unencrypted Messages
13 replies, latest post 2013-12-23T17:44:17Z by MikeC..

MikeC.. (9 Posts)
2013-12-19T23:03:05Z

I have set up an XML firewall which decrypts, verifies the signature and passes the message to my back-end web service. I have found that DataPower accepts unencrypted messages through this firewall. I would like to force messages to be sent encrypted and reject unencrypted ones. Does anyone have a good solution for this?

Thanks.

  • JoeMorganNTST (427 Posts)
    ACCEPTED ANSWER

    Re: Reject Unencrypted Messages

    2013-12-20T23:09:55Z
    In reply to MikeC.., 2013-12-20T22:56:54Z:

    > I guess I'm not exactly sure how to do this. The validation rules seemed to want to reference the schema (which wouldn't have the WS-Security elements in them).

    Don't use schema validation. Just add a Filter action to your XMLFW processing rule prior to the Decrypt that uses a stylesheet to check for the existence of the CipherData or EncryptedData element... and, if the one you choose isn't present, reject.

    Alternatively, you could use an Extract action (under Advanced) to extract the EncryptedData element into a variable. Then, if that variable is empty, reject.

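As an added illustration of the Filter-before-Decrypt approach (an example stylesheet written for this thread, not Joe's or IBM's own code), the following is a DataPower Filter action stylesheet for the XMLFW request rule. It goes one step beyond the reply above: besides requiring EncryptedData with a CipherValue in the Body, it also requires the EncryptedKey in the Security header that the Body's data refers to, and it rejects a Body that carries any plaintext element beside the cipher text. The element paths follow the encrypted sample Mike posts further down the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Added example, not from the thread: stylesheet for a Filter action placed
  before the Decrypt action in the XMLFW request rule. It accepts only when
  the Body is an xenc:EncryptedData with cipher text, the Security header
  carries the EncryptedKey that refers to it, and no plaintext element sits
  in the Body beside the encrypted content.
-->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    extension-element-prefixes="dp"
    exclude-result-prefixes="soapenv wsse xenc">

  <xsl:template match="/">
    <!-- Encrypted Body content, as in the sample: EncryptedData/CipherData/CipherValue. -->
    <xsl:variable name="encData"
        select="/soapenv:Envelope/soapenv:Body/xenc:EncryptedData[xenc:CipherData/xenc:CipherValue]"/>
    <!-- Wrapped session key in the Security header whose ReferenceList points at that data. -->
    <xsl:variable name="encKey"
        select="/soapenv:Envelope/soapenv:Header/wsse:Security/xenc:EncryptedKey
                [xenc:CipherData/xenc:CipherValue]
                [xenc:ReferenceList/xenc:DataReference/@URI = concat('#', $encData/@Id)]"/>
    <!-- Anything else in the Body means plaintext arrived next to (or instead of) cipher text. -->
    <xsl:variable name="plain"
        select="/soapenv:Envelope/soapenv:Body/*[not(self::xenc:EncryptedData)]"/>

    <xsl:choose>
      <xsl:when test="count($encData) = 1 and $encKey and not($plain)">
        <dp:accept/>
      </xsl:when>
      <xsl:otherwise>
        <!-- Detail goes to the device log; the error rule decides what the client sees. -->
        <xsl:message dp:priority="error">
          <xsl:text>Filter reject: Body is not encrypted (EncryptedData/EncryptedKey missing or plaintext present)</xsl:text>
        </xsl:message>
        <dp:reject>Message is not encrypted</dp:reject>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>
</xsl:stylesheet>
```

The reject text is what the default error response would show; keeping it generic here matters only until an error rule replaces the client-facing message.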
  • inestlerode (166 Posts)

    Re: Reject Unencrypted Messages

    2013-12-19T23:20:29Z

    You could precede the decrypt action with a schema validation action that rejects XML messages that aren't encrypted in the appropriate places.

  • MikeC.. (9 Posts)

    Re: Reject Unencrypted Messages

    2013-12-20T16:41:13Z

    I'm not having much luck with this approach. I seem to be getting schema validation errors on the WS-Security tags even though I've tried creating a schema exception map based off the encrypted request. Does anyone have any examples they could share, or other methods to accomplish this?

    Thanks.

  • JoeMorganNTST (427 Posts)

    Re: Reject Unencrypted Messages

    2013-12-20T19:52:39Z
    In reply to MikeC.., 2013-12-20T16:41:13Z:

    > I'm not having much luck with this approach. I seem to be getting schema validation errors on the WS-Security tags even though I've tried creating a schema exception map based off the encrypted request. Does anyone have any examples they could share, or other methods to accomplish this?
    >
    > Thanks.

    Can you provide a quick example of the message encrypted, then decrypted?

  • MikeC.. (9 Posts)

    Re: Reject Unencrypted Messages

    2013-12-20T22:30:54Z

    > Can you provide a quick example of the message encrypted, then decrypted?

    Here is an example of the unencrypted request, and below that is the encrypted request.

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:per="/ws/MyService">
       <soapenv:Header/>
       <soapenv:Body>
          <per:getList>
             <client>ABCD</client>
             <id>0000000</id>
             <siteName>ABCD</siteName>
             <userID>abcd</userID>
             <password>defg</password>
             <Types>1234AB</Types>
             <requestID>request1234</requestID>
          </per:getList>
       </soapenv:Body>
    </soapenv:Envelope>

    <soapenv:Envelope xmlns:per="/ws/MyService" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
       <soapenv:Header>
          <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
             <xenc:EncryptedKey Id="EncKeyId-026E0EFAD20AF2DB2C13875777315935">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                   <wsse:SecurityTokenReference>
                      <ds:X509Data>
                         <ds:X509IssuerSerial>
                            <ds:X509IssuerName>CN=MY CA,OU=CERTS,OU=COM,O=My Organization,C=US</ds:X509IssuerName>
                            <ds:X509SerialNumber>25700</ds:X509SerialNumber>
                         </ds:X509IssuerSerial>
                      </ds:X509Data>
                   </wsse:SecurityTokenReference>
                </ds:KeyInfo>
                <xenc:CipherData>
                   <xenc:CipherValue>g88/FavRmto02sVAnDLi6PvbRNtUR4bhmmk5zdy75ZeFtgGaTGiEUkyzq/rSNbp6FQcn7fmBtcVv07wSt4W381spl+ljebgGAOdr7Ytg4QoQbM1IEAYDy8SQcpj7NUkDtddMn6ims6/8HQTnbG6ZuQwGPQqTNH2HrWwHF8AQqDk2OIGzW1rpt6HsFtzN7CXUYcvnZA3o6gKZJOVZw4QNKWre5sGU5J5oI+bXiX12FWAQFfzXc24DZF+g7YsI9nSXbRsHPaWH8LxNumZ4fZh72ZdT9VFkZ1Iq990cDzdGDnRI0OS2pMM/5vMU04la/mXs44iDgeb5tnZxzKsouU69QA==</xenc:CipherValue>
                </xenc:CipherData>
                <xenc:ReferenceList>
                   <xenc:DataReference URI="#EncDataId-3"/>
                </xenc:ReferenceList>
             </xenc:EncryptedKey>
             <ds:Signature Id="Signature-1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                   <ds:Reference URI="#id-2">
                      <ds:Transforms>
                         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                      </ds:Transforms>
                      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                      <ds:DigestValue>cjPSFfbg1YiSvnLpNA08Xw81EupUz0hNowUVHyxG4TM=</ds:DigestValue>
                   </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>
                   AZwt38i9L9o8s8wI9R2NsmtOL9MbHHIQ3fedk6IUdzlPXAtpLXf7V2NUUnvxTT8cCpeBuAp2XIt5
                   PD3aKkcnxBthhbZJ2liASfU01ZfSgx3u+qHW0Gbmq016eyypC9Hs3+TinFk0DVCMAIGTKmSAc36P
                   VPjZXtxwmYHFbZlIre8BemchqYmFFP2j5SiF6f1UaTPkxpDNMCu6l/iKF6n8tGCgPdQ3x9JnoCwa
                   kf7dTjyzLo52K2lak/s1FyU27clXcw0ebH0pVEzQ3l1tL3VXMyDjlkl4iFAYhmWeHeFHJo3jBB7t
                   ZRN8hMT8Pkl0I+fBQI0RUraQhNXr28R3kSw/Fw==
                </ds:SignatureValue>
                <ds:KeyInfo Id="KeyId-026E0EFAD20AF2DB2C13875777314372">
                   <wsse:SecurityTokenReference wsu:Id="STRId-026E0EFAD20AF2DB2C13875777314373" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                      <ds:X509Data>
                         <ds:X509IssuerSerial>
                            <ds:X509IssuerName>CN=My CA,OU=CERTS,OU=COM,O=My Organization,C=US</ds:X509IssuerName>
                            <ds:X509SerialNumber>25700</ds:X509SerialNumber>
                         </ds:X509IssuerSerial>
                      </ds:X509Data>
                   </wsse:SecurityTokenReference>
                </ds:KeyInfo>
             </ds:Signature>
          </wsse:Security>
       </soapenv:Header>
       <soapenv:Body wsu:Id="id-2" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <xenc:EncryptedData Id="EncDataId-3" Type="http://www.w3.org/2001/04/xmlenc#Content">
             <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
             <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                   <wsse:Reference URI="#EncKeyId-026E0EFAD20AF2DB2C13875777315935"/>
                </wsse:SecurityTokenReference>
             </ds:KeyInfo>
             <xenc:CipherData>
                <xenc:CipherValue>bVXk5Jv2dO2Q32yXWDcg6SpQLgA8TMJ0L0xXzt56Ap5TsGqi4gDvHNKDSMpN31rkamsCnt4/dt6G
                oG9pYKn2tlS4aPQwqHDeDC1RkirQ/1ItwlfsbpE1nvK6nLoqlMgy3/fftkDxULMT9Gaj2/GnGc+J
                +BRzza8TBy5PEKaoPje55KZtHYmXuYQmpVdm0qHuSyLgoClr+xpSu/jff7o0M2KyTIJ03W/copXN
                hh2nQ+qaogAbtk5bZ4EWaSYmFUr+eO+jT8Vh62yRaOTLfHWkf2KZsbgxQ9XbgM8fkXsorPXTx0Mt
                Vbb4A0w4PCw8eOKdC+Esczd1q6kOb4/PeILH0iPAqDbsxV4JDUX8nJmz7yLiJVcsDiMe0C864TzU
                pVEfiHc7NStGQfORbx62uWaFFOjdjKCmIBvLs9dcWDQ9ND7FA+GikuSj8pEf2cfTpPtIgtk2LrK1
                WEaKQomiJdzmDQDFdMMaxvrh7sZYhtnRE3IUNVpdsaux4vHIXviMmwmjvjRJ6tHVJQmzzIbc9VCU
                HSFzeP/h3tGnadZ0alUoA20GQQrBxwmBBfJ+qoGcDiLjT4NNXsOSEj/Y2Fe1IlY0uOxLuKMNxBc6
                e8++pTnRk5bfdaVyJQC7Lk9tm3QIk6Tm9foa8oLRpY6A8NFkjuC12m7X6w8fo4nDaMAm0hFccwaa
                k7g0hFYN70v4cn1SCqFwi9vHaYP6s/GRIggAMtDTXBnGTkPF/YzFzuPxgnkbJPU=</xenc:CipherValue>
             </xenc:CipherData>
          </xenc:EncryptedData>
       </soapenv:Body>
    </soapenv:Envelope>


  • JoeMorganNTST (427 Posts)

    Re: Reject Unencrypted Messages

    2013-12-20T22:49:34Z
    In reply to MikeC.., 2013-12-20T22:30:54Z:

    > Here is an example of the unencrypted request, and below that is the encrypted request.
    > (quotes the unencrypted and encrypted request samples from the post above)


    So, if the message doesn't have the "CipherData" element, reject it.

  • MikeC.. (9 Posts)

    Re: Reject Unencrypted Messages

    2013-12-20T22:56:54Z

    I guess I'm not exactly sure how to do this. The validation rules seemed to want to reference the schema (which wouldn't have the WS-Security elements in them).

  • MikeC.. (9 Posts)

    Re: Reject Unencrypted Messages

    2013-12-23T15:50:57Z

    > Don't use schema validation. Just add a Filter action to your XMLFW processing rule prior to the Decrypt that uses a stylesheet to check for the existence of the CipherData or EncryptedData element... and, if the one you choose isn't present, reject.
    >
    > Alternatively, you could use an Extract action (under Advanced) to extract the EncryptedData element into a variable. Then, if that variable is empty, reject.

    Thanks, Joe. The Filter with the required elements method works great! One last question: the response back to the client currently lists the element that was missing or the required elements rule. What's the best way to provide a custom error (i.e. "A required element was not found" rather than giving all the specifics) for just the Filter action?

    Thanks for all your help!

    Mike

  • JoeMorganNTST (427 Posts)

    Re: Reject Unencrypted Messages

    2013-12-23T15:59:54Z
    In reply to MikeC.., 2013-12-23T15:50:57Z:

    > Thanks, Joe. The Filter with the required elements method works great! One last question: the response back to the client currently lists the element that was missing or the required elements rule. What's the best way to provide a custom error (i.e. "A required element was not found" rather than giving all the specifics) for just the Filter action?
    >
    > Thanks for all your help!
    >
    > Mike

    You'd do that via an error rule. Trap the error code from the reject (can't recall it exactly right now), and build whatever error message you want. For security reasons, maybe it should be something simple like "Invalid message format".

  • MikeC.. (9 Posts)

    Re: Reject Unencrypted Messages

    2013-12-23T17:03:34Z

    > You'd do that via an error rule. Trap the error code from the reject (can't recall it exactly right now), and build whatever error message you want. For security reasons, maybe it should be something simple like "Invalid message format".

    Thanks. I was able to create an error rule which traps the code (0x00d30003 in this case) and then performs a Fetch action to GET an XML page I created that returns "Invalid Message Format" to the client.

    Does that make sense, or is there a better way with a Results action? I kept getting internal errors when I tried through Results.

    Thanks.

    Mike

  • JoeMorganNTST (427 Posts)

    Re: Reject Unencrypted Messages

    2013-12-23T17:38:07Z
    In reply to MikeC.., 2013-12-23T17:03:34Z:

    > Thanks. I was able to create an error rule which traps the code (0x00d30003 in this case) and then performs a Fetch action to GET an XML page I created that returns "Invalid Message Format" to the client.
    >
    > Does that make sense, or is there a better way with a Results action? I kept getting internal errors when I tried through Results.
    >
    > Thanks.
    >
    > Mike

    The error rule is the right way. When you reject, it fires an error. You may now need to write other error rules for other conditions, such as when it *doesn't* decrypt, when the validation after decryption fails, etc., but for now, the problem of not allowing unencrypted messages is solved.

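For the custom client-facing error discussed in the last few posts, an added example (written for this thread; not Mike's Fetch-based setup and not IBM code) of a Transform action for the XMLFW error rule: it reads the service error-code and error-message variables, logs the specifics on the device only, and returns a generic SOAP Fault with a 400 status. It assumes the reject is reported as the string 0x00d30003, exactly as Mike observed, and that the error rule ends with a Results action that sends the transform's output to OUTPUT.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Added example, not from the thread: Transform action for the XMLFW error
  rule. Reads the error the Filter reject raised, logs the detail on the
  device only, and hands the client a generic SOAP Fault.
  Assumes the reject is reported as the string 0x00d30003 (Mike's value).
-->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    extension-element-prefixes="dp"
    exclude-result-prefixes="dp">

  <xsl:output method="xml" indent="yes"/>

  <xsl:template match="/">
    <!-- Populated by the device when the processing rule faults. -->
    <xsl:variable name="code" select="dp:variable('var://service/error-code')"/>
    <xsl:variable name="detail" select="dp:variable('var://service/error-message')"/>

    <!-- Specifics (which element was missing, etc.) stay in the device log. -->
    <xsl:message dp:priority="error">
      <xsl:value-of select="concat('Request rejected; code=', $code, '; detail=', $detail)"/>
    </xsl:message>

    <!-- Map the Filter reject to a fixed, non-revealing message. -->
    <xsl:variable name="reason">
      <xsl:choose>
        <xsl:when test="$code = '0x00d30003'">Invalid message format</xsl:when>
        <xsl:otherwise>Request could not be processed</xsl:otherwise>
      </xsl:choose>
    </xsl:variable>

    <!-- Client error, not the default 500 Internal Server Error. -->
    <dp:set-variable name="'var://service/error-protocol-response'" value="'400'"/>
    <dp:set-variable name="'var://service/error-protocol-reason-phrase'" value="'Bad Request'"/>

    <!-- The error rule's output is what the client receives. -->
    <soapenv:Envelope>
      <soapenv:Body>
        <soapenv:Fault>
          <faultcode>soapenv:Client</faultcode>
          <faultstring><xsl:value-of select="$reason"/></faultstring>
        </soapenv:Fault>
      </soapenv:Body>
    </soapenv:Envelope>
  </xsl:template>
</xsl:stylesheet>
```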
  • MikeC.. (9 Posts)

    Re: Reject Unencrypted Messages

    2013-12-23T17:44:17Z

    > The error rule is the right way. When you reject, it fires an error. You may now need to write other error rules for other conditions, such as when it *doesn't* decrypt, when the validation after decryption fails, etc., but for now, the problem of not allowing unencrypted messages is solved.

    Thanks for all your help.