M@yurGharat

Pinned topic PKCS7 Digitally Sign data using xslt

2019-07-11T10:49:44Z

Hi,

I have a requirement where we need to digitally sign data using pkcs-7 format, where the backend expects the data in a query param.

Kindly help with how we can do this.

I have searched some articles but didn't get more info. https://www.ibm.com/developerworks/community/forums/html/topic?id=0485c875-90aa-4ee4-9a34-5da2e7739479

Regards 

  • HermannSW

    Re: PKCS7 Digitally Sign data using xslt

    ‏2019-07-11T11:53:41Z  

    > I have a requirement where we need to digitally sign data using pkcs-7 format, where the backend expects the data in a query param.
    >
    You have to use cryptobinary action:
    https://www.ibm.com/support/knowledgecenter/SS9H2Y_7.6.0/com.ibm.dp.doc/action_signingpkcs7documents.html

    If you look into store:///pkcs7-sign.xsl you will see internal function "dp:pkcs7-sign(., $pkcs7-sign-args)" that is only available if licensed.
    That function is not documented in knowledge center, since it is internal.

    So you can try to mimic what the stylesheet does, but that is not supported.

    Hermann.

  • M@yurGharat

    Re: PKCS7 Digitally Sign data using xslt

    ‏2019-07-11T12:45:37Z  

    How would I know whether this is the licensed one or not?

    I have attached a file of the pkcs7_sign file.

    If you have any sample, kindly share.

    Regards,

    mayur

    Updated on 2019-07-11T13:44:13Z at 2019-07-11T13:44:13Z by HermannSW
  • HermannSW

    Re: PKCS7 Digitally Sign data using xslt

    ‏2019-07-11T13:43:31Z  

    Just look whether you have the DataGlue license:

    idg# show license
    
     Feature            Enabled Available 
     ------------------ ------- --------- 
     MQ                 Yes     Yes       
     TAM                Yes     Yes       
     DataGlue           Yes     Yes       
     ...
    

    Hermann.

     

    P.S:
    Please do not attach copyrighted licensed material to forum postings, I had to delete your attachment.

    Updated on 2019-07-11T13:45:03Z at 2019-07-11T13:45:03Z by HermannSW
  • M@yurGharat

    Re: PKCS7 Digitally Sign data using xslt

    ‏2019-07-11T18:24:48Z  

    Thanks for your reply.

    When I used the Crypto Binary option, my MPGW policy obj goes down.

    Need to check the license.

    Regards,

    Mayur

  • M@yurGharat

    Re: PKCS7 Digitally Sign data using xslt

    ‏2019-07-12T05:22:56Z  

    Hi Hermann,

    I have checked; we don't have the DataGlue license.

     

    idg# show license

     Feature       Enabled Available
     ------------- ------- ---------
     MQ            Yes     Yes
     TAM           Yes     Yes
     JAXP-API      Yes     Yes
     PKCS7-SMIME   Yes     Yes
     WebSphere-JMS Yes     Yes
     RaidVolume    Yes     Yes
     AppOpt        Yes     Yes
     IPv6          Yes     Yes
     Virtual       Yes     Yes
     Language      Yes     Yes
     IDG           Yes     Yes
     RaidFSModify  Yes     Yes
     

    Regards ,

    Mayur .

  • HermannSW

    Re: PKCS7 Digitally Sign data using xslt

    ‏2019-07-12T06:28:19Z  

    Hi,

    please contact your IBM sales representative.

    You will have to buy that license; without it you cannot do PKCS7 encrypt/decrypt/sign/verify with DataPower.

    In case you want to verify that the license provides the functionality you want, you might install the free DataPower developer edition.
    To my knowledge that contains the DataGlue license and you can use it for dev/test (not prod).

    Hermann.


    https://hub.docker.com/r/ibmcom/datapower/

    This image is made available free of charge without IBM support for developer usage. IBM offers other licenses with support for this image, contact IBM for details.

    Updated on 2019-07-12T06:32:02Z at 2019-07-12T06:32:02Z by HermannSW
  • M@yurGharat

    Re: PKCS7 Digitally Sign data using xslt

    ‏2019-07-14T15:03:32Z  

    Hi Hermann,

    I have installed DataPower on my local system as you said, and also done the PKCS sign data configuration. The data is coming like:

    <data contentType="application/octet-stream" contentLength="3409"><![CDATA[MIME-Version: 1.0
    Content-Disposition: attachment; filename="smime.p7m"
    Content-Type: application/x-pkcs7-mime; smime-type=signed-data; name="smime.p7m"
    Content-Transfer-Encoding: base64

    ]]></data>

     

    But my requirement is to digitally sign the data, as the consumer is hitting with a query param and my backend also expects it as a query param, digitally signed.

    Regards,

    Mayur

     

     

    Updated on 2019-07-14T15:27:37Z at 2019-07-14T15:27:37Z by M@yurGharat
  • M@yurGharat

    Re: PKCS7 Digitally Sign data using xslt

    ‏2019-07-15T05:54:33Z  

    Hi,

    Any update on how to do a customized PKCS#7 sign of data?

    Regards,

    Mayur

  • M@yurGharat

    Re: PKCS7 Digitally Sign data using xslt

    ‏2019-07-17T13:50:00Z  

    Hi Hermann,

    Need help to implement this; kindly suggest.

    Regards,

    mayur

  • HermannSW

    Re: PKCS7 Digitally Sign data using xslt

    ‏2019-07-18T10:10:25Z  

    > But my requirement is to digitally sign the data, as the consumer is hitting with a query param and my backend also expects it as a query param, digitally signed.
    >
    So as a first step you extract the query parameters into a context (e.g. with Convert Query Parameters action).
    Then you transform the context into a context you want to sign.
    Then you use a crypto binary action for PKCS7 signing.

    Finally you put the signed result context into the needed backend query format.

    If you start one step after the other you should make quick progress.

    I am not aware of built-in functionality for putting context into the backend URL, so you have to do that (in XSLT or GatewayScript).

    Hermann.

    Updated on 2019-07-18T10:11:19Z at 2019-07-18T10:11:19Z by HermannSW
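
Added example, not part of any forum post above and not IBM's code: the last step described in the 2019-07-18 reply, turning the S/MIME-wrapped PKCS#7 output of the signing action into a query-string value. It is plain JavaScript that uses no DataPower API; the function names, the parameter name `sig` and the sample message (filler base64, not a real signature) are assumptions.

```javascript
// Added example: plain JavaScript only, no DataPower-specific API is used.
// SAMPLE is constructed; its base64 body is filler, not a real signature.
const SAMPLE = [
  'MIME-Version: 1.0',
  'Content-Disposition: attachment; filename="smime.p7m"',
  'Content-Type: application/x-pkcs7-mime; smime-type=signed-data; name="smime.p7m"',
  'Content-Transfer-Encoding: base64',
  '',
  'QUJD+0RF/0dISUpLTE1OT1BRUlNUVVZXWFlaYWJjZGVmZ2hpamtsbW5vcHFyc3R1',
  'dnd4eXo=',
  ''
].join('\r\n');

// Split the S/MIME entity into lower-cased headers and a single-line base64 body.
function parseSmime(entity) {
  const text = entity.replace(/\r\n/g, '\n');
  const split = text.indexOf('\n\n');
  if (split < 0) throw new Error('no header/body separator');
  const headers = {};
  for (const line of text.slice(0, split).split('\n')) {
    const colon = line.indexOf(':');
    if (colon > 0) headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
  }
  const body = text.slice(split + 2).replace(/\s+/g, '');
  return { headers, body };
}

// Return the bare PKCS#7 SignedData as base64, refusing anything unexpected.
function extractSignedData(entity) {
  const { headers, body } = parseSmime(entity);
  if (!/smime-type=signed-data/i.test(headers['content-type'] || '')) throw new Error('not signed-data');
  if ((headers['content-transfer-encoding'] || '').toLowerCase() !== 'base64') throw new Error('not base64');
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(body) || body.length % 4 !== 0) throw new Error('malformed base64 body');
  return body;
}

// Percent-encode the value: raw '+', '/' and '=' would be altered or misparsed in a query string.
function toBackendQuery(paramName, entity) {
  return encodeURIComponent(paramName) + '=' + encodeURIComponent(extractSignedData(entity));
}

// What the receiving side does to get the base64 back.
function fromBackendQuery(query) {
  return decodeURIComponent(query.slice(query.indexOf('=') + 1));
}
```

The percent-encoding matters because a raw `+` in a query string is commonly decoded as a space, which would corrupt the signature. A 3409-byte message like the one in the thread yields a value of several kilobytes, so check the URL length limits of everything between the gateway and the backend.
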
  • M@yurGharat

    Re: PKCS7 Digitally Sign data using xslt

    ‏2019-08-14T05:34:15Z  

    Hi,

    Can we do PKCS#7 digital signing of data using GatewayScript?

    Regards,

    Mayur

  • HermannSW

    Re: PKCS7 Digitally Sign data using xslt

    ‏2019-08-18T09:30:58Z  

    The only way to do so is to call a rule with a crypto binary action using the GatewayScript multistep module:
    https://www.ibm.com/support/knowledgecenter/en/SS9H2Y_7.5.0/com.ibm.dp.doc/multistep_js.html

    Hermann.