Policy Sets and Policy Set Bindings editor: Message Part Protection panel
Use this panel, which is in the Policy Sets section of the editor, to define the parts of a message that encryption and signature apply to. Encrypted parts are used to protect message confidentiality. Signature parts are used for message integrity.
Field | Description and valid options |
---|---|
Name | Enter a user-defined name for the part. You can replicate the name to group several parts together; previously defined names are given as options. |
Security type | Either: |
SOAP Message | Either: |
Message Body | Determines that the whole message body is to be either encrypted or signed. If the whole message body is not to be encrypted or signed, further configuration is needed in one of the subsequent panels: Aliases, Qname, or Xpath. |
Aliases
Use this panel to refer to an alias identified in a SOAPInput, SOAPRequest, or SOAPAsyncRequest node. The message flow with which this policy set will be associated in the BAR editor must contain one of these nodes with an alias defined.
When developing a message flow containing one of these nodes, the developer might decide to identify a part of the message for which encryption or signature applies. This identification is done in the WS Extension properties panel of the node, by defining an XPath expression that refers to the part of the message and an associated alias name. The administrator then refers to that alias name by using this panel, and sets the correct security type for the alias on the corresponding Message Part Protection panel.

You can edit the Aliases panel only if Message level protection is selected on the Message Level Protection panel, and a part has been added in the Message Part Protection panel.
Field | Description and valid options |
---|---|
Name | Select a name from the list. All names created in the corresponding Message Part Protection panel are displayed. |
Alias | Enter the alias value defined on the SOAP node property panel. |
Qname
Use this panel to define namespaces, and optional elements within those namespaces, within the SOAP message header for which encryption or signature applies.
Namespaces are used primarily when WS-Addressing headers exist. If no local part name is specified to refer to specific elements, all elements in the SOAP message header for the specified namespace apply.

To use the QName selection method, the SOAP header elements must be the immediate children of the SOAP header. You cannot select header elements that are subelements of other elements in the SOAP header by using QName. To select such elements, you must use an XPath expression.
You can edit the Qname panel only if Message level protection is selected on the Message Level Protection panel, and a part has been added in the Message Part Protection panel.
Field | Description and valid options |
---|---|
Name | Select a name from the list. All names created in the corresponding Message Part Protection panel are displayed. |
Local part | An optional local part name within the namespace. In the following example, securitybinding is the namespace; within that namespace, securityOutboundBindingConfig and securityInboundBindingConfig are local parts. |
NameSpace | The namespace of the SOAP message headers for which encryption and signature apply. |
Xpath
Use this panel to define an XPath expression that refers to an element in the message to which encryption or signature applies.
Use this panel as an alternative, or in addition to, specifying XPath expressions and aliases directly on the nodes.

The XPath column offers the following predefined selections:

- Envelope, Header, Security, Timestamp
- Envelope, Header, Security
- Envelope, Header, Security, Signature

Each predefined selection is added for both SOAP 1.1 (http://schemas.xmlsoap.org/soap/envelope/) and SOAP 1.2 (http://www.w3.org/2003/05/soap-envelope/). For example, selecting Envelope, Header, Security, Timestamp results in the following XPath expressions being added to the policy set:

```
/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Envelope']
/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Header']
/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']
/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' and local-name()='Timestamp']

/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Envelope']
/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Header']
/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']
/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' and local-name()='Timestamp']
```

Line breaks have been added to enhance readability; in the IBM® App Connect Enterprise Toolkit each expression is pasted on a single line. The preceding expressions show the format of the fully qualified XPath expression syntax required by the integration node. If you paste your own XPath expressions into the XPath column, ensure that they adhere to this syntax. When you paste your own XPath expressions, the prefix and namespace table is unavailable for substitution of values, and only a single expression is added to the policy set, instead of both a SOAP 1.1 and SOAP 1.2 variant.

You can edit the Xpath panel only if Message level protection is selected on the Message Level Protection panel, and a part has been added in the Message Part Protection panel.
Field | Description and valid options |
---|---|
Name | Select a name from the list. All names created in the corresponding Message Part Protection panel are displayed. |
XPath | A user-defined value that the administrator assigns to an element in the SOAP message for encryption or signing. |
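The following Python script is an added example, not part of the product documentation or the Toolkit: it builds expressions in the fully qualified namespace-uri()/local-name() form shown above, rejects pasted expressions that do not follow that form (for example prefixed names or //), and resolves a validated expression against a constructed SOAP 1.1 envelope so you can confirm that it selects the element you intend to encrypt or sign. The envelope, the TS-1 identifier and the function names are assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET
SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
# One step of the fully qualified form: /*[namespace-uri()='ns' and local-name()='name']
STEP = re.compile(r"/\*\[namespace-uri\(\)='([^']*)' and local-name\(\)='([^']*)'\]")

def build_xpath(steps):
    """Render (namespace, local-name) pairs as one fully qualified expression."""
    return "".join(f"/*[namespace-uri()='{ns}' and local-name()='{name}']" for ns, name in steps)

def predefined_variants(inner_steps):
    """Mirror a predefined selection: the same steps below Envelope/Header, once per SOAP version."""
    return [build_xpath([(soap, "Envelope"), (soap, "Header")] + list(inner_steps))
            for soap in (SOAP11, SOAP12)]

def parse_xpath(expr):
    """Return the (namespace, local-name) steps of expr, or None unless every character is part of a fully qualified step."""
    pos, steps = 0, []
    for m in STEP.finditer(expr):
        if m.start() != pos:
            return None
        steps.append((m.group(1), m.group(2)))
        pos = m.end()
    return steps if steps and pos == len(expr) else None

def select(expr, xml_text):
    """Resolve a validated expression against an envelope and return the matched elements."""
    steps = parse_xpath(expr)
    if steps is None:
        raise ValueError("expression does not follow the fully qualified XPath syntax")
    root = ET.fromstring(xml_text)
    ns, name = steps[0]
    matched = [root] if root.tag == f"{{{ns}}}{name}" else []
    for ns, name in steps[1:]:  # each further step selects element children of the previous match
        matched = [child for el in matched for child in el if child.tag == f"{{{ns}}}{name}"]
    return matched

# Constructed sample (assumed, not from the documentation): SOAP 1.1 envelope with a WS-Security Timestamp.
SAMPLE_SOAP11 = f"""<soapenv:Envelope xmlns:soapenv="{SOAP11}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <soapenv:Header>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2024-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
</soapenv:Envelope>"""
TIMESTAMP_11, TIMESTAMP_12 = predefined_variants([(WSSE, "Security"), (WSU, "Timestamp")])
```

Because a pasted expression is added as a single variant, the SOAP 1.2 expression matches nothing in the SOAP 1.1 sample; a flow that must protect both versions needs both expressions.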