Message security process

Message-level security (securing web services at the message level) addresses security requirements, including identity, authentication, authorization, integrity, confidentiality, nonrepudiation, and basic message exchange. The AS4 Microservice message-level security process includes digital certificates, encryption, and digital signatures.

To provide message-level security with digital certificates, you must obtain the requisite certificates in a secure manner. Then, the message producer sends the message with certificate information. AS4 Microservice implements the message-level security that you configure when you are the message producer through this process:

  1. When you are the producer of a message, AS4 Microservice accesses the appropriate digital certificate and private key. It uses the private key to sign the message. The certificate is used to provide the message consumer with the public key and any other information that is required for authentication.
  2. AS4 Microservice attaches your digital certificate to the request message.
  3. AS4 Microservice uses the private key to sign the message according to your specifications. You can choose to sign one or more parts of the message, such as the address header or the message body. At a minimum, sign the message body, security, and addressing headers. A signature is created with a signature algorithm that computes a hash value from the data to be signed. Then, the signature algorithm encrypts the hash value with your private key. When the signature is validated, the data that is used to create the signature is also validated to provide data origin authentication.
  4. AS4 Microservice encrypts all or parts of the message with the public key from the digital certificate you received from the message consumer. At a minimum, ensure that the signature used to sign the encrypted data is encrypted to help protect it against offline attacks. When message data is encrypted with certificate information, AS4 Microservice also adds the certificate identifier to the message. If the certificate contains a subject key identifier, it is included to identify the certificate in the message. The owner of the certificate knows all the necessary information for it to access the appropriate private key and decrypt the message. Encrypting the request in this way protects sensitive data if the message consumer is deceived into calling an illegitimate service. In this way, only the organization for which the message is intended can decrypt the message with its private key.
  5. After the message is signed and encrypted, AS4 Microservice sends the message to the configured business application.
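
The producer's sign-then-encrypt sequence (steps 3 and 4) and the consumer's matching decrypt-then-verify sequence, as an added Go example that is not AS4 Microservice code. It assumes RSA keys for both parties and stands in for the WS-Security envelope with a plain struct: the content is encrypted with a fresh AES-256-GCM key that is in turn encrypted with the consumer's public key (the hybrid pattern XML Encryption uses with an EncryptedKey element), and the signature is placed inside the ciphertext so that it is encrypted, as the text requires. The struct, the function names, and the order payload are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecuredMessage is a constructed stand-in for the signed-then-encrypted AS4 envelope.
// The body and its signature exist only inside the ciphertext, which implements the
// page's rule that the signature over encrypted data must itself be encrypted.
type SecuredMessage struct {
	WrappedKey []byte // AES-256 content key, RSA-OAEP encrypted to the consumer's public key
	Nonce      []byte // AES-GCM nonce, fresh per message
	Ciphertext []byte // AES-GCM over signature || body
}

// gcmFor returns an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Produce is the producer side (steps 3 and 4): sign the body with the producer's
// private key, then encrypt body and signature under the consumer's public key,
// which in AS4 is taken from the consumer's certificate.
func Produce(body []byte, prodKey *rsa.PrivateKey, consPub *rsa.PublicKey) (*SecuredMessage, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, prodKey, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	rnd := make([]byte, 44) // 32-byte content key followed by a 12-byte GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	contentKey, nonce := rnd[:32], rnd[32:]
	gcm, _ := gcmFor(contentKey) // cannot fail for a 32-byte key
	ct := gcm.Seal(nil, nonce, append(append([]byte{}, sig...), body...), nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, consPub, contentKey, nil)
	if err != nil {
		return nil, err
	}
	return &SecuredMessage{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Consume is the consumer side (steps 5 and 6): recover the content key with the
// consumer's private key, decrypt, then verify the signature with the public key
// from the producer's certificate, which must already have passed steps 1 to 4.
func Consume(m *SecuredMessage, consKey *rsa.PrivateKey, prodPub *rsa.PublicKey) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, consKey, m.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap content key: %w", err)
	}
	gcm, err := gcmFor(contentKey)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err) // also catches any tampering with the ciphertext
	}
	n := prodPub.Size() // a PSS signature is exactly one modulus length
	if len(plain) < n {
		return nil, errors.New("decrypted content is too short to carry a signature")
	}
	sig, body := plain[:n], plain[n:]
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPSS(prodPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	return body, nil
}

// RoundTrip generates fresh 2048-bit keys for both parties and passes body through
// Produce and Consume, returning what the consumer recovered.
func RoundTrip(body []byte) ([]byte, error) {
	prodKey, _ := rsa.GenerateKey(rand.Reader, 2048) // GenerateKey fails only if crypto/rand does
	consKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg, err := Produce(body, prodKey, &consKey.PublicKey)
	if err != nil {
		return nil, err
	}
	return Consume(msg, consKey, &prodKey.PublicKey)
}

func main() {
	out, err := RoundTrip([]byte("<Order><Qty>3</Qty></Order>")) // constructed payload
	fmt.Printf("recovered %q, err=%v\n", out, err)
}
```

Because the signature is inside the AES-GCM ciphertext, a consumer that lacks the private key learns neither the body nor who signed it, and the GCM tag rejects any modification of the ciphertext before the signature is ever examined. In the real service the signature and encryption cover XML elements with canonicalization rather than raw bytes, but the ordering (sign, then encrypt; decrypt, then verify) is the same.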

AS4 Microservice implements the message-level security that you configure when you are the message consumer through this process:

  1. First, AS4 Microservice validates the certificate that is attached to the message and checks the validity period of the certificate. This validation ensures that it does not process a request that was secured with an expired digital certificate.
  2. AS4 Microservice verifies the integrity of the certificate contents to ensure that they were not tampered with after the certificate authority (CA) issued it. The integrity of the certificate contents is verified with the signature of the issuing CA, which is also included in the certificate. If the certificate contents cannot be validated against the digital signature of its issuer, the certificate is rejected as invalid.
  3. If applicable, AS4 Microservice verifies the trust chain of certificates. AS4 Microservice must be able to recognize an issuing CA as trusted to verify the certificate trust chain for the certificate. An issuing CA is recognized as trusted based on the X.509 certificate that endorses the certificate.
  4. AS4 Microservice checks the revocation status of the certificate by verifying whether the certificate is on a certificate revocation list (CRL) that the CA publishes. You can specify the URL where the CRL is located (when you add the certificate to AS4 Microservice). Alternatively, you can obtain the CRL by downloading it from a CA and then importing it into a local certificate store where AS4 Microservice can access it.
    Important: To check the revocation status of the certificate online, you must specify the URL for the online revocation service (CRL). There is also a performance cost that is associated with checking the revocation status online. For this reason, consider downloading the CRL instead if you can frequently update the cached CRL.
  5. When AS4 Microservice receives an encrypted message, it determines which private key it must use to decrypt the message and then decrypts it.
  6. AS4 Microservice verifies the digital signature on the message with the public key that was sent with the message. If the message data is digitally signed, it also validates the message producer as the message originator to provide data origin authentication.
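
Consumer steps 1 to 4 as an added Go example, not AS4 Microservice code. It uses only the standard library (crypto/x509; the RevokedCertificateEntries field needs Go 1.21 or later) to build a constructed test CA, a producer certificate, a second producer certificate that the CA has revoked, and the CA's CRL, and then runs the checks in the order the list above gives them. The CRL is passed in already downloaded, which is the cached-CRL option from the note in step 4, so the function also refuses a CRL that is past its NextUpdate. Certificate names, serial numbers and the one-hour CRL lifetime are constructed values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ValidateProducerCert performs consumer steps 1 to 4 on the certificate attached to a
// message: validity period, issuer signature, trust chain, and revocation status.
func ValidateProducerCert(c *x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList, now time.Time) error {
	// Step 1: validity period of the attached certificate.
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		return errors.New("certificate is outside its validity period")
	}
	// Steps 2 and 3: Verify checks the issuer's signature over the contents and
	// builds a chain to a root the consumer trusts.
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	chains, err := c.Verify(opts)
	if err != nil {
		return fmt.Errorf("trust chain: %w", err)
	}
	if len(chains[0]) < 2 {
		return errors.New("certificate is not CA-issued")
	}
	issuer := chains[0][1] // chains run leaf to root; the direct issuer publishes the CRL
	// Step 4: a CRL proves nothing unless it is signed by that issuer and still current.
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return errors.New("crl: cached copy is past NextUpdate, download a fresh one")
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %v is revoked", c.SerialNumber)
		}
	}
	return nil
}

// PKI is the constructed test environment: a self-signed CA, a producer certificate,
// a second producer certificate the CA has since revoked, and the CA's CRL.
type PKI struct {
	Roots                 *x509.CertPool
	CRL                   *x509.RevocationList
	ProdCert, RevokedCert *x509.Certificate
}

// issue creates and parses a certificate; a nil parent makes a self-signed CA.
func issue(cn string, serial int64, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return c
}

// NewPKI builds the environment; one producer key is reused for both producer
// certificates because only the certificates, not the keys, are under test here.
func NewPKI() *PKI {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048) // GenerateKey fails only if crypto/rand does
	prodKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ca := issue("Constructed Test CA", 1, nil, &caKey.PublicKey, caKey)
	p := &PKI{Roots: x509.NewCertPool()}
	p.Roots.AddCert(ca)
	p.ProdCert = issue("producer", 2, ca, &prodKey.PublicKey, caKey)
	p.RevokedCert = issue("producer-old", 3, ca, &prodKey.PublicKey, caKey)
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{
			{SerialNumber: p.RevokedCert.SerialNumber, RevocationTime: time.Now().Add(-time.Minute)},
		},
	}, ca, caKey)
	if err != nil {
		panic(err)
	}
	p.CRL, _ = x509.ParseRevocationList(crlDER)
	return p
}

func main() {
	p := NewPKI()
	fmt.Println("revoked producer:", ValidateProducerCert(p.RevokedCert, p.Roots, p.CRL, time.Now()))
}
```

Passing the clock in as a parameter is what makes the expiry and stale-CRL paths testable: with the clock moved two hours ahead the certificate is still valid but the cached CRL is past its NextUpdate, which is exactly the situation the note in step 4 warns about when a downloaded CRL is not refreshed often enough.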