Securing system settings
Canonicalization is the process of converting XML data that has more than one possible physical representation into a single standard form, known as Canonical XML.
XML canonicalization (c14n) defines which physical changes can be made to an XML document without changing its logical representation. Canonicalization is recommended whenever you use an XML digital signature.
In AS4 Microservice you can select an appropriate c14n algorithm, and message content is then canonicalized with that algorithm. Digital signatures require that the content covered by the signature is identical when the signature is applied and when it is verified; otherwise the signature is invalid. Slight changes to the signed XML fragments are tolerable, however, as long as the message content is identical from the perspective of an XML parser. For example, added XML comments or extra spaces between element attributes are not significant to an XML parser, so such minor modifications do not by themselves invalidate the signature. The XML Signature specification defines canonicalization as a set of operations applied to the signed XML content before the signature is computed or verified; canonicalization thereby hides irrelevant character-level modifications of the underlying XML document.
You must have system administrator privileges to add or delete c14n content types. You can view c14n content types if you have either system administrator or Master Account administrator privileges.
The recommended c14n algorithm, Exclusive XML Canonicalization, removes white space within tags, uses a specified character encoding, sorts namespace references (eliminating redundant ones), removes XML and DOCTYPE declarations, and transforms relative URIs into absolute URIs.
Exclusive XML Canonicalization (EXC-C14N) determines which namespaces the message actually uses and copies only those namespaces to the output. Specifically, it copies the namespaces that are visibly used in the XML syntax itself. It does not inspect attribute values or element content, so namespace declarations that are needed only there are not copied. With Exclusive Canonicalization you can therefore supply a list of the namespaces that must be declared, so that their declarations are included even though they are not visibly used.
Exclusive Canonicalization is especially useful when you have a signed XML document that you want to insert into other XML documents. Using Exclusive Canonicalization ensures that the signature still verifies correctly after the insertion.
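The following is an added example, not code from AS4 Microservice or its documentation, that makes the two points above concrete: canonical forms hide comment and attribute-whitespace changes, and only visibly used namespaces survive unless a prefix list says otherwise. It uses the C14N 2.0 writer in Python's standard library (assumed 3.8 or later), whose namespace handling follows the same visible-use rule as EXC-C14N; its qname_aware_attrs option stands in for the EXC-C14N InclusiveNamespaces prefix list, and all message fragments and namespace URIs are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET


def canonical(xml_text, qname_aware_attrs=None):
    """Canonical form of an XML fragment (C14N 2.0 from the standard library).
    Comments are dropped, attributes are sorted, and a namespace is declared
    only where an element or attribute name visibly uses it; unused xmlns
    declarations disappear. qname_aware_attrs names attributes whose values
    are QNames so the prefixes used there are declared too (the counterpart
    of the EXC-C14N InclusiveNamespaces prefix list)."""
    return ET.canonicalize(xml_text, with_comments=False,
                           qname_aware_attrs=qname_aware_attrs)


def digest(xml_text, **opts):
    """SHA-256 over the canonical bytes: what a Reference's DigestValue covers."""
    return hashlib.sha256(canonical(xml_text, **opts).encode("utf-8")).hexdigest()


# Constructed sample fragments (not from the product documentation).
# A and B differ only in ways an XML parser ignores: attribute order,
# whitespace inside a start tag, a comment, and an unused xmlns declaration.
MSG_A = ('<m:Msg xmlns:m="urn:example:msg" xmlns:unused="urn:example:unused">'
         '<m:Party id="p1" role="sender">acme</m:Party></m:Msg>')
MSG_B = ('<m:Msg xmlns:m="urn:example:msg"><!-- added in transit -->'
         '<m:Party   role="sender"\n   id="p1">acme</m:Party></m:Msg>')
# C changes signed content (a different party id), so its digest must differ.
MSG_C = MSG_B.replace('id="p1"', 'id="p9"')
# D uses the prefix "t" only inside an attribute value, where c14n cannot
# see it unless told which attributes carry QNames.
MSG_D = ('<m:Msg xmlns:m="urn:example:msg" xmlns:t="urn:example:types">'
         '<m:Party type="t:Partner">acme</m:Party></m:Msg>')


def demo():
    """Return (A and B digests equal, C differs, D without list, D with list)."""
    same = digest(MSG_A) == digest(MSG_B)
    changed = digest(MSG_C) != digest(MSG_B)
    dropped = canonical(MSG_D)                            # xmlns:t is lost
    kept = canonical(MSG_D, qname_aware_attrs={"type"})   # xmlns:t retained
    return same, changed, dropped, kept


if __name__ == "__main__":
    labels = ("A == B", "C != B", "D, no prefix list", "D, prefix list")
    for label, value in zip(labels, demo()):
        print(f"{label}: {value}")
```

Run it to see that A and B yield one digest while C does not, and that the declaration of "t" only appears in D's canonical form when "type" is listed as a QName-valued attribute.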
Namespace handling can introduce security risks for your organization. The WS-Security specification strongly recommends the Exclusive XML Canonicalization algorithm (or another canonicalization algorithm) as protection against XML Signature Wrapping attacks. This XML-specific attack pattern misuses the referencing flexibility of XML Signature so that the processing application treats attacker-supplied XML data as if it had been signed by a legitimate user.
If you are using digital signatures, define the content types that must be excluded from canonicalization in AS4 Microservice through the Systems Management > System Settings interface. Be aware that using digital signatures and canonicalization can adversely affect system performance, because computing and verifying XML signatures is very resource-intensive.