CICS support for encrypted SOAP messages
For inbound messages, CICS can decrypt any encrypted elements in the SOAP body, and encrypted SOAP header blocks where the body is also encrypted. For outbound messages, CICS encrypts the entire SOAP body.
A SOAP message is an XML document, consisting of an <Envelope> element, which contains an optional <Header> element, and a mandatory <Body> element. The WSS: SOAP Message Security specification allows some of the contents of the <Header> element and all of the contents of the <Body> element to be encrypted at the element level. That is, in a given message, individual elements can have different levels of encryption, or can be encrypted using different algorithms. For example, in a SOAP message used in an online purchasing application, it is appropriate to encrypt an individual's credit card details to ensure that they remain confidential. However, to avoid the overhead of encrypting the entire message, some information might safely be encrypted using a less secure (but faster) algorithm and other information might safely remain unencrypted.
For inbound messages, the security message handler can decrypt elements in the SOAP <Body>, and can decrypt elements in the SOAP <Header> if the SOAP body is also encrypted. The security message handler always decrypts these elements:
- Elements it encounters in the <Header> element, in the order in which the elements are found.
- Elements in the SOAP <Body> element.
If you want to reject a SOAP message that does not have an encrypted <Body>, configure the handler to expect an encrypted body using the <expect_encrypted_body> element.
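As an added illustration of the inbound policy just described (example code, not CICS code), the following Python locates XML Encryption elements in a SOAP envelope and reports which ones a handler would decrypt, or whether a handler configured with <expect_encrypted_body> would reject the message. The sample messages, the Id values and the rule that a body counts as encrypted when all of its direct children are EncryptedData elements are assumptions.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
XENC = "http://www.w3.org/2001/04/xmlenc#"          # XML Encryption namespace
ENCRYPTED_DATA = f"{{{XENC}}}EncryptedData"

def body_is_encrypted(envelope: ET.Element) -> bool:
    """Assumption: <Body> counts as encrypted when every direct child is an
    <xenc:EncryptedData> element (content or whole-element encryption)."""
    body = envelope.find(f"{{{SOAP}}}Body")
    if body is None:
        raise ValueError("not a SOAP message: <Body> element is missing")
    children = list(body)
    return bool(children) and all(c.tag == ENCRYPTED_DATA for c in children)

def plan_decryption(xml_text: str, expect_encrypted_body: bool = False) -> dict:
    """Apply the inbound policy: reject if an encrypted body is required but
    absent; otherwise list header EncryptedData (only when the body is also
    encrypted) in document order, then body EncryptedData. Nothing is
    decrypted here; the Id attributes identify what a real handler would process."""
    envelope = ET.fromstring(xml_text)
    encrypted_body = body_is_encrypted(envelope)
    if expect_encrypted_body and not encrypted_body:
        return {"reject": True, "decrypt": []}
    targets = []
    header = envelope.find(f"{{{SOAP}}}Header")
    if header is not None and encrypted_body:
        targets += [f"Header:{e.get('Id')}" for e in header.iter(ENCRYPTED_DATA)]
    body = envelope.find(f"{{{SOAP}}}Body")
    targets += [f"Body:{e.get('Id')}" for e in body.iter(ENCRYPTED_DATA)]
    return {"reject": False, "decrypt": targets}

# Constructed sample messages; the CipherData and EncryptedKey parts that a
# real WS-Security message carries are omitted for brevity.
ENCRYPTED_MSG = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:xenc="{XENC}">
  <soap:Header><app:Session xmlns:app="urn:example">
    <xenc:EncryptedData Id="hdr-1" Type="{XENC}Element"/>
  </app:Session></soap:Header>
  <soap:Body><xenc:EncryptedData Id="body-1" Type="{XENC}Content"/></soap:Body>
</soap:Envelope>"""
PLAINTEXT_BODY_MSG = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:xenc="{XENC}">
  <soap:Header><app:Session xmlns:app="urn:example">
    <xenc:EncryptedData Id="hdr-1" Type="{XENC}Element"/>
  </app:Session></soap:Header>
  <soap:Body><app:Order xmlns:app="urn:example">1234</app:Order></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(plan_decryption(ENCRYPTED_MSG))        # header and body both decrypted
    print(plan_decryption(PLAINTEXT_BODY_MSG, expect_encrypted_body=True))  # rejected
```

Note that the second message keeps its encrypted header block but is not rejected unless <expect_encrypted_body> is set; without it, the header element is simply left alone because the body is in plaintext.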
For outbound messages, the security message handler supports encryption of the contents of the SOAP <Body> only; it does not encrypt any elements in the <Header> element.
When the security message handler encrypts the <Body> element, all elements in the body are encrypted with the same algorithm and using the same key. The algorithm, and information about the key, are specified in the configuration information for the handler.