Adding a sign action

How to define a sign action that attaches a digital signature to the document.

About this task

The sign action is available for all services.

Procedure

  1. Drag the Sign icon to the configuration path.
  2. Double-click the Sign icon.
  3. In the Input field, specify the context of the message to process.
  4. From the Envelope method list, select the signature method.
    For more information about envelope methods, see the W3C Recommendation XML-Signature Syntax and Processing.
    Enveloped method
    The signature is over the XML content that contains the signature as an element. The content provides the root XML document element.
    Enveloping method
    The signature is over the XML content in an Object element or the signature itself. The Object is identified with a Reference. The contents of the Object are identified with a URI fragment identifier or a transform.
    SOAPSec method
    The signature is included in a SOAP header entry.
    WSSec method
    (Default) The signature is included in a WS-Security security header.
  5. From the Message type list, select the type of document to sign.
    SOAP message
    (Default) The message conforms to the SOAP schema.
    SOAP with attachments
    The message conforms to the SOAP with Attachments schema. The signature method must be WS-Security.
    Raw XML document including SAML for Enveloped
    The message is in raw XML format. Enveloped and enveloping signature methods are supported. If the target is a SAML element for Enveloped signing method, the SAML enveloped signing is not applied.
    Selected elements (field-level)
    Sign selected elements of a SOAP message or an XML message. This action requires a document map. The Operation property of the map must agree with the signature method.
  6. Set the Asynchronous property to indicate whether to process asynchronously. When enabled, the action does not need to complete before the rule starts processing its next action.
  7. When the envelope method is enveloped or enveloping and the message type is SOAP message or Raw XML document including SAML for Enveloped:
    1. Select the key from the Key list.
    2. Select the certificate from the Certificate list.
  8. When the message type is Selected elements (field-level), from the Document crypto map list, select the document map that identifies the message fields to sign.
  9. The following fields apply only when the envelope method is WSSec method.
    1. In the WS-Security version field, select the version of WS-Security.
    2. In the Use asymmetric key field, specify whether to use an asymmetric key for RSA/DSA signing or whether to use a symmetric key for HMAC signing.
      This setting affects the signing algorithm and the KeyInfo output. It is on by default, so WS-Security signing uses an RSA/DSA key. When it is off, a symmetric key is needed for WS-Security HMAC signing.
      With an asymmetric key
      Select the signing algorithm from the Signing algorithm list, the key from the Key list, and the certificate from the Certificate list.
      Without an asymmetric key
      Select the HMAC signing algorithm from the list.
    3. In the Symmetric Key Type field, select the type of the symmetric key for HMAC signing.
    4. For a symmetric key that uses a random key and encrypts it for the recipient, from the Certificate of the encrypted key's recipient list, select the public certificate of the intended recipient. The recipient verifies the signed message.
    5. For a symmetric key that uses an existing Derived Key Token (DKT), in the Name of the base DKT to derive a key field, enter the name of the DKT.
    6. For all symmetric key types, except Use static SharedSecret object, set Use WS-SC key derivation to determine whether the HMAC signing key is a derived key.
    7. For the Use static SharedSecret object type of symmetric key, in the Shared secret key field, select the name of the shared secret key to use. This value overrides the setting for any alternative shared secret keys.
  10. In the XPath expression field, enter the XPath expression that identifies the elements to sign.

    This field is available only when the signature method is enveloped and the message type is Raw XML document including SAML for Enveloped.

    • Click Add to add the expression to the ones in the map. Without an XPath expression, the entire XML document is signed.
    • Click XPath tool to use the utility that builds the expression from an uploaded example document.
  11. In the Output field, specify the context of the message after processing.
  12. Optional: Click the Advanced tab to define greater control of X.509 compatibility, WS-Security version and timestamp settings, and other advanced features.
    • To generate signature confirmation (front end), set Include SignatureConfirmation to on (response side).
    • To verify signature confirmation, set Expect verifier to return wsse11:SignatureConfirmation to on (request side).

      This setting saves the generated value. A verify action can process the response to verify the returned WS-Security 1.1 SignatureConfirmation.

    For more information, see the online help.
  13. Click Done.
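The following is an added example, not DataPower code, that models what steps 4, 5 and 9 choose between: where the Signature element is placed for the Enveloped, Enveloping and WSSec envelope methods, how each signed part is referenced (URI="" with the enveloped-signature transform, a "#fragment" pointing at an Id or wsu:Id), and what the "without an asymmetric key" path produces in KeyInfo. It assumes HMAC-SHA256 as the symmetric signing algorithm, uses a plain ElementTree serialization in place of W3C canonicalization (so its output is not interoperable with a real XML-Signature or WS-Security stack), and uses ElementTree's limited XPath in place of a document map for field-level selection. The function names, the sample order document and the shared secret are constructed for the example.

```python
"""Toy model of the envelope methods and symmetric (HMAC) signing path described
above. Added example, not DataPower code: serialization stands in for W3C
canonicalization, so the output is NOT interoperable with real XML-DSig."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
for prefix, uri in (("ds", DS), ("wsse", WSSE), ("wsu", WSU), ("soapenv", SOAP)):
    ET.register_namespace(prefix, uri)  # stable prefixes so both sides serialize alike


def c14n(elem):
    """Stand-in for canonicalization: signer and verifier must serialize identically."""
    return ET.tostring(elem, encoding="utf-8")


def digest(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_signature(references, key):
    """references: (URI, DigestValue, needs_enveloped_transform) per signed part."""
    sig = ET.Element(f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}SignatureMethod",
                  Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256")
    for uri, value, enveloped in references:
        ref = ET.SubElement(si, f"{{{DS}}}Reference", URI=uri)
        if enveloped:  # tells the verifier to drop the Signature before hashing
            transforms = ET.SubElement(ref, f"{{{DS}}}Transforms")
            ET.SubElement(transforms, f"{{{DS}}}Transform",
                          Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature")
        ET.SubElement(ref, f"{{{DS}}}DigestMethod",
                      Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
        ET.SubElement(ref, f"{{{DS}}}DigestValue").text = value
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()  # HMAC covers SignedInfo only
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    # Symmetric signing: KeyInfo can only name the key; the recipient must already hold it.
    key_info = ET.SubElement(sig, f"{{{DS}}}KeyInfo")
    ET.SubElement(key_info, f"{{{DS}}}KeyName").text = "shared-secret-1"  # constructed name
    return sig


def sign_enveloped(doc_xml, key):
    """Enveloped: Signature becomes a child of the document root; URI="" covers the root."""
    root = ET.fromstring(doc_xml)
    root.append(build_signature([("", digest(c14n(root)), True)], key))  # digest before append
    return ET.tostring(root, encoding="unicode")


def sign_enveloping(content_xml, key):
    """Enveloping: content is wrapped in ds:Object and referenced by fragment "#obj"."""
    obj = ET.Element(f"{{{DS}}}Object", Id="obj")
    obj.append(ET.fromstring(content_xml))
    sig = build_signature([("#obj", digest(c14n(obj)), False)], key)
    sig.append(obj)
    return ET.tostring(sig, encoding="unicode")


def sign_wssec(soap_xml, key, xpaths=(f".//{{{SOAP}}}Body",)):
    """WSSec: Signature sits in a wsse:Security header; each selected element gets a
    wsu:Id and its own Reference (field-level signing when xpaths narrows the set)."""
    env = ET.fromstring(soap_xml)
    refs = []
    for n, elem in enumerate(e for xp in xpaths for e in env.findall(xp)):
        elem.set(f"{{{WSU}}}Id", f"id-{n}")  # the Id is part of what gets hashed
        refs.append((f"#id-{n}", digest(c14n(elem)), False))
    header = env.find(f"{{{SOAP}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP}}}Header")
        env.insert(0, header)
    ET.SubElement(header, f"{{{WSSE}}}Security").append(build_signature(refs, key))
    return ET.tostring(env, encoding="unicode")


def verify(signed_xml, key):
    """Recompute the HMAC and every Reference digest; True only if all match."""
    root = ET.fromstring(signed_xml)
    sig = root if root.tag == f"{{{DS}}}Signature" else root.find(f".//{{{DS}}}Signature")
    if sig is None:
        return False
    si = sig.find(f"{{{DS}}}SignedInfo")
    mac = base64.b64decode(sig.find(f"{{{DS}}}SignatureValue").text)
    if not hmac.compare_digest(hmac.new(key, c14n(si), hashlib.sha256).digest(), mac):
        return False
    for ref in si.findall(f"{{{DS}}}Reference"):
        uri = ref.get("URI")
        if uri == "":  # enveloped-signature transform: hash the document minus the Signature
            parent = next((p for p in root.iter() if sig in list(p)), None)
            if parent is not None:
                parent.remove(sig)
            target = root
        else:          # fragment identifier: locate the element carrying that Id
            target = next((e for e in root.iter()
                           if uri[1:] in (e.get("Id"), e.get(f"{{{WSU}}}Id"))), None)
        if target is None or ref.find(f"{{{DS}}}DigestValue").text != digest(c14n(target)):
            return False
    return True


# Constructed sample input and shared secret.
KEY = b"constructed-shared-secret"
ORDER = "<Order><Item>widget</Item><Qty>2</Qty></Order>"
SOAP_MSG = (f'<soapenv:Envelope xmlns:soapenv="{SOAP}">'
            f"<soapenv:Body>{ORDER}</soapenv:Body></soapenv:Envelope>")

if __name__ == "__main__":
    partial = sign_wssec(SOAP_MSG, KEY, xpaths=(".//Item",))  # field-level: only Item is covered
    print(verify(partial, KEY), verify(partial.replace("<Qty>2", "<Qty>9"), KEY))
```

The field-level run makes the practical point of step 8: only elements the map (here, the XPath list) selects are protected, so a change to the unselected Qty element still verifies, while a change to Item does not. The KeyName in KeyInfo is what the "Use asymmetric key" toggle being off implies: the verifier needs the same shared secret, whereas the asymmetric path would carry the signer's certificate and be verifiable with the public key alone.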

What to do next

If this action is the last one for the rule, click Apply policy. Otherwise, drag another icon to the configuration path.