Policy Sets and Policy Set Bindings editor: Message Part Protection panel

Use this panel, which is in the Policy Sets section of the editor, to define the parts of a message that encryption and signature apply to. Encrypted parts are used to protect message confidentiality. Signature parts are used for message integrity.

Create a row in this table for each part of the message that is to be encrypted or signed.
Field Description and valid options
Name Enter a user-defined name for the part. You can replicate the name to group several parts together; previously defined names are given as options.
Security type Either:
  • Encryption
  • Signature
SOAP Message Either:
  • Request: a message from the client to the server.
  • Response: a message from the server to the client.
Message Body Determines that the whole message body is to be either encrypted or signed.

If the whole message body is not to be encrypted or signed, further configuration is needed in one of the subsequent panels: Aliases, Qname, or Xpath.

Aliases

Use this panel to refer to an alias identified in a SOAPInput, SOAPRequest, or SOAPAsyncRequest node. The message flow with which this policy set will be associated in the BAR editor must contain one of these nodes with an alias defined.

When developing a message flow containing one of these nodes, the developer might decide to identify a part of the message for which encryption or signature applies. This identification is done in the WS Extension properties panel of the node, by defining an XPath expression that refers to the part of the message and an associated alias name. The administrator then refers to that alias name by using this panel, and sets the correct security type for the alias on the corresponding Message Part Protection panel.

You can edit the Aliases panel only if Message level protection is selected on the Message Level Protection panel, and a part has been added in the Message Part Protection panel.

Field Description and valid options
Name Select a name from the list. All names created in the corresponding Message Part Protection panel are displayed.
Alias Enter the alias value defined on the SOAP node property panel.

Qname

Use this panel to define namespaces, and optional elements within those namespaces, within the SOAP message header for which encryption or signature applies.

Namespaces are used primarily when WS-Addressing headers exist. If no local part name is specified to refer to specific elements, all elements in the SOAP message header for the specified namespace apply.

To use the QName selection method, the SOAP header elements must be the immediate children of the SOAP header. You cannot select header elements that are subelements of other elements in the SOAP header that is using QName. To select such elements, you must use an XPath expression.

You can edit the Qname panel only if Message level protection is selected on the Message Level Protection panel, and a part has been added in the Message Part Protection panel.

Field Description and valid options
Name Select a name from the list. All names created in the corresponding Message Part Protection panel are displayed.
Local part An optional local part name within the namespace. In the following example, securitybinding is the namespace; within that namespace, securityOutboundBindingConfig and securityInboundBindingConfig are local parts.
<securitybinding:securityBindings 
     xmlns:securitybinding="http://www.example.com/xmlns/ws-securitybinding">
  <securitybinding:securityBinding name="application">
    <securitybinding:securityOutboundBindingConfig/>
    <securitybinding:securityInboundBindingConfig>
      <securitybinding:encryptionInfo name="con_myMPPToken">
        <securitybinding:keyEncryptionKeyInfo reference="con_myToken_encmyMPPToken_keyinfo"/>
        <securitybinding:encryptionPartReference reference="request:myMPPToken"/>
      </securitybinding:encryptionInfo>
      <securitybinding:keyInfo classname="com.ibm.ws.wssecurity.wssapi.CommonContentConsumer" 
             name="con_auth_keyinfo" type="STRREF">
NameSpace The namespace of the SOAP message headers for which encryption and signature apply.

Xpath

Use this panel to define an XPath expression that refers to an element in the message to which encryption or signature applies.

Use this panel as an alternative, or in addition to, specifying XPath expressions and aliases directly on the nodes.
You cannot edit the first table in the Xpath panel, which shows five different prefix and namespaces values (based on the SOAP 1.1 specification). The second table allows the administrator to paste a fully qualified XPath expression directly into the XPath column, or select one from the list:
  • Envelope, Header, Security, Timestamp
  • Envelope, Header, Security
  • Envelope, Header, Security, Signature
Selecting one of the preceding options, causes the appropriate XPath expression to be created for both SOAP 1.1 (http://schemas.xmlsoap.org/soap/envelope/) and SOAP 1.2 (http://www.w3.org/2003/05/soap-envelope/). For example, selecting Envelope, Header, Security, Timestamp results in the following XPath expressions being added to the policy set:
/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/'
     and local-name()='Envelope']
/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/'
     and local-name()='Header']
/*[namespace-uri()=
     'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-
     secext-1.0.xsd' and local-name()='Security']
/*[namespace-uri()=
     'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-
     utility-1.0.xsd' and local-name()='Timestamp']

/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope'
     and local-name()='Envelope']
/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope'
     and local-name()='Header']
/*[namespace-uri()=
     'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-
     secext-1.0.xsd' and local-name()='Security']
/*[namespace-uri()=
     'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-
     utility-1.0.xsd' and local-name()='Timestamp']
Line breaks have been added to enhance readability; in the IBM® App Connect Enterprise Toolkit each expression is pasted on a single line. The preceding expressions show the format of the fully qualified XPath expression syntax required by the integration node. If you paste your own XPath expressions into the XPath column, ensure that they adhere to this syntax. When you paste your own XPath expressions, the prefix and namespace table is unavailable for substitution of values, and only a single expression is added to the policy set, instead of both a SOAP 1.1 and SOAP 1.2 variant.

You can edit the Xpath panel only if Message level protection is selected on the Message Level Protection panel, and a part has been added in the Message Part Protection panel.

Field Description and valid options
Name Select a name from the list. All names created in the corresponding Message Part Protection panel are displayed.
XPath A user-defined value that the administrator assigns to an element in the SOAP message for encryption or signing.