Encrypt Element Assertion
The Encrypt Element assertion is used to select message elements to be encrypted in the target message.
- If the target is the response message, encryption will occur automatically.
- If the target is the request message or a message context variable, then the Add or Remove WS-Security assertion must be added after the Encrypt Element assertion in the policy to perform the encryption.
You can add an Encrypt Element assertion for each element of the target message that you want encrypted. The encrypted output follows the W3C XML Encryption standard (the AES-GCM methods are defined in XML Encryption 1.1).
This assertion can only be used in a web service policy. It should be placed before the routing assertion in a policy.
To learn about selecting the target message for this assertion, see Select a Target Message.
To learn more about selecting the target identity for this assertion, see Select a Target Identity.
To learn more about changing the WSS Recipient for this assertion, see Change the WSS Assertion Recipient.
When multiple signatures are used in a target message, it is mandatory to select a target identity.
Using the Assertion
- Do one of the following:
  - To add the assertion to the Policy Development window, see Add an Assertion.
  - To change the configuration of an existing assertion, proceed to the next step.
- Right-click the <target>: Encrypt Element assertion in the policy window and select Encrypt Element Properties, or double-click the assertion in the policy window. The assertion properties are displayed. The title of the dialog shows "Request", "Response", or "${variableName}", depending on the target message.
- Specify the XPath and select the target element to be encrypted from the code box. For detailed instructions on using the interface to build your XPath, see Select an XPath. The Policy Manager will not allow you to encrypt the /soapenv:Envelope element in the Encrypt Element Properties dialog. You can, however, encrypt a child element within the envelope, such as /soapenv:Envelope/soapenv:Body. Only the content of a matched element is encrypted: the element's own opening and closing tags and its attributes are not encrypted and remain readable in the message, so do not rely on this to hide an element name or attribute value. To encrypt an entire element, including its opening and closing tags, attributes, and white space content, match the XPath expression to that element's parent instead; the whole target element is then encrypted as part of the parent's content. Clicking or highlighting an element selects it (and any child code) for the assertion's encryption requirement.
- Choose the Encryption Method from the drop-down list:
  - AES 128 CBC (default)
  - AES 192 CBC
  - AES 256 CBC
  - Triple DES
  - AES 128 GCM
  - AES 256 GCM
  The AES-GCM options can be selected even if your security provider does not support them; however, encryption and decryption will then fail at runtime, so confirm provider support in a test environment before relying on them. Note that only the GCM modes are authenticated encryption; the CBC and Triple DES modes provide confidentiality only, so the encrypted element should also be covered by a signature when one of those modes is used.
- For Encryption Key Reference, select the method used to reference the API Gateway's SSL certificate in the KeyInfo of the encrypted message:
  - BinarySecurityToken (BST): Use a SecurityTokenReference containing the BinarySecurityToken (BST).
  - SubjectKeyIdentifier (SKI): Use a SecurityTokenReference containing the SubjectKeyIdentifier (SKI).
  - Issuer Name/Serial Number: Use a SecurityTokenReference containing the certificate's issuer distinguished name and serial number.
  - Key Name: Use a SecurityTokenReference containing the Key Name. (1) Using a "Key Name" reference violates the WS-I Basic Security Profile, so this reference type should be avoided whenever possible. (2) The "KeyName" element is added inside a "SecurityTokenReference", e.g.:
    <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <wsse:SecurityTokenReference>
        <dsig:KeyName>CN=Bob,OU=OASIS Interop Test Cert,O=OASIS</dsig:KeyName>
      </wsse:SecurityTokenReference>
    </dsig:KeyInfo>
- Click [OK].
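The following Go program is an added example, not code from the original page or from the API Gateway; it shows what the choices made in the steps above produce in XML Encryption terms. It encrypts /soapenv:Envelope/soapenv:Body of a constructed sample request with AES-128-GCM, once with Type="Content" (the matched element's own tags stay in clear, as when the XPath matches the Body itself) and once with Type="Element" (tags and attributes hidden, the effect of matching the parent), wraps the AES key to a recipient RSA key with RSA-OAEP as an EncryptedKey would, and decrypts again to show that GCM rejects a tampered CipherValue. The envelope, the function names and the use of plain string matching instead of a real XPath engine are all assumptions of this example; the algorithm URIs and Type values are those defined by XML Encryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed sample request; not taken from the original page.
const envelope = `<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header/>` +
	`<soapenv:Body><ns:getBalance xmlns:ns="urn:example:bank"><ns:account>12345</ns:account></ns:getBalance></soapenv:Body></soapenv:Envelope>`

const (
	typeContent  = "http://www.w3.org/2001/04/xmlenc#Content"    // children only
	typeElement  = "http://www.w3.org/2001/04/xmlenc#Element"    // tags + children
	algAES128GCM = "http://www.w3.org/2009/xmlenc11#aes128-gcm" // XML Encryption 1.1
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptElement replaces the first element called name in doc with xenc:EncryptedData.
// wholeElement=false encrypts only the children (Type=Content): the element's own tags and
// attributes stay readable. wholeElement=true hides the tags as well (Type=Element).
func encryptElement(doc, name string, wholeElement bool, key []byte) (string, error) {
	start, end := strings.Index(doc, "<"+name), strings.Index(doc, "</"+name+">")
	if start < 0 || end < start {
		return "", fmt.Errorf("element %s not found", name)
	}
	openEnd, closeEnd := start+strings.Index(doc[start:], ">")+1, end+len("</"+name+">")
	plain, before, after, typ := doc[openEnd:end], doc[:openEnd], doc[end:], typeContent
	if wholeElement {
		plain, before, after, typ = doc[start:closeEnd], doc[:start], doc[closeEnd:], typeElement
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, gcm.NonceSize()) // fresh 96-bit IV per element; never reuse under one key
	rand.Read(iv)
	// xmlenc11 CipherValue for GCM is IV || ciphertext || tag; Seal already appends the tag.
	cv := append(append([]byte{}, iv...), gcm.Seal(nil, iv, []byte(plain), nil)...)
	ed := fmt.Sprintf(`<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="%s">`+
		`<xenc:EncryptionMethod Algorithm="%s"/><xenc:CipherData><xenc:CipherValue>%s</xenc:CipherValue>`+
		`</xenc:CipherData></xenc:EncryptedData>`, typ, algAES128GCM, base64.StdEncoding.EncodeToString(cv))
	return before + ed + after, nil
}

// decryptElement is the recipient side: extract the CipherValue, split off the IV, then
// authenticate and decrypt. Any change to the ciphertext makes Open return an error.
func decryptElement(doc string, key []byte) (string, error) {
	const open, closeTag = "<xenc:CipherValue>", "</xenc:CipherValue>"
	i, j := strings.Index(doc, open), strings.Index(doc, closeTag)
	if i < 0 || j < i {
		return "", fmt.Errorf("no CipherValue in document")
	}
	raw, err := base64.StdEncoding.DecodeString(doc[i+len(open) : j])
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", fmt.Errorf("bad key (%v) or CipherValue too short", err)
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	return string(plain), err
}

// wrapKey builds the xenc:EncryptedKey payload: the AES key encrypted to the recipient's RSA
// public key with RSA-OAEP/MGF1-SHA1 (xmlenc#rsa-oaep-mgf1p). The KeyInfo around it is where
// the Encryption Key Reference choice (BST, SKI, issuer/serial or KeyName) is written.
func wrapKey(pub *rsa.PublicKey, key []byte) (string, error) {
	ct, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

func main() {
	key := make([]byte, 16) // AES-128 content-encryption key
	rand.Read(key)
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the recipient certificate's key
	wrapped, _ := wrapKey(&priv.PublicKey, key)
	fmt.Println("EncryptedKey CipherValue:", wrapped[:24]+"...")
	for _, whole := range []bool{false, true} {
		doc, _ := encryptElement(envelope, "soapenv:Body", whole, key)
		plain, _ := decryptElement(doc, key)
		fmt.Printf("wholeElement=%v\n%s\nrecovered: %s\n\n", whole, doc, plain)
	}
}
```

Running it prints the two EncryptedData variants side by side: in the Content case the literal <soapenv:Body> start tag is still visible around the ciphertext, in the Element case it is not. The GCM tag is what makes the decrypt side fail closed on a modified CipherValue; with the CBC methods listed above there is no such check, which is why those modes should be paired with a signature over the encrypted element.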