CA API Gateway 9.1

9.4 9.1

XML Security Cluster Properties

The following cluster properties are used to configure XML security on the .
gateway
The following cluster properties are used to configure XML security on the 
API Gateway
.
Refer to "Time Units" under Cluster Properties for a list of the valid time units that you can use for time-related properties.
Property
Description
security.xml.dsig.idAttributeNames
Attribute names that are recognized as ID attributes for locating Signature Reference URI targets during WS-Security processing. The special prefix 'local:' matches the namespace URI against the owning element rather than the attribute. All other prefixes are ignored.
Default:
{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Id
{http://schemas.xmlsoap.org/ws/2002/07/utility}Id
{http://schemas.xmlsoap.org/ws/2003/06/utility}Id
{urn:oasis:names:tc:SAML:1.0:assertion}local:
AssertionID
{urn:oasis:names:tc:SAML:2.0:assertion}local:ID
Id
id
ID
This property is for WSS processing and affects all WSS processing across the cluster after a
API Gateway
 restart.
security.xml.dsig.
permittedDigestAlgorithms
Message digest algorithm names that are respected when verifying XML digital signatures. DigestMethod and SignatureMethod references that require algorithms not on this list are not respected. Separate each entry with a comma.
Default:
MD5,SHA,SHA-1,SHA-256,SHA-384,SHA-512
When using this cluster property, observe the following:
  • If the
    API Gateway
     - XML VPN Client is involved in any message sending, ensure that SHA is enabled in the cluster property.
  • If the
    API Gateway
     - XML VPN Client will be decorating messages for the
    API Gateway
     -, SHA-1 must be enabled; otherwise, all WS-Security decorated messages fails.
Requires a
API Gateway
 restart for changes to take effect.
security.xml.dsig.
permittedTransformAlgorithms
Transform algorithm URIs that are permitted when verifying XML digital signatures. Transforms that require algorithms not on this list fail. Separate each URI with a comma.
The following signature transforms are accepted by default when this cluster property is not populated:  
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform," +
"http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Complete-Transform," +
"http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Content-Only-Transform," +
"http://www.w3.org/2000/09/xmldsig#enveloped-signature," +
"http://www.w3.org/2001/10/xml-exc-c14n#," +
"http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
security.xml.xenc.
blacklist.capacity
Number of entries permitted in the decryption key blacklist.
Default:
50000
security.xml.xenc.
blacklist.enabled
Controls whether symmetric keys are blacklisted. Value is a Boolean.
  • true
     = Symmetric keys that fail to successfully decrypt XML (in the number of times specified by the
    security.xml.xenc.blacklist.maxFailures
     property) are blacklisted on this node for a period of time (set in the security.xml.xenc.blacklist.maxAge property). This makes it more difficult to use the
    API Gateway
     as a decryption oracle. This setting is the default.
  • false
     = Symmetric keys are never blacklisted, even upon failure to decrypt XML.
security.xml.xenc.
blacklist.failWhenFull
Controls the response if the blacklist reach capacity. Value is a Boolean.
  • true
     = All XML decryption attempts fails immediately once the blacklist has reached its capacity (as set in the security.xml.xenc.blacklist.capacity property).
  • false
     = XML decryption continues even if the blacklist is full. This setting is the default.
security.xml.xenc.
blacklist.maxAge
Minimum time a blacklisted key must remain on the blacklist. Value is a time unit.
Default:
7d
The blacklist is cleared when a node is restarted. Blacklisted keys are released, regardless of whether the blacklist period has been observed.
security.xml.xenc.
blacklist.maxFailures
Maximum number of XML decryption attempts that can fail before a key is blacklisted on a node.
Default:
5
security.xml.xenc.
decryptionAlwaysSucceeds
Controls whether XML decryption should appear to succeed after the
API Gateway
 has obtained the symmetric key and attempted to decrypt the CipherValue. Value is a Boolean.
  • true
     = Decryption is always successful. XML that cannot be decrypted is replaced with a dummy element named L7xenc:DecryptionFault in the namespace http://layer7tech.com/ns/xenc/decryptionfault. This makes it more difficult to use the
    API Gateway
     as a decryption oracle. This setting is the default.
  • false
     = The
    API Gateway
     returns its normal response for decryption success and failure. The dummy element is not used.
security.xml.xenc.
encryptEmptyElements
Controls whether the Encrypt Element assertion should encrypt the content of empty elements. Value is a Boolean.
  • true
     = The content of empty elements are encrypted when the assertion is run. This setting is the default.
  • false
     = The empty elements are left unencrypted.

Content feedback and comments