Encrypting Custom SOAP Headers

SOAP data, including the headers described above in Custom SOAP Headers, travels across the wire as plain text by default, so using Rampart to encrypt your IBM Cúram Social Program Management custom SOAP headers is one way to help protect these credentials. Of course, you should plan a security strategy and implementation for all of your web services and related data based on your overall, enterprise-wide requirements, environment and platforms. The information in this section is just one small part of your overall security picture.

There is additional information on coding your web service clients for Rampart security in Using Rampart With Web Services that will help provide context for the following.

The steps to encrypt these headers are:

  1. Add the following to your client descriptor file:
    <encryptionParts>
      {Element}{http://www.curamsoftware.com}Credentials
    </encryptionParts>

    (See Defining the Axis2 Security Configuration for more information on the contents of this file.)

    Or, add the following to your Rampart policy file:

    <sp:EncryptedElements
      xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:sp=
        "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <sp:XPath xmlns:curam="http://www.curamsoftware.com" >
        /soapenv:Envelope/soapenv:Header/curam:Credentials/Password
      </sp:XPath>
    </sp:EncryptedElements>

    (See Defining the Axis2 Security Configuration for more information on the contents of this file.)

  2. Engage and invoke Rampart in your client code as per Using Rampart With Web Services.

With WS-Security applied as above, the credentials header is encrypted in the SOAP message (the wsse:Security header carries the encrypted key that protects it), as shown in the example below, which you can contrast with Figure 3.

In the following example encryptionParts was used to encrypt the IBM Cúram Social Program Management credentials.

Figure 1. Example Encrypted Custom SOAP Header
...

<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soapenv:Header>
    <wsse:Security
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        soapenv:mustUnderstand="1">
      <xenc:EncryptedKey Id="EncKeyId-A5ACA637487ECDA81713059750729855">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            ............
    </wsse:Security>

    <!-- Credential data is then encoded in sections
         that follow as illustrated -->
    <xenc:EncryptedData Id="EncDataId-3"
        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference
            xmlns:wsse="http://..oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <!-- Refers back to the EncryptedKey Id in the wsse:Security header -->
          <wsse:Reference URI="#EncKeyId-A5ACA637487ECDA81713059750729855"/>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>eZFRrk6VSncaDanYCjyVD=</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
    <wsa:Action>urn:simpleXML</wsa:Action>
  </soapenv:Header>
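One way to confirm on a captured message that the configuration above actually took effect, as an added example that is not part of the IBM documentation or of Rampart: this Python check parses a SOAP envelope and reports whether a plaintext curam:Credentials header is still present, whether an Element-typed xenc:EncryptedData replaced it, and whether its key reference resolves to an xenc:EncryptedKey inside wsse:Security. The two sample messages, the Id values and the CipherValue are constructed placeholders shaped like Figure 1.

```python
import xml.etree.ElementTree as ET

# Namespaces of the Figure 1 message and of the Cúram custom header.
NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "curam": "http://www.curamsoftware.com"}
ELEMENT_TYPE = "http://www.w3.org/2001/04/xmlenc#Element"

def check_credentials_encrypted(envelope_xml):
    """Report whether curam:Credentials is protected: no plaintext element, an
    Element-typed EncryptedData, and a key reference into wsse:Security."""
    header = ET.fromstring(envelope_xml).find("soapenv:Header", NS)
    r = {"plaintext_credentials": header.find("curam:Credentials", NS) is not None,
         "encrypted_data": False, "key_reference_resolves": False,
         "data_algorithm": None, "key_algorithm": None}
    # EncryptedKey Id -> key-transport algorithm, taken from the wsse:Security header.
    keys = {ek.get("Id"): ek.find("xenc:EncryptionMethod", NS).get("Algorithm")
            for ek in header.findall("wsse:Security/xenc:EncryptedKey", NS)}
    for ed in header.findall("xenc:EncryptedData", NS):
        if ed.get("Type") != ELEMENT_TYPE:
            continue  # content-only encryption would leave the element name visible
        r["encrypted_data"] = True
        r["data_algorithm"] = ed.find("xenc:EncryptionMethod", NS).get("Algorithm")
        ref = ed.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        key_id = ref.get("URI", "").lstrip("#") if ref is not None else None
        if key_id in keys:  # the data key must be wrapped by a key the receiver holds
            r["key_reference_resolves"], r["key_algorithm"] = True, keys[key_id]
    r["ok"] = (not r["plaintext_credentials"] and r["encrypted_data"]
               and r["key_reference_resolves"])
    return r

# Constructed samples (not from the page): the header before Rampart is applied,
# and one shaped like Figure 1 with placeholder Id and CipherValue.
PLAINTEXT_MSG = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><curam:Credentials xmlns:curam="http://www.curamsoftware.com">
<Username>caseworker</Username><Password>secret</Password></curam:Credentials>
</soapenv:Header><soapenv:Body/></soapenv:Envelope>"""
ENCRYPTED_MSG = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<soapenv:Header><wsse:Security soapenv:mustUnderstand="1">
<xenc:EncryptedKey Id="EncKeyId-PLACEHOLDER"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/></xenc:EncryptedKey></wsse:Security>
<xenc:EncryptedData Id="EncDataId-3" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo>
<wsse:SecurityTokenReference><wsse:Reference URI="#EncKeyId-PLACEHOLDER"/></wsse:SecurityTokenReference>
</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>UExBQ0VIT0xERVI=</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""
```

The reported algorithms are the ones Figure 1 shows (rsa-1_5 key transport, aes128-cbc data encryption); compare them against your own security policy. Encryption alone does not detect tampering with the message, so pair it with signing as your policy requires.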