Security Sample Policies

Overview

The security sample policies demonstrate digital signature verification and cryptographic operations (encryption and decryption). This topic describes the sample policy circuits, and explains how to run these samples.

Signature Verification

The Signature Verification sample policy sends a digitally signed version of the StockQuote request to the Enterprise Gateway. The message carries the signature in the Web Service header. A sample certificate/key pair (Samples Test Certificate) is used to sign the message and verify the signature. Signature verification is used for authentication purposes, and therefore an HTTP 403 error code is returned if a problem occurs.

Signature Verification Policy
The Signature Verification policy circuit is as follows:

Signature Verification Policy Circuit

The Signature Verification policy performs the following tasks:

  1. The signature contained in the request is verified. The signature must be located in a WS Security block.
  2. If the verification is successful, the StockQuote demo service is invoked.
  3. The response body is signed and returned to the client.
  4. If the verification fails, an HTTP 403 error code is returned to the client.
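
The placement rule in step 1 and the 403 outcome in step 4 can be illustrated with a structural pre-check. This is an added example, not code from the product or its samples: it performs no cryptographic verification, and the SOAP 1.1 namespace, the requirement that the signature reference the Body, and the helper names precheck and sample are assumptions.

```python
import xml.etree.ElementTree as ET

# Standard WS-Security / XML Signature namespaces; SOAP 1.1 is assumed here.
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % WSU

def precheck(envelope_xml):
    """Return (http_status, reason). Structural checks only, no cryptography."""
    try:
        # For untrusted input, use a hardened parser (for example defusedxml).
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return 403, "not well-formed XML"
    sigs = root.findall("soap:Header/wsse:Security/ds:Signature", NS)
    if len(sigs) != 1 or len(root.findall(".//ds:Signature", NS)) != 1:
        return 403, "expected exactly one Signature, inside the WS-Security block"
    bodies = root.findall("soap:Body", NS)
    if len(bodies) != 1:
        return 403, "expected exactly one Body under the Envelope"
    body_id = bodies[0].get(WSU_ID)
    refs = [r.get("URI", "") for r in sigs[0].findall("ds:SignedInfo/ds:Reference", NS)]
    if not body_id or "#" + body_id not in refs:
        return 403, "Signature does not reference the Body (assumed requirement)"
    # A repeated Id makes the reference ambiguous, so reject it.
    if sum(1 for e in root.iter() if e.get(WSU_ID) == body_id) != 1:
        return 403, "Body Id is not unique in the message"
    return 200, "structure ok; cryptographic verification still required"

def sample(sig_in_security=True, ref="#body-1", extra=""):
    """Constructed SOAP envelope; the Signature is a stub with no real values."""
    sig = '<ds:Signature><ds:SignedInfo><ds:Reference URI="%s"/></ds:SignedInfo></ds:Signature>' % ref
    header = "<wsse:Security>%s</wsse:Security>" % sig if sig_in_security else "<wsse:Security/>" + sig
    return ('<soap:Envelope xmlns:soap="%s" xmlns:wsse="%s" xmlns:ds="%s" xmlns:wsu="%s">'
            '<soap:Header>%s%s</soap:Header><soap:Body wsu:Id="body-1"><getQuote/></soap:Body>'
            '</soap:Envelope>' % (NS["soap"], NS["wsse"], NS["ds"], WSU, header, extra))

if __name__ == "__main__":
    for name, xml in [("valid", sample()), ("misplaced", sample(sig_in_security=False)),
                      ("duplicate id", sample(extra='<x wsu:Id="body-1"/>'))]:
        print(name, precheck(xml))
```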

Running the Signature Verification Sample
You can call the sample service using the Send Request (sr) command or the Service Explorer GUI:

SR Command
Enter the following command:

    sr -f GW_INSTALL/samples/SamplePolicies/Security/SignatureVerification/Request.xml http://localhost:8081/signatureverification

For more details, see the topic on Stress Testing with Send Request (SR).

Service Explorer
Perform the following steps:

  1. Specify the following URL in the Request Settings:

    http://hostname:8081/signatureverification
    

  2. Select POST as the Verb.
  3. Click the Close button.
  4. Select File -> Load, and browse to the following file as input for the request:

    GW_INSTALL/samples/SamplePolicies/Security/SignatureVerification/Request.xml   
    

  5. Click the Send Request button.

For more details, see the topic on Sending a Request using Service Explorer.

Encryption and Decryption

This sample uses XML decryption on the request and applies encryption on the response. The sample policy includes a Main policy, which chains together the calls that decrypt the request, the invocation of the back-end service, and the encryption of the response.

Main Policy
The Main policy circuit is as follows:

Main Policy Circuit

The Main policy performs the following tasks:

  1. Decrypt Request is a policy shortcut, which invokes another policy that takes the inbound request and decrypts it.
  2. The decrypted request is routed to the back-end service.
  3. The Encrypt Response policy shortcut invokes a policy that encrypts the response from the back-end service.

Decrypt Policy
The Decrypt policy circuit is as follows:

Decrypt Policy Circuit

The Decrypt policy performs the following tasks:

  1. The decryption settings are defined: what to decrypt and which key to use.
  2. The XML decryption is executed based on the defined settings.

Encrypt Policy
The Encrypt policy circuit is as follows:

Encrypt Policy Circuit

The Encrypt policy performs the following tasks:

  1. The encryption settings are defined: what to encrypt, which symmetric key to use, which certificate to use, and how to encrypt (algorithm and where to place the encryption information).
  2. The XML encryption is executed based on the defined settings.

Running the Encryption and Decryption Sample
You can call the sample service using the Send Request (sr) command or the Service Explorer GUI:

SR Command
Enter the following command:

    sr -f GW_INSTALL/samples/SamplePolicies/Security/Encryption/Request.xml http://localhost:8081/encryption

For more details, see the topic on Stress Testing with Send Request (SR).

Service Explorer
Perform the following steps:

  1. Specify the following URL in the Request Settings:

    http://hostname:8081/encryption
    

  2. Select POST as the Verb.
  3. Click the Close button.
  4. Select File -> Load, and browse to the following file as input for the request:

    GW_INSTALL/samples/SamplePolicies/Security/Encryption/Request.xml   
    

  5. Click the Send Request button.

For more details, see the topic on Sending a Request using Service Explorer.