In this situation we are dealing with a non-WS-Security XML Digital
Signature, such as a detached or enveloped signature. WS-Security signatures
have authentication built into the verification policy and are already
covered by the quickstarts that ship with Intel SOA Expressway.
When you use an extension function such as
soae-xf:verify-x509-enveloped-signature, it checks that the digests are
correct and so on, but it does not go on to check whether SOA Expressway trusts
the certificate that signed the message. To do this we must add a BPEL
action that checks the signing certificate against the chain of trust which has been set up in the security
- To do this, first drop an AAA action into your workflow. The
  tokens used here refer to the inbuilt default security configuration
  provided with SOA Expressway; substitute your own tokens
  where necessary. The AAA action needs a message to be passed to it,
  and the inbound request will do.
- Create a policy for this AAA action with the following parameters set:
  - Extract Identity
    - Identity source: X.509 Certificate from workflow
    - Certificate attribute: Full certificate
  - Authenticate Identity
    - Authenticate using: X.509 Certificate Chain of Trust
    - Authentication policy, token name: demo-message-level-authentication-policy
    - CA Path: selected
    - Security configuration, token name: demo_ca_path
- Update the policy back in the AAA action properties pane. You
  will now need to pass a parameter specifying the Source Identity of the
  X.509 Certificate. This can be extracted from the message using XPath
  similar to this:
The above works for the inbuilt security configuration. To switch over to your own
Certification Authority, you must first have added your CA certificate
to the Security Config in the SOA Expressway web interface.
If the authentication fails, the following fault is generated:
Error in checking certificate chain of trust
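The gap described above, shown with plain openssl rather than the SOA Expressway extension functions, as an added example that is not part of the original page or product: a signature over a message verifies correctly with the signer's public key whether or not that signer's certificate chains to the CA you trust, so the chain-of-trust check has to be a separate step. All keys, certificates and the message are constructed in a temporary directory; "Demo CA" stands in for the CA certificate loaded into the Security Config.

```shell
#!/bin/sh
# Added example (not SOA Expressway code). Everything below is constructed:
# a throwaway CA, one certificate issued by it, one self-signed certificate,
# and a small XML message. Requires the openssl command-line tool.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed CA, playing the role of the CA in the Security Config.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Demo CA" -days 1 2>/dev/null
# Signer A: leaf certificate issued by the trusted CA.
openssl req -newkey rsa:2048 -nodes -keyout a.key -out a.csr \
  -subj "/CN=signer-a" 2>/dev/null
openssl x509 -req -in a.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out a.pem -days 1 2>/dev/null
# Signer B: self-signed, so it chains to no configured CA.
openssl req -x509 -newkey rsa:2048 -nodes -keyout b.key -out b.pem \
  -subj "/CN=signer-b" -days 1 2>/dev/null

printf '<order><id>42</id></order>' > msg.xml

# check_signer KEY CERT -> prints "sig=<ok|FAIL> chain=<ok|FAIL>".
# Step 1 is all a signature-verification function establishes on its own;
# step 2 is the separate chain-of-trust check that the AAA action adds.
check_signer() {
  openssl dgst -sha256 -sign "$1" -out msg.sig msg.xml
  openssl x509 -in "$2" -pubkey -noout > signer.pub
  if openssl dgst -sha256 -verify signer.pub -signature msg.sig msg.xml >/dev/null 2>&1
  then sig=ok; else sig=FAIL; fi
  if openssl verify -CAfile ca.pem "$2" >/dev/null 2>&1
  then chain=ok; else chain=FAIL; fi
  echo "sig=$sig chain=$chain"
}

echo "signer-a: $(check_signer a.key a.pem)"   # sig=ok chain=ok
echo "signer-b: $(check_signer b.key b.pem)"   # sig=ok chain=FAIL
```

Signer B's signature is cryptographically valid, which is exactly why a workflow that stops after signature verification still accepts a message from an untrusted certificate.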