Configuring digital signature and encryption for SOAP connectors
If your application connects to an external SOAP service that requires WS-Security, you can create a SOAP connector that uses a digital signature and encryption. To do so, you configure the connector rule to include the security credentials in the wsse:Security header of the SOAP request envelope.
You create a WS-Security profile in Pega Platform and define a keystore. The keystore holds the cryptographic material (private keys and certificates) that is used for authentication and encryption. Requests that use a digital signature are signed with a private key from the keystore file that you upload. An encryption configuration lets you encrypt specified parts of an outgoing message so that only the receiving service, which holds the matching private key, can decrypt them.
An encrypted request or response carries an xenc:EncryptedData element in its Body. The ds:KeyInfo inside it does not contain the key itself: its wsse:SecurityTokenReference points, by URI, at an xenc:EncryptedKey element in the wsse:Security header of the same message, which holds the content-encryption key wrapped for the recipient's certificate. The xenc:CipherValue is the ciphertext of the original Body content. The following excerpt shows the Body of such a message; the Envelope start tag and the Security header are not shown.
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-7739053">
  <xenc:EncryptedData Id="EncDataId-7739053" Type="http://www.w3.org/2001/04/xmlenc#Content">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <wsse:Reference URI="#EncKeyId-urn:uuid:FA106335A882E157EB12586467444374" />
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue>
        pREpviwoLsfjIUNvvUCQfbIq+6kRcLT5soMa28Vd5BCIstlkACbSLIsg+b+LDLKyaeHyR0IAYaDC
        YXhUk9yJ5LQbiaoMuUWIh/u2c9DB2qAnjYeOpkf0Hn6JWQckxlC2OexaUO1DF8oVYINKxLGFcIDh
        CgOpcw/yEbthbhzno1TRbvHa/4i7Y/0MnhY00g3I0mNyAATQyIFy0OSkZa3VtdcFwJ+Q0JojfKAC
        y6qyfrpxjsFasR+dYJT3Lr51c5EFgbTf/BqF6vgCzzl/o5IqS3fSLUKn+ngwoBADYJiS/BZyiu6rIkr
        yUjWB1hda/mlfkDr2FpG5TVvSflKQTaKiZsDM9dPSLVVraLjcuAt3ANeAaDl9ik6H+mK4Kxd+TLp
        DUo8Xvwvg0iIYIEhi4LVxOmJxV09NJxyJ6u4JLpt12bQHUhVmPR+D9iI592YZxxSNsQ7vA31EaQL
        KC8m+JHqr1drZjaWl9mWb4pIJ76tRjQoTfkTybGDUjDqiXEOyHDe8kYO0Ez6rlV6ZrmaEN0IyNTY
        eAeJEPm9jDvzRXfMhWKtIwzYOOYo9biv9tmqFms5xwca0RT+TpP8IAzsgXm4Pvtu77+JvgdVQgkZ
      </xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>
Note that this example encrypts the Body with http://www.w3.org/2001/04/xmlenc#tripledes-cbc. 3DES is a legacy algorithm (NIST SP 800-131A Rev. 2 disallows it for encryption after 2023), and CBC-mode XML Encryption whose ciphertext is not covered by a signature is exposed to padding-oracle attacks. Where the service supports it, select an AES algorithm, preferably AES-GCM (http://www.w3.org/2009/xmlenc11#aes128-gcm), and sign the encrypted Body.
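The receiving side of such an exchange should not hand an envelope to its decryption routine until it has checked that the structure is what the WS-Security profile promised. The following Python script is an added example (it is not Pega Platform code and does not use any Pega API) that applies those checks to an inbound envelope: the Body is encrypted with an acceptable algorithm, the KeyInfo reference resolves to an xenc:EncryptedKey in the wsse:Security header, the Timestamp is present and fresh, and the Signature covers the Body by its wsu:Id. The two sample envelopes are constructed for this example; their CipherValue contents are placeholders and nothing is decrypted or cryptographically verified here. The algorithm allow-list is this example's policy, not a Pega default.

```python
"""Added example (not Pega Platform code): structural policy checks on an inbound
WS-Security SOAP envelope, run before the message reaches decryption logic."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Data-encryption algorithms this example's policy accepts; tripledes-cbc is deliberately absent.
ALLOWED_DATA_ENC = {
    "http://www.w3.org/2009/xmlenc11#aes128-gcm",
    "http://www.w3.org/2009/xmlenc11#aes256-gcm",
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
}

def _parse_wsu_time(text):
    """Parse a wsu:Created/wsu:Expires value such as 2024-01-01T11:58:00Z."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))

def check_envelope(xml_text, now=None, max_skew=timedelta(minutes=5)):
    """Return a list of findings; an empty list means the envelope passed."""
    now = now or datetime.now(timezone.utc)
    findings = []
    root = ET.fromstring(xml_text)
    security = root.find("soapenv:Header/wsse:Security", NS)
    body = root.find("soapenv:Body", NS)
    if security is None or body is None:
        return ["missing wsse:Security header or soapenv:Body"]
    # 1. The Body content must be encrypted with an allowed algorithm.
    enc = body.find("xenc:EncryptedData", NS)
    if enc is None:
        findings.append("Body is not encrypted")
    else:
        method = enc.find("xenc:EncryptionMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg not in ALLOWED_DATA_ENC:
            findings.append("disallowed data encryption algorithm: %s" % alg)
        # 2. KeyInfo must reference an EncryptedKey carried in the Security header.
        ref = enc.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        uri = ref.get("URI", "") if ref is not None else ""
        key_ids = {ek.get("Id") for ek in security.findall("xenc:EncryptedKey", NS)}
        if not uri.startswith("#") or uri[1:] not in key_ids:
            findings.append("KeyInfo reference %r does not resolve to an EncryptedKey" % uri)
    # 3. The Timestamp must be present, complete, and fresh.
    created = security.find("wsu:Timestamp/wsu:Created", NS)
    expires = security.find("wsu:Timestamp/wsu:Expires", NS)
    if created is None or expires is None:
        findings.append("missing or incomplete wsu:Timestamp")
    else:
        if _parse_wsu_time(created.text) > now + max_skew:
            findings.append("Timestamp Created is in the future")
        if _parse_wsu_time(expires.text) <= now:
            findings.append("Timestamp has expired")
    # 4. A Signature must exist and reference the Body by its wsu:Id, so a substituted
    # or wrapped Body is rejected even when some other element is signed.
    sig_refs = {r.get("URI") for r in security.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    body_id = body.get("{%s}Id" % NS["wsu"])
    if not sig_refs:
        findings.append("missing ds:Signature")
    elif body_id is None or "#" + body_id not in sig_refs:
        findings.append("Signature does not cover the Body")
    return findings

# Constructed sample of a compliant envelope; CipherValue contents are placeholders.
GOOD_ENVELOPE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<soapenv:Header><wsse:Security>
<wsu:Timestamp><wsu:Created>2024-01-01T11:58:00Z</wsu:Created><wsu:Expires>2024-01-01T12:03:00Z</wsu:Expires></wsu:Timestamp>
<xenc:EncryptedKey Id="EK-1"><xenc:CipherData><xenc:CipherValue>QUJD</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>
<ds:Signature><ds:SignedInfo><ds:Reference URI="#Body-1"/></ds:SignedInfo></ds:Signature>
</wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="Body-1"><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#EK-1"/></wsse:SecurityTokenReference></ds:KeyInfo>
<xenc:CipherData><xenc:CipherValue>QUJD</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData></soapenv:Body></soapenv:Envelope>"""

# Constructed counter-example mirroring the page's sample: 3DES-CBC, a dangling key reference, no Signature.
BAD_ENVELOPE = (GOOD_ENVELOPE
    .replace("http://www.w3.org/2009/xmlenc11#aes128-gcm", "http://www.w3.org/2001/04/xmlenc#tripledes-cbc")
    .replace('URI="#EK-1"', 'URI="#EncKeyId-missing"')
    .replace('<ds:Signature><ds:SignedInfo><ds:Reference URI="#Body-1"/></ds:SignedInfo></ds:Signature>', ""))

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # inside the sample's Timestamp window
LATER = NOW + timedelta(minutes=10)                      # after the sample's wsu:Expires

if __name__ == "__main__":
    print(check_envelope(BAD_ENVELOPE, now=NOW))
```

The script deliberately stops at structure: once an envelope passes, the actual signature verification and decryption belong to a WS-Security implementation with access to the keystore. Running the check first means a message that uses a disallowed algorithm, references a key that is not in the header, or leaves the Body unsigned is rejected before any cryptographic processing, which removes the input that padding-oracle and signature-wrapping attacks depend on.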
The following tasks explain how to create a WS-Security profile that uses encryption, signature, and timestamp credentials. For more information about using the username credential, see Creating SOAP connectors that use WSS username tokens and timestamps.
Before you begin the following tasks, make sure you create a SOAP connector. For more information, see Creating a SOAP integration.
- Creating a WS-Security profile from a SOAP connector
Create a WS-Security profile data instance that uses a digital signature and encryption. Use the WS-Security profile data instance to securely exchange messages between your application and a web service.
- Configuring the keystore for a WS-Security profile
Create a keystore, which contains a collection of cryptographic data used for authentication and encryption. Requests that use a digital signature are digitally signed using information in the keystore file that you upload.
- Defining outbound SOAP messages for WS-Security profile data instances
Create a WS-Security profile to securely exchange messages between your application and a web service. Use the Out Flow tab to configure WS-Security on outbound SOAP messages.
- Defining inbound SOAP messages for WS-Security profile data instances
Create a WS-Security profile to securely exchange messages between your application and a web service. Use the In Flow tab to configure WS-Security on inbound SOAP messages.