Hi All,
We need to expose a SOAP web service endpoint to an external partner.
The web service will need to be secured using WS-Security X.509 certificate.
Can you please confirm whether Apigee can handle the WS-Security header, perform the authentication, and pass the request through to a target internal SOAP endpoint that is not secured?
Please advise.
Thanks, Mohan
@Dino Could you please help me with the above issue? Thanks.
Hi Mohana
Yes. Let me explain.
Apigee Edge is a smart proxy. There are 30+ builtin "policies" that you can configure on an API proxy, to do things like
The designers of Apigee Edge recognize that there will always be cases that cannot be handled by the builtin policies. So Edge includes a way to extend the function. You can build your own policies.
For example, a customer a while ago asked for a way to verify an HMAC on some of the inbound requests. An HMAC is just a keyed hash - basically you use a hash function like SHA256, and combine it with a digital signature, and that's an HMAC. There are various APIs that use HMACs to provide integrity verification of requests - a big example is the various AWS APIs. They use HMAC extensively. But many other APIs do as well.
Apigee Edge didn't include an HMAC verification policy right out of the box, so we built one using the extensibility mechanism. You can find it here. It's free to use, open source, and easy to employ in your API proxies.
OK, but you didn't ask about HMAC. You asked about WS-Security and signatures based on X.509 certificates. And that's another one of those capabilities that is currently supported via an extension policy. The WS-Sec policy is here.
That policy can be used to verify a SOAP signature and then strip off the signature. If you employ it in a Proxy, then the backend system would receive the unsigned SOAP message.
The configuration for this is like so:
```xml
<JavaCallout name='Java-VerifySignature'>
  <Properties>
    <Property name='alias'>{private.keyalias}</Property>
    <Property name='password'>{private.keypassword}</Property>
    <Property name='jks-base64'>{private.jks-base64}</Property>
  </Properties>
  <ClassName>com.google.apigee.callout.wssec.SOAPVerifier</ClassName>
  <ResourceURL>java://edge-wssec-sign-x509-1.0.4.jar</ResourceURL>
</JavaCallout>
```
This policy will implicitly read the message content, verify the signature, and then transform the message to strip the signature out.
There's a newer callout available which is more configurable, and may be better suited to your needs:
https://github.com/DinoChiesa/ApigeeEdge-Java-WsSec-Signature-2
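The verify-then-strip behaviour the callout provides at the proxy, as an added stdlib Python illustration (not the callout's code and not part of the answer above): it checks that the ds:Reference in the wsse:Security header actually covers the soap:Body and that the Body's wsu:Id is not duplicated elsewhere in the envelope, then removes the wsse:Security header so the internal endpoint receives a plain SOAP message. The request is a constructed sample with placeholder token, digest and signature values, and the cryptographic signature check itself is left to the callout.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep readable prefixes when re-serialising
WSU_ID = "{%s}Id" % NS["wsu"]
# Constructed sample request as a partner would send it; token, digest and signature are placeholders.
SIGNED_REQUEST = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
 xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
 <soap:Header>
  <wsse:Security soap:mustUnderstand="1">
   <wsse:BinarySecurityToken wsu:Id="X509-1">PLACEHOLDER-CERT</wsse:BinarySecurityToken>
   <ds:Signature>
    <ds:SignedInfo>
     <ds:Reference URI="#Body-1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
   </ds:Signature>
  </wsse:Security>
 </soap:Header>
 <soap:Body wsu:Id="Body-1"><getOrder xmlns="urn:partner"><id>42</id></getOrder></soap:Body>
</soap:Envelope>"""

def body_is_covered_by_signature(envelope_xml: str) -> bool:
    """True only if soap:Body has a wsu:Id that a ds:Reference points at and no other element reuses it."""
    root = ET.fromstring(envelope_xml)
    body = root.find("soap:Body", NS)
    body_id = body.get(WSU_ID) if body is not None else None
    if not body_id:
        return False
    refs = root.findall("soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference", NS)
    referenced = {r.get("URI", "").lstrip("#") for r in refs}
    # A second element carrying the same wsu:Id is the classic signature-wrapping trick; reject it.
    id_count = sum(1 for e in root.iter() if e.get(WSU_ID) == body_id)
    return body_id in referenced and id_count == 1

def strip_security_header(envelope_xml: str) -> str:
    """Remove wsse:Security so the unsecured backend receives a plain SOAP message."""
    root = ET.fromstring(envelope_xml)
    header = root.find("soap:Header", NS)
    for sec in header.findall("wsse:Security", NS):
        header.remove(sec)
    return ET.tostring(root, encoding="unicode")
```

In the proxy, a message would only be forwarded when the callout's signature verification passes and a structural check like `body_is_covered_by_signature` returns True.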