WS-Security for SOAP Requests using X.509 certificate

Hi All,

We need to expose a SOAP web service endpoint to an external partner.
The web service will need to be secured using a WS-Security X.509 certificate.

Can you please confirm whether Apigee can handle the WS-Security header, perform the authentication, and pass the request through to a target internal SOAP endpoint that is not secured?

Please advise.

Thanks, Mohan


@Dino Could you please advise me on the above issue? Thanks.

Hi Mohana

Yes. Let me explain.

Apigee Edge is a smart proxy. There are 30+ built-in "policies" that you can configure on an API proxy, to do things like

  • transform the inbound message from JSON to XML or vice-versa
  • verify an inbound API Key
  • verify an inbound OAuthV2 token
  • verify or generate a JWT signed with HMAC or RSA
  • perform a cache lookup or cache population
  • transform an XML with XSLT
  • inject headers or query params, or remove same

The designers of Apigee Edge recognize that there will always be cases that cannot be handled by the built-in policies. So Edge includes a way to extend the function. You can build your own policies.

For example, a customer a while ago asked for a way to verify an HMAC on some of the inbound requests. An HMAC is just a keyed hash - basically you use a hash function like SHA256, and combine it with a digital signature, and that's an HMAC. There are various APIs that use HMACs to provide integrity verification of requests - a big example is the various AWS APIs. They use HMAC extensively. But many other APIs do as well.

Apigee Edge didn't include an HMAC verification policy right out of the box, so we built one using the extensibility mechanism. You can find it here. It's free to use, open source, and easy to employ in your API proxies.

OK, but you didn't ask about HMAC. You asked about WS-Security and signatures based on X.509 certificates. And that's another one of those capabilities that is currently supported via an extension policy. The WS-Sec policy is here.

That policy can be used to verify a SOAP signature and then strip off the signature. If you employ it in a Proxy, then the backend system would receive the unsigned SOAP message.

The configuration for this is like so:

<JavaCallout name='Java-VerifySignature'>
  <Properties>
    <!-- Variables with the private. prefix are masked in the Edge Trace tool;
         populate them from an encrypted KVM rather than hard-coding keystore material. -->
    <Property name='alias'>{private.keyalias}</Property>
    <Property name='password'>{private.keypassword}</Property>
    <Property name='jks-base64'>{private.jks-base64}</Property>
  </Properties>
  <ClassName>com.google.apigee.callout.wssec.SOAPVerifier</ClassName>
  <ResourceURL>java://edge-wssec-sign-x509-1.0.4.jar</ResourceURL>
</JavaCallout>

This policy will implicitly read the message content, verify the signature, and then transform the message to strip the signature out.

There's a newer callout available which is more configurable, and may be better suited to your needs:

https://github.com/DinoChiesa/ApigeeEdge-Java-WsSec-Signature-2
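The verify-then-strip flow described in the reply above, as an added example that is not part of the original thread and is not the callout's own code. It is standard-library Python so it runs offline: it builds a SOAP envelope whose soap:Body is signed by reference to its wsu:Id, verifies it the way a gateway policy would, removes the wsse:Security header, and returns what the unsecured backend would receive. Two stand-ins are assumptions, both marked in the code: ElementTree's C14N 2.0 in place of the exclusive C14N 1.0 that WS-Security uses, and textbook RSA over SHA-256 with a hardcoded toy key built from two Mersenne primes in place of RSASSA-PKCS1-v1_5 under an X.509 certificate. The ds:Signature is also trimmed to Reference, DigestValue and SignatureValue, with no KeyInfo, BinarySecurityToken, Transforms or algorithm elements. The check a practitioner most wants in this design is the one after the digests: because the backend never sees the signature, the policy must confirm that the soap:Body it forwards is itself one of the signed elements, otherwise a signed Body parked elsewhere in the message (signature wrapping) passes every other check. The helper signature_wrapping() constructs that attack so the rejection can be exercised; all names and the sample getQuote body are constructed for this example.

```python
"""Verify-then-strip for a WS-Security signed SOAP message: constructed example,
standard library only, not Apigee's callout code.  Two labelled stand-ins:
ElementTree's C14N 2.0 for exclusive C14N 1.0, and textbook RSA over SHA-256
with a fixed toy key for RSASSA-PKCS1-v1_5 under an X.509 certificate."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():    # keep the conventional prefixes on re-serialisation
    ET.register_namespace(_prefix, _uri)

def tag(prefix, local):             # Clark-notation name, e.g. tag("soap", "Body")
    return f"{{{NS[prefix]}}}{local}"

def c14n(element):                  # canonical bytes of one element subtree (C14N 2.0 here)
    return ET.canonicalize(ET.tostring(element)).encode()

def toy_rsa_keypair():
    """Fixed toy key from the Mersenne primes 2**521-1 and 2**127-1; public, never for real use."""
    p, q, e = 2**521 - 1, 2**127 - 1, 65537
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def rsa_sign(priv, data):           # textbook RSA on the SHA-256 value, no PKCS#1 padding
    n, d = priv
    m = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(m, d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_verify(pub, data, sig):
    n, e = pub
    s = int.from_bytes(sig, "big")
    return 0 < s < n and pow(s, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def build_signed_envelope(priv, body_xml="<getQuote><symbol>GOOG</symbol></getQuote>"):
    """Partner side: soap:Body signed by reference to its wsu:Id (KeyInfo, Transforms
    and algorithm elements omitted; the algorithms are fixed by convention here)."""
    env = ET.Element(tag("soap", "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, tag("soap", "Header")), tag("wsse", "Security"))
    body = ET.SubElement(env, tag("soap", "Body"), {tag("wsu", "Id"): "Body-1"})
    body.append(ET.fromstring(body_xml))
    sig = ET.SubElement(sec, tag("ds", "Signature"))
    si = ET.SubElement(sig, tag("ds", "SignedInfo"))
    ref = ET.SubElement(si, tag("ds", "Reference"), URI="#Body-1")
    digest = hashlib.sha256(c14n(body)).digest()
    ET.SubElement(ref, tag("ds", "DigestValue")).text = base64.b64encode(digest).decode()
    signature = rsa_sign(priv, c14n(si))          # SignedInfo is complete at this point
    ET.SubElement(sig, tag("ds", "SignatureValue")).text = base64.b64encode(signature).decode()
    return ET.tostring(env)

def verify_and_strip(envelope, pub):
    """Gateway side: verify, insist that the soap:Body itself is signed, then return the
    envelope without wsse:Security.  Raises ValueError so the proxy can reject the request."""
    env = ET.fromstring(envelope)
    header = env.find("soap:Header", NS)
    sec = header.find("wsse:Security", NS) if header is not None else None
    si = sec.find("ds:Signature/ds:SignedInfo", NS) if sec is not None else None
    if si is None:
        raise ValueError("missing wsse:Security/ds:Signature/ds:SignedInfo")
    sig = base64.b64decode(sec.findtext("ds:Signature/ds:SignatureValue", "", NS))
    if not rsa_verify(pub, c14n(si), sig):
        raise ValueError("SignatureValue does not verify over SignedInfo")
    signed = []
    for ref in si.findall("ds:Reference", NS):
        uri = ref.get("URI", "")
        hits = [el for el in env.iter() if uri[:1] == "#" and el.get(tag("wsu", "Id")) == uri[1:]]
        if len(hits) != 1:          # unresolved or duplicated wsu:Id: reject, never guess
            raise ValueError(f"Reference {uri!r} must resolve to exactly one element")
        expected = base64.b64decode(ref.findtext("ds:DigestValue", "", NS))
        if hashlib.sha256(c14n(hits[0])).digest() != expected:
            raise ValueError(f"DigestValue mismatch for {uri!r}")
        signed.append(hits[0])
    # Anti-wrapping: the backend only ever sees the stripped message, so the Body it
    # will act on must be one of the signed elements itself, not an unsigned sibling.
    body = env.find("soap:Body", NS)
    if body is None or not any(el is body for el in signed):
        raise ValueError("soap:Body is not covered by the signature")
    header.remove(sec)
    if len(header) == 0:
        env.remove(header)
    return ET.tostring(env)

def signature_wrapping(envelope, evil_xml):
    """Constructed attack: park the signed Body under the header (it still verifies)
    and put an unsigned Body where the backend will look."""
    env = ET.fromstring(envelope)
    header, body = env.find("soap:Header", NS), env.find("soap:Body", NS)
    env.remove(body)
    ET.SubElement(header, "Wrapper").append(body)
    ET.SubElement(env, tag("soap", "Body")).append(ET.fromstring(evil_xml))
    return ET.tostring(env)

def is_accepted(envelope, pub):     # True if the gateway would forward the message
    try:
        return bool(verify_and_strip(envelope, pub))
    except ValueError:
        return False
```

A production policy adds what this example leaves out: binding the signing certificate to the partner (trust chain or pinned thumbprint) rather than trusting whatever key the message carries, checking the wsu:Timestamp against replay, and rejecting a Security header that carries more than one Signature. The anti-wrapping rule generalises to every element the backend will act on: each must be reachable through the signed References, not merely share a wsu:Id with something that is.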