Enable WS-Security for SOAP backends
In a REST to SOAP scenario where the backend demands that the SOAP message be signed with a certificate, it would be great if there were policies that could generate the whole message based on the contents of the body. Right now one can build the SOAP XML message using a liquid template, but then the task of generating the security headers is hard (and I really don't know how to generate them). For example:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservices.myweb.com">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-123456">generated_token</wsse:BinarySecurityToken>
      <ds:Signature Id="SIG-65D54B60823432DD6615040826919135" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="soapenv web" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-12345">
            <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="web" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>digest_value</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>my_signature</ds:SignatureValue>
        <ds:KeyInfo Id="KI-123456"><wsse:SecurityTokenReference wsu:Id="STR-65D54B60823432DD6615040826918923"><wsse:Reference URI="#X509-123456" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference></ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="id-12345" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <web:myMessage>...</web:myMessage>
  </soapenv:Body>
</soapenv:Envelope>
The certificate should be one of those available in my APIM instance.
Thanks.

Hi Carlos – thanks for your feedback. We need more feedback from users on this feature due to the many complexities of how WS-Security is implemented. Would what Carlos describes be helpful for you? Is this preferable to a mutual TLS connection to secure the communication?
4 comments
-
Raul commented
One more waiting for this feature here...
-
Anonymous commented
Several enterprise-level SOAP backends use WS-Security with certificate signatures. We are not always able to change those, and as such this would be needed if we want to consume those services in API Management.
Currently, the best option seems to be a passthrough, but that again limits us to using the full .NET Framework, as .NET Core doesn't support this either.
-
Prasad commented
Hi Team, even we were expecting this functionality to be available.
-
Anonymous commented
When can this be implemented? Waiting for it.