1) Performance. XML processing takes up significant CPU resources. So does cryptography. Together, XML Decryption creates a "perfect storm" of CPU usage.
2) Key generation and key management. It can be very tricky indeed to generate cryptographic keys and then to store them safely on hardware.
The good news is that XML Gateways address both issues. They are high-performance, and they typically include hardware for key storage. Vordel's XML Gateway also includes a simple tool for generating certificates and private keys.
We are going to set up a demo in which a client encrypts part of an XML message using a public key, and an XML Gateway then decrypts the encrypted data using the corresponding private key. This is shown in the schematic below:

To run this demo, you need a copy of the SOAPbox testing tool and a copy of the Vordel XML Gateway (grab an XML Gateway evaluation here). We are going to use the Policy Studio to generate the keys.
The high-level steps are:
Step 1) Create the public and private keys in Policy Studio, then export them.
Step 2) Import the keys into the SOAPbox.
Step 3) Create the XML Decryption policy in Policy Studio.
Step 4) Perform the Encryption in SOAPbox and send the encrypted message to the XML Gateway, where it is decrypted.
Let's get started...
Step 1 - Creating the certificate and private key.
For this demo, we are going to create a self-signed certificate. In a real deployment scenario, of course, you would use a certificate from a trusted CA such as VeriSign, or a corporate CA.
In Policy Studio, open the Certificates configuration by clicking on “Certificates” on the left-hand side:

Press “Edit” beside the “Subject” and enter details. You only need to enter the Common Name and Company Name. Then press “Sign Certificate” and choose “Self-Sign” in order to create the private key also. You can choose “Use Distinguished Name” for the name of the certificate, used to identify it later.
Now press “Export Certificate and Key”. Choose the “PEM” format. Enter a password, and remember it because you will need it later.
Step 2 - Importing the certificate into SOAPbox.
In SOAPbox choose “Security” from the menu, then “View Certificates”.
Press “Create” and then “Import certificate+key”. Load in the certificate file (“PEM” file) which you created in the previous step. (Note: strictly speaking, we only need the public key for this demo, as we're only doing XML Encryption on the client. If you want to follow on and do XML Signature on the client, you'll need the private key. Note also that if you use an XML Gateway appliance, key exporting is highly controlled.)

Step 3 - Configuring the XML Decryption policy in Policy Studio.
Back in Policy Studio, right-click on the policies and choose “Add Policy”.

Give the policy a name:

Drag an “XML Decryption Settings” filter from the right-hand side onto the policy canvas. You can find it under the “Encryption” group.
Enter the settings “Decrypt all” and “Find via KeyInfo in message”, as shown below:

Now, right-click on the “XML Decryption Settings” filter and choose “Set as start”.

We want to echo the decrypted message back to the client (i.e. back to SOAPbox). So we now add a “Reflect” filter at the end of our policy. This is to be found under the “Utility” group. The policy now looks like this:

Now, at the “XML Gateway” level, right-click and choose “Add Relative Path”, as shown below:

Create a path called “/decryption” and map it to the policy you just created.

Be sure to press F5 to push the updated policies out to the XML Gateway. If you are using Policy Director then you must have deploy privileges for that XML Gateway.
Step 4 - Seeing XML Decryption in action with SOAPbox.
Finally we perform the Encryption in SOAPbox and send the encrypted message to the XML Gateway, where it is decrypted.
In SOAPbox, using the “Classic Mode”:

In the SOAPbox screenshot below, you can see the encrypted data in the left-hand (outbound) side. Press “Send Request”. We now see the message being sent to the decryption Web Service. In the response, on the right-hand-side, the data is decrypted:
That is all there is to setting up XML Decryption using SOAPbox, the Policy Studio, and the Vordel XML Gateway.
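To see what the “Find via KeyInfo in message” setting has to work with, the following added Python example (not part of the original walkthrough, and not Vordel or SOAPbox code) lists each EncryptedData element in a message together with the algorithms and the key identifier it carries. The sample message is constructed; it assumes the EncryptedKey is embedded in the EncryptedData's own KeyInfo and identified by an X509Data child, which may differ from the layout SOAPbox actually emits.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
NS = {"xenc": XENC, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample, not captured from SOAPbox: one element of the body is
# encrypted and its session key is wrapped for the certificate in ds:KeyInfo.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><soap:Body><order>
 <item>book</item>
 <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <ds:KeyInfo><xenc:EncryptedKey>
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
   <ds:KeyInfo><ds:X509Data>
    <ds:X509SubjectName>CN=demo,O=Example Co</ds:X509SubjectName>
   </ds:X509Data></ds:KeyInfo>
   <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData>
</order></soap:Body></soap:Envelope>"""

def _alg(node):
    """Short algorithm name from the node's EncryptionMethod child, or None."""
    method = node.find("xenc:EncryptionMethod", NS) if node is not None else None
    if method is None:
        return None
    return (method.get("Algorithm") or "").split("#")[-1] or None

def inspect_encrypted_data(xml_text):
    """Per EncryptedData: what a KeyInfo-driven decryptor must resolve."""
    report = []
    # ElementTree is fine for this constructed input; use a hardened parser
    # (for example defusedxml) before feeding it untrusted XML.
    for ed in ET.fromstring(xml_text).iter("{%s}EncryptedData" % XENC):
        ek = ed.find("ds:KeyInfo/xenc:EncryptedKey", NS)
        x509 = ek.find("ds:KeyInfo/ds:X509Data", NS) if ek is not None else None
        hint = None
        if x509 is not None and len(x509):
            text = " ".join("".join(x509[0].itertext()).split())
            hint = (x509[0].tag.split("}")[-1], text)
        report.append({"scope": (ed.get("Type") or "").split("#")[-1],
                       "data_alg": _alg(ed), "key_alg": _alg(ek),
                       "key_hint": hint, "resolvable": hint is not None})
    return report

if __name__ == "__main__":
    for row in inspect_encrypted_data(SAMPLE):
        print(row)
```

A row with `resolvable` set to `False` means the message carries no key identifier in the layout assumed here, so a lookup driven by KeyInfo would have nothing to match against the certificate store.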