Wednesday, January 9, 2008

OWSM Field Level Encryption

I had chance to work on OWSM agents and different type of encryption. Here I would like to present the solution for OWSM field level encryption. I already had encryption/decryptioin example working for full payload, so here I will just provide tricks on how to configure OWSM for field level encryption.

It is basically doing XPATH encryptiong, as described in

Step 1.

I created a BPEL process called DemoOWSMFieldLevelEncryption which pretty much returns the input string. Here is how it looks like:

I have input payload with SSN number in it, which I am interested in encrypting:

Please note down the namespace, it is used when we encrypt the message.
Step 2:

Just for testing purpose I registered that service in OWSM gateway, and start creating policies for the service as shown below:

If we look at the XML encrypt in more detail :

Here I am using existing utility to create JKS files. Interesting thing to note down is:

Encrypted Content: XPATH

Encrypt XPATH: /soap:Envelope/soap:Body/ns1:DemoFieldLevelEncryptionProcessRequest/ns1:SSN
Encrypt namespaces: soap=,ns1=

As you can see, I am using soap and ns1 namespaces in my XPATH, so I have to define them in namespaces section as comma seperated values.

If we look into XML decrypt, it remains pretty much the same. XML encrypt of body/header/envelope or xpath doesn't change XML decrption part.

I created LOG before and after each policy step as part of best practices.

Step 3:

Now time for testing. I used OWSM test page to test my registered service and used Execution Logs to check if messages are getting encrypted and then decrypted back to the original content. Here is what I saw:

First log (SSN is encrypted)

Second Log: SSN is decrypted back to the original value

It seems like it is encrypting and decrypting field level variables. Source code can be downloaded at here.


Satendra Pare said...

Hello Chintan , I tried encryption and decytion steps u provided in your blog... all the jks file and certificate file are under D:\temp\owsm and other configuration property are as same as u told to do ... but at run time it is not encryption the xpath element ..

please tell me.. how can i proceed..

Satendra Pare said...

Hello..... I found the answer...
first problem was related to namespace .. .so if any body faces this problem .. just check your all configuration property and ..
If in all the condition not able to run successfully .. just restart the server and try again... this is my experiance....

Anonymous said...

Hi Chintan,
have you tried to configure encryption of the SOAP Response too?
As the XML Encrypt step in OWSM uses asymmetric encryption this requires that the encryptor knows the public key of the decryptor.
As the public key to be used depends on which decryptor is to receive the encrypted SOAP Response - how can OWSM select the proper public key to use for encryption of the SOAP Response?

Jøran :-)

Anonymous said...

Hi Chintan, I cant see your screen shots attached here. Is it not available now? or its been deleted?

How can i see screenshots?

Chintan Shah said...

It is available and I'm able to see it. Let me know if you still having issue, I can send the article via email.



Anonymous said...

Hi Chintan, I got it! It was blocked in my office but when i tried from my home, it worked,


I have another question. If i am using a Secured web service in my BPEL process, do i need to secure my Bpel process as well???

Scenario is, i am invoking three secure web services in my Bpel process. Nothing else, just invoking, both WS and BPEL processes does the same job. Do i need to secure my bpel process as well? or since i am already invoking a secure WS, it should solve my purpose?

Thanks in advance chintan.

Chintan Shah said...

I guess you have to protect both, but BPEL can just propagate the credentials to the web-service which probably can reduce and simplify your implementation scenario.

Anonymous said...

I followed using the steps and I get >WS-Security process failure:String index out of range: -1

let me know if I am missing something..wht is the issue??