ebXML XML Digital Signature Service

The ebXML XML Digital Signature service composes and verifies digital signatures.

The following table provides an overview of the ebXML XML Digital Signature service:

Category Description
System name ebXMLDSig
Graphical Process Modeler (GPM) categories All Services, Internet B2B > ebXML
Description Composes and verifies digital signatures.
Business usage
  • Composes a digital signature (XMLDSIG) on a given node or on the Primary Document by using the private key of a specified certificate, and returns the Signature (digest and signature values) together with the original input node.
  • Validates the signature on the input node or Primary Document by using a public key, taken either from a specified certificate or from the KeyInfo element of the Signature, and reports the result as TRUE or FALSE.
Usage example A business process that needs a node to be digitally signed or verified can invoke this service by passing the required parameters.
Preconfigured? Must be installed and deployed before it can run. There are no configuration parameters required.
Requires third-party files? xss4j.jar (included in Sterling B2B Integrator installation)
Platform availability All supported Sterling B2B Integrator platforms.
Related services No
Application requirements No
Initiates business processes? No
Invocation Runs as part of a business process.
Business process context considerations None
Returned status values None
Restrictions None
Testing considerations Use the correct certificates for signing. The most frequent problem is that the certificates used for signing were not created with a storepass value of integrator and a keypass value of integrator. If you receive an error under this condition, see your system administrator.
Notes Output parameters for signRequest: a node or updated Primary Document containing the original contents and the Signature element after the digital signature is applied. Output parameters for verifyRequest: a node containing the validity of the signature, with the two possible values:
<validity>
  <valid>true</valid>
</validity>
and
<validity>
  <valid>false</valid>
</validity>
and, when the Primary Document was validated, an updated Primary Document. Because the service returns no status value (see Returned status values), the business process must test validity/valid itself before acting on the message.

Parameters Passed from Business Process to Service

The following table describes the parameters that are passed from a business process to the service:

Field Description
certificateIdentifier Alias of the public key of a certificate. When supplied during signing, it causes the KeyInfo element to be included in the Signature. Only applicable when signing the Primary Document. Valid value is a valid alias name. Required when the Signature must carry a KeyInfo element.
ds:Transforms Transforms to be used in the signing, passed as a ds:Transforms node. If omitted, the enveloped-signature Transform is used. Only applicable when signing the Primary Document. Valid value is a valid node.
incomingDoc Node to be digitally signed. If not specified, the Primary Document is signed. Valid value is a valid node.
nodeToSign Name of the node to be signed, found within the Primary Document. If not specified, the whole document is signed. Only applicable when signing the Primary Document. Valid value is a valid node name.
signCertificateIdentifier Alias of the private key of a certificate, used to create the signature. Valid value is a valid alias name.

The incoming document must satisfy the prerequisites of the ebXML XML Digital Signature service. The following is an example node that is passed to the ebXML XML Digital Signature service for signature creation (Content-ID values are escaped because the node lives in XML process data):

<ebXMLMessage>
  <mime:message xmlns:mime="http://www.company.com/mime/v0.5">
    <mime:header name="Content-Type">multipart/related
      <mime:parameter name="start">ebxml-envelope@company.com</mime:parameter>
      <mime:parameter name="type">text/xml</mime:parameter>
    </mime:header>
    <mime:header name="SOAPAction">ebXML</mime:header>
    <mime:body>
      <mime:message>
        <mime:header name="Content-ID">&lt;ebxml-envelope@company.com&gt;</mime:header>
        <mime:header name="Content-Type">text/xml
          <mime:parameter name="charset">UTF-8</mime:parameter>
        </mime:header>
        <mime:body>
          <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://schemas.xmlsoap.org/soap/envelope/ http://www.oasis-open.org/committees/ebxml-msg/schema/envelope.xsd">
            <SOAP-ENV:Header xmlns:eb="http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd">
              <eb:MessageHeader SOAP-ENV:mustUnderstand="1" eb:id="ebxml-MessageHeader-company.com" eb:version="2.0"
                  xsi:schemaLocation="http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd">
                <eb:From>
                  <eb:Role>http://www.company.com/roles/Sender</eb:Role>
                </eb:From>
                <eb:To>
                  <eb:Role>http://www.company.com/roles/Receiver</eb:Role>
                </eb:To>
                <eb:CPAId>CompanyID-CompanyID</eb:CPAId>
                <eb:ConversationId>server::111z1:zzz999z9z:-1111</eb:ConversationId>
                <eb:Service eb:type="string">FileTransfer-Sign</eb:Service>
                <eb:Action>Receive</eb:Action>
                <eb:MessageData>
                  <eb:MessageId>server::111z1:zzz999z9z:-1111</eb:MessageId>
                  <eb:Timestamp>2005-07-18T04:10:18Z</eb:Timestamp>
                </eb:MessageData>
                <eb:Description xml:lang="en-US">An ebXML Message.</eb:Description>
              </eb:MessageHeader>
              <eb:SyncReply SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next" SOAP-ENV:mustUnderstand="1"
                  eb:id="ebxml-SyncReply-company.com" eb:version="2.0"
                  xsi:schemaLocation="http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd"/>
              <eb:AckRequested SOAP-ENV:mustUnderstand="1" eb:id="ebxml-AckRequested-company.com" eb:signed="true" eb:version="2.0"
                  xsi:schemaLocation="http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd"/>
            </SOAP-ENV:Header>
            <SOAP-ENV:Body/>
          </SOAP-ENV:Envelope>
        </mime:body>
      </mime:message>
      <mime:message>
        <mime:header name="Content-ID">&lt;ebxml-payload-0@company.com&gt;</mime:header>
        <mime:header name="Content-Type">application/xml</mime:header>
        <mime:body>
          <doc:document-id xmlns:doc="http://www.company.com/document-id">server:4lll4kdlllrrrr4:-99zz</doc:document-id>
        </mime:body>
      </mime:message>
    </mime:body>
  </mime:message>
</ebXMLMessage>

The following parameters need to be passed to the service when it runs with the output message set to verifyRequest:

Field Description
certificateIdentifier Alias of the public key of a certificate, used to validate the signature. Valid value is a valid alias name. Specify it so that validation uses a certificate you trust; if it is omitted, the key is taken from the KeyInfo element supplied by the sender, which shows only that the message is self-consistent, not who signed it.
documentID Document-id of the MIME message to be verified. Valid value is a valid document id.
incomingDoc Node whose digital signature needs to be verified. Valid value is a valid node.
removeSignature Indicates whether the Signature element is removed from the document after validation. Only applicable when validating the Primary Document. Valid values are True and False.

The incoming document must satisfy the prerequisites of the ebXML XML Digital Signature service. The following is an example node that is passed to the ebXML XML Digital Signature service for signature validation. Note the transform chain in the Reference with URI="": the enveloped-signature Transform removes the Signature itself from the digested content, and the XPath Transform removes every header addressed to the next-hop actors, so an intermediary can rewrite those headers without invalidating the signature:

<ebXMLMessage>
  <mime:message xmlns:mime="http://www.company.com/mime/v0.5">
    <mime:header name="Content-Type">multipart/related
      <mime:parameter name="start">ebxml-envelope@company.com</mime:parameter>
      <mime:parameter name="type">text/xml</mime:parameter>
    </mime:header>
    <mime:header name="SOAPAction">ebXML</mime:header>
    <mime:body>
      <mime:message>
        <mime:header name="Content-ID">&lt;ebxml-envelope@company.com&gt;</mime:header>
        <mime:header name="Content-Type">text/xml
          <mime:parameter name="charset">UTF-8</mime:parameter>
        </mime:header>
        <mime:body>
          <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://schemas.xmlsoap.org/soap/envelope/ http://www.oasis-open.org/committees/ebxml-msg/schema/envelope.xsd">
            <SOAP-ENV:Header xmlns:eb="http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd">
              <eb:MessageHeader SOAP-ENV:mustUnderstand="1" eb:id="ebxml-MessageHeader-company.com" eb:version="2.0"
                  xsi:schemaLocation="http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd">
                <eb:From>
                  <eb:Role>http://www.company.com/roles/Sender</eb:Role>
                </eb:From>
                <eb:To>
                  <eb:Role>http://www.company.com/roles/Receiver</eb:Role>
                </eb:To>
                <eb:CPAId>company-company</eb:CPAId>
                <eb:ConversationId>server::11c1:88888zzzz:-1111</eb:ConversationId>
                <eb:Service eb:type="string">FileTransfer-Sign</eb:Service>
                <eb:Action>Receive</eb:Action>
                <eb:MessageData>
                  <eb:MessageId>server::11c1:88888zzzz:-1111</eb:MessageId>
                  <eb:Timestamp>2002-07-18T04:10:18Z</eb:Timestamp>
                </eb:MessageData>
                <eb:Description xml:lang="en-US">An ebXML Message.</eb:Description>
              </eb:MessageHeader>
              <eb:SyncReply SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next" SOAP-ENV:mustUnderstand="1"
                  eb:id="ebxml-SyncReply-company.com" eb:version="2.0"
                  xsi:schemaLocation="http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd"/>
              <eb:AckRequested SOAP-ENV:mustUnderstand="1" eb:id="ebxml-AckRequested-company.com" eb:signed="true" eb:version="2.0"
                  xsi:schemaLocation="http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd"/>
              <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
                  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                  <ds:Reference Type="http://www.w3.org/2000/09/xmldsig#Object" URI="">
                    <ds:Transforms>
                      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                      <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
                        <ds:XPath>not(ancestor-or-self::node()[@SOAP-ENV:actor="urn:oasis:names:tc:ebxml-msg:service:nextMSH"] | ancestor-or-self::node()[@SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next"])</ds:XPath>
                      </ds:Transform>
                      <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>+TTgggfFZZZ+444t444DDffEEEddddd=</ds:DigestValue>
                  </ds:Reference>
                  <ds:Reference URI="cid:ebxml-payload-0@company.com">
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>5SS4d44dGG1DD1DDddd3FFFee2GGGddd=</ds:DigestValue>
                  </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>
ZZzzzZZzzzZZzzzZZzzzzZZZzAAaaaEEaaaEEEEaaaaEEEaaaaDDDDddDDdddzzzZzzZZzzzZ
zzAA33AAzzz44ZZaaZZZaaZZZaaaZZZZ4eeEEE5WWWqqqEEEaaa4AAAee5DDDddEEEEddd2DDD
9Ik99R3EeeR444rrrFFF4694eeeOOO333aaddii999l=
                </ds:SignatureValue>
              </ds:Signature>
            </SOAP-ENV:Header>
            <SOAP-ENV:Body/>
          </SOAP-ENV:Envelope>
        </mime:body>
      </mime:message>
      <mime:message>
        <mime:header name="Content-ID">&lt;ebxml-payload-0@company.com&gt;</mime:header>
        <mime:header name="Content-Type">application/xml</mime:header>
        <mime:body>
          <doc:document-id xmlns:doc="http://www.company.com/document-id">server:999z9:ggggh9g9g:-99zz</doc:document-id>
        </mime:body>
      </mime:message>
    </mime:body>
  </mime:message>
</ebXMLMessage>
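The transform chain in the Signature above decides which parts of the message the digests actually cover, and a verifier that does not replay it exactly will either reject good messages or accept edited ones. The following Python script is an added example, not Sterling B2B Integrator or xss4j code: it builds a constructed envelope and payload, applies the two transforms from the page (enveloped-signature, then the ancestor-or-self actor filter), computes the two Reference digests, embeds them in a ds:Signature, and then checks them again after three in-transit edits. Editing the SyncReply header (actor="next") leaves both digests valid, because that subtree is outside the signed node-set; editing the MessageHeader or the payload does not. Assumptions, labelled in the code: the envelope and payload are constructed for the example; Python's standard-library canonicalize() implements C14N 2.0 rather than the 2001 inclusive C14N 1.0 named in CanonicalizationMethod, so the digest strings are not byte-compatible with what the service computes; SHA-1 appears only because the page's Signature uses it; and the RSA computation over SignedInfo (SignatureValue) is not performed.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
EB = "http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
for _prefix, _uri in (("SOAP-ENV", SOAP), ("eb", EB), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)

# Actor URIs named in the page's ds:XPath: headers addressed to the next hop
# are excluded from the signed node-set because an intermediary may rewrite them.
NEXT_HOP_ACTORS = {
    "http://schemas.xmlsoap.org/soap/actor/next",
    "urn:oasis:names:tc:ebxml-msg:service:nextMSH",
}
PAYLOAD_CID = "cid:ebxml-payload-0@company.com"

# Constructed sample envelope and payload (not a captured message).
ENVELOPE = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP}" xmlns:eb="{EB}">
<SOAP-ENV:Header>
<eb:MessageHeader SOAP-ENV:mustUnderstand="1" eb:version="2.0">
<eb:From><eb:Role>http://www.company.com/roles/Sender</eb:Role></eb:From>
<eb:To><eb:Role>http://www.company.com/roles/Receiver</eb:Role></eb:To>
<eb:Action>Receive</eb:Action>
</eb:MessageHeader>
<eb:SyncReply SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next" SOAP-ENV:mustUnderstand="1" eb:version="2.0"/>
<eb:AckRequested SOAP-ENV:mustUnderstand="1" eb:signed="true" eb:version="2.0"/>
</SOAP-ENV:Header>
<SOAP-ENV:Body/>
</SOAP-ENV:Envelope>"""
PAYLOAD = b'<doc:document-id xmlns:doc="http://www.company.com/document-id">doc-1</doc:document-id>'


def _prune(elem, drop):
    """Delete every subtree whose root element satisfies drop()."""
    for child in list(elem):
        if drop(child):
            elem.remove(child)
        else:
            _prune(child, drop)


def transformed_envelope(root):
    """Transforms in the page's order: enveloped-signature, then the XPath
    filter not(ancestor-or-self::node()[@SOAP-ENV:actor=...]). Returns a copy."""
    work = copy.deepcopy(root)
    _prune(work, lambda e: e.tag == f"{{{DS}}}Signature")
    _prune(work, lambda e: e.get(f"{{{SOAP}}}actor") in NEXT_HOP_ACTORS)
    return work


def b64_sha1(data: bytes) -> str:
    # SHA-1 only because the page's Signature names xmldsig#sha1; not for new designs.
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def envelope_digest(root) -> str:
    # Assumption: ET.canonicalize() is C14N 2.0, not the 2001 inclusive C14N 1.0
    # the Signature names, so this value is not byte-compatible with the service's.
    c14n = ET.canonicalize(ET.tostring(transformed_envelope(root), encoding="unicode"))
    return b64_sha1(c14n.encode("utf-8"))


def sign_envelope(envelope_xml: str, payload: bytes) -> str:
    """Append a ds:Signature carrying the page's two References to the Header.
    SignatureValue (RSA over SignedInfo) is left empty: it needs the private key."""
    root = ET.fromstring(envelope_xml)
    sig = ET.fromstring(
        f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
        '<ds:Reference URI=""><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
        f"<ds:DigestValue>{envelope_digest(root)}</ds:DigestValue></ds:Reference>"
        f'<ds:Reference URI="{PAYLOAD_CID}"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
        f"<ds:DigestValue>{b64_sha1(payload)}</ds:DigestValue></ds:Reference>"
        "</ds:SignedInfo><ds:SignatureValue/></ds:Signature>"
    )
    root.find(f"{{{SOAP}}}Header").append(sig)
    return ET.tostring(root, encoding="unicode")


def check_references(signed_xml: str, payload: bytes) -> dict:
    """Recompute each ds:Reference digest and compare: {URI: matches}."""
    root = ET.fromstring(signed_xml)
    actual = {"": envelope_digest(root), PAYLOAD_CID: b64_sha1(payload)}
    return {
        ref.get("URI"): actual.get(ref.get("URI")) == ref.findtext(f"{{{DS}}}DigestValue")
        for ref in root.iter(f"{{{DS}}}Reference")
    }


def with_attribute(signed_xml: str, tag: str, name: str, value: str) -> str:
    """Simulate an in-transit edit: set name=value on every element named tag."""
    root = ET.fromstring(signed_xml)
    for el in root.iter(tag):
        el.set(name, value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    signed = sign_envelope(ENVELOPE, PAYLOAD)
    print("untouched:    ", check_references(signed, PAYLOAD))
    # SyncReply carries actor="next": it is outside the signed node-set, so this passes.
    print("next-hop hdr: ", check_references(with_attribute(signed, f"{{{EB}}}SyncReply", "edited", "1"), PAYLOAD))
    print("MessageHeader:", check_references(with_attribute(signed, f"{{{EB}}}Action", "edited", "1"), PAYLOAD))
    print("payload:      ", check_references(signed, PAYLOAD + b" "))
```

The practical reading of the third case is the one to remember when reviewing an ebXML deployment: anything a sender or intermediary puts under a next-hop actor is not authenticated by this signature, so no business decision should depend on it.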

Implementing the ebXML XML Digital Signature Service

To implement the ebXML XML Digital Signature service, complete the following tasks:
  1. Activate your license for the ebXML XML Digital Signature service. See Installing Sterling B2B Integrator.
  2. Create an ebXML XML Digital Signature service configuration. See Managing Services and Adapters.
  3. Configure the ebXML XML Digital Signature service. For information, see Configuring the ebXML XML Digital Signature Service.
  4. Use the ebXML XML Digital Signature service in a business process.

    Import a Key certificate for the ebXML XML Digital Signature service to reference in the business process. For the procedure, see Importing a Key Certificate into a Business Process.

Configuring the ebXML XML Digital Signature Service

To configure the ebXML XML Digital Signature service, you must specify settings for the following fields in the GPM:

Field Description
Config Name of the service configuration.
certificateIdentifier The alias of a public key of a certificate. Valid value is a valid alias name.
incomingDoc The node that needs to be digitally signed. Valid value is a valid node.
signCertificateIdentifier The alias of a private key of a certificate. Valid value is a valid alias name.

Importing a Key Certificate into a Business Process

When you import a key certificate, note the alias it is stored under: your BPML references that alias in the signCertificateIdentifier field. The following BPML provides an example of how your BPML should look:

<operation name="SignMessage">
  <participant name="ebXMLDSig"/>
  <output message="signRequest">
    <assign to="incomingDoc" from="ebXMLMessage/mime:message"/>
    <assign to="signCertificateIdentifier" from="cpa/thisParty/signing-certificate-name/text()"/>
  </output>
  <input message="signResponse">
    <assign to="ebXMLMessage" from="signedEnvelope/signRequest/incomingDoc/node()"/>
  </input>
</operation>

Business Process Example

The following example assumes that the nodes are found in the process data:

<process name="Test_Sign">
  <operation name="SignMessage">
    <participant name="ebXMLDSig"/>
    <output message="signRequest">
      <assign to="incomingDoc" from="ebXMLMessage/mime:message"/>
      <assign to="signCertificateIdentifier" from="cpa/thisParty/signing-certificate-name/text()"/>
    </output>
    <input message="signResponse">
      <assign to="ebXMLMessage" from="signedEnvelope/signRequest/incomingDoc/node()"/>
    </input>
  </operation>
</process>

The following example shows how to sign the whole Primary Document and add the KeyInfo element with the Signature element by including the certificateIdentifier parameter in the signing request. The example also includes how to construct the ds:Transforms node:

<process name="TestSigning">
  <sequence>
    <!-- Build the ds:Transforms node: enveloped-signature first, then an XPath filter -->
    <assign to="temp/@Algorithm" from="'http://www.w3.org/2000/09/xmldsig#enveloped-signature'"/>
    <assign to="ds:Transforms/ds:Transform" from="temp/@*"/>
    <assign to="temp/@Algorithm" from="'http://www.w3.org/TR/1999/REC-xpath-19991116'"/>
    <assign to="temp/ds:XPath">count(/ETrade/DataArea/LCAdvice/descendant-or-self::node()
      | /ETrade/DataArea/LCAdvice/descendant-or-self::*/@*
      | /ETrade/DataArea/LCAdvice/descendant-or-self::*/namespace::*)
      = count(. | /ETrade/DataArea/LCAdvice/descendant-or-self::node()
      | /ETrade/DataArea/LCAdvice/descendant-or-self::*/@*
      | /ETrade/DataArea/LCAdvice/descendant-or-self::*/namespace::*)</assign>
    <assign to="ds:Transforms/ds:Transform" from="temp/@* | temp/node()" append="true"/>
    <!-- Do the Signing -->
    <operation name="SignMessage">
      <participant name="ebXMLDSig"/>
      <output message="signRequest">
        <assign to="." from="*"/>
        <assign to="signCertificateIdentifier" from="'PrivKey'"/>
        <assign to="certificateIdentifier" from="'PubKey'"/>
        <assign to="ds:Transforms" from="ds:Transforms/node()"/>
      </output>
      <input message="signResponse">
        <assign to="." from="*"/>
      </input>
    </operation>
  </sequence>
</process>

This BPML example shows how to sign a particular node in the Primary Document by naming it in nodeToSign:

<process name="TestSigning">
  <sequence>
    <!-- Build the ds:Transforms node: enveloped-signature first, then an XPath filter -->
    <assign to="temp/@Algorithm" from="'http://www.w3.org/2000/09/xmldsig#enveloped-signature'"/>
    <assign to="ds:Transforms/ds:Transform" from="temp/@*"/>
    <assign to="temp/@Algorithm" from="'http://www.w3.org/TR/1999/REC-xpath-19991116'"/>
    <assign to="temp/ds:XPath">count(/ETrade/DataArea/LCAdvice/descendant-or-self::node()
      | /ETrade/DataArea/LCAdvice/descendant-or-self::*/@*
      | /ETrade/DataArea/LCAdvice/descendant-or-self::*/namespace::*)
      = count(. | /ETrade/DataArea/LCAdvice/descendant-or-self::node()
      | /ETrade/DataArea/LCAdvice/descendant-or-self::*/@*
      | /ETrade/DataArea/LCAdvice/descendant-or-self::*/namespace::*)</assign>
    <assign to="ds:Transforms/ds:Transform" from="temp/@* | temp/node()" append="true"/>
    <!-- Do the Signing -->
    <operation name="SignMessage">
      <participant name="ebXMLDSig"/>
      <output message="signRequest">
        <assign to="." from="*"/>
        <assign to="signCertificateIdentifier" from="'PrivKey'"/>
        <assign to="nodeToSign" from="'TransactionResultResponse'"/>
        <assign to="certificateIdentifier" from="'PubKey'"/>
        <assign to="ds:Transforms" from="ds:Transforms/node()"/>
      </output>
      <input message="signResponse">
        <assign to="." from="*"/>
      </input>
    </operation>
  </sequence>
</process>

This BPML example shows how to validate a signed Primary Document using a specified public certificate stored in Sterling B2B Integrator. The Signature element is removed from the Primary Document after successful validation. The outcome is reported only in the validity node of verifyResponse (validity/valid is true or false); the service returns no status value, so the business process must test that node before it acts on the message:

<process name="TestValidating">
  <sequence>
    <!-- Do the verification -->
    <operation name="VerifyMessage">
      <participant name="ebXMLDSig"/>
      <output message="verifyRequest">
        <assign to="." from="*"/>
        <assign to="removeSignature" from="'true'"/>
        <assign to="certificateIdentifier" from="'PubKey'"/>
      </output>
      <input message="verifyResponse">
        <assign to="." from="*"/>
      </input>
    </operation>
  </sequence>
</process>