ebXML XML Digital Signature Service
The ebXML XML Digital Signature service composes and verifies digital signatures.
The following table provides an overview of the ebXML XML Digital Signature service:
Category | Description |
---|---|
System name | ebXMLDSig |
Graphical Process Modeler (GPM) categories | All Services, Internet B2B > ebXML |
Description | Composes and verifies digital signatures. |
Business usage | Business usage: |
Usage example | A business process that needs a node to be digitally signed or verified can invoke this service by passing the required parameters. |
Preconfigured? | Must be installed and deployed before it can run. There are no configuration parameters required. |
Requires third-party files? | xss4j.jar (included in Sterling B2B Integrator installation) |
Platform availability | All supported Sterling B2B Integrator platforms. |
Related services | No |
Application requirements | No |
Initiates business processes? | No |
Invocation | Runs as part of a business process. |
Business process context considerations | None |
Returned status values | None |
Restrictions | None |
Testing considerations | Use the correct certificates for signing. The most frequent problem encountered is that the certificates used for signing were not created with a storepass value of integrator and a keypass value of integrator. If you receive an error under this condition, see your system administrator. |
Notes | Output parameters (signRequest): A node or updated Primary Document containing the original contents and the Signature element after the digital signature is applied. Output parameters (verifyRequest): A node containing the validity of the signature. The two possible values are: and |
Parameters Passed from Business Process to Service
The following table describes the parameters that are passed from a business process to the service:
Field | Description |
---|---|
certificateIdentifier | Alias of a certificate public key. When used during signing, it indicates that the KeyInfo element must be included in the Signature. Only applicable when signing the Primary Document. Valid value is a valid alias name. Required. |
ds:Transforms | Required Transforms to be used in the signing. If omitted, the enveloped-signature Transform will be used. Only applicable when signing the Primary Document. Valid value is a valid node. |
incomingDoc | Node to be digitally signed. When not specified, it implies that the Primary Document needs to be signed. Valid value is a valid node. |
nodeToSign | Name of the node to be signed. This node is found within the Primary Document. If not specified, the whole document is signed. Only applicable when signing the Primary Document. Valid value is a valid node name. |
signCertificateIdentifier | Alias of a private key of a certificate. Valid value is a valid alias name. |
The incoming document must contain the prerequisites of the ebXML XML Digital Signature service. The following is an example node that is passed to the ebXML XML Digital Signature service for signature creation:
```xml
<ebXMLMessage>
  <mime:message xmlns:mime="http://www.company.com/mime/v0.5">
    <mime:header name="Content-Type">multipart/related
      <mime:parameter name="start">ebxml-envelope@company.com</mime:parameter>
      <mime:parameter name="type">text/xml</mime:parameter>
    </mime:header>
    <mime:header name="SOAPAction">ebXML</mime:header>
    <mime:body>
      <mime:message>
        <mime:header name="Content-ID">&lt;ebxml-envelope@company.com&gt;</mime:header>
        <mime:header name="Content-Type">text/xml
          <mime:parameter name="charset">UTF-8</mime:parameter>
        </mime:header>
        <mime:body>
          <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.ditasoap.org/soap/envelope/"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://schemas.ditasoap.org/soap/envelope/ http://www.oasis-open.org/committees/ebxml-msg/schema/envelope.xsd">
            <SOAP-ENV:Header xmlns:eb="http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd">
              <eb:MessageHeader SOAP-ENV:mustUnderstand="1"
                  eb:id="ebxml-MessageHeader-company.com" eb:version="2.0"
                  xsi:schemaLocation="http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd">
                <eb:From>
                  <eb:Role>http://www.company.com/roles/Sender</eb:Role>
                </eb:From>
                <eb:To>
                  <eb:Role>http://www.company.com/roles/Receiver</eb:Role>
                </eb:To>
                <eb:CPAId>CompanyID-CompanyID</eb:CPAId>
                <eb:ConversationId>server::111z1:zzz999z9z:-1111</eb:ConversationId>
                <eb:Service eb:type="string">FileTransfer-Sign</eb:Service>
                <eb:Action>Receive</eb:Action>
                <eb:MessageData>
                  <eb:MessageId>server::111z1:zzz999z9z:-1111</eb:MessageId>
                  <eb:Timestamp>2005-07-18T04:10:18Z</eb:Timestamp>
                </eb:MessageData>
                <eb:Description xml:lang="en-US">An ebXML Message.</eb:Description>
              </eb:MessageHeader>
              <eb:SyncReply SOAP-ENV:actor="http://schemas.ditasoap.org/soap/actor/next"
                  SOAP-ENV:mustUnderstand="1"
                  eb:id="ebxml-SyncReply-company.com" eb:version="2.0"
                  xsi:schemaLocation="http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd"/>
              <eb:AckRequested SOAP-ENV:mustUnderstand="1"
                  eb:id="ebxml-AckRequested-company.com"
                  eb:signed="true" eb:version="2.0"
                  xsi:schemaLocation="http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd"/>
            </SOAP-ENV:Header>
            <SOAP-ENV:Body/>
          </SOAP-ENV:Envelope>
        </mime:body>
      </mime:message>
      <mime:message>
        <mime:header name="Content-ID">&lt;ebxml-payload-0@company.com&gt;</mime:header>
        <mime:header name="Content-Type">application/xml</mime:header>
        <mime:body>
          <doc:document-id xmlns:doc="http://www.company.com/document-id">server:4lll4kdlllrrrr4:-99zz</doc:document-id>
        </mime:body>
      </mime:message>
    </mime:body>
  </mime:message>
</ebXMLMessage>
```
The following parameters need to be passed to the service when it runs with the output message set to verifyRequest:
Field | Description |
---|---|
certificateIdentifier | Alias of a public key of a certificate. Valid value is a valid alias name. |
documentID | Document-id of the MIME message to be verified. Valid value is a valid document id. |
incomingDoc | Node that needs to have its digital signature verified. Valid value is a valid node. |
removeSignature | Indicates if the validated document needs to have the Signature element removed. Only applicable when validating the Primary Document. Valid values are True and False. |
The incoming document must contain the prerequisites of the ebXML XML Digital Signature service. The following is an example node that is passed to the ebXML XML Digital Signature service for signature validation:
```xml
<ebXMLMessage>
  <mime:message xmlns:mime="http://www.company.com/mime/v0.5">
    <mime:header name="Content-Type">multipart/related
      <mime:parameter name="start">ebxml-envelope@company.com</mime:parameter>
      <mime:parameter name="type">text/xml</mime:parameter>
    </mime:header>
    <mime:header name="SOAPAction">ebXML</mime:header>
    <mime:body>
      <mime:message>
        <mime:header name="Content-ID">&lt;ebxml-envelope@company.com&gt;</mime:header>
        <mime:header name="Content-Type">text/xml
          <mime:parameter name="charset">UTF-8</mime:parameter>
        </mime:header>
        <mime:body>
          <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.ditasoap.org/soap/envelope/"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://schemas.ditasoap.org/soap/envelope/ http://www.oasis-open.org/committees/ebxml-msg/schema/envelope.xsd">
            <SOAP-ENV:Header xmlns:eb="http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd">
              <eb:MessageHeader SOAP-ENV:mustUnderstand="1"
                  eb:id="ebxml-MessageHeader-company.com" eb:version="2.0"
                  xsi:schemaLocation="http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd">
                <eb:From>
                  <eb:Role>http://www.company.com/roles/Sender</eb:Role>
                </eb:From>
                <eb:To>
                  <eb:Role>http://www.company.com/roles/Receiver</eb:Role>
                </eb:To>
                <eb:CPAId>company-company</eb:CPAId>
                <eb:ConversationId>server::11c1:88888zzzz:-1111</eb:ConversationId>
                <eb:Service eb:type="string">FileTransfer-Sign</eb:Service>
                <eb:Action>Receive</eb:Action>
                <eb:MessageData>
                  <eb:MessageId>server::11c1:88888zzzz:-1111</eb:MessageId>
                  <eb:Timestamp>2002-07-18T04:10:18Z</eb:Timestamp>
                </eb:MessageData>
                <eb:Description xml:lang="en-US">An ebXML Message.</eb:Description>
              </eb:MessageHeader>
              <eb:SyncReply SOAP-ENV:actor="http://schemas.ditasoap.org/soap/actor/next"
                  SOAP-ENV:mustUnderstand="1"
                  eb:id="ebxml-SyncReply-company.com" eb:version="2.0"
                  xsi:schemaLocation="http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd"/>
              <eb:AckRequested SOAP-ENV:mustUnderstand="1"
                  eb:id="ebxml-AckRequested-company.com"
                  eb:signed="true" eb:version="2.0"
                  xsi:schemaLocation="http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd"/>
              <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
                  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                  <ds:Reference Type="http://www.w3.org/2000/09/xmldsig#Object" URI="">
                    <ds:Transforms>
                      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                      <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
                        <ds:XPath>not(ancestor-or-self::node()[@SOAP-ENV:actor="urn:oasis:names:tc:ebxml-msg:service:nextMSH"]
                          | ancestor-or-self::node()[@SOAP-ENV:actor="http://schemas.ditasoap.org/soap/actor/next"])</ds:XPath>
                      </ds:Transform>
                      <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>+TTgggfFZZZ+444t444DDffEEEddddd=</ds:DigestValue>
                  </ds:Reference>
                  <ds:Reference URI="cid:ebxml-payload-0@company.com">
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>5SS4d44dGG1DD1DDddd3FFFee2GGGddd=</ds:DigestValue>
                  </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>
                  ZZzzzZZzzzZZzzzZZzzzzZZZzAAaaaEEaaaEEEEaaaaEEEaaaaDDDDddDDdddzzzZzzZZzzzZ
                  zzAA33AAzzz44ZZaaZZZaaZZZaaaZZZZ4eeEEE5WWWqqqEEEaaa4AAAee5DDDddEEEEddd2DDD
                  9Ik99R3EeeR444rrrFFF4694eeeOOO333aaddii999l=
                </ds:SignatureValue>
              </ds:Signature>
            </SOAP-ENV:Header>
            <SOAP-ENV:Body/>
          </SOAP-ENV:Envelope>
        </mime:body>
      </mime:message>
      <mime:message>
        <mime:header name="Content-ID">&lt;ebxml-payload-0@company.com&gt;</mime:header>
        <mime:header name="Content-Type">application/xml</mime:header>
        <mime:body>
          <doc:document-id xmlns:doc="http://www.company.com/document-id">server:999z9:ggggh9g9g:-99zz</doc:document-id>
        </mime:body>
      </mime:message>
    </mime:body>
  </mime:message>
</ebXMLMessage>
```
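As an added illustration (not part of this page or of the product), the following Python parses a message of the shape in the validation example above and answers two questions the verifyRequest result alone does not: which header blocks fall inside the signed scope after the enveloped-signature and XPath transforms shown, and which MIME payload parts are not bound to the signature by a cid: Reference. The sample message, the function names and the placeholder digests are constructed for the example.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.ditasoap.org/soap/envelope/"  # namespace exactly as printed on this page
DS = "http://www.w3.org/2000/09/xmldsig#"
MIME = "http://www.company.com/mime/v0.5"
# Actors that the XPath transform in the validation example removes from the digest input
EXCLUDED_ACTORS = {"urn:oasis:names:tc:ebxml-msg:service:nextMSH",
                   "http://schemas.ditasoap.org/soap/actor/next"}

# Constructed sample, trimmed from the validation example above; digests are placeholders
SAMPLE = f"""<ebXMLMessage><mime:message xmlns:mime="{MIME}"><mime:body><mime:message>
<mime:header name="Content-ID">&lt;ebxml-envelope@company.com&gt;</mime:header><mime:body>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP}" xmlns:ds="{DS}"
 xmlns:eb="http://www.oasis-open.org/committees/ebxml-msg/schema/msg-header-2_0.xsd"><SOAP-ENV:Header>
<eb:MessageHeader SOAP-ENV:mustUnderstand="1"><eb:Action>Receive</eb:Action></eb:MessageHeader>
<eb:SyncReply SOAP-ENV:actor="http://schemas.ditasoap.org/soap/actor/next"/>
<eb:AckRequested SOAP-ENV:mustUnderstand="1" eb:signed="true"/>
<ds:Signature><ds:SignedInfo><ds:Reference URI=""><ds:DigestValue>x=</ds:DigestValue></ds:Reference>
<ds:Reference URI="cid:ebxml-payload-0@company.com"><ds:DigestValue>x=</ds:DigestValue></ds:Reference>
</ds:SignedInfo><ds:SignatureValue>x=</ds:SignatureValue></ds:Signature></SOAP-ENV:Header>
<SOAP-ENV:Body/></SOAP-ENV:Envelope></mime:body></mime:message>
<mime:message><mime:header name="Content-ID">&lt;ebxml-payload-0@company.com&gt;</mime:header>
<mime:body>first payload</mime:body></mime:message><mime:message>
<mime:header name="Content-ID">&lt;ebxml-payload-1@company.com&gt;</mime:header>
<mime:body>second payload, not referenced</mime:body></mime:message></mime:body></mime:message></ebXMLMessage>"""


def signed_header_blocks(message_xml: str) -> list[str]:
    """Header blocks left in the digest input: enveloped-signature drops ds:Signature, the XPath drops excluded actors."""
    header = ET.fromstring(message_xml).find(f".//{{{SOAP}}}Header")
    covered = []
    for block in header:  # actor is set on the header blocks, so the direct children decide it here
        if block.tag == f"{{{DS}}}Signature" or block.get(f"{{{SOAP}}}actor") in EXCLUDED_ACTORS:
            continue
        covered.append(block.tag.split("}")[1])
    return covered


def unreferenced_payloads(message_xml: str) -> list[str]:
    """Content-IDs of payload parts with no cid: Reference: a valid signature says nothing about their contents."""
    root = ET.fromstring(message_xml)
    referenced = {ref.get("URI") for ref in root.iter(f"{{{DS}}}Reference")}
    missing = []
    for part in root.iter(f"{{{MIME}}}message"):
        cid_header = part.find(f"{{{MIME}}}header[@name='Content-ID']")
        if cid_header is None or part.find(f".//{{{SOAP}}}Envelope") is not None:
            continue  # outer wrapper, or the part carrying the SOAP envelope itself
        cid = cid_header.text.strip().strip("<>")
        if f"cid:{cid}" not in referenced:
            missing.append(cid)
    return missing
```

With the sample, SyncReply (actor next) and the Signature itself are outside the signed scope while MessageHeader and AckRequested are inside, and the second payload part is reported as unbound.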
Implementing the ebXML XML Digital Signature Service
- Activate your license for the ebXML XML Digital Signature service. See Installing Sterling B2B Integrator.
- Create an ebXML XML Digital Signature service configuration. See Managing Services and Adapters.
- Configure the ebXML XML Digital Signature service. For information, see Configuring the ebXML XML Digital Signature Service.
- Use the ebXML XML Digital Signature service in a business process.
Import a Key certificate for the ebXML XML Digital Signature service to reference in the business process. For the procedure, see Importing a Key Certificate into a Business Process.
Configuring the ebXML XML Digital Signature Service
To configure the ebXML XML Digital Signature service, you must specify settings for the following fields in the GPM:
Field | Description |
---|---|
Config | Name of the service configuration. |
certificateIdentifier | The alias of a public key of a certificate. Valid value is a valid alias name. |
incomingDoc | The node that needs to be digitally signed. Valid value is a valid node. |
signCertificateIdentifier | The alias of a private key of a certificate. Valid value is a valid alias name. |
Importing a Key Certificate into a Business Process
When importing a Key certificate, your BPML should reference the alias assigned to that certificate in the appropriate field (signCertificateIdentifier). The following BPML provides an example of how your BPML should look:
```xml
<operation name="SignMessage">
  <participant name="ebXMLDSig"/>
  <output message="signRequest">
    <assign to="incomingDoc" from="ebXMLMessage/mime:message"/>
    <assign to="signCertificateIdentifier" from="cpa/thisParty/signing-certificate-name/text()"/>
  </output>
  <input message="signResponse">
    <assign to="ebXMLMessage" from="signedEnvelope/signRequest/incomingDoc/node()"/>
  </input>
</operation>
```
Business Process Example
The following example assumes that the nodes are found in the process data:
```xml
<process name="Test_Sign">
  <operation name="SignMessage">
    <participant name="ebXMLDSig"/>
    <output message="signRequest">
      <assign to="incomingDoc" from="ebXMLMessage/mime:message"/>
      <assign to="signCertificateIdentifier" from="cpa/thisParty/signing-certificate-name/text()"/>
    </output>
    <input message="signResponse">
      <assign to="ebXMLMessage" from="signedEnvelope/signRequest/incomingDoc/node()"/>
    </input>
  </operation>
</process>
```
The following example shows how to sign the whole Primary Document and include the KeyInfo element in the Signature element by passing the certificateIdentifier parameter in the signing request. The example also shows how to construct the ds:Transforms node:
```xml
<process name="TestSigning">
  <sequence>
    <assign to="temp/@Algorithm" from="'http://www.w3.org/2000/09/xmldsig#enveloped-signature'"/>
    <assign to="ds:Transforms/ds:Transform" from="temp/@*"/>
    <assign to="temp/@Algorithm" from="'http://www.w3.org/TR/1999/REC-xpath-19991116'"/>
    <assign to="temp/ds:XPath">count(/ETrade/DataArea/LCAdvice/descendant-or-self::node()
        | /ETrade/DataArea/LCAdvice/descendant-or-self::*/@*
        | /ETrade/DataArea/LCAdvice/descendant-or-self::*/namespace::*)
      = count(. | /ETrade/DataArea/LCAdvice/descendant-or-self::node()
        | /ETrade/DataArea/LCAdvice/descendant-or-self::*/@*
        | /ETrade/DataArea/LCAdvice/descendant-or-self::*/namespace::*)
    </assign>
    <assign to="ds:Transforms/ds:Transform" from="temp/@* | temp/node()" append="true"/>
    <!-- Do the Signing -->
    <operation name="SignMessage">
      <participant name="ebXMLDSig"/>
      <output message="signRequest">
        <assign to="." from="*"/>
        <assign to="signCertificateIdentifier" from="'PrivKey'"/>
        <assign to="certificateIdentifier" from="'PubKey'"/>
        <assign to="ds:Transforms" from="ds:Transforms/node()"/>
      </output>
      <input message="signResponse">
        <assign to="." from="*"/>
      </input>
    </operation>
  </sequence>
</process>
```
This BPML example shows how to sign a particular node in the Primary Document (here, TransactionResultResponse) by passing its name in the nodeToSign parameter:
```xml
<process name="TestSigning">
  <sequence>
    <assign to="temp/@Algorithm" from="'http://www.w3.org/2000/09/xmldsig#enveloped-signature'"/>
    <assign to="ds:Transforms/ds:Transform" from="temp/@*"/>
    <assign to="temp/@Algorithm" from="'http://www.w3.org/TR/1999/REC-xpath-19991116'"/>
    <assign to="temp/ds:XPath">count(/ETrade/DataArea/LCAdvice/descendant-or-self::node()
        | /ETrade/DataArea/LCAdvice/descendant-or-self::*/@*
        | /ETrade/DataArea/LCAdvice/descendant-or-self::*/namespace::*)
      = count(. | /ETrade/DataArea/LCAdvice/descendant-or-self::node()
        | /ETrade/DataArea/LCAdvice/descendant-or-self::*/@*
        | /ETrade/DataArea/LCAdvice/descendant-or-self::*/namespace::*)
    </assign>
    <assign to="ds:Transforms/ds:Transform" from="temp/@* | temp/node()" append="true"/>
    <!-- Do the Signing -->
    <operation name="SignMessage">
      <participant name="ebXMLDSig"/>
      <output message="signRequest">
        <assign to="." from="*"/>
        <assign to="signCertificateIdentifier" from="'PrivKey'"/>
        <assign to="nodeToSign" from="'TransactionResultResponse'"/>
        <assign to="certificateIdentifier" from="'PubKey'"/>
        <assign to="ds:Transforms" from="ds:Transforms/node()"/>
      </output>
      <input message="signResponse">
        <assign to="." from="*"/>
      </input>
    </operation>
  </sequence>
</process>
```
This BPML example shows how to validate a signed Primary Document using a specified public certificate stored in Sterling B2B Integrator. The signature element will be removed from the Primary Document after the successful validation.
```xml
<process name="TestValidating">
  <sequence>
    <!-- Do the verification -->
    <operation name="VerifyMessage">
      <participant name="ebXMLDSig"/>
      <output message="verifyRequest">
        <assign to="." from="*"/>
        <assign to="removeSignature" from="'true'"/>
        <assign to="certificateIdentifier" from="'PubKey'"/>
      </output>
      <input message="verifyResponse">
        <assign to="." from="*"/>
      </input>
    </operation>
  </sequence>
</process>
```