Administration Guide

Creating WS-Security rules

With WS-Security rules, you can do the following:

  • Encrypt and decrypt parts of SOAP messages
  • Digitally sign parts of SOAP messages
  • Verify parts of SOAP messages using digital signatures

This section provides instructions on how to create a WS-Security rule.

To create a WS-Security rule
  1. Go to XML Protection > WS-Security Rule.
  2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

  3. Click Create New.
  4. Configure these settings:

    Name

    Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in an XML protection rule.

    Security in Request Direction

    Enable to configure FortiWeb to decrypt, sign, and verify the encrypted SOAP messages from the client.

    Security Operation

    Select the operation that FortiWeb performs for the encrypted SOAP messages from the client.

    Available only when Security in Request Direction is enabled.

    Security in Response Direction

    Enable to configure FortiWeb to encrypt and sign the SOAP messages returned from the server.

    Security Operation

    Select the operation that FortiWeb performs for the SOAP messages returned from the server.

    Available only when Security in Response Direction is enabled.

    Encryption Part

    Select which part of the SOAP messages to encrypt.

    • Element Value—Encrypt only the value (content) of the selected element; the element's own start and end tags stay in clear text.
    • Element Markup—Encrypt the selected element along with the element’s XML markup, so the element name itself is hidden.

    Available only when Security in Response Direction is enabled, and the Security Operation is Encrypt, Sign & Encrypt, or Encrypt & Sign.

    Signature Algorithm

    Select the signature algorithm.

    • RSA-SHA-1
    • HMAC-SHA-1

    If you select HMAC-SHA-1, you must upload a shared SecretKey file from XML Certificate > Client Certificate. Because HMAC uses a shared secret, the same key both creates and verifies the signature, so whoever holds the key can produce valid signatures.

    Available only when Security in Response Direction is enabled, and the Security Operation is Sign, Sign & Encrypt, or Encrypt & Sign.

    Encrypt Algorithm

    Select the encryption algorithm.

    • 3DES
    • AES-128
    • AES-256

    Available only when Security in Response Direction is enabled, and the Security Operation is Encrypt, Sign & Encrypt, or Encrypt & Sign.

    Key Transport Algorithm

    Select the key transport algorithm.

    • RSA-15
    • RSA-OAEP

    Available only when Security in Response Direction is enabled, and the Security Operation is Encrypt, Sign & Encrypt, or Encrypt & Sign.

    XML Server Certificate

    Select the XML server certificate uploaded from XML Certificate > Server Certificate.

    Available only when Security in Request Direction is enabled, and the Security Operation is Sign, Sign & Decrypt, or Decrypt & Sign.

    XML Client Certificate Group

    Select the XML client certificate group created from XML Certificate > Client Certificate Group.

    Available only when either of the following is true:

    • Security in Request Direction is enabled, and the Security Operation is Sign Verify & Decrypt or Sign Verify.
    • Security in Response Direction is enabled, and the Security Operation is Encrypt, Sign & Encrypt, or Encrypt & Sign.

  5. Click OK.
  6. Click Create New to configure the namespace mappings table.
    An XML namespace prefix is written in the start tag of an element to help prevent element naming conflicts. In the namespace mappings table, you bind each prefix you intend to use in your XPath expressions to its namespace.
  7. For Prefix, add a prefix for the namespace.
  8. For Namespace, add the namespace.
  9. Click OK.
  10. Click Create New to configure the elements list.
    The elements list defines the XPath and whether the XPath applies to the request or response direction.
  11. For XPath, enter an XPath to specify which part of the XML file to process, for example, /S11:Envelope/S11:Body.
  12. For Apply To, select either Request or Response to define the direction in which the XPath applies.
  13. Click OK.
  14. To add a WS-Security rule to an XML protection rule, see Creating XML protection rules.
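The following added example (written for this page; it is not FortiWeb code and does not use the FortiWeb CLI or API) shows in plain Python what the namespace mappings table, the elements list and the Encryption Part setting described above actually decide: which element of a SOAP message a rule selects in each direction, which bytes are covered when the part is Element Value versus Element Markup, and why an HMAC-SHA-1 signature made with the shared SecretKey can be verified only by a holder of that same key. The SOAP message, the mapping table, the XPath entries and the key are all constructed sample values; the prefix in the message (`soap`) deliberately differs from the prefix in the rule (`S11`) to show that matching is by namespace URI, not by prefix text. The example skips XML canonicalization and the real XML Encryption/Signature envelope formats, which FortiWeb handles internally.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample SOAP request (not from the guide). The message uses the
# prefix "soap"; the rule below uses "S11" for the same namespace URI.
SAMPLE_SOAP = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:acct="urn:example:accounts">
  <soap:Header/>
  <soap:Body>
    <acct:Transfer>
      <acct:From>1001</acct:From>
      <acct:To>2002</acct:To>
      <acct:Amount>250.00</acct:Amount>
    </acct:Transfer>
  </soap:Body>
</soap:Envelope>
"""

# Namespace mappings table: Prefix -> Namespace (constructed sample values).
NAMESPACE_MAPPINGS = {
    "S11": "http://schemas.xmlsoap.org/soap/envelope/",
    "acct": "urn:example:accounts",
}
# Make serialized output reuse the rule's prefixes instead of ns0/ns1.
for _prefix, _uri in NAMESPACE_MAPPINGS.items():
    ET.register_namespace(_prefix, _uri)

# Elements list: XPath plus the direction (Apply To) it applies to.
ELEMENTS = [
    {"xpath": "/S11:Envelope/S11:Body", "apply_to": "Request"},
    {"xpath": "/S11:Envelope/S11:Body/acct:Transfer/acct:Amount", "apply_to": "Response"},
]


def resolve_xpath(root, xpath, mappings):
    """Resolve an absolute, prefix-qualified path such as /S11:Envelope/S11:Body.

    Each prefix is translated through the mappings table into the
    {namespace-uri}local form ElementTree uses, so a message may use any
    prefix it likes as long as the namespace URI is the one mapped.
    """
    if not xpath.startswith("/"):
        raise ValueError("only absolute paths are supported in this example")
    steps = xpath.strip("/").split("/")

    def clark(step):
        prefix, _, local = step.rpartition(":")
        if not prefix:
            return local
        if prefix not in mappings:
            # The configuration error a practitioner hits most often:
            # the XPath uses a prefix that was never added to the mappings table.
            raise KeyError(f"prefix {prefix!r} is not in the namespace mappings table")
        return "{%s}%s" % (mappings[prefix], local)

    if root.tag != clark(steps[0]):
        return []
    nodes = [root]
    for step in steps[1:]:
        tag = clark(step)
        nodes = [child for node in nodes for child in node if child.tag == tag]
    return nodes


def select_targets(soap_xml, direction, elements=ELEMENTS, mappings=NAMESPACE_MAPPINGS):
    """Return the elements that the rule's entries for `direction` select."""
    root = ET.fromstring(soap_xml)
    targets = []
    for entry in elements:
        if entry["apply_to"] == direction:
            targets.extend(resolve_xpath(root, entry["xpath"], mappings))
    return targets


def encryption_payload(element, part):
    """Bytes covered by encryption for the selected element.

    Element Markup: the whole element including its tags (the element name is hidden).
    Element Value:  only the content; the element's own tags stay in clear text.
    """
    if part == "Element Markup":
        return ET.tostring(element, encoding="utf-8")
    if part == "Element Value":
        text = (element.text or "").encode("utf-8")
        return text + b"".join(ET.tostring(child, encoding="utf-8") for child in element)
    raise ValueError(f"unknown Encryption Part: {part}")


def hmac_sha1_sign(payload, secret_key):
    """Sign `payload` with a shared secret, as the HMAC-SHA-1 option does."""
    return hmac.new(secret_key, payload, hashlib.sha1).hexdigest()


def hmac_sha1_verify(payload, secret_key, signature):
    """Verification needs the same shared key; compare in constant time."""
    return hmac.compare_digest(hmac_sha1_sign(payload, secret_key), signature)


if __name__ == "__main__":
    body = select_targets(SAMPLE_SOAP, "Request")[0]
    print(encryption_payload(body, "Element Value").decode())
    print(hmac_sha1_sign(encryption_payload(body, "Element Markup"), b"constructed-shared-secret"))
```

Running the block prints the content that an Element Value rule on the Body would encrypt (the Transfer subtree, with the Body tags left visible) and an HMAC over the full Body markup. Changing the rule's XPath to use the message's own prefix `soap` without adding `soap` to the mappings table raises a `KeyError`, which is the failure mode to check first when a rule silently matches nothing.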
