How to sign data within policy logic

Document ID : KB000010320
Last Modified Date : 14/02/2018
Show Technical Document Details

Tactical assertion 'Generate Security Hash' is an APIM Gateway extension available from CA Support.  It allows any data to be signed thus providing the ability to build security tokens that are not supported by out of the box assertions.   This document provides a simple example of how it can sign data which can then be validated outside of the gateway. 

The policy was tested on an 8.3 APIM Gateway.

The following steps illustrate a simple policy that use's 'Generate Security Hash' and how it can be verified via opensll.  

1) Created a private key on the gateway (via policy manager) and exported the key (test.p12) and the certificate (test.public.pem) and move the files to a linux prompt. 

2) Then use the following command to convert the private key:- 

openssl pkcs12 -in test.p12 -nodes -out test.key 

3) Create a test file to sign, the -n options makes sure a line feed is not added to the end of the file:-

echo -n "The quick brown fox jumps over the lazy dog"

4) We can then use this to sign the data (data.unsigned) and place the output in data.sha256. The text is data.unsigned is "The quick brown fox jumps over the lazy dog". 

openssl dgst -sha256 -sign test.key -out data.sha256 data.unsighed 

5) Next we start to verify, first we obtain the public key from the certificate we exported from the gateway:- 

openssl x509 -pubkey -noout -in test.public.pem > pubkey.pem 

6) And then we can use this public key to verify the signed text:- 

openssl dgst -sha256 -verify pubkey.pem -signature data.sha256 data.unsighed 

This returns:- 

Verified OK 

7) Next we can run the same test but using the gateway to generate the signature, create a policy on the gateway and import the attached signdata.xml.  You should see the following assertions:-

Set Context variable data as String to: ${request.http.parameter.text} 

Generate Security Hash 

Return template Response to Requester 

8) Call the request with the same string, I'm then renaming the returned file to make it easier to refer to in the command line. 

wget"The quick brown fox jumps over the lazy dog" 

mv signdata\?text\=The\ quick\ brown\ fox\ jumps\ over\ the\ lazy\ dog data.signedbyGWBase64 

9) Use openssl to decode the base64 string:- 

openssl enc -base64 -d < data.signedbyGWBase64 > data.signedbyGW 

10) We can use the same verify command to confirm that the signature is good for the original data. 

openssl dgst -sha256 -verify pubkey.pem -signature data.signedbyGW data.unsigned 

If successful you should see 'Verified OK' returned. 


File Attachments: