
Trying to understand "Require Encrypted UsernameToken Profile Credentials" Assertion

Question asked by AshAlam on Feb 9, 2015
Latest reply on Feb 9, 2015 by Stephen_Hughes



I am trying to understand how I can implement support for encrypted UsernameToken in our existing Layer 7 Secure Span Gateway. Reading through the documentation, I see the following:


Quote [The Require Encrypted UsernameToken Profile Credentials assertion requires an encrypted Username Token element to be present and that it be encrypted with the same key that was used to sign the timestamp or other parts of the message. This provides message level security without requiring a client certificate. The client creates a new symmetric key and encrypts it for the server. The encrypted symmetric key prevents the UsernameToken from being intercepted and attached to another message.]


My understanding is that, if I were to sign an element (for example, the timestamp) in my SOAP message, I will include the signature as well as the X.509 certificate in the SOAP payload so that the receiver would be able to verify that the SOAP payload (the timestamp in this case) wasn't tampered with.


I am having difficulty understanding how the X.509 certificate will help decrypt the username token, however. Perhaps I am having difficulty understanding the language.


Any help is appreciated. Thanks in advance.
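Added example, not part of the original post or the Layer 7 documentation: the key flow the quoted passage describes, where the client needs only the server's public key and one fresh symmetric key both signs the timestamp and encrypts the UsernameToken. Assumptions: the message is modeled as plain fields rather than WS-Security XML, the class and method names are hypothetical, and RSA-OAEP, AES-GCM and HMAC-SHA1 are illustrative algorithm choices (Java 16+).

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.security.*;
import java.nio.charset.StandardCharsets;

public class EncryptedUsernameTokenDemo {
    // Simplified stand-in for the SOAP security header (assumption, not real XML).
    record Msg(byte[] wrappedKey, byte[] iv, byte[] encToken, String timestamp, byte[] sig) {}

    static byte[] hmac(SecretKey k, String data) throws Exception {
        Mac m = Mac.getInstance("HmacSHA1");
        m.init(new SecretKeySpec(k.getEncoded(), "HmacSHA1"));
        return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Client: has no certificate of its own, only the server's public key.
    static Msg client(PublicKey serverPub, String token, String ts) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(128);
        SecretKey k = kg.generateKey();                       // fresh per message
        Cipher wrap = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        wrap.init(Cipher.WRAP_MODE, serverPub);               // "encrypts it for the server"
        byte[] iv = new byte[12]; new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, k, new GCMParameterSpec(128, iv));
        byte[] enc = aes.doFinal(token.getBytes(StandardCharsets.UTF_8));
        return new Msg(wrap.wrap(k), iv, enc, ts, hmac(k, ts));
    }

    // Gateway: unwraps the key with its private key, checks the signature, then decrypts.
    static String gateway(PrivateKey serverPriv, Msg m) throws Exception {
        Cipher unwrap = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        unwrap.init(Cipher.UNWRAP_MODE, serverPriv);
        SecretKey k = (SecretKey) unwrap.unwrap(m.wrappedKey(), "AES", Cipher.SECRET_KEY);
        if (!MessageDigest.isEqual(hmac(k, m.timestamp()), m.sig()))
            throw new SecurityException("timestamp not signed with the token's key");
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, m.iv()));
        return new String(aes.doFinal(m.encToken()), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair server = kpg.generateKeyPair();               // constructed test key pair
        Msg ok = client(server.getPublic(), "alice:example-password", "2015-02-09T12:00:00Z");
        System.out.println("accepted: " + gateway(server.getPrivate(), ok));
        // Same wrapped key and token attached to a message with a different timestamp.
        Msg moved = new Msg(ok.wrappedKey(), ok.iv(), ok.encToken(), "2015-02-10T12:00:00Z", ok.sig());
        try { gateway(server.getPrivate(), moved); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Whoever copies the encrypted token cannot unwrap the symmetric key, so they cannot produce a valid signature over any other message content, which is why the second message is rejected.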