Layer7 API Management

  • 1.  Implement encryption of request payload

    Posted Mar 07, 2018 01:18 AM

    Hi Friends,

    Can you please help me understand how we can perform encryption on the request payload for both REST and SOAP? Which is the best encryption method for it, and how do we practically implement it in our Policy Manager?

    It is a kind of POC I need to perform.



  • 2.  Re: Implement encryption of request payload

    Broadcom Employee
    Posted Mar 07, 2018 04:57 PM

    Interesting... I heard WS-Security is for SOAP and JWE/JWS is for REST, but I'm not sure what is for both.



  • 3.  Re: Implement encryption of request payload

    Posted Mar 10, 2018 06:22 AM

    Hi Zhijun,

    Thanks for your reply. I did POCs of applying WS-Addressing, also encode/decode data, generate security hash, and also Apply JWE.
    I have two queries regarding it. Hope you can help me with them.

    1. When to use which (among all the above)? I am clear about applying WS-Addressing when I have to provide more security to a SOAP payload, and JWE for a JSON payload. But when am I supposed to use the Encode/Decode assertion and the hash assertion? Please shed some light on this concept. I am a bit confused.

    2. When I tried using JWE/JWS, it asked for a JSON Web Key. So I tried using the Create JSON Key assertion, but it is said that the key generated can't be used in the Apply JSON Web Token assertion to sign the payload. Can you throw some light on this concept too?

    My question might sound a little funny, but as I am unable to understand the concept, I need your help with this.

    Thanks in advance.

    Sonia



  • 4.  Re: Implement encryption of request payload

    Broadcom Employee
    Posted Mar 11, 2018 07:31 PM

    Dear SoniaMehta,

    You're welcome.

    I am not an expert on this subject. I may be wrong, but I'll try my best to answer your questions.

    1. As per my understanding, it doesn't matter when to use what; it depends on how you design it. You can have multiple layers of encrypting/encoding, but the other party needs to decrypt/decode accordingly. If the other party only accepts the standard JWE, then you should only apply the JWE on the payload. (There should be a specification/protocol between you and the other party on how to encrypt/encode the payload.)

    2. I believe you're talking about the Create JSON Web Key assertion. You will need to select "Json web key set" rather than "json web key" as the key type.

    Please refer to Create JSON Web Key Assertion - CA API Gateway - 9.3 - CA Technologies Documentation. The Create JSON Web Key Assertion creates a JSON Web Key Set (JWKS) using private keys that you specify.

     

    Regards,

    Mark



  • 5.  Re: Implement encryption of request payload

    Posted Mar 13, 2018 10:52 PM

    Hi Joe,

    I tried the way you mentioned, but I am getting the below error:

    The output of Create JSON Web Key is working fine, and I am able to get the encrypted key, but when I am trying to encrypt the payload, I am getting the above errors.

    ${Secure} is my output of Create JSON Web Key. JWTKEY is the name I mentioned, like you.

    Kindly suggest.

     



  • 6.  Re: Implement encryption of request payload

    Broadcom Employee
    Posted Mar 13, 2018 11:00 PM

    JWTKEY is the key ID of the JSON Web Key Set generated in the previous Create JSON Web Key assertion. Do you specify the same key ID in your Create JSON Web Key assertion?

     

    Regards,

    Mark
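
Added example (not part of the thread and not Layer7 or Policy Manager code): the key ID lookup discussed in the posts above, sketched in Python. It signs a payload as a compact JWS and, on verification, selects the key from a JWKS by the `kid` in the token header. Assumptions: HS256 with a constructed symmetric `oct` key stands in for the RSA key pairs used in the thread so that the block runs on the standard library alone; the function names are hypothetical.

```python
import base64, hashlib, hmac, json

def b64u(data: bytes) -> str:
    """base64url without padding, as used by JOSE (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed sample JWKS (RFC 7517 layout); the key value is not a real secret.
JWKS = {"keys": [{
    "kty": "oct", "kid": "JWTKEY", "use": "sig", "alg": "HS256",
    "k": b64u(b"constructed-demo-secret-32-bytes!"),
}]}

def find_key(jwks: dict, kid: str) -> dict:
    """Select a key by key ID; a kid that is not in the set is a hard error."""
    for jwk in jwks["keys"]:
        if jwk.get("kid") == kid:
            return jwk
    raise KeyError(f"no key with kid {kid!r} in key set")

def _mac(jwk: dict, signing_input: str) -> bytes:
    return hmac.new(b64u_dec(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()

def sign(payload: dict, jwks: dict, kid: str) -> str:
    jwk = find_key(jwks, kid)
    if jwk.get("use", "sig") != "sig":
        raise ValueError("key is not marked for signing")
    header = {"alg": "HS256", "kid": kid}
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(payload).encode())
    return signing_input + "." + b64u(_mac(jwk, signing_input))

def verify(token: str, jwks: dict) -> dict:
    head, body, sig = token.split(".")
    header = json.loads(b64u_dec(head))
    if header.get("alg") != "HS256":  # accept only the algorithm we expect
        raise ValueError("unexpected alg")
    jwk = find_key(jwks, header["kid"])
    # Constant-time comparison of the recomputed and the presented MAC.
    if not hmac.compare_digest(_mac(jwk, f"{head}.{body}"), b64u_dec(sig)):
        raise ValueError("bad signature")
    return json.loads(b64u_dec(body))
```

A signed JWS payload is only base64url-encoded and stays readable to anyone who holds the token; confidentiality needs JWE on top of it.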



  • 7.  Re: Implement encryption of request payload

    Posted Mar 13, 2018 11:22 PM

    Encryption is working... Now if I am using it to sign the payload, it is not working.

    I have made one more key pair for JWE signature and I am using it in the same way as that for encryption.

     



  • 8.  Re: Implement encryption of request payload
    Best Answer

    Broadcom Employee
    Posted Mar 14, 2018 12:22 AM

    Okay, I have the same problem, we may need to open a support case.

    Or, you can try another way, RSA algorithms+private key works for me,