Did this page help you? Yes No Tell us about it...

Example Request to Use When Troubleshooting

The following example shows the initial portion of a SOAP request that uses WS-Security with an X.509 certificate. If you're using a SOAP toolkit that supports WS-Security and X.509 certificates, the toolkit constructs the request automatically for you, so you don't have to create a request like this yourself. The example is included here as a reference to use if you're troubleshooting authentication issues with your SOAP requests. Several requirements are listed following the example; the numbers highlight where in the example the requirements are satisfied.

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

  <wsse:BinarySecurityToken
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
     EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
     ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
    wsu:Id="CertId-1064304">
        [Your base64 encoded X.509 certificate…]
  </wsse:BinarySecurityToken>


  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod  http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
      <ds:SignatureMethod  Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>

     <ds:Reference URI="#id-17984263">
        <ds:Transforms>
          <ds:Transform  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
        <ds:DigestValue>0pjZ1+TvgPf6uG7o+Yp3l2YdGZ4=</ds:DigestValue>
     </ds:Reference>

    <ds:Reference URI="#id-15778003">
      <ds:Transforms>
        <ds:Transform  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod  Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
      <ds:DigestValue>HhRbxBBmc2OO348f8nLNZyo4AOM=</ds:DigestValue>
    </ds:Reference>

    </ds:SignedInfo>

    <ds:SignatureValue>bmVx24Qom4kd9QQtclxWIlgLk4QsQBPaKESi79x479xgbO9PEStXMiHZuBAi9luuKdNTcfQ8UE/d
       jjHKZKEQRCOlLVy0Dn5ZL1RlMHsv+OzJzzvIJFTq3LQKNrzJzsNe</ds:SignatureValue>

    <ds:KeyInfo Id="KeyId-17007273">
       <wsse:SecurityTokenReference
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-22438818">
        <wsse:Reference URI="#CertId-1064304"
           ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
        </wsse:Reference>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>

  </ds:Signature>


  <wsu:Timestamp
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-17984263">
    <wsu:Created>2006-06-09T10:57:35Z</wsu:Created>
    <wsu:Expires>2006-06-09T11:02:35Z</wsu:Expires>
  </wsu:Timestamp>

  </wsse:Security>
</SOAP-ENV:Header>

Requirements for BinarySecurityToken and Signatures

	The `EncodingType` attribute for the `BinarySecurityToken` element must be `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary`.
	The `ValueType` attribute for the `BinarySecurityToken` element must be `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3` or `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1`.
	The `BinarySecurityToken` element must contain the base64 encoding of the leaf X.509 certificate if the `ValueType` is `#X509v3`, or it must contain the base64 encoding of the full X.509 certificate chain if the `ValueType` is `#X509PKIPathv1`.
	The `Algorithm` attribute of the `CanonicalizationMethod` element must be `http://www.w3.org/2001/10/xml-exc-c14n#`.
	The `Algorithm` attribute of the `SignatureMethod` element must be `http://www.w3.org/2000/09/xmldsig#rsa-sha1`.
	The `Algorithm` attribute of the `Transform` element for each `Reference` element must be either `http://www.w3.org/2001/10/xml-exc-c14n#` or `http://www.w3.org/TR/2001/REC-xml-c14n-20010315`.
	The `Algorithm` attribute of the `DigestMethod` element for each `Reference` element must be `http://www.w3.org/2000/09/xmldsig#sha1`.
	The `KeyInfo` element must contain a `SecurityTokenReference` element. The `SecurityTokenReference` element must contain a `Reference` element with a `URI` attribute. The `URI` attribute must use a local particle reference to identify the `BinarySecurityToken` element that contains the X.509 certificate (for example: the `URI` attribute equals `#CertId-1064304` in the preceding example request).
	You must include a `wsu:Id` attribute in any message elements that you sign. You can sign any SOAP header and the entire SOAP `Body`. Do not sign any other elements (such as children of the `Body` element). AWS ignores those elements for the purposes of signature validation, even if you include a `wsu:ID` attribute in them. If you sign elements that shouldn't be signed, the signature validation will fail.

Related Topics

Document Conventions
Terms of Use

Did this page help you? Yes No Tell us about it...