To digitally sign a SOAP message, you can use the basic procedure here or the variations described in the following parts of the topic.
-
Optionally include the %soap.inc include file, which defines macros you might need to use.
-
If you want to sign any security header elements, create those security header elements. For example:
set utoken=##class(%SOAP.Security.UsernameToken).Create("_SYSTEM","SYS")
-
Create an instance of %SYS.X509Credentials, as described in Retrieving Credential Sets Programmatically. This InterSystems IRIS credential set must contain your own certificate, and you must provide the private key password if the private key has not already been loaded. For example:
Set x509alias = "servercred"
Set pwd = "mypassword"
Set credset = ##class(%SYS.X509Credentials).GetByAlias(x509alias,pwd)
-
Create a binary security token that contains the certificate associated with that credential set. To do so, call the CreateX509Token() class method of %SOAP.Security.BinarySecurityToken. For example:
set bst=##class(%SOAP.Security.BinarySecurityToken).CreateX509Token(credset)
This method returns an instance of %SOAP.Security.BinarySecurityToken that represents the <BinarySecurityToken> header element.
-
Add this token to the WS-Security header element. To do so, call the AddSecurityElement() method of the SecurityOut property of your web client or web service. For the method argument, use the token you just created. For example:
do ..SecurityOut.AddSecurityElement(bst)
-
Create the <Signature> element based on the binary security token. To do so, call the CreateX509() class method of %XML.Security.Signature. For example:
set dsig=##class(%XML.Security.Signature).CreateX509(bst)
This method returns an instance of %XML.Security.Signature that represents the <Signature> header element. By default, the <Signature> element covers a default set of parts of the message; you can specify a different set of parts with the signatureOptions argument.
Formally, this method has the following signature:
classmethod CreateX509(credentials As %SYS.X509Credentials = "",
signatureOptions As %Integer,
referenceOption As %Integer,
Output status As %Status) as %XML.Security.Signature
Where:
-
Add the digital signature to the WS-Security header element. To do so, call the AddSecurityElement() method of the SecurityOut property of your web client or web service. For the argument, specify the signature object created in the previous step. For example:
do ..SecurityOut.AddSecurityElement(dsig)
-
Send the SOAP message. See the general comments in Adding Security Header Elements.
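The whole procedure in one place, as an added example rather than code from the original page or from InterSystems: a web client class whose PrepareSecurityHeader() method performs steps 2 through 7 and checks the status returned by CreateX509() before sending. The class name MyApp.SignedClient, the NAMESPACE and SERVICENAME parameters, the endpoint URL, the credential alias "servercred" and the proxy method SubmitOrder() are all assumptions; the signature covers the default message parts, and the UsernameToken is added only as an example of an additional security header element.

```objectscript
/// Added example, not from the original page or from InterSystems.
/// The service namespace, service name, endpoint and the SubmitOrder()
/// proxy method are hypothetical placeholders.
Class MyApp.SignedClient Extends %SOAP.WebClient
{

Parameter NAMESPACE = "http://example.com/orders";

Parameter SERVICENAME = "OrderService";

/// Build the WS-Security header: a UsernameToken, a BinarySecurityToken that
/// carries our X.509 certificate, and a <Signature> bound to that token.
/// alias names an existing %SYS.X509Credentials set; pwd is its private key password.
Method PrepareSecurityHeader(alias As %String, pwd As %String) As %Status
{
    Set sc = $$$OK
    Try {
        // Step 2: an additional security header element (credentials here are the page's example values)
        Set utoken = ##class(%SOAP.Security.UsernameToken).Create("_SYSTEM","SYS")
        Do ..SecurityOut.AddSecurityElement(utoken)

        // Step 3: load our own certificate and private key; fail early if the alias is unknown
        Set credset = ##class(%SYS.X509Credentials).GetByAlias(alias, pwd)
        If '$IsObject(credset) {
            Set sc = $$$ERROR($$$GeneralError, "credential set not found: "_alias)
            Quit
        }

        // Steps 4 and 5: BinarySecurityToken holding the certificate, added to the header
        Set bst = ##class(%SOAP.Security.BinarySecurityToken).CreateX509Token(credset)
        Do ..SecurityOut.AddSecurityElement(bst)

        // Steps 6 and 7: signature over the default message parts, referencing the token.
        // signatureOptions and referenceOption are omitted (defaults); the status
        // output argument is checked rather than ignored.
        Set dsig = ##class(%XML.Security.Signature).CreateX509(bst, , , .sc)
        If $$$ISERR(sc) Quit
        Do ..SecurityOut.AddSecurityElement(dsig)
    } Catch ex {
        Set sc = ex.AsStatus()
    }
    Return sc
}

/// Step 8: prepare the header, point the client at the endpoint (assumed URL) and send.
Method SendSigned(alias As %String, pwd As %String, orderId As %String, Output reply As %String) As %Status
{
    Set reply = ""
    Set sc = ..PrepareSecurityHeader(alias, pwd)
    If $$$ISERR(sc) Return sc
    Set ..Location = "https://orders.example.com/csp/orders/OrderService.cls"
    Try {
        Set reply = ..SubmitOrder(orderId)
    } Catch ex {
        Set sc = ex.AsStatus()
    }
    Return sc
}

/// Hypothetical proxy web method, in the shape the SOAP wizard generates for a client.
Method SubmitOrder(orderId As %String) As %String [ Final, ProcedureBlock = 1, SoapBindingStyle = document, SoapBodyUse = literal, WebMethod ]
{
    Quit ..WebMethod("SubmitOrder").Invoke($this, "http://example.com/orders/OrderService.SubmitOrder", .orderId)
}

}
```

A caller would run something like `Set sc = ##class(MyApp.SignedClient).%New().SendSigned("servercred", pwd, "ORD-1001", .reply)` with pwd obtained from a secret store rather than a literal in source; the error path on CreateX509() matters because a signature that fails to build leaves the message unsigned while still appearing to carry a BinarySecurityToken.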