Encrypt Element Assertion

The Encrypt Element assertion is used to select message elements to be encrypted in the target message.
Encrypt Element 
assertion is used to select message elements to be encrypted in the target message.
  • If the target is the 
     message, encryption will occur automatically.
  • If the target is the 
     message or a 
    message context variable
    , then the Add or Remove WS-Security assertion must be added after the Encrypt Element assertion in the policy to perform the encryption.
You can add an Encrypt Element assertion for each element of the target message that you want encrypted. This assertion supports the W3C XML Signature 1.0 standard.
This assertion can only be used in a web service policy. It should be placed before the routing assertion in a policy.
To learn about selecting the target message for this assertion, see Select a Target Message.
To learn more about selecting the target identity for this assertion, see Select a Target Identity.
To learn more about changing the WSS Recipient for this assertion, see Change the WSS Assertion Recipient.
When multiple signatures are used in a target message, it is mandatory to select a target identity.
Using the Assertion
  1. Do one of the following:
    • To add the assertion to the Policy Development window, see Add an Assertion.
    • To change the configuration of an existing assertion, proceed to step 2 below.
  2. Right-click the 
     Encrypt Element
     in the policy window and select 
    Encrypt Element Properties
     or double-click the assertion in the policy window. The assertion properties are displayed. The title of the dialog will show "Request", "Response", or "${variableName}", depending on the target message.
  3. Specify the XPath and select the target element to be encrypted from the code box. For detailed instructions on using the interface to build your XPath, see Select an XPath.
    The Policy Manager will not allow you to encrypt the 
     element in the Encrypt Request Element Properties dialog. You can, however, encrypt a child element within the envelope such as 
    A matching element's own opening and closing tags and tag attributes do not need to be encrypted. To force the encryption of an entire element—including opening and closing tags, attributes, and white space content—match the XPath expression to the parent element of the message. Clicking, or highlighting, an element selects it (and any child code) for the assertion encryption requirement.
  4. Choose the 
    Encryption Method
     from the drop-down list: 
    AES 128 CBC
    AES 192 CBC
    AES 256 CBC
    Triple DES
    AES 128 GCM
     for both AES-GCM>
    AES 256 GCM
     The "AES-GCM" encryption options can be selected even if your security provider does not support it. However, this will result in encryption/decryption attempts to fail at runtime.
  5. For 
    Encryption Key Reference
    , select the method to use to include the SSL certificate for the
    API Gateway
    • BinarySecurityToken (BST):
       Use a SecurityTokenReference containing the BinarySecurityToken (BST).
    • SubjectKeyIdentifier (SKI):
       Use a SecurityTokenReference containing the SubjectKeyIdentifier (SKI).
    • Issuer Name/Serial Number:
       Use a SecurityTokenReference containing the certificates issuer distinguished name and serial number.
    • Key Name:
       Use a SecurityTokenReference containing the Key Name.
      (1) Using a "Key Name" reference violates the WS-I Basic Security Profile so this reference type should be avoided whenever possible. (2) The "KeyName" element will be added inside a "SecurityTokenReference", e.g.,
      <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <dsig:KeyName>CN=Bob,OU=OASIS Interop Test Cert,O=OASIS</dsig:KeyName>
  6. Click [