Sign Element Assertion

The Sign Element assertion is used to select message elements to be signed in the target message.
Sign Element 
assertion is used to select message elements to be signed in the target message.
  • If the target is the 
     message, signing will occur automatically.
  • If the target is the 
     message or a 
    message context variable
    , then the Add or Remove WS-Security assertion must be added after the Encrypt Element assertion in the policy to perform the signing.
You can add a Sign Element assertion for each element of the target message that you want signed. This assertion supports WS-Security 1.0 and 1.1.
To learn about selecting the target message for this assertion, see Select a Target Message.
To learn more about selecting a private key for this assertion, see Select a Custom Private Key.
To learn more about changing the WSS Recipient for this assertion, see Change the WSS Assertion Recipient.
The Sign Element assertion is intended for use in web service policies. If the target is the response message, ensure the assertion is placed
the routing assertion. If the target is the request message, the assertion should be placed
the routing assertion.
Using the Assertion
  1. Do one of the following:
  2. To add the assertion to the Policy Development window, see Add an Assertion.
  3. To change the configuration of an existing assertion, proceed to step 2 below.
  4. Right-click 
     Sign Element 
    in the policy window and select 
    Sign Element Properties
     or double-click the assertion in the policy window. The assertion properties are displayed. The title of the dialog will show "Request", "Response", or "${variableName}", depending on the target message.
  5. Specify the XPath and select the target element to be sign from the code box. For detailed instructions on using the interface to build your XPath, see Select an XPath.
  6. For 
    Signature Key Reference
    , select the method to use to include the SSL certificate for the 
    API Gateway
    • BinarySecurityToken (BST):
       The certificate is embedded within the message and does not require the recipient to already possess a copy of the signing certificate. This results in larger messages, but is more compatible. This setting is the default.
    • Signed:
       Select the 
       check box if the BinarySecurityToken must be digitally signed.
    • SubjectKeyIdentifier (SKI):
       Use SecurityTokenReference containing the SubjectKeyIdentifier (SKI). This produces smaller messages, but at the risk of decreased compatibility.
    • Issuer Name/Serial Number:
       Use a SecurityTokenReference containing the certificates issuer distinguished name and serial number. This produces smaller messages, but at the risk of decreased compatibility.
  7. For the 
    Signature Digest Algorithm
    , select one of the following options:
    • Automatic:
       The algorithm used for signature digest is determined by the 
       cluster property.
    • Any setting other than 'Automatic':
       The selected digest algorithm is used, overriding the setting in the 
       cluster property. The selected digest will be used for both the signature method and the digest method.
    If the selected combination of signing key type and digest algorithm has no corresponding signature method implementation (for example, signing with a DSA private key with any digest algorithm other than SHA-1) then the signature will fail when the decoration requirements are later applied to the message.
  8. Click [
    ] when done.