XML Security Cluster Properties

The following cluster properties are used to configure XML security on the Layer7 API Gateway.
Refer to "Time Units" under Cluster Properties for a list of the valid time units that you can use for time-related properties.
Property: security.xml.dsig.idAttributeNames
Description: Attribute names that are recognized as ID attributes for locating Signature Reference URI targets during WS-Security processing. The special prefix 'local:' matches the namespace URI against the owning element rather than the attribute. All other prefixes are ignored.
Default:
{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Id
{http://schemas.xmlsoap.org/ws/2002/07/utility}Id
{http://schemas.xmlsoap.org/ws/2003/06/utility}Id
{urn:oasis:names:tc:SAML:1.0:assertion}local:AssertionID
{urn:oasis:names:tc:SAML:2.0:assertion}local:ID
Id
id
ID
This property is for WSS processing and affects all WSS processing across the cluster after a Layer7 API Gateway restart.

Property: security.xml.dsig.permittedDigestAlgorithms
Description: Message digest algorithm names that are respected when verifying XML digital signatures. DigestMethod and SignatureMethod references that require algorithms not on this list are not respected. Separate each entry with a comma.
Default:
MD5,SHA,SHA-1,SHA-256,SHA-384,SHA-512
Requires a Layer7 API Gateway restart for changes to take effect.

Property: security.xml.dsig.permittedTransformAlgorithms
Description: Transform algorithm URIs that are permitted when verifying XML digital signatures. Transforms that require algorithms not on this list fail. Separate each URI with a comma.
The following signature transforms are accepted by default when this cluster property is not populated:
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Complete-Transform
http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Content-Only-Transform
http://www.w3.org/2000/09/xmldsig#enveloped-signature
http://www.w3.org/2001/10/xml-exc-c14n#
http://www.w3.org/2001/10/xml-exc-c14n#WithComments
Property: security.xml.xenc.blacklist.capacity
Description: Number of entries permitted in the decryption key blacklist.
Default:
50000

Property: security.xml.xenc.blacklist.enabled
Description: Controls whether symmetric keys are blacklisted. Value is a Boolean.
  • true = Symmetric keys that fail to decrypt XML (the number of times specified by the security.xml.xenc.blacklist.maxFailures property) are blacklisted on this node for a period of time (set in the security.xml.xenc.blacklist.maxAge property). This makes it more difficult to use the Layer7 API Gateway as a decryption oracle. This setting is the default.
  • false = Symmetric keys are never blacklisted, even upon failure to decrypt XML.

Property: security.xml.xenc.blacklist.failWhenFull
Description: Controls the response when the blacklist reaches capacity. Value is a Boolean.
  • true = All XML decryption attempts fail immediately once the blacklist has reached its capacity (as set in the security.xml.xenc.blacklist.capacity property).
  • false = XML decryption continues even if the blacklist is full. This setting is the default.

Property: security.xml.xenc.blacklist.maxAge
Description: Minimum time a blacklisted key must remain on the blacklist. Value is a time unit.
Default:
7d
The blacklist is cleared when a node is restarted. Blacklisted keys are then released, regardless of whether the blacklist period has elapsed.

Property: security.xml.xenc.blacklist.maxFailures
Description: Maximum number of XML decryption attempts that can fail before a key is blacklisted on a node.
Default:
5
Property: security.xml.xenc.decryptionAlwaysSucceeds
Description: Controls whether XML decryption should appear to succeed after the Layer7 API Gateway has obtained the symmetric key and attempted to decrypt the CipherValue. Value is a Boolean.
  • true = Decryption is always successful. XML that cannot be decrypted is replaced with a dummy element named L7xenc:DecryptionFault in the namespace http://layer7tech.com/ns/xenc/decryptionfault. This makes it more difficult to use the Layer7 API Gateway as a decryption oracle. This setting is the default.
  • false = The Layer7 API Gateway returns its normal response for decryption success and failure. The dummy element is not used.
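How the security.xml.xenc.blacklist.* properties and security.xml.xenc.decryptionAlwaysSucceeds combine on one node, as an added model that is not Layer7 code or part of this documentation. The class name, the method names, the 'ok'/'fault'/'failed' statuses, the treatment of a successful decryption as resetting a key's failure count, and the time-unit parser are assumptions made for illustration; the default values are the ones listed above.

```python
from dataclasses import dataclass, field

# Assumed time-unit syntax for maxAge ('7d' = seven days), expressed in seconds.
_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
FAULT_ELEMENT = ('<L7xenc:DecryptionFault '
                 'xmlns:L7xenc="http://layer7tech.com/ns/xenc/decryptionfault"/>')

def parse_time_unit(value: str) -> int:
    """'7d' -> 604800 seconds."""
    return int(value[:-1]) * _SECONDS[value[-1]]

@dataclass
class DecryptionKeyBlacklist:              # hypothetical class, one instance per node
    enabled: bool = True                   # security.xml.xenc.blacklist.enabled
    capacity: int = 50000                  # security.xml.xenc.blacklist.capacity
    max_failures: int = 5                  # security.xml.xenc.blacklist.maxFailures
    max_age: int = parse_time_unit("7d")   # security.xml.xenc.blacklist.maxAge
    fail_when_full: bool = False           # security.xml.xenc.blacklist.failWhenFull
    always_succeeds: bool = True           # security.xml.xenc.decryptionAlwaysSucceeds
    failures: dict = field(default_factory=dict)     # key id -> failed attempts so far
    blacklisted: dict = field(default_factory=dict)  # key id -> earliest release time

    def is_blacklisted(self, key_id: str, now: float) -> bool:
        expiry = self.blacklisted.get(key_id)
        return expiry is not None and now < expiry   # maxAge is a minimum, never cut short

    def decrypt(self, key_id: str, key_is_correct: bool, now: float):
        """Return ('ok', plaintext), ('fault', dummy element) or ('failed', None)."""
        if self.enabled and self.fail_when_full and len(self.blacklisted) >= self.capacity:
            return self._failure()              # failWhenFull: refuse everything once full
        if self.enabled and self.is_blacklisted(key_id, now):
            return self._failure()              # even the correct key is refused while listed
        if key_is_correct:
            self.failures.pop(key_id, None)     # assumption: success resets the counter
            return "ok", "<Decrypted/>"
        if self.enabled:
            count = self.failures.get(key_id, 0) + 1
            self.failures[key_id] = count
            if count >= self.max_failures and len(self.blacklisted) < self.capacity:
                self.blacklisted[key_id] = now + self.max_age
                self.failures.pop(key_id, None)
        return self._failure()

    def _failure(self):
        # decryptionAlwaysSucceeds=true hides failure behind the dummy element.
        return ("fault", FAULT_ELEMENT) if self.always_succeeds else ("failed", None)

    def restart(self) -> None:
        """A node restart releases every blacklisted key regardless of maxAge."""
        self.blacklisted.clear()
        self.failures.clear()
```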
Property: security.xml.xenc.encryptEmptyElements
Description: Controls whether the Encrypt Element assertion should encrypt the content of empty elements. Value is a Boolean.
  • true = The content of empty elements is encrypted when the assertion is run. This setting is the default.
  • false = Empty elements are left unencrypted.