NonStop SOAP User's Manual

ManualsBrandsHP ManualsServerHP NonStop G-Series

251

252

253

254

255

256

257

258

259

260

NonStop SOAP with Digital Signatures

NonStop SOAP User’s Manual—520501-012

7-2

NonStop SOAP with Digital Signatures

2. The Client encrypts the message digest with its private key to generate the Digital

Signature.

3. The Client appends the Digital Signature to the contract document.

The Client transmits the above document to all its Partners. To confirm that the

message has come from the right source (that is Client), all the Partners process the

digitally signed document as follows:

1. Generate the message digest using the contract information sent by the Client.

The partners use the same Hashing algorithm as used by the Client. The Client

passes information about the Hashing algorithm with the digitally signed message.

2. Decrypt the Digital Signature appended by the Client, using the Client’s public key

to receive the message digest.

3. If the two message digests (as obtained from steps 1 and 2) match, then the

Partners can confirm that the message received by them was sent by Client, and it

has not been tampered in any manner.

The above process can fail if a disgruntled entity tries to manipulate the message sent

by the Client and re-transmits a public key, which appears to be that of Client. To avoid

this, the Client transmits a digital certificate obtained from a trusted certifying body,

which validates the Client’s public key. The digital certificate also provides some other

basic information about the Client. Partners can check for the trusted certificate and

confirm that the public key in the message belongs to Client.

On the other end, each Partner can add Digital Signatures in their responses using

their private key. The Client’s partners can encrypt the message they send using there

private key. The Client must use the server’s public key to decrypt the message.

Everyone would have access to the message sent by the particular partner, but cannot

decrypt it without the Server’s public key.

NonStop SOAP with Digital Signatures

From the security perspective, although a user can send NSSOAP requests through

SSL (https layer), it is not guaranteed that the message sent by the user is not subject

to those security vulnerabilities which still pose a question on message integrity.

Transport-level security does not guarantee message integrity. Therefore, to ensure

message integrity of NSSOAP transactions, it is always recommended to digitally sign

the NSSOAP request/response while sending them across the network. Digital

Signatures in NSSOAP transactions provide the following benefits:

•

A user is able to sign NSSOAP messages with their private key. Therefore, the

server is able to authenticate the user.

•

The server responds to the client with the server’s certificate, making it certain to

the user that the information was sent by the authenticating server.