Changes for page Endpoint Check

Last modified by Erik Bakker on 2024/02/21 21:35

From 34.2 to 34.1 From 38.2 to 38.1

From version 38.1

edited by Erik Bakker
on 2022/06/12 09:38

Change comment: There is no comment for this version

To version 34.2

edited by Erik Bakker
on 2022/06/12 09:34

Change comment: Update document after refactoring.

Raw
Rendered

Summary

Page properties (2 modified, 0 added, 0 removed)

Details

Page properties

Title

@@ -1,1 +1,1 @@
--Securing your SOAP Webservice
++novice-soap-webservice-connectivity-calling-a-soap-webservice

Content

@@ -1,5 +1,5 @@
  {{container}}{{container layoutStyle="columns"}}(((
--When setting up a point at which your customers can talk to you eMagiz offers various methods of creating such a point. One of those options is by hosting a SOAP Webservice in eMagiz that handles XML messages asynchronously or synchronously. In this microlearning, we will zoom in on the part that security plays on a client level when hosting a SOAP web service.
++When setting up a point at which your customers can talk to you eMagiz offers various methods of creating such a point. One of those options is by hosting a SOAP Webservice in eMagiz that handles XML messages asynchronously or synchronously. In this microlearning, we will learn the basics of this configuration in the various phases of the platform so you can easily set up your SOAP web service.
  Should you have any questions, please contact academy@emagiz.com.
@@ -20,11 +20,11 @@
  * Validation
  * Authentication
--Of these four points, we will zoom in on the authentication part of our SOAP Webservice in this microlearning.
++Of these four points, the last two will be discussed in separate microlearnings.
--== 3. Securing your SOAP Webservice ==
++== 3. Configure your SOAP Webservice ==
--When setting up a point at which your customers can talk to you eMagiz offers various methods of creating such a point. One of those options is by hosting a SOAP Webservice in eMagiz that handles XML messages asynchronously or synchronously. In this microlearning, we will zoom in on the part that security plays on a client level when hosting a SOAP web service.
++When setting up a point at which your customers can talk to you eMagiz offers various methods of creating such a point. One of those options is by hosting a SOAP Webservice in eMagiz that handles XML messages asynchronously or synchronously. In this microlearning, we will learn the basics of this configuration in the various phases of the platform so you can easily set up your SOAP web service.
  Crucial parts in the configuration are:
  * Operation Name
@@ -32,62 +32,51 @@
  * Validation
  * Authentication
--Of these four points, we will zoom in on the authentication part of our SOAP Webservice in this microlearning. When hosting your SOAP web service in the eMagiz Cloud the endpoint will be HTTPS secured on default. If you want to mimic the same result for an on-premise environment you should define the valid SSL settings (https://my.emagiz.com/p/question/172825635700357186).
++Of these four points, the last two will be discussed in separate microlearnings. In this microlearning, we will focus on the first two aspects of the configuration. As you might have noticed I did not mention the fact whether the integration is synchronous or asynchronous as a crucial part of the configuration. The reason being that when configuring a (SOAP) web service you always need to send an acknowledgment back to the client calling the web service to let them know what the status of the message is. In case you want to set up the rest of your integration asynchronously you can send an empty message back as acknowledgment. In case you want to set up the rest of your integration synchronously you need to send the response you have received from the backend operation back to the client. More on the choice between asynchronous and synchronous in a later stage.
--Apart from that aspect of security, we should also consider how clients that call the SOAP Web service will authenticate themselves upon entry. Within eMagiz, we advise a two-step approach. Each client that wants to call your SOAP Webservice should:
++=== 3.1 Operation Name ===
--* Send along a client certificate
--* Send along an API key in a SOAP Header that references to the word apiKey (i.e. apiKey)
++Let us first zoom in on the parts of the configuration before we learn how you can implement it in eMagiz. Starting with the operation name. When you have dealt with the API Gateway offering of eMagiz in the past or have some knowledge of how APIs work the notion of an operation name should not be unfamiliar. In essence, it is a unique name that defines a certain operation. In eMagiz the best practice for naming the operation is as follows:
--To verify both parts some configuration is needed. The first aspect, checking for a valid client certificate is done on cloud level. For more information on how to exactly configure this please take a look at the microlearning [Securing a hosted web service with certificates in the eMagiz Cloud](intermediate-securing-your-data-traffic-securing-a-hosted-webservice-with-certificates-in-the-emagiz-cloud.md).
++* Send{technicalnameoftheoperation}
--In this microlearning, we will focus on the second part of the configuration.
++When you are in Create you will notice that eMagiz uses the default suffix of Request and Response is added to the operation name. Therefore the full operation name a client needs to call to get the desired result if you adhere to the best practice is:
--=== 3.1 API Key verification ===
++* Send{technicalnameoftheoperation}Request
--To verify whether the client has sent a valid API Key we need to change the configuration within the entry flow in the Create phase of eMagiz. The configuration consists of three steps:
++=== 3.2 SOAP Webservice Namespace ===
--* Get value from SOAP Header
--* Check value against a list
--* Respond based on results
++The second part of the configuration is the SOAP Webservice Namespace. When hosting a SOAP Webservice via the standard eMagiz tooling you need to define a namespace. To smoothen this process eMagiz automatically generates a namespace based on the configuration settings you choose in the Design phase of eMagiz.
--==== 3.1.1 Get value from SOAP Header ====
++=== 3.3 Configuration in eMagiz ===
--Let us move to the entry flow by going to the Create phase of eMagiz, opening the correct flow, and entering "Start Editing" mode. After you have done so we need to add a support object to the flow. The support we need is called 'Complex SOAP header mapper'. In this component, we need the bottom section.
++Now that we know what configurations are required, we can see how we can implement this in eMagiz. In the Capture phase, nothing changes. You simply draw a system on the canvas including at least one line that goes from the system towards eMagiz. When you are done you move to the Design phase in eMagiz. In this phase, you need to correctly set up the operation name(s) and the SOAP Webservice Namespace.
--[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--complex-soap-header-mapper.png]]
++The configuration in Design starts at the system level. At the system level, you need to define the technical name (or let eMagiz automatically fill it in for you) and select the checkbox called Combined Entry Connector. By selecting this checkbox you tell eMagiz that you want to host an endpoint for others to call.
--Here we define a new header by entering a name and a valid XPath expression.
++[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-configure-your-soap-webservice--combined-entry-check.png]]
--[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--complex-soap-header-mapper-config.png]]
++As you can see, selecting this option opens up a new choice to make. In this case between SOAP Webservice and Custom.
--When you are satisfied you can press Save twice to store the support object. After we have configured the support object we need to link it to our web service inbound gateway. To do so open the component, navigate to the advanced tab and select the Header mapper you have just created.
++[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-configure-your-soap-webservice--combined-entry-choice.png]]
--[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--link-complex-soap-header-mapper.png]]
++In this case, we opt for the SOAP web service. After you have done so eMagiz will automatically define the SOAP Webservice Name and SOAP Webservice Namespace.
--==== 3.1.2 Check value against list ====
++[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-configure-your-soap-webservice--combined-entry-soap-ws-namespace.png]]
--Now that we placed the value the client has entered in the apiKey SOAP header on our message we can check whether the value exists in a list of predefined valid values. To do add two headers to the standard header enricher component in your flow. The first one ensures that the apiKey is removed from the header (to prevent the API key from being publicly seen by others). The second one searches for the client name that corresponds with the apiKey and returns the name of the client in the header. This search action is done with the help of a SpEL expression, more on that later on. In this case the SpEL expression we use is set up as follows: headers['spwbsrv_apiKey'] != null and {${authentication.api-keys}}.contains(headers.spwbsrv_apiKey) ? {${authentication.tenant-ids}}[{${authentication.api-keys}}.indexOf(headers.spwbsrv_apiKey)] : null
++With this, you are done with your configuration on the system level. Don't forget to update the status of your task. Now that we have configured the system it is time to configure the integration that is drawn from the system to eMagiz. We can do so by double-clicking on it (or by accessing the context menu and selecting the edit option). When you open the Edit page on the integration level you will notice that a new segment is added (compared to other integrations). This segment defines the settings on the system level we have just specified and defines the operation name.
--With this SpEL expression, we check whether there is an API key and whether that apiKey can be found in a predefined list. If so we search for the corresponding name based on the index of where a certain apiKey is within the list. If not the header is not created. Combining this logic in one component should look similar to the following.
++[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-configure-your-soap-webservice--edit-integration.png]]
--[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--check-headers.png]]
++As you can see eMagiz has already prefilled the operation name for you based on the best practice at eMagiz. If you want to change you have the option to do so. Do note that for the sake of consistency it would be smart to use the same naming convention within a single project to avoid confusion.
--==== 3.1.3 Respond based on results ====
++=== 3.4 Add integration to Create ===
--After we have searched for the API key in the list and we have defined the client that is sending the information (or not) we can respond to the client whether or not the client is authorized to call our SOAP web service. To execute this check we first need a standard filter component. In this component, we will check whether the spwbsrv_client header we have just created is not null.
++Now that we have finished the configuration in Design the last step of this microlearning is to add the integration to Create. You can simply do so by navigating to Create -> Add integrations and selecting the integration to move it to Create. After you have selected it press Save to add the integration to Create.
--[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--standard-filter.png]]
--
--If it is indeed not null we can pass the empty message back to the client telling the client that the message was delivered successfully. If the header is null we need to tell the client that he/she is unauthorized to call the operation. To do so we need to add a component called 'custom error message activator'. In this component, we define the message we want to give back to the client in case of an error. In this case, we simply give back 'Unauthorized'.
--
--[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--custom-error-message.png]]
--
--With all this done we have successfully secured our SOAP web service according to the best practices.
--
  == 4. Assignment ==
--Secure a SOAP web service to confirm the outlined approach above. Focus on the apiKey part.
++Configure a SOAP web service that consists of at least one operation and add it to Create.
  This assignment can be completed with the help of the (Academy) project that you have created/used in the previous assignment.
  == 5. Key takeaways ==
@@ -97,8 +97,7 @@
      ** SOAP Webservice Namespace
      ** Validation
      ** Authentication
--* Hosting your SOAP web service in the eMagiz cloud results in standard HTTPS
--* Use a combination of client certificate + API key for authentication
++* For ease, you can use the default naming convention of eMagiz
  == 6. Suggested Additional Readings ==
@@ -106,6 +106,6 @@
  == 7. Silent demonstration video ==
--{{video attachment="novice-soap-webservice-connectivity-securing-your-soap-webservice.mp4" reference="Main.Videos.Microlearning.WebHome"/}}
++{{video attachment="novice-soap-webservice-connectivity-configure-your-soap-webservice.mp4" reference="Main.Videos.Microlearning.WebHome"/}}
  )))((({{toc/}}))){{/container}}{{/container}}

Changes for page Endpoint Check

Summary

Details

Navigation