Integration Server 11.1 | Built-In Services Reference Guide | Security Folder | Summary of Elements in this Folder | pub.security:signAndEncrypt
 
pub.security:signAndEncrypt
WmPublic. Adds a digital signature to data and then encrypts the data.
Input Parameters
securityProvider
String Optional. The type of security provider. The valid values are:
*PGP (Pretty Good Privacy)
*JCE-KBE (Java Cryptography Extension-Key Based Encryption)
The default value is PGP.
data
Document Data that you want to sign and encrypt. The data must be in one of the following formats. If multiple input parameters are supplied for data, the service throws an exception stating that only one parameter must be passed.
Key
Description
string
String Optional. The string that you want to sign and encrypt.
stream
java.io.InputStream Optional. The stream data that you want to sign and encrypt.
bytes
byte[ ] Optional. The byte array that you want to sign and encrypt.
file
String Optional. The absolute or relative path of the file that you want to sign and encrypt. If the file is outside the Integration Server or Microservices Runtime installation directory, provide the absolute path. Otherwise, place the file in your Integration Server or Microservices Runtime working directory.
The About page in Integration Server Administrator and Microservices Runtime Administrator displays the working directory. The watt.server.homeDir server configuration parameter also specifies the working directory.
loadAs
String Optional. The format in which the service returns the output. Set to:
*bytes to return the output as a byte array. This is the default.
*stream to return the output as a stream object.
*string to return the output as a string.
publicKey
Document The public key required to encrypt the data.
For PGP, provide publicKeyBytes, publicKeyString, or publicKeyRingFile. If you provide publicKeyRingFile, you must also provide publicKeyAlias. Otherwise, the service throws an exception.
For JCE-KBE, provide publicKeyBytes, publicKeyString, or truststoreAlias. If you provide truststoreAlias, you must also provide certAlias. Otherwise, the service throws an exception.
Key
Description
publicKeyBytes
Object List Optional. One or more public key files as byte arrays for PGP. JCE supports only a single public key file.
Note:
Public key files have a .asc extension for PGP.
publicKeyString
String List Optional. One or more public keys as strings for PGP. JCE supports only a single public key string.
public​KeyRingFile
String Optional. The absolute or relative path of the public keyring file. The public keyring file is a collection of public keys with a unique key ID. If the file is outside the Integration Server or Microservices Runtime installation directory, provide the absolute path. Otherwise, place the file in your Integration Server or Microservices Runtime working directory. This parameter is specific to PGP.
The About page in Integration Server Administrator and Microservices Runtime Administrator displays the working directory. The watt.server.homeDir server configuration parameter also specifies the working directory.
Note:
Public keyring files have a .pkr extension for PGP.
publicKeyAlias
String List Optional. One or more public key aliases as strings. A public key alias is the 64-bit (16 characters) key identifier of a public key.
Note:
This parameter is required only when you use publicKeyRingFile.
truststoreAlias
String Optional. Applies only to JCE. The alias for the truststore containing the public key and certificate.
certAlias
String Optional. Applies only to JCE. The alias identifying a particular trusted certificate within a truststore.
Note:
This parameter is required only when you use truststoreAlias.
encryptionAlgorithm
String The encryption algorithm to use.
*For PGP, select one of the following symmetric key encryption algorithms:
*AES_192
*AES_256
*BLOWFISH
*IDEA
*TRIPLE_DES
*TWOFISH
The default value is AES_256.
*For JCE, select RSA (asymmetric key encryption algorithm).
secretKey
Document The secret key required to sign the data.
For PGP, provide secretKeyBytes, secretKeyString, or secretKeyRingFile. If you provide secretKeyRingFile, you must also provide secretKeyAlias. Otherwise, the service throws an exception.
For JCE-KBE, provide secretKeyBytes, secretKeyString, or keyStoreAlias. If you provide keyStoreAlias, you must provide keyAlias. Otherwise, the service throws an exception.
Key
Description
secretKeyBytes
byte[ ] Optional. The secret key file in bytes.
Note:
Secret key files have a .asc extension for PGP.
secretKeyString
String Optional. The secret key as a string.
secret​KeyRingFile
String Optional. The absolute or relative path of the secret keyring file. The secret keyring file is a collection of secret keys with a unique key ID. If the file is outside the Integration Server or Microservices Runtime installation directory, provide the absolute path. Otherwise, place the file in your Integration Server or Microservices Runtime working directory. This parameter is specific to PGP.
The About page in Integration Server Administrator and Microservices Runtime Administrator displays the working directory. The watt.server.homeDir server configuration parameter also specifies the working directory.
Note:
Secret keyring files have a .skr extension for PGP.
secretKeyAlias
String Optional. The 64 bit (16 characters) key identifier of the secret key.
Note:
This parameter is required only when you use secretKeyRing​File.
secretKey ​Passphrase
String Password required to extract the private key from the secret key. This is the password provided while generating the secret key.
keyStoreAlias
String Optional. Applies only to JCE. The keystore alias that contains the private key.
keyAlias
String Optional. Applies only to JCE. The private key alias in the keystore specified by the keyStoreAlias parameter.
Note:
This parameter is required only when you use keyStoreAlias.
signingAlgorithm
String. The signing algorithm to use.
*For PGP, select one of the following:
*MD5
*SHA256
*SHA384
*SHA512
The default value is SHA256 for PGP.
*For JCE, select one of the following:
*RSA
*SHA256withRSA
*SHA512withRSA
*SHA3-256withRSA
*SHA3-384withRSA
*SHA3-512withRSA
Note:
If the FIPS (Federal Information Processing Standards) mode is enabled, this service does not support the MD5 signing algorithm. FIPS mode can be enabled or disabled using the watt.security.fips.mode parameter. This is applicable only for PGP.
Note:
If the secret key for signing the data is of the DSA (Digital Signature Algorithm) key type, this service does not support the MD5 signing algorithm. This is applicable only for PGP.
cipher
String Optional. Applies only to JCE. The cipher for encryption. Select one of the following:
*RSA
*RSA/ECB/PKCS1Padding
*RSA/ECB/OAEPWithSHA-1AndMGF1Padding
*RSA/ECB/OAEPWithSHA-256AndMGF1Padding
*RSA/ECB/OAEPWithSHA-512AndMGF1Padding
*RSA/ECB/OAEPPadding
The default value is RSA.
Output Parameters
stream
java.io.OutputStream Conditional. Signed and encrypted data as an output stream. Returned when the loadAs input parameter is set to stream.
bytes
byte[ ] Conditional. Signed and encrypted data as bytes. Returned when the loadAs input parameter is set to bytes.
string
String Conditional. Signed and encrypted data as a string in the ASCII-armored format. Returned when the loadAs input parameter is set to string.
status
String Indicates whether the data is successfully signed and encrypted or not. If successful, status is success. Otherwise, status contains failure along with an error message.
Usage Notes
Use the pub.security:signAndEncrypt service when an external system connected to Integration Server requires signed and encrypted data. The service accepts multiple public keys to encrypt the same data for many users.
Prerequisites to use the pub.security:signAndEncrypt service:
*Make sure that Integration Server has access to the external system's public key to encrypt data.
*Generate a secret key for Integration Server to sign the data.
Signing and encryption work as follows:
1. The service uses the secret key to sign the data.
2. The service then uses the external system's public key to encrypt the data.
3. The service returns the signed and encrypted data.
For PGP, consider the following point:
*To sign and encrypt the data for multiple users, provide your secret key and the users' public keys to the service. You can provide the public keys to the service as a list of byte arrays, strings, or a keyring file. If you provide a keyring file, you must also provide the public key aliases.
*Authentication keys used in this service must be in the PGP format and generated using the RSA encryption algorithm.
Note:
Authentication keys in the .ecc format are not supported.
For JCE, you can sign and encrypt the data for a single user only.