
secRT

CORISECIO GmbH - Uhlandstr. 9 - 64927 Darmstadt - Germany - www.corisecio.de - Copyright 2011 - All Rights Reserved
1. System requirements  1
   1. securityRunTime  1
      1.1. Tomcat  1
2. Functional overview  2
   1. Message types  2
      1.1. BSFObject  2
      1.2. HTTPObject  2
      1.3. HTTPRequest  2
      1.4. HTTPResponse  2
      1.5. SOAPMessage  2
   2. Data types  2
      2.1. crs:multiLineString  2
      2.2. crs:xpath  2
      2.3. crs:certificate  2
      2.4. crs:privateKey  2
      2.5. crs:role  3
   3. Listener  3
      3.1. AppServer listener #1  3
      3.2. Secure AppServer listener #1  3
      3.3. Authenticating Secure AppServer listener #1  3
   4. Functions  3
      4.1. BrowserProxy  3
      4.2. CalculateMD5Function  4
      4.3. CheckMD5Function  4
      4.4. CreateSOAPMessageFromWSDL  4
      4.5. DumpHTTP  4
      4.6. EntityHasRole  5
      4.7. EnvelopeInRequest  5
      4.8. EnvelopeInResponse  5
      4.9. ExtractFromRequest  5
      4.10. ExtractFromResponse  6
      4.11. GetFormDataValue  6
      4.12. HTTP error page  6
      4.13. HTTPResponseFromRequestBody  7
      4.14. Proxy  7
      4.15. SetExecVariableFunction  7
      4.16. SetSecRTEntity  8
      4.17. SetValueOfXPath  8
      4.18. SOAPAttachmentSwitch  9
      4.19. UnwrapHTTP  9
      4.20. Webservice Dispatcher  9
      4.21. WrapHTTP  9
      4.22. XMLValueToExecutionVariable  10
Index  11

CORISECIO
Chapter 1. System requirements
1. securityRunTime
1.1. Tomcat
The statements regarding processor, RAM and hard disk space are guideline values only, as the need for system
resources depends mainly on how secRT is used. Reliable figures can only be obtained by testing within your own
system environment.

Table 1.1. System requirements secRT - Tomcat

Processor              Intel Pentium IV 2,4 GHz or more
RAM                    1024 MB or more
Free hard disk memory  10 GB or more (amongst others for Logging)
Operating system       Windows XP (SP 2) - 32/64 Bit or newer
                       Windows 2003 (SP 1) - 32/64 Bit or newer
                       Suse Linux Enterprise 11
Software               Java Software Development Kit 1.5 or Java Software Development Kit 1.6
                       Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy
                       Apache Tomcat 5.5/6 with at least 40 MB PermGen Space per running secRT

Chapter 2. Functional overview
1. Message types
The functions operate on message types. The basic message types are shown in the following image:

Message types may be derived from each other. This means that the derived type also owns the properties of the superior
type. In the image, arrows point from the derived message types to their superior types. A function that processes a
message type may also process the message types derived from it.

1.1. BSFObject
The message type BSFObject is the root of the type hierarchy. BSFObject does not own visible properties and serves
as root only.

1.2. HTTPObject
An HTTPObject contains the shared data of HTTP requests and HTTP responses.

1.3. HTTPRequest
An HTTP request is represented by HTTPRequest.

1.4. HTTPResponse
An HTTP response is shown as HTTPResponse in the system.

1.5. SOAPMessage
A SOAP message is represented by the message type SOAPMessage.

2. Data types
2.1. crs:multiLineString
A crs:multiLineString represents a multi-line string.

2.2. crs:xpath
A crs:xpath represents an XPath expression. XPath version 1.0 is supported (based on Xalan 2.7.0).
Please note that XPath is namespace-sensitive; use expressions such as //*[local-name()='CityName' and
namespace-uri()='www.webserviceX.NET'] to operate on nodes that carry a namespace.

2.3. crs:certificate
A crs:certificate represents a Base-64 encoded X.509 (.CER) certificate.

2.4. crs:privateKey
A crs:privateKey represents a private key container (supported are .p12 and .jks) with an RSA key (max. key length 1024).

2.5. crs:role
A crs:role represents a created role, which may be assigned to none, one or many users.

3. Listener
3.1. AppServer listener #1
The listener AppServer listener #1 is a Catalina engine that listens on a port and waits for HTTPRequests. The
HTTPRequests are processed according to the model, and the result is returned to the requester as an HTTPResponse.
The listener AppServer listener #1 contains the following configuration parameter:

Parameter      Type     Required  Description
Listener port  xsd:int  yes       The port the server is bound to.

3.2. Secure AppServer listener #1
The listener Secure AppServer listener #1 represents the SSL version of the AppServer listener #1.
The listener Secure AppServer listener #1 contains the following configuration parameters:

Parameter      Type            Required  Description
Listener port  xsd:int         yes       The port the service is bound to.
Private key    crs:privateKey  yes       The private SSL key.

3.3. Authenticating Secure AppServer listener #1
The listener Authenticating Secure AppServer listener #1 is an extension of the Secure AppServer listener #1.
Before forwarding, the listener verifies that the certificate presented by the user originates from a trustworthy issuer
and that the user is a member of a certain role. If both requirements are fulfilled, the certificate holder's name is
written into an execution variable.
The listener Authenticating Secure AppServer listener #1 contains the following configuration parameters:

Parameter            Type                       Required  Description
Listener port        xsd:int                    yes       The port the service is bound to.
Private key          crs:privateKey             yes       The private SSL key.
Username variable    xsd:string                 yes       The name of the execution variable the authorized user will be written into.
Trusted authorities  A list of crs:certificate  yes       A list of certificates accepted as trustworthy issuers.
Authorized user      crs:role                   yes       The role of authorized users.
403 error page       crs:multiLineString        yes       The response body if the user is not authorized.
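The three checks this listener performs (trusted issuer, role membership, then writing the holder's name into the username variable, otherwise the 403 page), modelled in Python as an added example that is not part of the manual or of secRT. It assumes the client certificate arrives in the dictionary form that Python's ssl.SSLSocket.getpeercert() returns, and simplifies "trusted authorities" to a list of issuer common names; the role membership table and certificate values are constructed.

```python
import ssl
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample: a client certificate as ssl.SSLSocket.getpeercert()
# returns it (nested tuples of (attribute, value) pairs), plus the
# configuration of the listener. None of these values come from the manual.
CLIENT_CERT = {
    "subject": ((("countryName", "DE"),), (("commonName", "alice"),)),
    "issuer": ((("commonName", "Example Issuing CA"),),),
}
TRUSTED_ISSUER_CNS = ["Example Issuing CA"]          # stands in for "Trusted authorities"
ROLE_MEMBERS = {"soap-users": {"alice", "bob"}}      # stands in for the crs:role lookup
ERROR_PAGE_403 = "<html><body>403 Forbidden</body></html>"


def make_server_context(certfile: str, keyfile: str, cafile: str) -> ssl.SSLContext:
    """TLS listener that demands a client certificate and verifies its chain
    against the trusted issuers during the handshake. The name and role checks
    below assume this has already passed: comparing issuer names on an
    unverified certificate proves nothing, since the client chose both."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)       # the listener's own "Private key"
    ctx.load_verify_locations(cafile)            # the "Trusted authorities"
    ctx.verify_mode = ssl.CERT_REQUIRED          # no certificate, no connection
    return ctx


def _common_name(name_tuples) -> Optional[str]:
    """Pick the commonName out of a getpeercert() subject or issuer tuple."""
    for rdn in name_tuples:
        for attribute, value in rdn:
            if attribute == "commonName":
                return value
    return None


def authenticate(peer_cert: dict, trusted_issuers: Iterable[str], role: str,
                 variables: Dict[str, str], username_variable: str,
                 error_page: str = ERROR_PAGE_403) -> Tuple[int, Optional[str]]:
    """Return (status, body). On success the holder's CN is written into
    variables[username_variable] and the request may be forwarded; on
    failure the variable stays untouched and the 403 error page is the body."""
    issuer = _common_name(peer_cert.get("issuer", ()))
    if issuer is None or issuer not in set(trusted_issuers):
        return 403, error_page
    holder = _common_name(peer_cert.get("subject", ()))
    if holder is None or holder not in ROLE_MEMBERS.get(role, set()):
        return 403, error_page
    variables[username_variable] = holder
    return 200, None
```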

4. Functions
4.1. BrowserProxy
The function BrowserProxy executes an HTTPRequest at the host set in the Host header. With this function a
non-transparent proxy may be realized.
The function BrowserProxy contains the following configuration parameter:

Parameter  Type        Required  Description
Schema     xsd:string  yes       The URL scheme (http or https).

For HTTPRequest the function contains the following signature:

Result name  Result type  Type          Description
response     ok           HTTPResponse  The HTTPRequest has been executed and the appropriate HTTPResponse has been
                                        returned by the remote station.

4.2. CalculateMD5Function
The function CalculateMD5Function calculates the MD5 checksum of the HTTPRequest content or HTTPResponse content,
respectively, and adds it as the specified header field.
The function CalculateMD5Function contains the following configuration parameter:

Parameter     Type        Required  Description
Header Field  xsd:string  yes       The name of the header field holding the hash value.

4.3. CheckMD5Function
The function CheckMD5Function calculates the MD5 checksum of the HTTPRequest content or HTTPResponse content,
respectively, and checks the specified header field for equality.
The function CheckMD5Function contains the following configuration parameter:

Parameter     Type        Required  Description
Header Field  xsd:string  yes       The name of the header field that holds the hash value.

4.4. CreateSOAPMessageFromWSDL
The function CreateSOAPMessageFromWSDL creates a SOAPMessage from the WSDL.
SOAP 1.1 messages receive text/xml; charset=utf-8 as content type. The content type of SOAP 1.2 messages is
application/soap+xml; charset=utf-8.
The function CreateSOAPMessageFromWSDL contains the following configuration parameters:

Parameter       Type                 Required  Description
WSDL URL        xsd:string           yes       The URL the WSDL description is downloaded from.
WSDL Service    xsd:string           yes       The name of the service to be used.
WSDL Port       xsd:string           yes       The name of the port to be used.
WSDL Operation  xsd:string           yes       The name of the operation to be executed.
Configuration   crs:multiLineString  yes       The XML parameter element. It is required as a template and can be
                                               modified at runtime with SetValueOfXPath.

For BSFObject the function contains the following signature:

Result name  Result type  Type         Description
message      ok           SOAPMessage  The SOAPMessage was created.
error        error        BSFObject    An error occurred during processing.

4.5. DumpHTTP
The function DumpHTTP saves SOAPMessages to the given file. At present the function does not support SOAP
attachments; therefore, it may not be used to process such messages.
The function DumpHTTP contains the following configuration parameter:

Parameter  Type        Required  Description
filename   xsd:string  yes       Path and name of the log file.

For SOAPMessage the function contains the following signature:

Result name  Result type  Type         Description
message      ok           SOAPMessage  The SOAPMessage has been logged.

4.6. EntityHasRole
The function EntityHasRole verifies whether the variable given by the parameter entityVarName identifies a user who
has been assigned the role specified by the parameter Authorized role. If so, the result is true; otherwise it is
false. The BSFObject is not analyzed and remains unmodified. Please note that this function is only relevant for the
enterprise version of securityRunTime.
The function EntityHasRole contains the following configuration parameters:

Parameter          Type        Required  Description
Username variable  xsd:string  yes       The name of the execution variable containing the user name to be verified.
Authorized role    crs:role    yes       The role against which the user is verified.

For BSFObject the function contains the following signature:

Result name  Result type  Type       Description
true         ok           BSFObject  The entity has the configured role.
false        error        BSFObject  The entity does not have the configured role.
error        error        BSFObject  An error occurred during processing.

4.7. EnvelopeInRequest
The function EnvelopeInRequest adds a SOAPMessage to the body of an HTTPRequest.
The function EnvelopeInRequest does not contain any configuration parameters.
For SOAPMessage the function contains the following signature:

Result name  Result type  Type         Description
request      ok           HTTPRequest  The SOAPMessage has been embedded into an HTTPRequest.

4.8. EnvelopeInResponse
The function EnvelopeInResponse adds a SOAPMessage to the body of an HTTPResponse.
The function EnvelopeInResponse does not contain any configuration parameters.
For SOAPMessage the function contains the following signature:

Result name  Result type  Type          Description
response     ok           HTTPResponse  The SOAPMessage has been embedded into an HTTPResponse.

4.9. ExtractFromRequest
The function ExtractFromRequest extracts a SOAPMessage from the body of an HTTPRequest.
The function ExtractFromRequest does not contain any configuration parameters.
For HTTPRequest the function contains the following signature:

Result name  Result type  Type         Description
request      ok           SOAPMessage  The SOAPMessage has been extracted from the HTTPRequest.
error        error        HTTPRequest  An error occurred during processing.

4.10. ExtractFromResponse
The function ExtractFromResponse extracts a SOAPMessage from the body of an HTTPResponse.
The function ExtractFromResponse does not contain any configuration parameters.
For HTTPResponse the function contains the following signature:

Result name  Result type  Type          Description
response     ok           SOAPMessage   The SOAPMessage has been extracted from the HTTPResponse.
error        error        HTTPResponse  An error occurred during processing.

4.11. GetFormDataValue
The function GetFormDataValue reads the value of the form-data field with the specified name and writes it into an
execution variable.
The function GetFormDataValue contains the following configuration parameters:

Parameter      Type        Required  Description
Field name     xsd:string  yes       Name of the field in the Content-Disposition header (multipart message header,
                                     used e.g. for attachments).
Variable Name  xsd:string  yes       Name of the execution variable the value should be stored in. If no value was
                                     found, an existing value is overwritten with null.

For HTTPRequest the function contains the following signature:

Result name  Result type  Type         Description
ok           ok           HTTPRequest  If the request has the Content-Type multipart/form-data and contains a part
                                       whose Content-Disposition name equals Field name, the value has been written
                                       into the execution variable. Otherwise the execution variable has been set
                                       to null.
error        error        HTTPRequest  An error occurred during processing.
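The lookup GetFormDataValue performs, written in Python as an added example that is not code from the manual or from secRT. It parses a constructed multipart/form-data request with the standard library's MIME parser, matches the Content-Disposition name against Field name, and reproduces the overwrite-with-null behaviour on the variable when the field is absent (a stale user name must not survive a request that does not carry the field).

```python
import email
from email import policy
from typing import Dict, Optional

# Constructed sample request, not taken from the manual: a multipart/form-data
# body with a plain field and a file part.
SAMPLE_CONTENT_TYPE = 'multipart/form-data; boundary="XbOuNdArY"'
SAMPLE_BODY = (
    b"--XbOuNdArY\r\n"
    b'Content-Disposition: form-data; name="username"\r\n'
    b"\r\n"
    b"alice\r\n"
    b"--XbOuNdArY\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="a.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--XbOuNdArY--\r\n"
)


def get_form_data_value(content_type: str, body: bytes, field_name: str) -> Optional[str]:
    """Return the value of the multipart/form-data part whose Content-Disposition
    name equals field_name, or None (the manual's null) when the request is not
    multipart/form-data or no part matches."""
    if not content_type.lower().startswith("multipart/form-data"):
        return None
    # Reuse the stdlib MIME parser: prefix the body with its Content-Type header
    # so the boundary is known and the parts are split for us.
    message = email.message_from_bytes(
        b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body,
        policy=policy.default,
    )
    if not message.is_multipart():
        return None
    for part in message.iter_parts():
        # get_param reads the 'name' parameter of the given header, unquoted.
        if part.get_param("name", header="content-disposition") == field_name:
            payload = part.get_payload(decode=True)
            return payload.decode(part.get_content_charset() or "utf-8")
    return None


def run_get_form_data_value(variables: Dict[str, Optional[str]], content_type: str,
                            body: bytes, field_name: str, variable_name: str) -> str:
    """Model the function's effect on the execution variables: the variable is
    always written, so a previous value is replaced by None when the field is
    missing. Returns the manual's result name."""
    variables[variable_name] = get_form_data_value(content_type, body, field_name)
    return "ok"
```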

4.12. HTTP error page
The function HTTP error page returns an arbitrary, configured body as an HTTPResponse.
The function HTTP error page contains the following configuration parameter:

Parameter     Type                 Required  Description
Page content  crs:multiLineString  yes       The body of the HTTPResponse.

For any message type the function contains the following signature:

Result name  Result type  Type          Description
error        ok           HTTPResponse  The result is an HTTPResponse with the parameter as content.

4.13. HTTPResponseFromRequestBody
The function HTTPResponseFromRequestBody generates an HTTPResponse with header and body from the given
HTTPRequest.
The function HTTPResponseFromRequestBody contains the following configuration parameter:

Parameter    Type     Required  Description
Status Code  xsd:int  yes       The status code for the HTTPResponse.

For HTTPRequest the function contains the following signature:

Result name  Result type  Type          Description
ok           ok           HTTPResponse  Generation of the HTTPResponse was successful.
error        error        HTTPRequest   An error occurred during processing.

4.14. Proxy
The function Proxy forwards an HTTPRequest to a destination configured as parameter.
The function Proxy contains the following configuration parameters:

Parameter                 Type                                    Required  Description
Schema                    xsd:string                              yes       The URL scheme (http or https).
Target address            xsd:string                              yes       The receiving system's host name.
Target port               xsd:int                                 yes       The receiving system's port number.
Rewrite content types     List of xsd:string                      no        The content types for which URL rewriting should
                                                                            take place. They are stated according to RFC 2616,
                                                                            where the wildcard sign * is possible
                                                                            (Example: text/plain, text/*).
Request rewrite rules     Pairs of regular expression/xsd:string  no        All matching regular expressions are replaced in
                                                                            the HTTPRequest with the corresponding values prior
                                                                            to execution. (Example:
                                                                            [s][e][r][v][i][c][e][.][m][y][h][o][s][t][.][c][o][m],
                                                                            rz-host or [h][t][t][p][s][:][/][/], http://)
Response rewrite rules    Pairs of regular expression/xsd:string  no        All matching regular expressions are replaced in
                                                                            the HTTPResponse with the corresponding values
                                                                            prior to execution. (Example:
                                                                            [/][w][e][b][A][d][m][i][n][R][e][s][o][u][r][c][e][s],
                                                                            /path/webAdminResources or [/][?][w][i][c][k][e][t][:],
                                                                            /path/?wicket:)
Trusted SSL certificates  List of crs:certificate                 no        If you are using SSL, the trusted SSL certificate(s)
                                                                            have to be specified here. A certificate is accepted
                                                                            if the host name matches the common name and the
                                                                            certificate or its issuer is listed here.

For HTTPRequest the function contains the following signature:

Result name  Result type  Type          Description
response     ok           HTTPResponse  The HTTPRequest was executed and the appropriate HTTPResponse was returned
                                        from the remote station.
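How the Rewrite content types filter and the rewrite rule pairs combine, as an added Python example that is not code from the manual or from secRT. The rule sets reuse the manual's own example patterns (each literal character inside [] keeps metacharacters such as . and ? literal); the sample request line and response snippets are constructed, and applying the content-type filter to responses only is this example's assumption.

```python
import re
from typing import Iterable, List, Tuple

# Constructed rule sets built from the manual's example values.
REQUEST_RULES: List[Tuple[str, str]] = [
    ("[s][e][r][v][i][c][e][.][m][y][h][o][s][t][.][c][o][m]", "rz-host"),
    ("[h][t][t][p][s][:][/][/]", "http://"),
]
RESPONSE_RULES: List[Tuple[str, str]] = [
    ("[/][w][e][b][A][d][m][i][n][R][e][s][o][u][r][c][e][s]", "/path/webAdminResources"),
    ("[/][?][w][i][c][k][e][t][:]", "/path/?wicket:"),
]
REWRITE_CONTENT_TYPES = ["text/plain", "text/*"]


def content_type_matches(patterns: Iterable[str], content_type: str) -> bool:
    """RFC 2616 media-type match with the * wildcard: 'text/*' matches 'text/html'.
    Parameters such as '; charset=utf-8' do not take part in the comparison."""
    media = content_type.split(";", 1)[0].strip().lower()
    for pattern in patterns:
        p = pattern.strip().lower()
        if p in ("*/*", media):
            return True
        if p.endswith("/*") and media.startswith(p[:-1]):
            return True
    return False


def apply_rewrite_rules(rules: Iterable[Tuple[str, str]], text: str) -> str:
    """Apply every (regex, replacement) pair in order. Later rules see the output
    of earlier ones, so the order of the pairs is part of the configuration.
    Replacement strings are passed to re.sub, so a backslash in them is an escape."""
    for pattern, replacement in rules:
        text = re.sub(pattern, replacement, text)
    return text


def rewrite_request(request_line: str) -> str:
    """Request rewriting of the target host and scheme before forwarding."""
    return apply_rewrite_rules(REQUEST_RULES, request_line)


def rewrite_response_body(content_type: str, body: str) -> str:
    """Only bodies whose Content-Type is in the configured list are rewritten
    (assumption of this example); binary types such as image/png pass through."""
    if not content_type_matches(REWRITE_CONTENT_TYPES, content_type):
        return body
    return apply_rewrite_rules(RESPONSE_RULES, body)
```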

4.15. SetExecVariableFunction
The function SetExecVariableFunction sets the value of an execution variable. All functions called later have access
to this execution variable and its value.
This function may be used in conjunction with EncryptXPath, which expects a username execution variable to be set to
the owner of the certificate used for encryption.
The function SetExecVariableFunction contains the following configuration parameters:

Parameter                 Type        Required  Description
Execution Variable Name   xsd:string  yes       The name of the execution variable.
Execution Variable Value  xsd:string  yes       The value to be set.

For BSFObject the function contains the following signature:

Result name  Result type  Type       Description
ok           ok           BSFObject  The variable was set.
error        error        BSFObject  An error occurred during processing.

4.16. SetSecRTEntity
The function SetSecRTEntity assigns an entity to the securityRunTime. This is only effective if the securityRunTime
in the Connector is administrated locally.
Certain functions require, for example, access to the private or public key or to the name of the securityRunTime.
Under local administration, the securityRunTime initially has no entity. This may be changed via SetSecRTEntity. The
assignment is done only once; each further call of SetSecRTEntity has no effect. Usually, SetSecRTEntity is used at
the beginning of a modeled workflow.
Under central administration (generation and deployment of Security Rules via the Security Broker), the securityRunTime
is automatically assigned an entity. It results from the server name and the server's key pair. A call of SetSecRTEntity
then has no effect.
The function SetSecRTEntity contains the following configuration parameters:

Parameter    Type            Required  Description
Entity name  xsd:string      yes       The entity's required name.
Keystore     crs:privateKey  yes       The keystore associated with the entity.

For BSFObject the function contains the following signature:

Result name  Result type  Type       Description
ok           ok           BSFObject  The entity has been assigned, or the call had no effect.
error        error        BSFObject  An error has occurred.

4.17. SetValueOfXPath
The function SetValueOfXPath changes the value of the XML nodes given by the XPath.
The function SetValueOfXPath contains the following configuration parameters:

Parameter  Type                         Required  Description
XPath      crs:xpath                    yes       The XPath describing the nodes to be changed.
Type       Value or Execution variable  yes       The source of the value to be set.
Value      xsd:string                   yes       The value to be set, or the name of the execution variable containing
                                                  the value.

For SOAPMessage the function contains the following signature:

Result name  Result type  Type         Description
ok           ok           SOAPMessage  The nodes were changed.
error        error        SOAPMessage  An error occurred during processing.

4.18. SOAPAttachmentSwitch
The function SOAPAttachmentSwitch checks whether a SOAPMessage contains at least one attachment.
The function SOAPAttachmentSwitch contains no configuration parameters.
For SOAPMessage the function contains the following signature:

Result name          Type         Description
soapWithAttachments  SOAPMessage  At least one attachment exists.
soap                 SOAPMessage  No attachment exists.

4.19. UnwrapHTTP
The function UnwrapHTTP decodes an HTTPRequest or an HTTPResponse that has been encoded into an XML structure with
the function WrapHTTP (see Section 4.21, WrapHTTP).
The function UnwrapHTTP does not contain any configuration parameters.
For SOAPMessage the function contains the following signature:

Result name  Result type  Type          Description
request      ok           HTTPRequest   The XML structure encodes an HTTPRequest, which is the result of the function call.
response     ok           HTTPResponse  The XML structure encodes an HTTPResponse, which is the result of the function call.

4.20. Webservice Dispatcher
The function Webservice Dispatcher checks whether the requested URL ends with the specified character string. Only
the part after the last / is considered. For the string http://www.example.com/path1/path2/service, only service
is checked. Please note that this function is only relevant for the enterprise version of securityRunTime.
The function Webservice Dispatcher contains the following configuration parameter:

Parameter   Type        Required  Description
Webservice  xsd:string  yes       The string to be checked.

For HTTPRequest the function contains the following signature:

Result name   Type         Description
isService     HTTPRequest  The URL ends with the specified string.
isNotService  HTTPRequest  The URL does not end with the specified string.

4.21. WrapHTTP
The function WrapHTTP encodes an HTTPRequest or an HTTPResponse into an XML structure, which is inserted into the
body of a SOAPMessage. The original object may be restored with the function UnwrapHTTP (see Section 4.19,
UnwrapHTTP).
The function WrapHTTP does not contain any configuration parameters.
For HTTPRequest and HTTPResponse the function contains the following signature:

Result name  Result type  Type         Description
enveloped    ok           SOAPMessage  A SOAP message with the object encoded as an XML structure.

4.22. XMLValueToExecutionVariable
The function XMLValueToExecutionVariable reads the value from the location given by the XPath and writes it into
the given execution variable.
Similar to SetExecVariable, it may be used in conjunction with EncryptXPath and, generally, with any function that
requires an execution variable to be set before it is called. It can be used to extract a value from an incoming
SOAPMessage and store it in an execution variable for further processing.
The function XMLValueToExecutionVariable contains the following configuration parameters:

Parameter                 Type        Required  Description
XPath                     crs:xpath   yes       The XML element to be read out.
Processing Variable Name  xsd:string  yes       The name of the execution variable.

For SOAPMessage the function contains the following signature:

Result name  Result type  Type         Description
ok           ok           SOAPMessage  The value has been read out.
notfound     error        SOAPMessage  The value was not found at the given XPath.
error        error        SOAPMessage  An error occurred during processing.
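The namespace sensitivity described for crs:xpath (Section 2.2) and the read and write functions built on it, XMLValueToExecutionVariable and SetValueOfXPath (Section 4.17), as one added Python example that is not code from the manual or from secRT. The SOAP envelope is constructed; and because the standard library's ElementTree supports only a subset of XPath 1.0, the namespace is bound through a prefix map (ws:CityName) rather than the local-name()/namespace-uri() predicates Xalan would evaluate. The assumption is the same: an unqualified name does not match a namespaced node.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Constructed SOAP 1.1 envelope (not from the manual); the body element lives
# in the namespace the manual's example uses.
SAMPLE_SOAP = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetWeather xmlns="www.webserviceX.NET">
      <CityName>Darmstadt</CityName>
      <CountryName>Germany</CountryName>
    </GetWeather>
  </soap:Body>
</soap:Envelope>
"""

# Prefix map for ElementTree; plays the role of namespace-uri() in the Xalan form.
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/", "ws": "www.webserviceX.NET"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)   # keeps the prefixes on re-serialisation


def xml_value_to_execution_variable(xml_text: str, xpath: str,
                                    variables: Dict[str, str], variable_name: str) -> str:
    """Read the text of the first node matched by xpath into variables[variable_name].
    Returns the manual's result names: 'ok' or 'notfound'. The variable is left
    untouched on 'notfound', so a caller must not rely on it being set."""
    root = ET.fromstring(xml_text)
    node = root.find(xpath, NS)
    if node is None:
        return "notfound"
    variables[variable_name] = node.text or ""
    return "ok"


def set_value_of_xpath(xml_text: str, xpath: str, value_type: str, value: str,
                       variables: Dict[str, str]) -> Tuple[str, int]:
    """Set the text of every node matched by xpath. value_type is 'Value' (use
    value literally) or 'Execution variable' (use variables[value]), mirroring
    the Type parameter. Returns the new document and the number of nodes changed."""
    root = ET.fromstring(xml_text)
    if value_type == "Execution variable":
        new_text = variables[value]          # KeyError here is the 'error' result
    else:
        new_text = value
    nodes = root.findall(xpath, NS)
    for node in nodes:
        node.text = new_text
    return ET.tostring(root, encoding="unicode"), len(nodes)
```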

Index

A
AppServer listener #1, 3
Authenticating Secure AppServer listener #1, 3

B
BrowserProxy, 3
BSFObject, 2

C
CalculateMD5Function, 4
CheckMD5Function, 4
CreateSOAPMessageFromWSDL, 4
crs:certificate, 2
crs:multiLineString, 2
crs:privateKey, 2
crs:role, 3
crs:xpath, 2

D
DumpHTTP, 4

E
EntityHasRole, 5
EnvelopeInRequest, 5
EnvelopeInResponse, 5
ExtractFromRequest, 5
ExtractFromResponse, 6

G
GetFormDataValue, 6

H
HTTP error page, 6
HTTPObject, 2
HTTPRequest, 2
HTTPResponse, 2
HTTPResponseFromRequestBody, 7

P
Proxy, 7

S
Secure AppServer listener #1, 3
SetExecVariableFunction, 7
SetSecRTEntity, 8
SetValueOfXPath, 8
SOAPAttachmentSwitch, 9
SOAPMessage, 2

U
UnwrapHTTP, 9

W
Webservice Dispatcher, 9
WrapHTTP, 9

X
XMLValueToExecutionVariable, 10

