-
AppExpert Applications and Templates
-
Configure application authentication, authorization, and auditing
-
-
Advanced Policy Expressions: Working with Dates, Times, and Numbers
-
Advanced Policy Expressions: Parsing HTTP, TCP, and UDP Data
-
Expressions for Identifying the Protocol in an Incoming IP Packet
-
Expressions for HTTP Status Codes and Numeric HTTP Payload Data Other Than Dates
-
Operations for HTTP, HTML, and XML Encoding and “Safe” Characters
-
Expressions for Evaluating a DNS Message and Identifying Its Carrier Protocol
-
Encrypting and Decrypting XML Payloads
-
Advanced Policy Expressions: IP and MAC Addresses, Throughput, VLAN IDs
-
-
Thank you for the feedback
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已动态机器翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
This content has been machine translated dynamically.
This content has been machine translated dynamically.
This content has been machine translated dynamically.
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.
Este artigo foi traduzido automaticamente.
这篇文章已经过机器翻译.放弃
Translation failed!
Encrypt and decrypt XML payloads
You can use the XML_ENCRYPT() and XML_DECRYPT() functions in Advanced policy expressions to encrypt and decrypt, respectively, XML data. These functions conform to the W3C XML Encryption standard defined at “http://www.w3.org/TR/2001/PR-xmldsig-core-20010820/.” XML_ENCRYPT() and XML_DECRYPT() support a subset of the XML Encryption specification. In the subset, data encryption uses a bulk cipher method (RC4, DES3, AES128, AES192, or AES256), and an RSA public key is used to encrypt the bulk cipher key.
Note: If you want to encrypt and decrypt text in a payload, you must use the ENCRYPT and DECRYPT functions. For more information about these functions, see Encrypt and decrypt text.
The XML_ENCRYPT() and XML_DECRYPT() functions are not dependent on the encryption/decryption service that is used by the ENCRYPT and DECRYPT commands for text. The cipher method is specified explicitly as an argument to the XML_ENCRYPT() function. The XML_DECRYPT() function obtains the information about the specified cipher method from the <xenc:EncryptedData> element. Following are synopses of the XML encryption and decryption functions:
-
XML_ENCRYPT(<certKeyName>, <method> [, <flags>])**. Returns an<xenc:EncryptedData>element that contains the encrypted input text and the encryption key, which is itself encrypted by using RSA. -
XML_DECRYPT(<certKeyName>). Returns the decrypted text from the input<xenc:EncryptedData>element, which includes the cipher method and the RSA-encrypted key.
Note: The <xenc:EncryptedData> element is defined in the W3C XML Encryption specification.
Following are descriptions of the arguments:
-
certKeyName: Selects an X.509 certificate with an RSA public key for XML_ENCRYPT() or an RSA private key for XML_DECRYPT(). The certificate key must have been previously created by an
add ssl certKeycommand. -
method: Specifies which cipher method to use for encrypting the XML data. Possible values: RC4, DES3, AES128, AES192, AES256.
-
flags: A bitmask specifying the following optional key information (
<ds:KeyInfo>) to be included in the<xenc:EncryptedData>element that is generated byXML_ENCRYPT():-
1 - Include a KeyName element with the certKeyName. The element is
<ds:KeyName>. -
2 - Include a KeyValue element with the RSA public key from the certificate. The element is
<ds:KeyValue>. -
4 - Include an X509IssuerSerial element with the certificate serial number and issuer DN. The element is
<ds:X509IssuserSerial>. -
8 - Include an X509SubjectName element with the certificate subject DN. The element is
<ds:X509SubjectName>. -
16 - Include an X509Certificate element with the entire certificate. The element is
<ds:X509Certificate>.
-
1 - Include a KeyName element with the certKeyName. The element is
Use the XML_ENCRYPT() and XML_DECRYPT() functions in expressions
The XML encryption feature uses SSL certificate-key pairs to provide X.509 certificates (with RSA public keys) for key encryption and RSA private keys for key decryption. Therefore, before you use the XML_ENCRYPT() function in an expression, you must create an SSL certificate-key pair. The following command creates an SSL certificate-key pair, my-certkey, with the X.509 certificate, my-cert.pem, and the private key file, my-key.pem.
add ssl certKey my-certkey -cert my-cert.pem -key my-key.pem -passcrypt kxPeMRYnitY=
The following CLI commands create rewrite actions and policies for encrypting and decrypting XML content.
add rewrite action my-xml-encrypt-action replace "HTTP.RES.BODY(10000).XPATH_WITH_MARKUP(xp%/%)" "HTTP.RES.BODY(10000).XPATH_WITH_MARKUP(xp%/%).XML_ENCRYPT("my-certkey", AES256, 31)" -bypassSafetyCheck YES
add rewrite action my-xml-decrypt-action replace "HTTP.REQ.BODY(10000).XPATH_WITH_MARKUP(xp%//xenc:EncryptedData%)" "HTTP.REQ.BODY(10000).XPATH_WITH_MARKUP(xp%//xenc:EncryptedData%).XML_DECRYPT("my-certkey")" -bypassSafetyCheck YES
add rewrite policy my-xml-encrypt-policy "HTTP.REQ.URL.CONTAINS("xml-encrypt")" my-xml-encrypt-action
add rewrite policy my-xml-decrypt-policy "HTTP.REQ.BODY(10000).XPATH(xp%boolean(//xenc:EncryptedData)%)" my-xml-decrypt-action
bind rewrite global my-xml-encrypt-policy 30
bind rewrite global my-xml-decrypt-policy 30
In the above example, the rewrite action my-xml-encrypt-action encrypts the entire XML document ( XPATH_WITH_MARKUP(xp%/%)) in the request by using the AES-256 bulk encryption method and the RSA public key from my-certkey to encrypt the bulk encryption key. The action replaces the document with an <xenc:EncryptedData> element containing the encrypted data and an encrypted key. The flags represented by 31 include all of the optional <ds:KeyInfo> elements.
The action my-xml-decrypt-action decrypts the first <xenc:EncryptedData> element in the response (XPATH_WITH_MARKUP(xp%//xenc:EncryptedData%)). This requires the prior addition of the xenc XML namespace by use of the following CLI command:
add ns xmlnamespace xenc http://www.w3.org/2001/04/xmlenc#
The my-xml-decrypt-action action uses the RSA private key in my-certkey to decrypt the encrypted key and then uses the bulk encryption method specified in the element to decrypt the encrypted contents. Finally, the action replaces the encrypted data element with the decrypted content.
The rewrite policy my-xml-encrypt-policy applies my-xml-encrypt-action to requests for URLs containing xml-encrypt. The action encrypts the entire response from a service configured on the Citrix ADC appliance.
The rewrite policy my-xml-decrypt-policy applies my-xml-decrypt-action to requests that contain an <xenc:EncryptedData> element ((XPATH(xp%//xenc:EncryptedData%) returns a non-empty string). The action decrypts the encrypted data in requests that are bound for a service configured on the Citrix ADC appliance.
Thank you for the feedback
Share
Share
This Preview product documentation is Citrix Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Citrix Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Citrix product purchase decisions.
If you do not agree, select Do Not Agree to exit.