3.3.4.1.1.1.2 GetPolicies using Certificate Authentication
The GetPolicies request message is sent from the client to the server to retrieve the certificate policies for enrollment.
<wsdl:message name="IPolicy_GetPolicies_InputMessage">
  <wsdl:part name="request" element="xcep:GetPolicies"/>
</wsdl:message>
xcep:GetPolicies: An instance of a <GetPolicies> element as specified in [MS-XCEP] section 3.1.4.1.2.1. MDE2 modifies the GetPolicies message defined in [MS-XCEP] section 3.1.4.1.1.1.
Authentication MUST be implemented for this message as defined in section 3.3. In summary, the following elements and attributes MUST be specified in the SOAP header:
wsse:Security: The <wsse:Security> element MUST be a child of <s:Header>.
u:Timestamp: The <u:Timestamp> element MUST be a child of <wsse:Security> in <s:Header> for certificate authentication.
u:Created: The <u:Created> element MUST be a child of <u:Timestamp> in <s:Header> for certificate authentication. The value is a date/time.
u:Expires: The <u:Expires> element MUST be a child of <u:Timestamp> in <s:Header> for certificate authentication. The value is a date/time.
wsse:BinarySecurityToken: The <wsse:BinarySecurityToken> element MUST be a child of <wsse:Security> in <s:Header> for certificate authentication.
wsse:BinarySecurityToken/attributes/ValueType: The value type MUST be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" for certificate authentication.
wsse:BinarySecurityToken/attributes/Id: The value is a string.
wsse:BinarySecurityToken/attributes/EncodingType: The <wsse:BinarySecurityToken> EncodingType attribute MUST be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" for certificate authentication.
ds:Signature: The <ds:Signature> element MUST be a child of <wsse:Security> in <s:Header> for certificate authentication.
ds:SignedInfo: The <ds:SignedInfo> element MUST be a child of <ds:Signature> in <s:Header> for certificate authentication.
ds:CanonicalizationMethod: The <ds:CanonicalizationMethod> element MUST be a child of <ds:SignedInfo> in <s:Header> for certificate authentication.
ds:CanonicalizationMethod/attributes/Algorithm: The <ds:CanonicalizationMethod> Algorithm attribute MUST be "http://www.w3.org/2001/10/xml-exc-c14n#".
ds:SignatureMethod: The <ds:SignatureMethod> element MUST be a child of <ds:SignedInfo> in <s:Header> for certificate authentication.
ds:SignatureMethod/attributes/Algorithm: The <ds:SignatureMethod> Algorithm attribute MUST be "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256".
ds:Reference: The <ds:Reference> element MUST be a child of <ds:SignedInfo> in <s:Header> for certificate authentication.
ds:Reference/attributes/URI: The <ds:Reference> URI attribute MUST be "".
ds:Transforms: The <ds:Transforms> element MUST be a child of <ds:Reference> in <s:Header> for certificate authentication.
ds:Transform: The <ds:Transform> element MUST be a child of <ds:Reference> in <s:Header> for certificate authentication.
ds:Transform/attributes/Algorithm: The <ds:Transform> Algorithm attribute MUST be "http://www.w3.org/2000/09/xmldsig#enveloped-signature".
ds:DigestMethod: The <ds:DigestMethod> element MUST be a child of <ds:Reference> in <s:Header> for certificate authentication.
ds:DigestMethod/attributes/Algorithm: The <ds:DigestMethod> Algorithm attribute MUST be "http://www.w3.org/2001/04/xmlenc#sha256".
ds:DigestValue: The <ds:DigestValue> element MUST be a child of <ds:Reference> in <s:Header> for certificate authentication. The value is a string.
ds:SignatureValue: The <ds:SignatureValue> element MUST be a child of <ds:Signature> in <s:Header> for certificate authentication. The value is a string.
ds:KeyInfo: The <ds:KeyInfo> element MUST be a child of <ds:Signature> in <s:Header> for certificate authentication.
wsse:SecurityTokenReference: The <wsse:SecurityTokenReference> element MUST be a child of <ds:KeyInfo> in <ds:Signature> in <s:Header> for certificate authentication.
wsse:Reference: The <wsse:Reference> element MUST be a child of <wsse:SecurityTokenReference> in <s:Header> for certificate authentication.
wsse:Reference/attributes/URI: The <wsse:Reference> URI attribute is a string.
wsse:Reference/attributes/ValueType: The <wsse:Reference> ValueType attribute MUST be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509".
The following elements with their specified values MUST be included in the SOAP body of the request message.
xcep:requestFilter: MDE2 modifies the <GetPolicies> element by setting the <requestFilter> element xsi:nil attribute to "true" (see [MS-XCEP] section 3.1.4.1.2.1).
xcep:lastUpdate: MDE2 modifies the <GetPolicies> xcep:client attribute by setting the <Client> <lastUpdate> element xsi:nil attribute to "true" (see [MS-XCEP] section 3.1.4.1.3.9).
xcep:preferredLanguage: MDE2 modifies the <GetPolicies> xcep:client attribute by setting the <Client> <preferredLanguage> element xsi:nil attribute to "true" (see [MS-XCEP] section 3.1.4.1.3.9).
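The header requirements above (WS-Security timestamp, X.509 BinarySecurityToken, enveloped XML signature with exclusive C14N, RSA-SHA256 and SHA-256) and the xsi:nil body requirements together form the structural gate a server should apply before it spends effort on signature verification. The following Python is an added example written for this page; it is not code from MS-MDE2 or from Microsoft. It parses a constructed GetPolicies envelope with the standard library and reports every deviation from the MUSTs listed in this section: wrong or missing algorithm identifiers (which is how a downgraded SignatureMethod or DigestMethod is caught), a non-empty Reference URI, missing DigestValue or SignatureValue, a Timestamp window that does not contain the server's clock, and body elements that lack xsi:nil="true". The namespace URIs for the s:, u: and xcep: prefixes and the freshness rule on the Timestamp are assumptions not stated on this page; the sample token, digest and signature values are constructed placeholders, and the signature bytes themselves are not verified.

```python
"""Structural conformance gate for an MDE2 GetPolicies request (certificate auth).
Added example, not MS-MDE2 or Microsoft code.  Assumptions: the s:, u: and xcep:
namespace URIs and the rule that `now` must fall inside the Timestamp window.
The XML signature bytes are NOT verified here; that step needs the certificate
chain and a crypto library and runs only after this gate passes."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",  # assumed
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",  # assumed
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xcep": "http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy",  # assumed
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
# Fixed identifiers this section requires.
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
X509REF = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

SEC = "s:Header/wsse:Security"
SIG = SEC + "/ds:Signature"
REF = SIG + "/ds:SignedInfo/ds:Reference"
REQUIRED = {  # element path -> [(attribute, required value)]
    SEC + "/wsse:BinarySecurityToken": [("ValueType", X509V3), ("EncodingType", B64)],
    SIG + "/ds:SignedInfo/ds:CanonicalizationMethod": [("Algorithm", C14N)],
    SIG + "/ds:SignedInfo/ds:SignatureMethod": [("Algorithm", RSA_SHA256)],
    REF: [("URI", "")],
    REF + "/ds:Transforms/ds:Transform": [("Algorithm", ENVELOPED)],
    REF + "/ds:DigestMethod": [("Algorithm", SHA256)],
    SIG + "/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference": [("ValueType", X509REF)],
}
NON_EMPTY = [REF + "/ds:DigestValue", SIG + "/ds:SignatureValue"]
NIL = [  # body elements MDE2 sets to xsi:nil="true"
    "s:Body/xcep:GetPolicies/xcep:requestFilter",
    "s:Body/xcep:GetPolicies/xcep:client/xcep:lastUpdate",
    "s:Body/xcep:GetPolicies/xcep:client/xcep:preferredLanguage",
]
U_ID, XSI_NIL = "{%s}Id" % NS["u"], "{%s}nil" % NS["xsi"]

def _parse_time(text):
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))

def check_getpolicies(envelope_xml, now):
    """Return a list of problems; empty means the request passes the structural gate.
    `now` must be a timezone-aware datetime (the server's clock)."""
    root = ET.fromstring(envelope_xml)
    problems = []
    for path, attrs in REQUIRED.items():
        el = root.find(path, NS)
        if el is None:
            problems.append("missing " + path)
            continue
        for name, want in attrs:  # catches algorithm substitution, e.g. a weaker SignatureMethod
            if el.get(name) != want:
                problems.append("%s@%s is %r, expected %r" % (path, name, el.get(name), want))
    for path in NON_EMPTY:
        el = root.find(path, NS)
        if el is None or not (el.text or "").strip():
            problems.append("missing or empty " + path)
    bst = root.find(SEC + "/wsse:BinarySecurityToken", NS)
    if bst is not None and not (bst.get(U_ID) or bst.get("Id")):
        problems.append("BinarySecurityToken has no Id")
    ts = root.find(SEC + "/u:Timestamp", NS)
    if ts is None:
        problems.append("missing " + SEC + "/u:Timestamp")
    else:
        try:
            created = _parse_time(ts.findtext("u:Created", "", NS))
            expires = _parse_time(ts.findtext("u:Expires", "", NS))
            if not created <= now <= expires:
                problems.append("Timestamp window %s..%s does not contain now" % (created, expires))
        except ValueError:
            problems.append("Timestamp Created/Expires is not a date/time")
    for path in NIL:
        el = root.find(path, NS)
        if el is None or el.get(XSI_NIL) != "true":
            problems.append(path + ' must carry xsi:nil="true"')
    return problems

# Constructed sample request; token, digest and signature values are placeholders.
SAMPLE_NOW = datetime(2024, 5, 1, 10, 2, tzinfo=timezone.utc)
SAMPLE = f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:wsse="{NS['wsse']}" xmlns:u="{NS['u']}"
            xmlns:ds="{NS['ds']}" xmlns:xcep="{NS['xcep']}" xmlns:xsi="{NS['xsi']}">
 <s:Header><wsse:Security>
  <u:Timestamp u:Id="_0"><u:Created>2024-05-01T10:00:00Z</u:Created>
   <u:Expires>2024-05-01T10:05:00Z</u:Expires></u:Timestamp>
  <wsse:BinarySecurityToken u:Id="cert-1" ValueType="{X509V3}" EncodingType="{B64}">Q09OU1RSVUNURUQ=</wsse:BinarySecurityToken>
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="{C14N}"/><ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
    <ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms>
     <ds:DigestMethod Algorithm="{SHA256}"/><ds:DigestValue>Q09OU1RSVUNURUQtRElHRVNU</ds:DigestValue>
    </ds:Reference></ds:SignedInfo>
   <ds:SignatureValue>Q09OU1RSVUNURUQtU0lH</ds:SignatureValue>
   <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#cert-1" ValueType="{X509REF}"/>
   </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
 </wsse:Security></s:Header>
 <s:Body><xcep:GetPolicies>
  <xcep:client><xcep:lastUpdate xsi:nil="true"/><xcep:preferredLanguage xsi:nil="true"/></xcep:client>
  <xcep:requestFilter xsi:nil="true"/>
 </xcep:GetPolicies></s:Body></s:Envelope>"""

if __name__ == "__main__":
    print(check_getpolicies(SAMPLE, SAMPLE_NOW) or "conforming")
    print(check_getpolicies(SAMPLE.replace("#rsa-sha256", "#rsa-sha1"), SAMPLE_NOW))
```

Running the module prints "conforming" for the sample and a single SignatureMethod complaint for the variant with the algorithm swapped to RSA-SHA1. The checks are deliberately exact-match on the identifier strings: accepting any "sha256"-looking URI, or any Transform, would let a client steer the server into a weaker canonicalization or digest, so the gate rejects anything other than the values this section fixes.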