
Appendix D: Annotated SOAP Message

An annotated example of a SOAP message follows, which includes the required security elements. The example is divided into numbered sections using comment blocks with explanatory notes. To improve readability, some attributes that have URI values have been shortened; these are marked with a leading ellipsis, for example ValueType="...#X509v3".

The example does not include any namespace declarations. The table below lists the namespaces used in this example.

Prefix   Description                                                                                   Namespace
ds       XML Digital Signature
wsse     Web Service Security Extensions
wsu      Web Services Security Utility
xsd      XML Schema
msg      A private namespace for specifying elements and attributes that are specific to ERCOT Web Services   TBD
<!-- 1 - This section starts the SOAP envelope and the SOAP header. -->
<SOAP-ENV:Envelope>
    <SOAP-ENV:Header>

        <!-- 2 - This section starts the Web Services Security Extensions, which includes security tokens and the digital signature.
             The first element in this section is the signer's X.509 certificate, which is encoded in Base64 binary. Note the
             identification of this element (CertId-1776694). The ID is later used in Section 7 to reference this certificate.
             Note that there is only one certificate in this message. The message verifier must ensure that the certificate
             chains to a trusted root. -->
        <wsse:Security SOAP-ENV:mustUnderstand="1">
            <wsse:BinarySecurityToken wsu:Id="CertId-1776694" ValueType="...#X509v3" EncodingType="...#Base64Binary">
                ...
            </wsse:BinarySecurityToken>

            <!-- 3 - This section starts the digital signature block of the SOAP message. The signature is computed using the SHA-1
                 hash algorithm with RSA encryption. -->
            <ds:Signature>
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="..."/>
                    <ds:SignatureMethod Algorithm="...xmldsig#rsa-sha1"/>

                    <!-- 4 - This section designates the first of two objects that are signed. This one points to the entire message
                         body (#id-1464350), which is specified in Section 8. The hashing algorithm is SHA-1. -->
                    <ds:Reference URI="#id-1464350">
                        <ds:Transforms>
                            <ds:Transform Algorithm="..."/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="...xmldsig#sha1"/>
                        <ds:DigestValue>...</ds:DigestValue>
                    </ds:Reference>

                    <!-- 5 - This section designates the second of two objects that are signed. This one points to the reference to
                         the certificate (#STRId-13498124), which is specified in Section 7. -->
                    <ds:Reference URI="#id-13498124">
                        <ds:Transforms>
                            <ds:Transform Algorithm="...xml-exc-c14n#">
                                <ds:CanonicalizationMethod Algorithm="...xml-exc-c14n#"/>
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="...xmldsig#sha1"/>
                        <ds:DigestValue>...</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>

                <!-- 6 - This section specifies the value of the signature. That is, the SHA-1 hash of references to Sections 7 and 8
                     and the encryption of this hash using the signer's private key. -->
                <ds:SignatureValue>AwPcnqmcP5ROshjJparaPGuvQhbFR7zCxet2aoawJFWgG8jIeuDZDE8y6n+kbBzxadF2tGN8/nH6IlKg0+onD09i81rPHDAa2kstCclX2NDet1Rnmfs=</ds:SignatureValue>

                <!-- 7 - This section designates a reference to the signer's certificate. In this case, the certificate is embedded
                     in this SOAP message, and is referenced via the ID #CertId-1776694. This ID instructs the message verifier to
                     get the certificate from Section 2 of this SOAP message. -->
                <ds:KeyInfo>
                    <wsse:SecurityTokenReference wsu:Id="id-13498124">
                        <wsse:Reference URI="#CertId-1776694" ValueType="...#X509v3"/>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
    </SOAP-ENV:Header>

    <!-- 8 - This section starts the SOAP message body. It is designated using ID id-1464350, which is referenced as a signed element
         in Section 2. Note that the message body includes an element called ReplayDetection, which consists of a timestamp indicating
         when the message was signed and a unique number (the nonce). These two elements help detect and prevent replay attacks. The
         rest of the message body (i.e., the business transaction) is not shown. -->
    <SOAP-ENV:Body wsu:Id="id-1464350">
        ...
            <wsse:Nonce EncodingType="#Base64Binary">...</wsse:Nonce>
        ...
        <msg:Source>market participant ID</msg:Source>
        ...
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
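The notes above tell the message verifier to confirm that the certificate chains to a trusted root, that the Body (#id-1464350) is a signed reference, and that the timestamp and nonce in the body guard against replay. The script below is an added example, not ERCOT's code, showing the two structural checks a verifier runs alongside RSA signature validation: that the Body the application will act on is the element the signature actually covers (and that its wsu:Id is not reused elsewhere in the message), and that the replay-detection fields are fresh and unused. The namespace URIs are the standard SOAP 1.1, XML-DSig and WS-Security 1.0 URIs, assumed here because the appendix lists only prefixes; the message text is constructed sample data that reuses the appendix's Ids, and the wsu:Timestamp/wsu:Created element standing in for the timestamp is an assumption, since the appendix does not show the ReplayDetection element's children.

```python
"""Structural checks a WS-Security verifier applies in addition to validating
the RSA signature: the Body the application acts on must be the element the
signature covers, and the replay-detection fields must be fresh and unused.

Added example, not ERCOT's code. Namespace URIs are the standard SOAP 1.1,
XML-DSig and WS-Security 1.0 URIs (assumed; the appendix lists only prefixes).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample message (signature bytes omitted): Body id-1464350 is a
# signed reference, and the Body carries a timestamp and a nonce for replay
# detection. The wsu:Timestamp element is an assumption, not from the appendix.
SAMPLE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="{soap}" xmlns:ds="{ds}"
                   xmlns:wsse="{wsse}" xmlns:wsu="{wsu}">
  <SOAP-ENV:Header>
    <wsse:Security SOAP-ENV:mustUnderstand="1">
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#id-1464350"/>
          <ds:Reference URI="#id-13498124"/>
        </ds:SignedInfo>
      </ds:Signature>
    </wsse:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body wsu:Id="id-1464350">
    <wsu:Timestamp><wsu:Created>2024-01-01T12:00:00Z</wsu:Created></wsu:Timestamp>
    <wsse:Nonce>c2FtcGxlLW5vbmNl</wsse:Nonce>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>""".format(**NS)


def parse(xml_text):
    return ET.fromstring(xml_text)


def parse_utc(text):
    """Parse a wsu:Created-style 'YYYY-MM-DDTHH:MM:SSZ' timestamp as UTC."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def signed_ids(root):
    """Ids (fragment URIs) that ds:SignedInfo claims the signature covers."""
    return {ref.get("URI", "").lstrip("#")
            for ref in root.iterfind(".//ds:SignedInfo/ds:Reference", NS)}


def body_is_signed(root):
    """True only if the Body carries a wsu:Id, that Id is among the signed
    references, and no other element reuses the Id. Uniqueness matters
    because '#id' is resolved by Id lookup: if two elements share the Id, the
    one the signature was checked against may not be the one the application
    reads."""
    body = root.find("soap:Body", NS)
    if body is None:
        return False
    body_id = body.get(WSU_ID)
    if not body_id or body_id not in signed_ids(root):
        return False
    return sum(1 for el in root.iter() if el.get(WSU_ID) == body_id) == 1


def replay_check(root, seen_nonces, now, max_skew=timedelta(minutes=5)):
    """Accept only if Created is within max_skew of the verifier's clock and
    the nonce has not been seen; on accept the nonce is recorded so that a
    replayed copy of the same message is rejected."""
    created = root.find(".//wsu:Timestamp/wsu:Created", NS)
    nonce = root.find(".//wsse:Nonce", NS)
    if created is None or nonce is None or not nonce.text:
        return "reject: missing timestamp or nonce"
    if abs(now - parse_utc(created.text)) > max_skew:
        return "reject: stale timestamp"
    if nonce.text in seen_nonces:
        return "reject: replayed nonce"
    seen_nonces.add(nonce.text)
    return "accept"


if __name__ == "__main__":
    msg = parse(SAMPLE)
    cache = set()
    now = parse_utc("2024-01-01T12:01:00Z")
    print("body signed:", body_is_signed(msg))
    print("first delivery:", replay_check(msg, cache, now))
    print("second delivery:", replay_check(msg, cache, now))
```

Because the timestamp window bounds how old an accepted message can be, a production verifier only needs to remember nonces for the length of that window (plus clock skew) and can expire older entries from the cache; the in-memory set here is kept simple for the example.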