How to run SoapUI during MLE Testing using Two-way SSL Connection

Visa Employee

In this developer guide, we will show you how to test Message Level Encryption (MLE) enabled APIs using SoapUI.




Before we start with MLE we have to make sure we are connected to the Visa Developer (VDP) Sandbox through Two-way SSL: 



Enable MLE for Project


Now that we have the basics completed. Let's get started with enabling MLE.


Start by logging in to your Dashboard and go to your project. It's important that we enable MLE for the APIs that need it. If you see "Enforced" under MLE Verification, this means it needs to be active on your project. You do this by toggling the button for which MLE needs to be enforced, see below.


Screen Shot 2020-09-03 at 11.04.55 PM.jpg


Next, you will need to get Credentials for MLE. Click on the credentials button from the navigation button. Once there click on Generate Key-ID button.


Screen Shot 2020-09-03 at 11.08.29 PM.jpg


You will then get a Key-ID. Copy it and paste somewhere for your reference.  Notice, the status will say PENDING. You will have to ADD CSR to activate this. Click on the ADD CSR link. You'll get the option to Generate a CSR for me (default) or submit my own CSR. Let's chose the default and press confirm. Remember to save your certificate Private Key - you can only do this one time. 


Screen Shot 2020-09-03 at 11.10.09 PM.jpg


After you've downloaded confirm and click continue. You'll see the status has changed and is ACTIVE. Next to REVOKE click on the info button "i" to download your certificates. 


Screen Shot 2020-09-03 at 11.11.25 PM.jpg



Configure SOAPUI and Test MLE 


Time to test our connection! 


  • Download SOAPUI 5.4 from SoapUI. Once installed, open SOAPUI and go to File > Preferences as show belowScreen Shot 2020-09-03 at 11.12.59 PM.jpg
  • Select the SSL Settings Tab, browse to your KeyStore file (either JKS or P12 file) that was created during Pre-Requisites steps at the beginning of this guide. Provide the Keystore password and make sure to check the "Requires Client Authentication" checkbox.

    Screen Shot 2020-09-03 at 11.13.50 PM.jpg


    Remember, to generate a P12 file run this command (this is example only):


    openssl pkcs12 -export -in cert.pem -inkey "key_8abd1fc0-f70e-42f1-aedf-cb318b923b3b.pem" -certfile cert.pem -out myProject_keyAndCertBundle.p12



    And if you need a Java Key Store, run the following Java keytool command to convert your P12 file into a JKS file.


    keytool -importkeystore -srckeystore myProject_keyAndCertBundle.p12 -srcstoretype PKCS12 -destkeystore myProject_keyAndCertBundle.jks


  • Place the required jar files in lib folder of SOAPUI (path where app is installed)
    • Required Jars Names: bcprov-ext-jdk14-1.47.jar, bouncycastle-jce-jdk13-112.jar, common-lang3.jar, nimbus-jose-jwt-8.2.jar, nio_char-src.jar, nio.jar, org.json.jar, slf4j.jar.

Jar Name




<!-- -->




<!-- -->




<!-- -->




<!-- -->




<!-- -->








<!-- -->




  • Import the REST project (MLTEST-soapui-projectxml) in SOAPUI via File>Import Project (Unzip attached to get the MLETest-soapui-project.xml)Screen Shot 2020-09-03 at 11.16.26 PM.jpg
  • Once import is done, you can see the project in your SOAPUI as belowScreen Shot 2020-09-03 at 11.18.34 PM.jpg
  • Fully expand the newly created project and navigate to MLETest->TestSuite1->MLEtest->Test Steps->2-Groovy Script-EncryptRequest and do the below mentioned changes: 

    • Give Key Id at line: keyID="Placeholder for project specific KEY ID";   
    • Provide path to MLE server key certificate (used for encrypting the payload) at line: String pathToClientEncPrivateKey = "Placeholder for MLE Server key certificate downloaded from VDP";
    • Provide the path of toEncrypt.json at line: File file = new File("Placeholder for Path to file toEncrypt.json");


  • Navigate to MLETest->TestSuite1->MLEtest->Test Steps->4-Groovy Script-DecryptResponse and do the below mentioned changes:
    • Please provide path to MLE private key (used for decrypting the response) at line: String pathToClientEncPrivateKey = "Placeholder for MLE Private Key";
    •  Provide the path of toDecrypt.json at line: File file = new File("Placeholder for Path to file toDecrypt.json");


  • Navigate to Request Execution test step (3-TestMLE-Request)and do the below mentioned changes: Screen Shot 2020-09-03 at 11.20.58 PM.jpg


  • Navigate to Request Execution test step (3-TestMLE- Request) and do the below mentioned changes:

Make sure to add keyId as one of the headers along with other required headers. The value of header keyId will be the MLE key ID of your VDP project.


Test Execution 


Input your plain request payload that needs to be encrypted in a file toEncrypt.json which was created as a mentioned in Pre-Requisites.


For this guide, we will test Create Alias API. You can find the request payload to test from the Create Alias API documentation here. We’ve also copied the Sample payload below.


To give some introduction, Create Alias is basically a short linkage of the Primary account number say my PAN can be mapped to email address or phone number as an alias. This linkage will be stored in Alias Directory Service which will be further used in doing financial transactions.





"guid": "574f4b6a4c2b70472f306f300099515a789092348832455975343637a4d3170",
"recipientFirstName": "Jamie",
"recipientMiddleName": "M",
"recipientLastName": "Bakari",
"address1": "Street 1",
"address2": "Region 1",
"city": "Nairobi",
"country": "KE",
"postalCode": "00111",
"consentDateTime": "2018-03-01 01:02:03",
"recipientPrimaryAccountNumber": "4895140000066666",
"issuerName": "Test Bank 1",
"cardType": "Visa Classic",
"alias": "254711333888",
"aliasType": "01"





Execute the test step "Groovy Script-EncryptRequest" which will internally encrypt your plain payload that was saved in toEncrypt.json.




Then, execute the API via Step 3-TestMLE- Request. The API will be executed, and encrypted response will be shown as you see below.





Next, take the encrypted response and copy in toDecrypt.json file.




Execute test step "4-Groovy Script-DecryptResponse"




This will give you the decrypted response as shown in above screen shot.


There you have it! Hope you find this guide helpful 😀. Please make sure to save this and refer to this guide when testing MLE using SoapUI and if you have any questions comment below, ask in our forums or email us at - we're here to help. 


Have feedback? Share below. 


Regular Visitor

Will it work the same for Postman?

Kindly share your feedback in case the steps are different.


Visa Employee

It needs changes to be able to run on Postman. We are also working on Postman Steps and the article will be there on VDP soon.

Regular Visitor

I have tried the above mentioned steps in SoapUI, but encountered an JOSE Exception while running Step no. 2 EncryptRequest. I am using soapui version 5.3.0 and java version "1.8.0_171". I have also downloaded the mentioned jars separately and copied them in lib folder. Is there any version mismatch error ??

Please find screenshot for reference.Screenshot from 2020-09-14 11-08-24.png

Visa Employee

Could you please check that the version of nimbus jar you are using is nimbus-jose-jwt-8.2.jar. Also verify if you have nio_char-src.jar also in the lib folder.

Regular Visitor

I have cross checked the version of jars and also added missing jars, but facing the same issue.

Herewith I have attached screenshots in which logs are present.

Is there something I am missing?? Please suggest.Thanks for your quick response.Screenshot from 2020-09-19 15-25-24.pngScreenshot from 2020-09-19 15-25-14.pngScreenshot from 2020-09-19 15-17-43.png

Visa Employee


Hi, I can see you are getting unsigned class files error . Some plugin is not downloaded properly.


You need to download and install SOAP UI again . Please ensure you download for OS you are using(Window/MAC)

Also download the higher version SOAPUI 5.4.0


Regular Visitor

This worked in my case when I updated my java 8 version from jdk 8u241 to jdk 8u261. Also I have included all the jars as per versions mentioned by you and using the SoapUI version 5.4.

Thanks for the support.

New Contributor

For the JAR fils that need to be downloaded the instructions indicate downloading org.json.jar, but there is not such file in the Maven repository - you may want to update your instructions



New Contributor

In the above posting you mention that nio_char-src.jar needs to be in the SoapUI lib folder, which I do not have. Any idea where I can get it? I am getting "com.nimbusds.jose.util.Base64 @ line 10, column 1. import com.nimbusds.jose.util.Base64; ^ " when trying to run step 2

Visa Employee

Hi @asaldanha , Thanks for reaching out.

You can download the nio_char-src.jar file from:


New Contributor

Thanks Nikita


I now can get step 2  to work.


But when I try step 3 - TestMLE request I get In-correct credentials (below)

For the project I am using I added the "Visa Direct API"  so I could call "createalias"


Would appreciate any feedback






HTTP/1.1 401
Server: nginx
Date: Mon, 21 Jun 2021 18:56:42 GMT
Content-Type: application/json;charset=UTF-8
Content-Length: 119
Connection: keep-alive
X-SERVED-BY: l73c013
X-CORRELATION-ID: 1624301802_972_466799479_l73c013_VDP_WS
x-vdp-normalized-url: /visaaliasdirectory/v1/manage/createalias
x-vdp-authn-api-visa-id: ALIAS.100
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=2592000;includeSubdomains
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1

{"responseStatus":{"status":401,"code":"9124","severity":"ERROR","message":"Incorrect credentials supplied","info":""}}


New Contributor

Ignore my last post.


Looks like I was pointing to the wrong project certificate in Soap UI.  Once I corrected that I got encData back



Visa Employee

@asaldanha  Please check the username and password you are giving in the basic Auth  as mentioned in the screen shot for step 3.


This username  and password should be the taken from the VDP project that you have created.


Also make sure that you have created the keystore file using your project certs and imported the same keystore in SSL preferences on soap UI.


All these steps are mentioned in the blog above. If anything is not clear please let us now. Thanks!