Message flows are imported without WS-Security being enabled. Anyone can call the Web service to consume the messages, similar to the TCP/IP Monitor with SOAP over HTTP. To enable WS-Security in the form of encryption (confidentiality) and signing (integrity), see Extending the Address Book sample.
Enabling WS-Security is an administrative task that is performed at the WebSphere Message Broker level. You cannot configure security when developing your message flows; you must configure policies and bindings in the broker and associate them with message flows in a broker archive (BAR) file.
In the Address Book extension sample both the consumer and the provider have the same security requirements:
All of this information is captured in the security policy by using WS-Policy. Policies must be interoperable between WS-Security providers. The policy you create is the same as the default WS-Security policy in WebSphere Application Server, which enables you to exchange the provider and consumer for the broker with the provider and consumer for WebSphere Application Server after you have added WS-Security.
The implementation of this policy is captured in the security binding. Bindings are specific to the WS-Security provider and, if you want to be able to interoperate with WebSphere Application Server, you must create a WebSphere Application Server binding for the policy for the WebSphere Application Server consumer and provider. The Address Book extension sample shows you how to create the policy and the bindings for the broker within the workbench.
For effective interoperability of the consumer and provider, the security policy is shared, and the same encryption and signing of outbound messages and inbound messages applies. The bindings for the consumer and the provider are different because their perspectives are different, and different keys are used for encryption and signing. For example, for the provider the request message is the incoming message, but for the consumer the request message is the outgoing message.
To understand the sample you must have a basic knowledge of public key cryptography; see Public key cryptography. The sample uses two X.509 public key certificates, one for each party, each with a public key and a private key. If data is encrypted with one key, it can only be decrypted with the other key. To encrypt a message for someone, you must use their public key; only they can decrypt it, with their private key. To sign a message, you encrypt it with your private key; anyone can verify it by decrypting it with your public key. You can give your public key to anyone with whom you want to communicate. Keep your private key secret.
The details of how to sign and encrypt specific parts of the message are in the preceding security policy and bindings section. The following diagram shows that the entire SOAP message is encrypted and signed. The diagram shows the keys that the consumer and provider have access to in their keystores, and which keys they use for encryption and signing.
The consumer has access to its public key (Cpub), its private key (Cpriv), and the public key of the provider (Ppub). The provider has access to its private key (Ppriv), its public key (Ppub), and the public key of the consumer (Cpub).
The consumer signs the message with its private key (Cpriv) and encrypts the message with the public key of the provider (Ppub). The provider decrypts the message with its own private key (Ppriv), and verifies the signature with the public key of the consumer (Cpub).
When constructing the response, the provider signs the message with its private key (Ppriv), and encrypts the message with the public key of the consumer (Cpub). The consumer decrypts the message with its private key (Cpriv), and verifies the signature with the public key of the provider (Ppub).
The details about which key to use, and the order in which the consumer and provider must encrypt and decrypt, are contained within the security bindings. You create two security bindings in the setup sections, one for the consumer and one for the provider; see Setting up the Address Book sample to use HTTP or Setting up the Address Book sample to use JMS transport. Use the previous diagram for reference.