Creating the WS-Security policy
To create your policy and add your tokens,
use the WebSphere Message Broker Explorer to complete the following steps:
1. Right-click the broker (MB8BROKER), select Properties > Security and Policy, and click Policy Sets.
2. Select Policy Sets in the left menu, and click Add to create a new entry with a default name. To rename your policy set, select it and enter the new name under Use the field below to rename this Policy Set. Then click Rename.
3. Click Add WS-Security under Use the buttons below to add and remove policy types to this Policy Set.
4. Expand your policy set. Expand WS-Security. Select Message Level Protection. Select the Message level protection check box. Select Include timestamp in security header. Set Security header layout to Strict - declarations must precede use.
5. Expand Message Level Protection. Select Tokens. (Two tokens are required, one to represent the certificate for the provider and one to represent the certificate for the consumer.)
6. Click Add to add Asymmetric Tokens. In Token Name enter initToken. Set Token Type to Initiator. Set WS-Security Version to 1.0. Set X.509 Type to X.509 Version 3.
7. To add the second token, click Add. In Token Name enter recipToken. Set Token Type to Recipient. Set WS-Security Version to 1.0. Set X.509 Type to X.509 Version 3. The two tokens are summarized in the following table.

   Token Name | Token Type | WS-Security Version | X.509 Version Type
   initToken | Initiator | 1.0 | X.509 Version 3
   recipToken | Recipient | 1.0 | X.509 Version 3

8. Under Message Level Protection, select Algorithms. Set Algorithm Suite to Basic128Rsa15. Leave the remaining values as their defaults.
9. Select Message Part Protection.
10. In the Names with Security Type, SOAP Message and Message Body table, click Add to create the Parts, as shown in the following table.

   Name | Security Type | SOAP Message | Message Body
   app_encparts_response | Encryption | Response | Yes
   app_signparts_response | Signature | Response | Yes
   app_encparts_request | Encryption | Request | Yes
   app_signparts_request | Signature | Request | Yes

11. Expand Message Part Protection. Select QName to set up the QNames. (This section of the policy specifies that the WS-Addressing headers must be signed. Two entries exist for each of the response and the request because WS-Addressing uses two Addressing namespaces.)
12. In the QNames table, click Add to create the QNames, as shown in the following table.

   Name | Local Part | Namespace
   app_signparts_response | <empty> | http://schemas.xmlsoap.org/ws/2004/08/addressing
   app_signparts_response | <empty> | http://www.w3.org/2005/08/addressing
   app_signparts_request | <empty> | http://schemas.xmlsoap.org/ws/2004/08/addressing
   app_signparts_request | <empty> | http://www.w3.org/2005/08/addressing

13. Under Message Part Protection, select XPath to set up the XPath Expressions. (All the required XPath Expressions are built into the broker. This section of the policy specifies which parts must be signed and which parts must be encrypted by using predefined XPath expressions. If you want to change specific parts of the message, you can write your own XPath.)
14. In the XPath Expressions table, click Add to associate an XPath expression with each of the parts that you created in Step 10, as shown in the following table.

   Name | XPath
   app_encparts_response | Envelope, Header, Security, Signature
   app_signparts_response | Envelope, Header, Security, Timestamp
   app_encparts_request | Envelope, Header, Security, Signature
   app_signparts_request | Envelope, Header, Security, Timestamp

15. Click Finish to save the policy that you have created.
You have set up your security policy. Both
the client and the server use the same policy to ensure they are
interoperable.
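For reference, the settings chosen above correspond to the following WS-SecurityPolicy 1.2 assertion set. This is an added illustration, not the policy set that the Message Broker Explorer writes (the broker stores policy sets in its own format); because the request and response parts are identical here, one assertion set covers both messages, and the sp:IncludeToken values are an assumption about how the broker presents the two certificates.

```xml
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- Asymmetric binding: one X.509 v3 token per party (initToken / recipToken) -->
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <!-- IncludeToken values are an assumption, not taken from the sample -->
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <!-- Algorithms page: Basic128Rsa15 -->
          <sp:AlgorithmSuite><wsp:Policy><sp:Basic128Rsa15/></wsp:Policy></sp:AlgorithmSuite>
          <!-- Security header layout: Strict, declarations must precede use -->
          <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
          <!-- Include timestamp in security header; the Timestamp is covered by the signature -->
          <sp:IncludeTimestamp/>
          <!-- app_encparts_* XPath "Envelope, Header, Security, Signature": the signature is encrypted -->
          <sp:EncryptSignature/>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <!-- app_signparts_*: the body plus every header in either WS-Addressing namespace (empty local part) -->
      <sp:SignedParts>
        <sp:Body/>
        <sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
        <sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
      </sp:SignedParts>
      <!-- app_encparts_*: the body -->
      <sp:EncryptedParts>
        <sp:Body/>
      </sp:EncryptedParts>
      <!-- WS-Security version 1.0 -->
      <sp:Wss10>
        <wsp:Policy><sp:MustSupportRefKeyIdentifier/><sp:MustSupportRefIssuerSerial/></wsp:Policy>
      </sp:Wss10>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```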