Creating the WS-Security policy

To create your policy and add your tokens, use the WebSphere Message Broker Explorer to complete the following steps:

  1. Right-click the broker (MB8BROKER), select Properties > Security and Policy, and click Policy Sets.
  2. Select Policy Sets in the left menu, and click Add to create a new entry with a default name. To rename your policy set, select it and enter the new name under Use the field below to rename this Policy Set. Then click Rename.
  3. Click Add WS-Security under Use the buttons below to add and remove policy types to this Policy Set.
  4. Expand your policy set. Expand WS-Security. Select Message Level Protection. Select the Message level protection check box. Select Include timestamp in security header. Set Security header layout to Strict - declarations must precede use.
  5. Expand Message Level Protection. Select Tokens. (Two asymmetric tokens are required: one for the certificate of the consumer, which initiates the exchange, and one for the certificate of the provider, which receives it.)
  6. Click Add to add Asymmetric Tokens. In Token Name enter initToken. Set Token Type to Initiator. Set WS-Security Version to 1.0. Set X.509 Type to X.509 Version 3.
  7. To add the second token click Add. In Token Name enter the name recipToken. Set Token Type to Recipient. Set WS-Security Version to 1.0. Set X.509 Type to X.509 Version 3.
    Token Name   Token Type   WS-Security Version   X.509 Type
    initToken    Initiator    1.0                   X.509 Version 3
    recipToken   Recipient    1.0                   X.509 Version 3
  8. Under Message Level Protection, select Algorithms. Set Algorithm Suite to Basic128Rsa15 (AES-128 for data encryption, RSA PKCS#1 v1.5 key transport and SHA-1 digests). Leave the remaining values as their defaults. The consumer must be configured with the same suite, otherwise the two sides cannot process each other's messages.
  9. Select Message Part Protection.
  10. In the Names with Security Type, SOAP Message and Message Body table, click Add to create the Parts, as shown in the following table.
    Name                      Security Type   SOAP Message   Message Body
    app_encparts_response     Encryption      Response       Yes
    app_signparts_response    Signature       Response       Yes
    app_encparts_request      Encryption      Request        Yes
    app_signparts_request     Signature       Request        Yes
  11. Expand Message Part Protection. Select QName to set up the QNames. (This section of the policy specifies that the WS-Addressing headers must be signed. Each signature part needs two entries, one for the 2004/08 WS-Addressing namespace and one for the 2005/08 namespace, because both versions of WS-Addressing are in use and a message may carry either.)
  12. In the QNames table, click Add to create the QNames, as shown in the following table. Leave Local Part empty: an entry with only a Namespace matches every header element in that namespace, so all WS-Addressing headers are covered.
    Name                      Local Part   Namespace
    app_signparts_response    <empty>      http://schemas.xmlsoap.org/ws/2004/08/addressing
    app_signparts_response    <empty>      http://www.w3.org/2005/08/addressing
    app_signparts_request     <empty>      http://schemas.xmlsoap.org/ws/2004/08/addressing
    app_signparts_request     <empty>      http://www.w3.org/2005/08/addressing
  13. Under Message Part Protection select XPath to set up the XPath Expressions. (All the required XPath Expressions are built into the broker. This section of the policy specifies which parts must be signed and which parts must be encrypted by using predefined XPath expressions. If you want to change specific parts of the message you can write your own XPath.)
  14. In the XPath Expressions table, click Add to associate XPath to each of the parts that you created in Step 10, as shown in the following table.
    Name                      XPath (built-in expression)
    app_encparts_response     Envelope, Header, Security, Signature
    app_signparts_response    Envelope, Header, Security, Timestamp
    app_encparts_request      Envelope, Header, Security, Signature
    app_signparts_request     Envelope, Header, Security, Timestamp
  15. Click Finish to save the policy that you have created.

You have set up your security policy. Both the client and the server use the same policy to ensure they are interoperable.
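Because the policy is assembled entirely in the Explorer dialogs, it is easy to lose sight of what it actually demands of a message on the wire. The script below is an added example, not code from the Address Book sample or from WebSphere Message Broker: it takes a SOAP envelope after decryption and checks it against the rules the steps above define, namely that a Timestamp is present, that the security header uses the Strict layout (Timestamp first, the token a Signature uses placed before that Signature), and that the Signature's References cover the Body, the Timestamp and every header in either WS-Addressing namespace. It also rejects duplicate wsu:Id values, since a Reference that resolves to more than one element proves nothing. The envelope, its Id values and the lookup element are constructed for the example; the script does not verify the signature value or the encryption itself, which the broker does once the policy is applied.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
# The two WS-Addressing namespaces from the QName table (step 12).
ADDRESSING_NS = {"http://schemas.xmlsoap.org/ws/2004/08/addressing",
                 "http://www.w3.org/2005/08/addressing"}

def qn(ns, local):
    """Clark-notation tag name as used by ElementTree."""
    return "{%s}%s" % (ns, local)

def elements_by_wsu_id(root):
    """Map wsu:Id -> element. A duplicate Id is rejected: a ds:Reference must
    resolve to exactly one element, or the signature proves nothing."""
    ids = {}
    for el in root.iter():
        wsu_id = el.get(qn(WSU, "Id"))
        if wsu_id is not None:
            if wsu_id in ids:
                raise ValueError("duplicate wsu:Id %r" % wsu_id)
            ids[wsu_id] = el
    return ids

def signed_ids(security):
    """Ids named by ds:Signature/ds:SignedInfo/ds:Reference/@URI (same-document refs)."""
    path = "./%s/%s/%s" % (qn(DS, "Signature"), qn(DS, "SignedInfo"), qn(DS, "Reference"))
    return {ref.get("URI")[1:] for ref in security.iterfind(path)
            if ref.get("URI", "").startswith("#")}

def required_signed_elements(root):
    """Parts the policy signs: Body, Timestamp and every WS-Addressing header (steps 10-14)."""
    header = root.find(qn(SOAP, "Header"))
    security = header.find(qn(WSSE, "Security"))
    parts = [root.find(qn(SOAP, "Body")), security.find(qn(WSU, "Timestamp"))]
    parts += [h for h in header if h.tag[1:].split("}")[0] in ADDRESSING_NS]
    return [p for p in parts if p is not None]

def strict_layout(security):
    """'Strict - declarations must precede use': Timestamp is the first child of
    wsse:Security and any token a Signature's KeyInfo points at appears before it."""
    children = list(security)
    if not children or children[0].tag != qn(WSU, "Timestamp"):
        return False
    by_id = elements_by_wsu_id(security)
    str_ref = ".//%s/%s" % (qn(WSSE, "SecurityTokenReference"), qn(WSSE, "Reference"))
    for idx, child in enumerate(children):
        if child.tag == qn(DS, "Signature"):
            for ref in child.iterfind(str_ref):
                token = by_id.get(ref.get("URI", "")[1:])
                if token is None or token not in children or children.index(token) >= idx:
                    return False
    return True

def check_policy(xml_text):
    """Per-rule verdicts for one decrypted SOAP envelope."""
    root = ET.fromstring(xml_text)
    security = root.find(qn(SOAP, "Header")).find(qn(WSSE, "Security"))
    by_id = elements_by_wsu_id(root)
    covered = {by_id[i] for i in signed_ids(security) if i in by_id}
    unsigned = [p.tag.split("}")[-1] for p in required_signed_elements(root) if p not in covered]
    ts_present = security.find(qn(WSU, "Timestamp")) is not None
    layout_ok = strict_layout(security)
    return {"timestamp_present": ts_present, "strict_layout": layout_ok,
            "unsigned_parts": unsigned,
            "policy_satisfied": ts_present and layout_ok and not unsigned}

# Constructed sample (not captured from the broker): a decrypted request whose
# Signature covers the Body, the Timestamp and both WS-Addressing headers.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsa="http://www.w3.org/2005/08/addressing"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <soapenv:Header>
  <wsa:Action wsu:Id="Action-1">urn:example:addressbook:lookup</wsa:Action>
  <wsa:MessageID wsu:Id="MsgId-1">urn:uuid:00000000-0000-0000-0000-000000000001</wsa:MessageID>
  <wsse:Security>
   <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2012-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
   <wsse:BinarySecurityToken wsu:Id="X509-1">BASE64-CERTIFICATE-PLACEHOLDER</wsse:BinarySecurityToken>
   <ds:Signature>
    <ds:SignedInfo>
     <ds:Reference URI="#TS-1"/><ds:Reference URI="#Body-1"/>
     <ds:Reference URI="#Action-1"/><ds:Reference URI="#MsgId-1"/>
    </ds:SignedInfo>
    <ds:SignatureValue>U0lHTkFUVVJFLVBMQUNFSE9MREVS</ds:SignatureValue>
    <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509-1"/></wsse:SecurityTokenReference></ds:KeyInfo>
   </ds:Signature>
  </wsse:Security>
 </soapenv:Header>
 <soapenv:Body wsu:Id="Body-1"><lookup>Smith</lookup></soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    print(check_policy(SAMPLE))
    # Remove the Reference to wsa:Action: the header is no longer covered.
    print(check_policy(SAMPLE.replace('<ds:Reference URI="#Action-1"/>', "")))
```

Run on the sample, every rule passes; drop the Reference to wsa:Action and the report lists Action as unsigned, which is exactly the gap the QName entries in step 12 exist to close. Point the KeyInfo at a token that is not declared earlier in wsse:Security and the Strict layout check fails.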
