You can configure the encryption information for the request consumer
(server side) and response consumer (client side) bindings at the application
level.
About this task
This task provides the steps that are needed for configuring the
encryption information for the request consumer (server side) and response
consumer (client side) bindings at the application level. The encryption
information on the consumer side is used for decrypting the encrypted message
parts in the incoming SOAP message.
Complete the following steps to configure
the encryption information for the request consumer or response consumer section
of the bindings file on the application level:
Procedure
- Locate the Encryption information configuration panel in the administrative
console.
- Click Applications > Enterprise applications > application_name.
- Under Related Items, click EJB Modules or Web
Modules > URI_name.
- Under Additional properties you can access
the encryption information for the request consumer and response consumer
bindings.
- For the request consumer (receiver) binding, click Web services: Server
security bindings. Under Request consumer (receiver) binding, click Edit
custom.
- For the response consumer (receiver) binding, click Web services: Client
security bindings. Under Response consumer (receiver) binding, click Edit
custom.
- Under Required properties, click Encryption information.
- Click New to create an encryption information configuration,
click Delete to delete an existing configuration, or click the name
of an existing encryption information configuration to edit its settings.
If you are creating a new configuration, enter a name in the Encryption
information name field. For example, you might specify cons_encinfo.
- Select a data encryption algorithm from the Data encryption
algorithm field. The data encryption algorithm is used for
encrypting or decrypting parts of a SOAP message such as the SOAP body or
the username token. WebSphere Application Server supports the following pre-configured
algorithms:
The data encryption algorithm that you select for the consumer side
must match the data encryption method that you select for the generator side.
- Select a key encryption algorithm from the Key encryption algorithm field.
The key encryption algorithm is used for encrypting the key that is
used for encrypting the message parts within the SOAP message. Select (none) if
the data encryption key, which is the key that is used for encrypting the
message parts, is not encrypted. WebSphere Application Server supports the
following pre-configured algorithms:
- http://www.w3.org/2001/04/xmlenc#rsa-1_5
- http://www.w3.org/2001/04/xmlenc#kw-tripledes
- http://www.w3.org/2001/04/xmlenc#kw-aes128
- http://www.w3.org/2001/04/xmlenc#kw-aes256
To use the http://www.w3.org/2001/04/xmlenc#aes256-cbc
algorithm, you must download the unrestricted Java Cryptography Extension
(JCE) policy file from the following Web site: http://www.ibm.com/developerworks/java/jdk/security/index.html.
- http://www.w3.org/2001/04/xmlenc#kw-aes192
To use the http://www.w3.org/2001/04/xmlenc#kw-aes192
algorithm, you must download the unrestricted Java Cryptography Extension
(JCE) policy file from the following Web site: http://www.ibm.com/developerworks/java/jdk/security/index.html.
The key encryption algorithm that you select for the consumer side
must match the key encryption method that you select for the generator side.
- Optional: Select a part reference in the Part reference field.
The part reference specifies the name of the message part that is encrypted
and is defined in the deployment descriptor. For example, you can encrypt
the bodycontent message part in the deployment descriptor. The name of this
Required Confidentiality part is conf_con. This message part is shown
as an option in the Part reference field.
- Under Additional properties, click Key information references.
- Click New to create a key information configuration, click Delete to
delete an existing configuration, or click the name of an existing key information
configuration to edit its settings. If you are creating a new configuration,
enter a name in the Name field. For example, you might specify con_ekeyinfo.
This entry is the name of the <encryptionKeyInfo> element in the binding
file.
- Select a key information reference from the Key information
reference field. This reference is the value of the keyinfoRef
attribute of the <encryptionKeyInfo> element and it is the name of the <keyInfo>
element that is referenced by this key information reference. Each key information
reference entry generates an <encryptionKeyInfo> element under the <encryptionInfo>
element in the binding configuration file. For example, if you enter con_ekeyinfo in
the Name field and dec_keyinfo in the Key information reference field,
the following <encryptionKeyInfo> element is generated in the binding
file:
<encryptionKeyInfo xmi:id="EncryptionKeyInfo_1085092248843"
keyinfoRef="dec_keyinfo” name="con_ekeyinfo"/>
- Click OK and then click Save to save the configuration.
Results
You have configured the encryption information for the consumer binding
at the application level
What to do next
You must specify a similar encryption information configuration for
the generator.