WebSphere Application Server Network Deployment, Version 6.0.x   Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Encryption information configuration settings: Methods

Use this page to configure the encryption and decryption parameters for the signature method, digest method, and canonicalization method.

The specifications that are listed on this page for the signature method, digest method, and canonicalization method are located in the World Wide Web Consortium (W3C) document entitled, XML Encryption Syntax and Processing: W3C Recommendation 10 Dec 2002.

To view this administrative console page, complete the following steps:
  1. Click Applications > Enterprise Applications > application_name and complete one of the following steps:
    • Under Related Items, click EJB modules or Web modules > URI_file_name > Web Services: Client Security Bindings. Under Request sender binding, click Edit. Under Additional properties, click Encryption Information.
    • Under Related Items, click EJB modules or Web modules > URI_file_name > Web Services: Server Security Bindings. Under Response sender binding, click Edit. Under Additional properties, click Encryption Information.
  2. Select None or Dedicated encryption information. The application server can have either one or no encryption configurations for the request sender and the response sender bindings. If you are not using encryption, select None. To configure encryption for either of these two bindings, select Dedicated encryption information and specify the configuration settings using the fields that are described in this topic.
Encryption information name [Version 5 only]

Specifies the name of the key locator configuration that retrieves the key for XML digital signature and XML encryption.

Key locator reference [Version 5 only]

Specifies the name that is used to reference the key locator.

You can configure these key locator reference options on the cell level, the server level, and the application level. The configurations that are listed in the field are a combination of the configurations on these three levels.

To configure the key locators on the cell level, complete the following steps:
  1. Click Security > Web services.
  2. Under Additional properties, click Key locators.
To configure the key locators on the server level, complete the following steps:
  1. Click Servers > Application servers > server_name.
  2. Under Security, click Web services: Default bindings for Web services security.
  3. Under Additional properties, click Key locators.
To configure the key locators on the application level, complete the following steps:
  1. Click Applications > Enterprise applications > application_name.
  2. Under Related items, click EJB modules > URI_name.
  3. Under Additional properties, you can access the key locators for the following bindings:
    • For the Request sender, click Web services: Client security bindings. Under Request sender binding, click Edit. Under Additional properties, click Key locators.
    • For the Request receiver, click Web services: Server security bindings. Under Request receiver binding, click Edit. Under Additional properties, click Key locators.
    • For the Response sender, click Web services: Server security bindings. Under Response sender binding, click Edit. Under Additional properties, click Key locators.
    • For the Response receiver, click Web services: Client security bindings. Under Response receiver binding, click Edit. Under Additional properties, click Key locators.
Encryption key name [Version 5 only]

Specifies the name of the encryption key that is resolved to the actual key by the specified key locator.

Data type: String
Key encryption algorithm [Version 5 only]

Specifies the algorithm uniform resource identifier (URI) of the key encryption method.

The following algorithms are supported:

Java Cryptography Extension

By default, the Java Cryptography Extension (JCE) is shipped with restricted or limited strength ciphers. To use 192-bit and 256-bit Advanced Encryption Standard (AES) encryption algorithms, you must apply unlimited jurisdiction policy files.

Note: Before you download these policy files, back up the existing policy files (local_policy.jar and US_export_policy.jar in the WAS_HOME/jre/lib/security/ directory) so that you can restore the original files later if needed.

Application server platforms and IBM Developer Kit, Java Technology Edition Version 1.4.2

To download the policy files, complete one of the following sets of steps:
  • [AIX] [Linux] [Windows] For application server platforms using IBM Developer Kit, Java Technology Edition Version 1.4.2, including the AIX, Linux, and Windows platforms, complete the following steps to obtain unlimited jurisdiction policy files:
    1. Go to the following Web site: IBM developer kit: Security information
    2. Click Java 1.4.2
    3. Click IBM SDK Policy files.

      The Unrestricted JCE Policy files for SDK 1.4 Web site is displayed.

    4. Enter your user ID and password or register with IBM to download the policy files. The policy files are downloaded onto your machine.
  • [Solaris] [HP-UX] For application server platforms using the Sun-based Java Development Kit (JDK) Version 1.4.2, including the Solaris environments and the HP-UX platform, complete the following steps to obtain unlimited jurisdiction policy files:
    1. Go to the following Web site: http://java.sun.com/j2se/1.4.2/download.html
    2. Click Archive area.
    3. Locate the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 1.4.2 information and click Download. The jce_policy-1_4_1.zip file is downloaded onto your machine.
After following either of these sets of steps, two Java archive (JAR) files are placed in the Java virtual machine (JVM) jre/lib/security/ directory.

For the i5/OS operating system and IBM Software Development Kit Version 1.4, the tuning of Web services security is not required. The unrestricted jurisdiction policy files for the IBM Software Development Kit Version 1.4 are automatically configured when the prerequisite software is installed.

For the i5/OS operating system V5R3 and IBM Software Development Kit Version 1.4, the unrestricted jurisdiction policy files for the IBM Software Development Kit Version 1.4 are automatically configured by installing product 5722AC3, Crypto Access Provider 128-bit.

For the i5/OS operating system V5R4 and IBM Software Development Kit Version 1.4, the unrestricted jurisdiction policy files for the IBM Java Developer Kit 1.4 are automatically configured by installing product 5722SS1 Option 3, Extended Base Directory Support.

For i5/OS (both V5R3 and V5R4) and IBM Software Development Kit 1.5, the restricted JCE jurisdiction policy files are configured, by default. You can download the unrestricted JCE jurisdiction policy files from the following Web site: IBM developer kit: IBM J2SE 5 SDKs

To configure the unrestricted jurisdiction policy files for the i5/OS operating system and the IBM Software Development Kit Version 1.5:
  1. Make backup copies of these files:
    /QIBM/ProdData/Java400/jdk15/lib/security/local_policy.jar  
    /QIBM/ProdData/Java400/jdk15/lib/security/US_export_policy.jar
  2. Download the unrestricted policy files from IBM developer kit: Security information to the /QIBM/ProdData/Java400/jdk15/lib/security directory.
    1. Go to this Web site: IBM developer kit: Security information
    2. Click J2SE 5.0.
    3. Scroll down and click IBM SDK Policy files. The Unrestricted JCE Policy files for the SDK Web site is displayed.
    4. Click Sign in and provide your IBM intranet ID and password.
    5. Select the appropriate unrestricted JCE policy files, and then click Continue.
    6. View the license agreement, and then click I Agree.
    7. Click Download Now.
  3. Use the DSPAUT command to ensure that *PUBLIC is granted *RX data authority and that no object authority is provided for either the local_policy.jar or the US_export_policy.jar file in the /QIBM/ProdData/Java400/jdk15/lib/security directory. For example:
    DSPAUT OBJ('/qibm/proddata/java400/jdk15/lib/security/local_policy.jar') 
  4. Use the CHGAUT command to change authorization, if needed. For example:
    CHGAUT OBJ('/qibm/proddata/java400/jdk15/lib/security/local_policy.jar') 
    USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*NONE)
Data encryption algorithm [Version 5 only]

Specifies the algorithm Uniform Resource Identifier (URI) of the data encryption method.

By default, the JCE ships with restricted or limited strength ciphers. To use 192-bit and 256-bit AES encryption algorithms, you must apply unlimited jurisdiction policy files. For more information, see the Key encryption algorithm field description.
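To confirm that the unlimited jurisdiction policy files are in effect before you select a 192-bit or 256-bit AES key or data encryption algorithm, you can probe the JVM directly. The following is an added example, not IBM code; the class name JcePolicyCheck is hypothetical, and it assumes that you compile and run it with the same JVM (WAS_HOME/jre or the i5/OS JDK) that the application server uses.

```java
import java.security.InvalidKeyException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added example: reports which AES key sizes the active JCE jurisdiction
// policy files (local_policy.jar, US_export_policy.jar) allow.
public class JcePolicyCheck {

    // Returns true if a cipher can be initialized with an AES key of the
    // given size, false if the jurisdiction policy rejects that size.
    static boolean aesKeySizeAllowed(int bits) throws Exception {
        // Constructed all-zero key: only its length matters for this probe,
        // and no data is ever encrypted with it.
        SecretKeySpec key = new SecretKeySpec(new byte[bits / 8], "AES");
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key);
            return true;
        } catch (InvalidKeyException e) {
            return false;   // restricted policy: "illegal key size"
        } catch (SecurityException e) {
            return false;   // some older JCE levels report the restriction this way
        }
    }

    public static void main(String[] args) throws Exception {
        int[] sizes = {128, 192, 256};
        boolean unlimited = true;
        for (int i = 0; i < sizes.length; i++) {
            boolean ok = aesKeySizeAllowed(sizes[i]);
            System.out.println("AES-" + sizes[i] + ": "
                    + (ok ? "allowed" : "blocked by jurisdiction policy"));
            unlimited = unlimited && ok;
        }
        // A non-zero exit code lets a deployment script stop before the
        // bindings are configured with an algorithm the JVM cannot use.
        System.exit(unlimited ? 0 : 1);
    }
}
```

With the default restricted policy files, only AES-128 is reported as allowed; after the unlimited files are installed and the JVM is restarted, all three sizes should be allowed.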





Last updated: Mar 8, 2007 8:14:28 PM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/uwbs_encryptrsb.html

© Copyright IBM Corporation 2004, 2006. All Rights Reserved.