You can configure encryption information, used to specify how the
generators (senders) encrypt outgoing messages, for the request generator
(client side) and the response generator (server side) bindings at the application
level.
Before you begin
Configure the key information that is referenced by the key information
references in the encryption information panel.
About this task
This task provides the steps that are needed for configuring encryption information
for the request generator (client side) and the response generator (server
side) bindings at the application level. This encryption information is used
to specify how the generators (senders) encrypt outgoing messages.
Complete the following steps to configure the encryption information for the request
generator or response generator section of the bindings file on the application
level:
Procedure
- Locate the encryption information configuration panel in the administrative
console.
- Click Applications > Enterprise applications > application_name.
- Under Manage modules, click URI_name.
- Under Web Services Security Properties, you
can access the encryption information for the request generator and response generator
bindings.
- For the request generator (sender) binding, click Web services: Client
security bindings. Under Request generator (sender) binding, click Edit
custom.
- For the response generator (sender) binding, click Web services: Server
security bindings. Under Response generator (sender) binding, click Edit
custom.
- Under Required properties, click Encryption information.
- Click New to create an encryption information configuration.
Click Delete to delete an existing configuration or click the name
of an existing encryption information configuration to edit its settings.
If you are creating a new configuration, enter a name in the Encryption
information name field. For example, you might specify gen_encinfo.
- Select a data encryption algorithm from the Data encryption
algorithm field. The selection specifies the algorithm that
is used to encrypt parts of the message. WebSphere Application Server supports
the following pre-configured algorithms:
- http://www.w3.org/2001/04/xmlenc#tripledes-cbc
- http://www.w3.org/2001/04/xmlenc#aes128-cbc
- http://www.w3.org/2001/04/xmlenc#aes256-cbc
To use this algorithm,
you must download the unrestricted Java Cryptography Extension (JCE) policy
file from the following Web site: http://www.ibm.com/developerworks/java/jdk/security/index.html.
- http://www.w3.org/2001/04/xmlenc#aes192-cbc
To use this algorithm,
you must download the unrestricted Java Cryptography Extension (JCE) policy
file from the following Web site: http://www.ibm.com/developerworks/java/jdk/security/index.html.
Do not use the 192-bit key encryption algorithm if you want
your configured application to be in compliance with the Basic Security Profile
(BSP).
The data encryption algorithm that you select for the generator side
must match the data encryption method that you select for the consumer side.
- Select a key encryption algorithm from the Key encryption algorithm field.
This selection specifies the algorithm that is used to encrypt keys.
WebSphere Application Server supports the following pre-configured algorithms:
- http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.
When running with Software Development Kit (SDK) Version 1.4, this algorithm
is not in the list of supported key transport algorithms; it appears in the
list when running with SDK Version 1.5.
Restriction: This algorithm is not supported when WebSphere Application Server
is running in Federal Information Processing Standard (FIPS) mode.
By default, the RSA-OAEP algorithm uses
the SHA1 message digest algorithm to compute a message digest as part of the
encryption operation. Optionally, you can use the SHA256 or SHA512 message
digest algorithm by specifying a key encryption algorithm property. For the
property name, you can specify
com.ibm.wsspi.wssecurity.enc.rsaoaep.DigestMethod.
The property value is one of the following URIs of the digest method:
- http://www.w3.org/2001/04/xmlenc#sha256
- http://www.w3.org/2001/04/xmlenc#sha512
By default, the RSA-OAEP algorithm uses an empty string for the optional
OAEPparams encoding octet string. You can provide an explicit encoding octet
string by specifying a key encryption algorithm property. For the property
name, you can specify
com.ibm.wsspi.wssecurity.enc.rsaoaep.OAEPparams.
The property value is the base64-encoded value of the octet string.
Important: You can set these digest method and OAEPParams properties
on the generator side only. On the consumer side, these properties are read
from the incoming Simple Object Access Protocol (SOAP) message.
- http://www.w3.org/2001/04/xmlenc#rsa-1_5
This is RSA key transport with PKCS#1 v1.5 padding. Where the SDK and the
consumer support it, prefer rsa-oaep-mgf1p: v1.5 padding is the scheme
affected by the well-known padding-oracle (Bleichenbacher-style) attacks on
RSA key transport, whereas OAEP is not.
- http://www.w3.org/2001/04/xmlenc#kw-tripledes
- http://www.w3.org/2001/04/xmlenc#kw-aes128
- http://www.w3.org/2001/04/xmlenc#kw-aes256
To use this algorithm, you
must download the unrestricted Java Cryptography Extension (JCE) policy file
from the following Web site: http://www.ibm.com/developerworks/java/jdk/security/index.html.
- http://www.w3.org/2001/04/xmlenc#kw-aes192
To use this algorithm, you
must download the unrestricted Java Cryptography Extension (JCE) policy file
from the following Web site: http://www.ibm.com/developerworks/java/jdk/security/index.html.
Do not use the 192-bit key encryption algorithm if you want
your configured application to be in compliance with the Basic Security Profile
(BSP).
The key encryption algorithm that you select for the generator side
must match the key encryption method that you select for the consumer side.
- Select an encryption key information reference from the Encryption
key information menu. This selection is a reference to the encryption
key that is used to encrypt parts of the message. To configure the key information,
see Configuring the key information using JAX-RPC for the generator binding on the application level.
- Select a part reference from the Part reference field.
This field specifies the name of the part reference for the generator
binding element in the deployment descriptor.
- Click OK and then click Save to save the configuration.
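As an added illustration (not part of this documentation and not WebSphere Application Server code), the following Python script builds a constructed WS-Security message the way a generator binding configured by the procedure above would emit it, then reads the algorithm metadata back the way the consumer does and checks it against a consumer configuration: the data and key encryption algorithms must match the consumer side, the 192-bit algorithms fail the Basic Security Profile rule, and DigestMethod and OAEPparams are taken from the incoming message rather than from consumer configuration. The namespace URIs are the standard XML Encryption, XML Signature and WS-Security values; the function names, the sample envelope and the placeholder CipherValue content are assumptions of the example.

```python
import base64
import xml.etree.ElementTree as ET

# Standard namespace URIs for SOAP 1.1, WS-Security, XML Encryption and XML Signature.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Algorithm URIs from the procedure; the 192-bit ones are excluded by BSP.
RSA_OAEP = XENC + "rsa-oaep-mgf1p"
RSA_15 = XENC + "rsa-1_5"
BSP_EXCLUDED = {XENC + "aes192-cbc", XENC + "kw-aes192"}
# Digest methods RSA-OAEP may name in the message; xmldsig#sha1 is the default.
OAEP_DIGESTS = {DS + "sha1", XENC + "sha256", XENC + "sha512"}


def build_message(key_alg, data_alg, oaep_digest=None, oaep_params=b""):
    """Constructed generator-side output (assumed shape): a SOAP envelope whose
    Security header carries the EncryptedKey and whose body carries the one
    EncryptedData it references. CipherValue contents are placeholders."""
    method_children = ""
    if key_alg == RSA_OAEP:
        if oaep_params:
            encoded = base64.b64encode(oaep_params).decode()
            method_children += f"<xenc:OAEPparams>{encoded}</xenc:OAEPparams>"
        if oaep_digest:
            method_children += f'<ds:DigestMethod xmlns:ds="{DS}" Algorithm="{oaep_digest}"/>'
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}">'
        "<soapenv:Header><wsse:Security>"
        '<xenc:EncryptedKey Id="EncKey-1">'
        f'<xenc:EncryptionMethod Algorithm="{key_alg}">{method_children}</xenc:EncryptionMethod>'
        "<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>"
        '<xenc:ReferenceList><xenc:DataReference URI="#EncData-1"/></xenc:ReferenceList>'
        "</xenc:EncryptedKey></wsse:Security></soapenv:Header>"
        "<soapenv:Body>"
        f'<xenc:EncryptedData Id="EncData-1" Type="{XENC}Content">'
        f'<xenc:EncryptionMethod Algorithm="{data_alg}"/>'
        "<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>"
        "</xenc:EncryptedData></soapenv:Body></soapenv:Envelope>"
    )


def parse_encryption_info(soap_xml):
    """Consumer side: pull the key and data encryption algorithms and the OAEP
    parameters out of the incoming message, following ReferenceList to the
    EncryptedData elements the key actually covers."""
    root = ET.fromstring(soap_xml)
    enc_key = root.find(f".//{{{XENC}}}EncryptedKey")
    if enc_key is None:
        raise ValueError("no xenc:EncryptedKey in the Security header")
    method = enc_key.find(f"{{{XENC}}}EncryptionMethod")
    digest = method.find(f"{{{DS}}}DigestMethod")
    params = method.find(f"{{{XENC}}}OAEPparams")
    by_id = {ed.get("Id"): ed for ed in root.iter(f"{{{XENC}}}EncryptedData")}
    data_algs = set()
    for ref in enc_key.iter(f"{{{XENC}}}DataReference"):
        target = by_id.get(ref.get("URI", "").lstrip("#"))
        if target is None:
            raise ValueError(f"dangling DataReference {ref.get('URI')}")
        data_algs.add(target.find(f"{{{XENC}}}EncryptionMethod").get("Algorithm"))
    return {
        "key_alg": method.get("Algorithm"),
        "oaep_digest": digest.get("Algorithm") if digest is not None else DS + "sha1",
        "oaep_params": base64.b64decode(params.text) if params is not None and params.text else b"",
        "data_algs": data_algs,
    }


def check_against_consumer(info, consumer_key_alg, consumer_data_alg, require_bsp=True):
    """Return the reasons the message would not match a consumer binding configured
    with the given algorithms; an empty list means generator and consumer agree."""
    findings = []
    if info["key_alg"] != consumer_key_alg:
        findings.append(f"key encryption algorithm mismatch: {info['key_alg']} vs {consumer_key_alg}")
    for alg in sorted(info["data_algs"] - {consumer_data_alg}):
        findings.append(f"data encryption algorithm mismatch: {alg} vs {consumer_data_alg}")
    if require_bsp:
        for alg in sorted(({info["key_alg"]} | info["data_algs"]) & BSP_EXCLUDED):
            findings.append(f"{alg} uses a 192-bit key and is not BSP-compliant")
    if info["key_alg"] == RSA_OAEP and info["oaep_digest"] not in OAEP_DIGESTS:
        findings.append(f"unsupported OAEP digest method {info['oaep_digest']}")
    if info["key_alg"] == RSA_15:
        findings.append("rsa-1_5 key transport selected; prefer rsa-oaep-mgf1p")
    return findings


if __name__ == "__main__":
    msg = build_message(RSA_OAEP, XENC + "aes256-cbc", oaep_digest=XENC + "sha256", oaep_params=b"\x01\x02\x03")
    print(check_against_consumer(parse_encryption_info(msg), RSA_OAEP, XENC + "aes256-cbc"))
```

Running the script with a generator configured for rsa-oaep-mgf1p, aes256-cbc, the SHA256 digest method and an explicit OAEPparams value against a consumer configured with the same two algorithms prints an empty list; swapping in rsa-1_5 and aes192-cbc on the generator side produces a mismatch finding for each algorithm plus the BSP finding, which is the same failure a mismatched consumer binding would surface at runtime.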
Results
The encryption information is configured for the generator binding
at the application level.
What to do next
You must specify a matching encryption information configuration for
the consumer, selecting the same data encryption and key encryption algorithms
that you selected here for the generator.