With Web services, you can sign message parts, encrypt message
parts, or both, based on the quality of service defined for a policy set.
You can accomplish these actions by defining the binding information in a
custom attachment binding.
Before you begin
Before you begin this task, attach a policy set to a service artifact
such as an application, service or endpoint and create a custom attachment
binding. Read about creating custom attachment bindings for policy sets. The
policy set that is attached to the service artifact must include a WS-Security
policy that specifies message parts to be signed or encrypted. Read about
securing message parts using the administrative console.
About this task
To sign message parts, encrypt message parts, or both, based on the
quality of service defined for a policy set, perform the following steps:
Procedure
- Open the administrative console.
- To sign and encrypt message parts for a service provider, click Applications
> Enterprise Applications > application_name > Service
provider policy sets and bindings. To sign and encrypt message parts for
a service client, click Applications > Enterprise Applications > application_name > Service
client policy sets and bindings.
- Click the binding name link of the service artifact with a custom
attachment binding.
- If the binding does not contain WS-Security policy set bindings,
then click Add and select WS-Security from the list.
- Click WS-Security policy set bindings.
- Click Authentication and protection. The resulting
panel contains the following four tables:
  - Protection tokens: Specifies the tokens that are defined for the symmetric
  or asymmetric signature and encryption policies in the policy set.
  - Authentication tokens: Specifies the tokens that are defined for the request
  and response token policies.
  - Request message signature and encryption protection: Specifies the message
  parts that are defined in the Request message part protection for the policy
  set.
  - Response message signature and encryption protection: Specifies the message
  parts that are defined in the Response message part protection for the policy
  set.
  Initially, each table displays information that is generated from
  the policy set that is attached to the service artifact. The possible
  configuration objects based on the policy set are displayed. The Status column
  indicates whether the object is currently configured in the custom attachment
  binding.
- If the protection tokens have a status of Not configured,
then create the protection tokens by clicking the default name, verifying
the default values, and clicking OK.
- [Optional] If you use the X.509 protection tokens, then you must
configure the keystores and keys to be used to sign, verify, encrypt, or decrypt
message parts. You might also need to configure keystores and keys when using
custom protection tokens, depending on the requirements of the custom tokens.
When using a security context token for protection (secure conversation),
you do not need to configure keystores or keys. If you need to configure the
keystores and keys, then perform the following actions:
  - Click the token name link.
  - Click the Callback handler link under Additional bindings.
  If the Callback handler link is not clickable, click Apply, then click
  the Callback handler link.
  - Use either a predefined keystore or a custom keystore. To use
  a predefined keystore, select the keystore from the list. To use a custom
  keystore, select Custom from the list and click the Custom key store
  configuration link to specify the configuration.
  - Click OK.
- Click the name of the request or response message part reference
to be signed or encrypted. The Protection column displays whether the message
part is signed or encrypted based on the policy set.
- Specify a name for the message part.
- For encrypted parts, select the type of encryption from Usage
of key information references. For asymmetric encryption, or X.509, select Key
encryption. For symmetric encryption, or secure conversation, select Data
encryption.
- [Optional] For encrypted parts, select the Include time stamp or Include
nonce options to include a time stamp or nonce in the encrypted message
part. You can include one or both of these options in the encrypted
message part.
- For signed parts, specify one or more Message part references.
Select a reference from the Available column and click Add.
- [Optional] For signed parts, you can also choose to add a time
stamp or nonce to the signed message part. Select a Message part reference
from the Assigned column and click Edit. Select the Include time
stamp or the Include nonce options to include a time stamp or nonce
in the signed message part. You can select one or both of these
options in the signed message part.
- If there are no available key information entries, then create
one using the following actions:
  - Click New.
  - Specify a name.
  - Select a protection token from the Token generator or Consumer
  name list.
  - Click OK.
- Select a key information entry from the Available list and click Add.
- [Optional] Specify custom properties if needed.
  - To use Message Transmission Optimization Mechanism (MTOM) for
  the cipher text of the encrypted data, add the custom property com.ibm.wsspi.wssecurity.enc.MTOM.Optimize
  with the value true to outbound encrypted parts for client requests
  or server responses.
  - To use encryption headers as described in the WS-Security 1.0
  specification instead of the encrypted header support described in WS-Security
  1.1, add the custom property com.ibm.wsspi.wssecurity.encryptedHeader.generate.WSS1.0
  with the value true to outbound encrypted parts for client requests
  or server responses.
- Click OK.
- Click Save to save the changes to the master configuration.
Results
When you finish this task, the message parts are signed, encrypted,
or both, based on the configuration used when communicating with the service
artifact.
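After the binding is saved and the application is started, the only confirmation that the policy set is really taking effect is the message on the wire. The following Python script is an added example, not part of this documentation or of the WebSphere product: it parses a constructed WS-Security request (the cipher, digest and signature values are placeholders, not real cryptographic output), reports which elements the ds:Reference entries of the signature cover, which elements carry xenc:EncryptedData, whether an xenc:EncryptedKey is present (key encryption, as with X.509 tokens, rather than the data encryption of a secure conversation), and whether the Timestamp is signed, and then compares that with the parts the policy set is expected to protect. The namespace URIs are the standard WS-Security, XML Signature and XML Encryption ones; the sample envelope, the wsu:Id values and the function names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# WS-Security / XML Signature / XML Encryption namespaces (standard URIs).
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample request (not captured from a real server): the Body content is
# encrypted under an EncryptedKey in the header (key encryption, as an X.509 binding
# produces) and both the Timestamp and the Body are signed. Digest, cipher and
# signature values are placeholders, not real cryptographic output.
SAMPLE_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2024-01-01T00:00:00Z</wsu:Created>
        <wsu:Expires>2024-01-01T00:05:00Z</wsu:Expires>
      </wsu:Timestamp>
      <xenc:EncryptedKey Id="EK-1">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#TS-1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#Body-1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="Body-1">
    <xenc:EncryptedData Id="ED-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>"""


def local_name(el):
    """Strip the namespace from an element tag: '{uri}Body' -> 'Body'."""
    return el.tag.rsplit("}", 1)[-1]


def inspect_security(xml_text):
    """Summarise which message parts the wsse:Security header actually protects."""
    root = ET.fromstring(xml_text)
    # Resolve '#id' references: map wsu:Id and plain Id values to their elements,
    # and remember each element's parent (ElementTree has no parent pointers).
    ids, parent = {}, {}
    for el in root.iter():
        for attr in (WSU_ID, "Id"):
            if attr in el.attrib:
                ids[el.attrib[attr]] = el
        for child in el:
            parent[child] = el
    report = {"timestamp": False, "signed": [], "encrypted": [], "key_encryption": False}
    sec = root.find("soapenv:Header/wsse:Security", NS)
    if sec is None:
        return report  # no security header at all: nothing is protected
    report["timestamp"] = sec.find("wsu:Timestamp", NS) is not None
    # Each ds:Reference names one signed part; report the element it points at.
    for ref in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS):
        target = ids.get(ref.get("URI", "").lstrip("#"))
        report["signed"].append(local_name(target) if target is not None else "<unresolved>")
    # An EncryptedKey in the header means key encryption (asymmetric / X.509);
    # a direct key reference only (secure conversation) means data encryption.
    report["key_encryption"] = sec.find("xenc:EncryptedKey", NS) is not None
    # Report the element whose content each EncryptedData replaced.
    for ed in root.iter("{%s}EncryptedData" % NS["xenc"]):
        report["encrypted"].append(local_name(parent[ed]))
    return report


def check_policy(report, signed_parts=("Body",), encrypted_parts=("Body",), need_timestamp=True):
    """Compare an inspection report with the parts the policy set is meant to protect."""
    findings = []
    for part in signed_parts:
        if part not in report["signed"]:
            findings.append("%s is not covered by the signature" % part)
    for part in encrypted_parts:
        if part not in report["encrypted"]:
            findings.append("%s is not encrypted" % part)
    if need_timestamp and "Timestamp" not in report["signed"]:
        findings.append("Timestamp is missing or not signed")
    return findings


if __name__ == "__main__":
    rep = inspect_security(SAMPLE_REQUEST)
    print(rep)
    print(check_policy(rep) or "message matches the expected protection")
```

The check is structural only: it does not verify digests or the signature value (the runtime rejects a message whose signature fails), but it does catch the quieter misconfiguration where a part listed in the policy set is simply not referenced by the signature or never encrypted, which the receiving side may not complain about. Run it against a request captured with a message logger or a test proxy, adjusting `signed_parts` and `encrypted_parts` to the parts named in the policy set.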
Example
You have an application, app1, with an attached policy set, RAMP default,
and a custom attachment binding, myBinding, and you want to sign and encrypt
the message parts.
1. Click the app1 application in the Applications > Enterprise
Applications collection.
2. Click the Service provider policy sets and bindings link or the Service
client policy sets and bindings link.
3. Click the myBinding link.
4. [Optional] If WS-Security is not listed, then select Add > WS-Security.
5. Click the WS-Security link.
6. Click the Authentication and protection link.
7. In the Protection tokens table, click each of the four links and OK on
the resulting panel. Each entry is now shown as Configured in the Status
column.
8. In the Request message signature and encryption protection table, click request:app_encparts.
Specify the name, requestEncParts.
9. Click New from Key information. Specify the name, requestEncKeyInfo.
10. Select SymmetricBindingRecipientEncryptionToken, and click OK.
11. Select requestEncKeyInfo in the Available list, and click Add.
Click OK.
12. In the Request message signature and encryption protection table, click request:app_signparts.
13. Specify the name, requestSignParts.
14. Click New from Key information. Specify the name, requestSignKeyInfo.
15. Select SymmetricBindingInitiatorSignatureToken, and click OK.
16. Select requestSignKeyInfo in the Available list, and click Add.
Click OK.
17. Repeat steps 8 to 16 for the links in the Response message signature and
encryption protection table.
18. Click Save to save the changes to the master configuration.
What to do next
Start the application.