Encryption information configuration settings: Message parts

Use this page to configure the encryption and decryption parameters. You can use these parameters to encrypt and decrypt various parts of the message, including the body and the token.

To view the administrative console panel for the encryption information on the server level, complete the following steps:
  1. Click Servers > Server Types > WebSphere application servers > server_name.
  2. Under Security, click JAX-WS and JAX-RPC security runtime.
    Mixed-version environment: In a mixed node cell with a server using Websphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web services security.mixv
  3. Under either JAX-RPC Default Generator Bindings or JAX-RPC Default Consumer Bindings, click Encryption information.
  4. Click New to create a new encryption configuration or click the name of an existing encryption configuration.
To view this administrative console page for the encryption information on the application level, complete the following steps:
  1. Click Applications > Application Types > WebSphere enterprise applications > application_name.
  2. Under Modules, click Module update > module_name.
  3. Under Web Services Security Properties, you can access encryption information for the following bindings:
    • For the Request generator, click Web services: Client security bindings. Under Request generator (sender) binding, click Edit custom. Under Required properties, click Encryption information.
    • For the Request consumer, click Web services: Server security bindings. Under Request consumer (receiver) binding, click Edit custom. Under Required properties, click Encryption information.
    • For the Response generator, click Web services: Server security bindings. Under Response generator (sender) binding, click Edit custom. Under Required properties, click Encryption information.
    • For the Response consumer, click Web services: Client security bindings. Under Response consumer (receiver) binding, click Edit custom. Under Required properties, click Encryption information.
  4. Click either New to create a new encryption configuration or click the name of an existing encryption configuration.

Encryption information name

[Version 5 and 6 only]

Specifies the name for the encryption information.

Data type String

Data encryption algorithm

[Version 5 and 6 only]

Specifies the algorithm Uniform Resource Identifier (URI) of the data encryption method.

The following algorithms are supported:

By default, the Java Cryptography Extension (JCE) is shipped with restricted or limited strength ciphers. To use 192-bit and 256-bit Advanced Encryption Standard (AES) encryption algorithms, you must apply unlimited jurisdiction policy files. For more information, see the Key encryption algorithm field description.

Key locator reference

[Version 5 only]

Specifies the name of the key locator configuration that retrieves the key for XML digital signature and XML encryption.

The Key locator reference field is displayed for the request receiver and response receiver bindings, which are used by Version 5.x applications.

You can configure these key locator reference options on the server level and the application level. The configurations that are listed in the field are a combination of the configurations on these two levels.

You can specify an encryption key configuration for the following bindings on the following levels:
Table 1. Encryption key binding configurations. Use these configurations to encrypt and decrypt various parts of a message.
Binding name Server level or application level Path
Default generator binding Server level
  1. Click Servers > Server Types > WebSphere application servers > server_name.
  2. Under Security, click JAX-WS and JAX-RPC security runtime.
    Mixed-version environment: In a mixed node cell with a server using Websphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web services security.mixv
  3. Under Additional properties, click Key locators.
Default consumer binding Server level
  1. Click Servers > Server Types > WebSphere application servers > server_name.
  2. Under Security, click JAX-WS and JAX-RPC security runtime.
    Mixed-version environment: In a mixed node cell with a server using Websphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web services security.mixv
  3. Under Additional properties, click Key locators.
Request sender Application level
  1. Click Applications > Application Types > WebSphere enterprise applications > application_name.
  2. Under Modules, click Manage modules > URI_name.
  3. Click Web services: Client security bindings. Under Request sender binding, click Edit.
  4. Under Additional properties, click Key locators.
Request receiver Application level
  1. Click Applications > Application Types > WebSphere enterprise applications > application_name.
  2. Under Modules, click Manage modules> URI_name.
  3. Click Web services: Server security bindings. Under Request receiver binding, click Edit.
  4. Under Additional properties, click Key locators.
Response sender Application level
  1. Click Applications > Application Types > WebSphere enterprise applications > application_name.
  2. Under Modules, click Manage modules> URI_name.
  3. Click Web services: Server security bindings. Under Response sender binding, click Edit.
  4. Under Additional properties, click Key locators.
Response receiver Application level
  1. Click Applications > Application Types > WebSphere enterprise applications > application_name.
  2. Under Modules, click Manage modules> URI_name.
  3. Click Web services: Client security bindings. Under Response receiver binding, click Edit.
  4. Under Additional properties, click Key locators.

Key encryption algorithm

[Version 5 and 6 only]

Specifies the algorithm Uniform Resource Identifier (URI) of the key encryption method.

The following algorithms are provided by the application server:

IBM Software Development Kit Version 1.4:

For IBM i and IBM Software Development Kit Version 1.4, the tuning of Web services security is not required. The unrestricted jurisdiction policy files for IBM Software Development Kit Version 1.4 are automatically configured when the prerequisite software is installed.
  • For IBM i (formerly known as IBM i V5R3) and IBM Software Development Kit Version 1.4, install product 5722AC3, Crypto Access Provider 128-bit.
  • For IBM i 5.4 and IBM Software Development Kit Version 1.4, install product 5722SS1 Option 3, Extended Base Directory Support.

IBM Software Development Kit Version 1.5:

For IBM i 5.4 and IBM i (formerly known as IBM i V5R3) and IBM Software Development Kit 1.5, the restricted JCE jurisdiction policy files are configured, by default. You can download the unrestricted JCE jurisdiction policy files from the following Web site: IBM developer works: Security Information, Version 5

Note: If Java Platform, Standard Edition 6 (Java SE 6) 32-bit for IBM i is the enabled Java virtual machine (JVM) for your profile, substitute /QOpenSys/QIBM/ProdData/JavaVM/jdk50/32bit/jre for /QIBM/ProdData/Java400/jdk15 as the path name in the following steps.
Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, you must check the laws of your country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.
To configure the unrestricted jurisdiction policy files for IBM i and the IBM Software Development Kit Version 1.5:
  1. Make backup copies of these files:
    /QIBM/ProdData/Java400/jdk15/lib/security/local_policy.jar  
    /QIBM/ProdData/Java400/jdk15/lib/security/US_export_policy.jar
  2. Download the unrestricted policy files from IBM developer works: Security Information to the /QIBM/ProdData/Java400/jdk15/lib/security directory.
    1. Go to this Web site: http://www.ibm.com/developerworks/java/jdk/security/index.html
    2. Click J2SE 5.0.
    3. Scroll down and click IBM SDK Policy files. The Unrestricted JCE Policy files for the SDK Web site is displayed.
    4. Click Sign in and provide your IBM intranet ID and password.
    5. Select the appropriate unrestricted JCE policy files, and then click Continue.
    6. View the license agreement, and then click I Agree.
    7. Click Download Now.
  3. Use the DSPAUT command to ensure *PUBLIC is granted*RX data authority but also ensure that no object authority is provided to both the local_policy.jar and the US_export_policy.jar files in the /QIBM/ProdData/Java400/jdk15/lib/security directory. For example:
    DSPAUT OBJ('/qibm/proddata/java400/jdk15/lib/security/local_policy.jar') 
  4. Use the CHGAUT command to change authorization, if needed. For example:
    CHGAUT OBJ('/qibm/proddata/java400/jdk15/lib/security/local_policy.jar') 
    USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*NONE)

Custom algorithms on the server level

To specify custom algorithms on the server level, complete the following steps:
  1. Click Servers > Server Types > WebSphere application servers > server_name.
  2. Under Security, click JAX-WS and JAX-RPC security runtime.
    Mixed-version environment: In a mixed node cell with a server using Websphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web services security.mixv
  3. Under Additional properties, click Algorithm mappings.
  4. Click New to specify a new algorithm mapping or click the name of an existing configuration to modify its settings.
  5. Under Additional properties, click Algorithm URI.
  6. Click New to create a new algorithm URI. You must specify Key encryption in the Algorithm type field to have the configuration display in the Key encryption algorithm field on the Encryption information configuration settings panel.

Encryption key information

[Version 5 and 6 only]

Specifies the name of the key information reference that is used for encryption. This reference is resolved to the actual key by the specified key locator and defined in the key information.

[Version 6 only] You must specify either one or no encryption key configurations for the request generator and response generator bindings.

[Version 6 only] For the response consumer and the request consumer bindings, you can configure multiple encryption key references. To create a new encryption key reference, under Additional properties, click Key information references.

You can specify an encryption key configuration for the following bindings on the following levels:
Table 2. Encryption key binding configurations. Use these configurations to encrypt and decrypt various parts of a message.
Binding name Server level or application level Path
Default generator binding Server level
  1. Click Servers > Server Types > WebSphere application servers > server_name.
  2. Under Security, click JAX-WS and JAX-RPC security runtime.
    Mixed-version environment: In a mixed node cell with a server using Websphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web services security.mixv
  3. Under JAX-RPC Default generator binding, click Key information.
Default consumer binding Server level
  1. Click Servers > Server Types > WebSphere application servers > server_name.
  2. Under Security, click JAX-WS and JAX-RPC security runtime.
    Mixed-version environment: In a mixed node cell with a server using Websphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web services security.mixv
  3. Under JAX-RPC Default consumer binding, click Key information.
Request generator (sender) binding Application level
  1. Click Applications > Application Types > WebSphere enterprise applicationsapplication_name.
  2. Under Modules, click Manage modules > URI_name.
  3. Under Web Services Security Properties, click Web services: Client security bindings.
  4. Under Request generator (sender) binding, click Edit custom.
  5. Under Required properties, click Key information.
Response generator (sender) binding Application level
  1. Click Applications > Application Types > WebSphere enterprise applicationsapplication_name.
  2. Under Modules, click Manage modules > URI_name.
  3. Under Web Services Security Properties, click Web services: Server security bindings.
  4. Under Response generator (sender) binding, click Edit custom.
  5. Under Required properties, click Key information.

Part Reference

[Version 6 only]

Specifies the name of the <confidentiality> element for the generator binding or the <requiredConfidentiality> element for the consumer binding element in the deployment descriptor.

This field is available on the application level only.




Related concepts
Basic Security Profile compliance tips
Related tasks
Configuring encryption using JAX-RPC to protect message confidentiality at the application level
Related reference
Encryption information collection
Key locator collection
Encryption information configuration settings: Methods
Reference topic    

Terms of Use | Feedback

Last updated: Oct 20, 2010 11:50:58 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-base-iseries&topic=uwbs_encryptrrb
File name: uwbs_encryptrrb.html