You can use an assembly tool and the administrative console
to configure the Web Services Security extensions and Web Services
Security bindings.
Before you begin
Important: There is an important
distinction between Version 5.x and Version 6 and later applications.
The information in this article supports Version 5.x applications
only that are used with WebSphere® Application Server
Version 6.0.x and later. The information does not apply to
Version 6.0.x and later applications.
Prior to completing
these steps, read either of the following topics to become familiar
with the
WS Extensions tab and the
WS
Bindings tab:
These two tabs are used to configure the Web Services
Security extensions and Web Services Security bindings, respectively.
About this task
Complete this task to specify which decryption method
is used by the server to decrypt the request message. You must know
which decryption method the client uses because the server must use
the same method.
Procedure
- Launch an assembly tool. For more information,
see the related information on Assembly Tools.
- Switch to the Java Platform,
Enterprise Edition (Java EE)
perspective. Click .
- Click .
- Right-click the webservices.xml file,
select .
- Click the Binding Configurations tab,
which is located at the bottom of the web services editor within the
assembly tool.
- Expand the section.
- Click Edit to view the encryption
information. The following table describes the purpose
for each of these selections. Some definitions are taken from the
XML-Encryption specification , which is located at the following web
address: http://www.w3.org/TR/xmlenc-core
- Encryption name
- Represents the name of this encryption information entry; an alias
for the entry.
- Data encryption method algorithm
- Encrypts and decrypts data in fixed size, multiple octet blocks.
This algorithm must be the same as the algorithm selected in the client
request sender configuration.
- Key encryption method algorithm
- Represents algorithms specified for encrypting and decrypting
keys. This algorithm must be the same as the algorithm selected in
the client request sender configuration.
- Encryption key name
- Represents a Subject from a personal certificate, which is typically
a distinguished name (DN) that is found by the encryption key locator.
The subject is used by the key encryption method algorithm to decrypt
the secret key, and the secret key is used to decrypt the data.
The
key chosen must be a private key in the key store configured by the
key locator. The key requires the same Subject used by the client
to encrypt the data. Encryption must be done using the public key
and decryption by using the private key (personal certificate). To
ensure that the client encrypts the data with the correct public or
private key, you must extract the public key from the server key store
and add it to the key store specified in the encryption configuration
information for the client request sender.
For example, the
personal certificate of a server is CN=Bob, O=IBM, C=US.
Therefore the server contains the public and private key pair. The
client sending the request should encrypt the data using the public
key for CN=Bob, O=IBM, C=US. The server decrypts
the data using the private key for CN=Bob, O=IBM, C=US.
- Encryption key locator
- Represents a reference to a key locator implementation class that
finds the correct keystore where the alias and the certificate exist.
For more information on configuring key locators, go to the following
sections: Configuring key locators using an assembly tool and Configuring key locators using the administrative console.
- Optional: Select Show only FIPS
Compliant Algorithms if you only want the FIPS compliant
algorithms to be shown in the Data Encryption method algorithm and
Key Encryption method algorithm dropdown lists. Use this option if
you expect this application to be run on a WebSphere Application
Server that has set the Use the United States Federal Information
Processing Standard (FIPS) algorithms option in the SSL
certificate and key management panel of the administrative console
for WebSphere Application Server.
Results
It is important to note that for decryption, the encryption
key name chosen must refer to a personal certificate that can be located
by the key locator of the server referenced in the encryption information.
Enter the Subject of the personal certificate here, which is typically
a Distinguished Name (DN). The Subject uses the default key locator
to find the key. If a custom key locator is written, the encryption
key name can be anything used by the key locator to find the correct
encryption key. The encryption key locator references the implementation
class that finds the correct key store where this alias and certificate
exist. Refer to Configuring key locators using an assembly tool and Configuring key locators using the administrative console for
more information.