If you are working with policy sets, you can secure message parts using the administrative console. To secure message parts with WS-Security using policy sets, you must define the elements for the message parts to be protected in the WS-Security policy within a policy set.
Before you begin
Before you can start this task, you must have a policy set defined for your application or service artifact. Also, if none of the default policy sets contain the necessary policy definitions, you must create a custom policy set with the necessary definitions.
About this task
This task assumes that you are using policy sets and you want to secure message parts within that context.
Procedure
- Open the administrative console.
- Select the policy set containing the message parts that you want to secure.
- To secure message parts using application policy sets, click Services > Policy sets > Application policy sets.
- To secure message parts using system policy sets, click Services > Policy sets > System policy sets.
- Select the policy set that you want to use.
- If the WS-Security policy is not listed, click Add and select that policy from the list.
- Click the WS-Security link.
- Click Main policy or Bootstrap policy. The bootstrap policy is available only when Secure Conversation is used. If you want to use the bootstrap policy, select the SecureConversation policy set in step 3.
- Make sure that Message level protection is selected, then click Request message part protection or Response message part protection. When the Message level protection check box is cleared, the links to Request message part protection and Response message part protection are not available, because the configuration information associated with message level security is removed when Message level protection is deselected.
- Click Add for either Encrypted parts or Signed parts, depending on the protection that you want. To both sign and encrypt a part, add it under both.
- Specify a part name and add the elements to be signed or encrypted, or both. An element can be selected as the message body, by an XPath expression, or by a QName; a QName is for SOAP header elements only. Click OK.
Recommendation for when to use QName or XPath: If you are signing or encrypting SOAP headers, use a QName to select which SOAP headers to sign or encrypt.
Note: A QName selects only elements that are direct children of the SOAP Header element.
To sign or encrypt other elements in the SOAP message, use an XPath expression. The expression should match on namespace URI and local name, as in the following example, so that it does not depend on the namespace prefixes that a particular client uses. This XPath expression selects the element MyElement, in the namespace http://xyz.acme.com, nested inside the header element MyHeader, in the namespace http://acme.com, of a SOAP 1.2 message. The first two steps name the SOAP 1.2 envelope namespace http://www.w3.org/2003/05/soap-envelope; for a SOAP 1.1 message, use http://schemas.xmlsoap.org/soap/envelope/ in those two steps instead.
/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Envelope']/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Header']/*[namespace-uri()='http://acme.com' and local-name()='MyHeader']/*[namespace-uri()='http://xyz.acme.com' and local-name()='MyElement']
- Repeat steps 8 and 9 to sign or encrypt each message part.
- To save your changes to the master configuration, click Save.
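The following Python script is an added illustration of step 9; it is not part of the original page and is not WebSphere or IBM code. It builds the prefix-independent XPath form shown above from a list of (namespace, local name) steps, lists which header elements a QName can reach (only direct children of the SOAP Header), and resolves the same steps against a constructed SOAP 1.2 message. The sample message, its namespaces other than the SOAP envelope namespaces, and all function names are assumptions made for the example. Only the Python standard library is used; because ElementTree does not evaluate namespace-uri() or local-name(), resolution uses ElementTree's {namespace}name path form for the same steps.

```python
"""Added example: build and check WS-Security message-part selectors.

Constructed sample; not from the page or from any IBM code base.
"""
import xml.etree.ElementTree as ET

# Real SOAP envelope namespaces (SOAP 1.2 and SOAP 1.1).
SOAP12_ENV = "http://www.w3.org/2003/05/soap-envelope"
SOAP11_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed SOAP 1.2 message. The header namespaces follow the page's
# XPath example; the prefixes are deliberately different from that example
# to show that the selector does not depend on them.
SAMPLE_SOAP12 = """<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Header>
    <a:MyHeader xmlns:a="http://acme.com">
      <x:MyElement xmlns:x="http://xyz.acme.com">secret</x:MyElement>
    </a:MyHeader>
    <s:Session xmlns:s="http://acme.com/session">abc123</s:Session>
  </env:Header>
  <env:Body>
    <o:Order xmlns:o="http://acme.com/orders"><o:Id>42</o:Id></o:Order>
  </env:Body>
</env:Envelope>
"""


def step(ns, local):
    """One XPath step in the namespace-uri()/local-name() form the console accepts."""
    return "*[namespace-uri()='%s' and local-name()='%s']" % (ns, local)


def header_element_xpath(steps, soap_ns=SOAP12_ENV):
    """Absolute XPath for an element nested below the SOAP Header.

    steps: list of (namespace, local-name) tuples, from the header child
    downwards. Pass soap_ns=SOAP11_ENV for a SOAP 1.1 message.
    """
    parts = [step(soap_ns, "Envelope"), step(soap_ns, "Header")]
    parts += [step(ns, local) for ns, local in steps]
    return "/" + "/".join(parts)


def header_qnames(soap_xml, soap_ns=SOAP12_ENV):
    """QNames ({ns}local) of the direct children of the SOAP Header.

    These are the only elements a QName selection in the console can
    protect; anything nested deeper needs an XPath expression. An empty
    list means no Header was found under the given envelope namespace,
    which is what a SOAP 1.1/1.2 mismatch looks like.
    """
    root = ET.fromstring(soap_xml)
    header = root.find("{%s}Header" % soap_ns)
    return [child.tag for child in header] if header is not None else []


def is_direct_header_child(soap_xml, ns, local, soap_ns=SOAP12_ENV):
    """True if a QName selection of (ns, local) would reach this element."""
    return "{%s}%s" % (ns, local) in header_qnames(soap_xml, soap_ns)


def select(soap_xml, steps, soap_ns=SOAP12_ENV):
    """Text of the elements the same steps designate in the sample message.

    ElementTree does not implement namespace-uri()/local-name(), so this
    resolves the steps with its {ns}local path form instead.
    """
    root = ET.fromstring(soap_xml)
    path = "./{%s}Header" % soap_ns + "".join("/{%s}%s" % s for s in steps)
    return [el.text for el in root.findall(path)]


if __name__ == "__main__":
    steps = [("http://acme.com", "MyHeader"), ("http://xyz.acme.com", "MyElement")]
    print("XPath for the console:")
    print(header_element_xpath(steps))
    print("Header elements reachable by QName:", header_qnames(SAMPLE_SOAP12))
    print("MyElement reachable by QName?",
          is_direct_header_child(SAMPLE_SOAP12, "http://xyz.acme.com", "MyElement"))
    print("Selected text:", select(SAMPLE_SOAP12, steps))
```

Running the script prints the same XPath expression that step 9 shows, lists MyHeader and Session as the only QName-selectable headers (MyElement is nested and therefore needs the XPath), and resolves the steps to the text "secret". Calling header_qnames with soap_ns=SOAP11_ENV on the SOAP 1.2 sample returns an empty list, which is the failure mode to expect if the envelope namespace in the first two XPath steps does not match the SOAP version of the messages.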
Results
When you finish this task, you have configured the policy set that contains the quality of service definitions required for signing and encrypting message parts.
Example
If you have the policy set myPolicy and you want to specify that request message bodies must be signed, perform the following steps:
- Locate the policy set in the Services > Policy sets > Application policy sets collection and click the policy set name.
- Click the WS-Security link. If the link does not exist,
click Add and then select WS-Security from the list.
- Click Main policy > Request message part protection.
- Click Add under the Integrity protection and Signed parts section.
- Specify the name messageBody.
- Select Protect message body, click Add Specified Elements,
and click OK.
- Click Save to save your changes to the master configuration.
What to do next
You can proceed to signing and encrypting message parts using policy sets.