With web services, you can sign message parts, encrypt message parts, or both, based on the quality of service defined for a policy set. You can accomplish these actions by defining the binding information in a custom attachment binding.
Before you begin
Before you begin this task, attach a policy set to a service artifact such as an application, service, or endpoint, and create a custom attachment binding. Read about creating custom attachment bindings for policy sets. The policy set that is attached to the service artifact must include a WS-Security policy that specifies the message parts to be signed or encrypted. Read about securing message parts using the administrative console.
About this task
To sign message parts, encrypt message parts, or both, based on the quality of service defined for a policy set, perform the following steps:
Procedure
- Open the administrative console.
- To sign and encrypt message parts for a service provider, click Applications > Enterprise applications > application_name > Service provider policy sets and bindings. To sign and encrypt message parts for a service client, click Applications > Enterprise applications > application_name > Service client policy sets and bindings.
- Click the binding name link of the service artifact with a custom attachment binding.
- If the binding does not contain WS-Security policy set bindings, click Add and select WS-Security from the list.
- Click WS-Security policy set bindings.
- Click Authentication and protection. The resulting panel contains the following four tables:
  - Protection tokens: Specifies the tokens that are defined for the symmetric or asymmetric signature and encryption policies in the policy set.
  - Authentication tokens: Specifies the tokens that are defined for the request and response token policies.
  - Request message signature and encryption protection: Specifies the message parts that are defined in the request message part protection for the policy set.
  - Response message signature and encryption protection: Specifies the message parts that are defined in the response message part protection for the policy set.
  Initially, each table displays information that is generated from the policy set that is attached to the service artifact. The possible configuration objects based on the policy set are displayed. The Status column indicates whether the object is currently configured in the custom attachment binding.
- If the protection tokens have a status of Not configured, create the protection tokens by clicking the default name and verifying the default values. Click OK.
- [Optional] If you use X.509 protection tokens, you must configure the keystores and keys that are used to sign, verify, encrypt, or decrypt message parts. You might also need to configure keystores and keys when using custom protection tokens, depending on the requirements of the custom tokens. When using a security context token for protection (secure conversation), you do not need to configure keystores or keys. If you need to configure the keystores and keys, perform the following actions:
  - Click the token name link.
  - Click the Callback handler link under Additional bindings. If the Callback handler link is not clickable, click Apply, then click the Callback handler link.
  - Use either a predefined keystore or a custom keystore. To use a predefined keystore, select the keystore from the list. To use a custom keystore, select Custom from the list and click the Custom key store configuration link to specify the configuration.
  - Click OK.
- Click the name of the request or response message part reference to be signed or encrypted. The Protection column displays whether the message part is signed or encrypted based on the policy set.
- Specify a name for the message part.
- For encrypted parts, select the type of encryption from Usage of key information references. For asymmetric encryption (X.509), select Key encryption. For symmetric encryption (secure conversation), select Data encryption.
- [Optional] For encrypted parts, select the Include time stamp or Include nonce options to include a time stamp or nonce in the encrypted message part. You can include one or both of these options in the encrypted message part.
- For signed parts, specify one or more Message part references. Select a reference from the Available column and click Add.
- [Optional] For signed parts, you can also add a time stamp or nonce to the signed message part. Select a Message part reference from the Assigned column and click Edit. Select the Include time stamp or Include nonce options to include a time stamp or nonce in the signed message part. You can select one or both of these options in the signed message part.
- If there are no available key information entries, create one using the following actions:
  - Click New.
  - Specify a name.
  - Select a protection token from the Token generator or Consumer name list.
  - Click OK.
- Select a key information entry from the Available list and click Add.
- [Optional] Specify custom properties if needed.
  - To use Message Transmission Optimization Mechanism (MTOM) for the cipher text of the encrypted data, add the custom property com.ibm.wsspi.wssecurity.enc.MTOM.Optimize with value true to outbound encrypted parts for client requests or server responses.
  - To use encryption headers as described in the WS-Security 1.0 specification instead of the encrypted header support described in WS-Security 1.1, add the custom property com.ibm.wsspi.wssecurity.encryptedHeader.generate.WSS1.0 with value true to outbound encrypted parts for client requests or server responses.
  For Web Services Security Version 1.1 behavior that is equivalent to WebSphere® Application Server versions prior to version 7.0, specify the com.ibm.wsspi.wssecurity.encryptedHeader.generate.WSS1.1.pre.V7 property with a value of true on the <encryptionInfo> element in the binding. When this property is specified, the <EncryptedHeader> element includes a wsu:Id parameter and the <EncryptedData> element omits the Id parameter. Use this property only if compliance with Basic Security Profile 1.1 is not required.
- Click OK.
- Click Save to save the changes to the master configuration.
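The encrypted-header forms that the custom properties above switch between are visible on the wire, so a practitioner can confirm what a binding actually produced. The following Python is an added example (not part of this IBM documentation and not WebSphere code): it parses a SOAP envelope and reports, for each encrypted header, whether the WSS 1.0 or WSS 1.1 form is used, whether the Id sits in the pre-V7 position described above, and whether the cipher text is MTOM-optimized. The sample envelopes and the cid: reference are constructed.

```python
"""Classify encrypted SOAP headers in a WS-Security message (added example, not IBM code).
For each encrypted header it reports the WSS 1.0 vs 1.1 form, where the Id sits
(the pre-V7 form on this page: wsu:Id on EncryptedHeader, no Id on EncryptedData)
and whether the cipher text is MTOM-optimized (xop:Include instead of inline base64)."""
import xml.etree.ElementTree as ET

NS = {  # standard namespace URIs
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse11": "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "xop": "http://www.w3.org/2004/08/xop/include",
}
WSU_ID = "{%s}Id" % NS["wsu"]

def classify_encrypted_headers(envelope_xml):
    """Return one dict per encrypted header block found directly under soap:Header."""
    header = ET.fromstring(envelope_xml).find("soap:Header", NS)
    results = []
    for child in (header if header is not None else []):
        if child.tag == "{%s}EncryptedHeader" % NS["wsse11"]:   # WSS 1.1 wrapper
            style, header_id = "WSS1.1", child.get(WSU_ID)
            enc_data = child.find("xenc:EncryptedData", NS)
        elif child.tag == "{%s}EncryptedData" % NS["xenc"]:     # WSS 1.0: bare EncryptedData
            style, header_id, enc_data = "WSS1.0", None, child
        else:
            continue
        data_id = enc_data.get("Id") if enc_data is not None else None
        cv = enc_data.find("xenc:CipherData/xenc:CipherValue", NS) if enc_data is not None else None
        results.append({
            "style": style, "header_id": header_id, "data_id": data_id,
            # MTOM-optimized cipher text is carried as an xop:Include reference
            "mtom": cv is not None and cv.find("xop:Include", NS) is not None,
            # the pre-V7 layout this page describes as not BSP 1.1 compliant
            "pre_v7_style": style == "WSS1.1" and header_id is not None and data_id is None,
        })
    return results

# Constructed samples, not captured traffic.
SAMPLE_PRE_V7 = """<s:Envelope xmlns:s="%(soap)s"><s:Header>
<wsse11:EncryptedHeader xmlns:wsse11="%(wsse11)s" xmlns:wsu="%(wsu)s" wsu:Id="EncHdr-1">
<xenc:EncryptedData xmlns:xenc="%(xenc)s"><xenc:CipherData><xenc:CipherValue>QUJD</xenc:CipherValue>
</xenc:CipherData></xenc:EncryptedData></wsse11:EncryptedHeader></s:Header><s:Body/></s:Envelope>""" % NS
SAMPLE_WSS10_MTOM = """<s:Envelope xmlns:s="%(soap)s"><s:Header>
<xenc:EncryptedData xmlns:xenc="%(xenc)s" Id="EncData-1"><xenc:CipherData><xenc:CipherValue>
<xop:Include xmlns:xop="%(xop)s" href="cid:part1@constructed.example"/></xenc:CipherValue>
</xenc:CipherData></xenc:EncryptedData></s:Header><s:Body/></s:Envelope>""" % NS
```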
Results
When you finish this task, the message parts are signed, encrypted, or both, based on the configuration used when communicating with the service artifact.
Example
You have an application, app1, with an attached policy set, RAMP default, and a custom attachment binding, myBinding, and you want to sign and encrypt the message parts.
- Click the app1 application in the Applications > Enterprise Applications collection.
- Click the Service provider policy sets and bindings link or the Service client policy sets and bindings link.
- Click the myBinding link.
- [Optional] If WS-Security is not listed, select Add > WS-Security.
- Click the WS-Security link.
- Click the Authentication and protection link.
- In the Protection tokens table, click each of the four links and click OK on the resulting panel. Each entry is now shown as Configured in the Status column.
- In the Request message signature and encryption protection table, click request:app_encparts. Specify the name, requestEncParts.
- Click New from Key information. Specify the name, requestEncKeyInfo.
- Select SymmetricBindingRecipientEncryptionToken, and click OK.
- Select requestEncKeyInfo in the Available list, and click Add. Click OK.
- In the Request message signature and encryption protection table, click request:app_signparts.
- Specify the name, requestSignParts.
- Click New from Key information. Specify a name of requestSignKeyInfo.
- Select SymmetricBindingInitiatorSignatureToken, and click OK.
- Select requestSignKeyInfo in the Available list, and click Add. Click OK.
- Repeat steps 8 to 16 for the links in the Response message signature and encryption protection table.
- Click Save to save the changes to the master configuration.
What to do next
Start the application.