Use this page to configure the encryption and decryption
parameters for the signature method, digest method, and canonicalization
method.
The specifications that are listed on this page for the signature
method, digest method, and canonicalization method are located in
the World Wide Web Consortium (W3C) document entitled, XML Encryption
Syntax and Processing: W3C Recommendation 10 Dec 2002.
To view this administrative console page, complete the following
steps:
- Click and
complete one of the following steps:
- Click . Under Request sender binding, click Edit.
Under Web Services Security Properties, click Encryption
Information.
- Under Modules, click . Under
Response sender binding, click Edit. Under
Web Services Security Properties, click Encryption Information.
- Select None or Dedicated encryption
information. The application server can have either one
or no encryption configurations for the request sender and the response
sender bindings. If you are not using encryption, select None.
To configure encryption for either of these two bindings, select Dedicated
encryption information and specify the configuration settings
using the fields that are described in this topic.
Note: Fix packs that include updates to the
Software Development Kit (SDK) might overwrite unrestricted policy
files. Back up unrestricted policy files before you apply a fix pack
and reapply these files after the fix pack is applied.
Specifies the name that is used to reference the key locator.
You can configure these key locator
reference options on the server level and the application level. The
configurations that are listed in the field are a combination of the
configurations on these two levels.
To configure the key locators on the server level, complete the
following steps:
- Click .
- Under Security, click JAX-WS and JAX-RPC security runtime.
Mixed-version environment: In a mixed node cell with a server using WebSphere Application Server Version 6.1 or earlier, click Web services: Default bindings for Web Services Security.
- Under Additional properties, click Key locators.
To configure the key locators on the application level, complete
the following steps:
- Click .
- Under Modules, click .
- Under Web Services Security Properties, you can access the key
locators for the following bindings:
- For the Request sender, click Web services: Client
security bindings. Under Request sender binding, click Edit.
Under Additional properties, click Key locators.
- For the Request receiver, click Web services: Server
security bindings. Under Request receiver binding, click Edit.
Under Additional properties, click Key locators.
- For the Response sender, click Web services: Server
security bindings. Under Response sender binding, click Edit.
Under Additional properties, click Key locators.
- For the Response receiver, click Web services: Client
security bindings. Under Response receiver binding, click Edit.
Under Additional properties, click Key locators.
Specifies the algorithm uniform resource identifier (URI)
of the key encryption method.
The following algorithms are supported:
- http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.
When running with IBM® Software Development Kit (SDK) Version 1.4, the list of supported key transport algorithms does not include this one. This algorithm appears in the list of supported key transport algorithms when running with JDK 1.5 or later.
By default, the RSA-OAEP algorithm uses the SHA1 message digest algorithm to compute a message digest as part of the encryption operation. Optionally, you can use the SHA256 or SHA512 message digest algorithm by specifying a key encryption algorithm property. The property name is:
com.ibm.wsspi.wssecurity.enc.rsaoaep.DigestMethod.
The property value is one of the following URIs of the digest method:
- http://www.w3.org/2001/04/xmlenc#sha256
- http://www.w3.org/2001/04/xmlenc#sha512
By default, the RSA-OAEP algorithm uses a null string for the optional encoding octet string for the OAEPParams. You can provide an explicit encoding octet string by specifying a key encryption algorithm property. For the property name, you can specify
com.ibm.wsspi.wssecurity.enc.rsaoaep.OAEPparams.
The property value is the base 64-encoded value of the octet string.
Important: You can set these digest method and OAEPParams properties on the generator side only. On the consumer side, these properties are read from the incoming SOAP message.
- http://www.w3.org/2001/04/xmlenc#rsa-1_5.
- http://www.w3.org/2001/04/xmlenc#kw-tripledes.
- http://www.w3.org/2001/04/xmlenc#kw-aes128.
- http://www.w3.org/2001/04/xmlenc#kw-aes192.
To use the 192-bit key encryption algorithm, you must download the
unrestricted Java Cryptography
Extension (JCE) policy file.
Restriction: Do
not use the 192-bit key encryption algorithm if you want your configured
application to be in compliance with the Basic Security Profile (BSP).
- http://www.w3.org/2001/04/xmlenc#kw-aes256.
To use the 256-bit key encryption algorithm, you must download the
unrestricted JCE policy file.
Note: If an InvalidKeyException error occurs and you are using the 192xxx or 256xxx encryption algorithm, the unrestricted policy files might not exist in your configuration.
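Because the digest method and OAEPParams properties exist only on the generator side, a consumer has to take its RSA-OAEP parameters from the incoming message. The following Java program is an added example, not product code: it reads an EncryptedKey fragment the way a consumer must, using the ds:DigestMethod and xenc:OAEPparams children when present and falling back to the defaults stated above (SHA-1 and an empty octet string) when absent. The fragment is constructed, and the class and method names are mine.

```java
import java.io.ByteArrayInputStream;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added example, not WebSphere product code: derive the RSA-OAEP digest and
// OAEPparams from an incoming EncryptedKey, as a consumer must, because those
// two properties can only be set on the generator side.
public class OaepParamsFromMessage {
    static final String XMLENC = "http://www.w3.org/2001/04/xmlenc#";
    static final String DSIG = "http://www.w3.org/2000/09/xmldsig#";

    // Constructed fragment: what a generator emits with the DigestMethod property set to
    // the sha256 URI and the OAEPparams property set to base64("label"), i.e. bGFiZWw=.
    static final String SAMPLE =
          "<xenc:EncryptedKey xmlns:xenc='" + XMLENC + "' xmlns:ds='" + DSIG + "'>"
        + "<xenc:EncryptionMethod Algorithm='" + XMLENC + "rsa-oaep-mgf1p'>"
        + "<ds:DigestMethod Algorithm='" + XMLENC + "sha256'/>"
        + "<xenc:OAEPparams>bGFiZWw=</xenc:OAEPparams>"
        + "</xenc:EncryptionMethod></xenc:EncryptedKey>";

    /** Returns { digest URI, base64 OAEPparams } for an RSA-OAEP EncryptedKey fragment. */
    static String[] resolve(String encryptedKeyXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // A SOAP message carries no DTD, so reject one rather than let the parser expand it.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(encryptedKeyXml.getBytes("UTF-8")));
        Element method = (Element) doc.getElementsByTagNameNS(XMLENC, "EncryptionMethod").item(0);
        String algorithm = method.getAttribute("Algorithm");
        if (!(XMLENC + "rsa-oaep-mgf1p").equals(algorithm)) {
            throw new IllegalArgumentException("DigestMethod/OAEPparams apply to RSA-OAEP only: " + algorithm);
        }
        // Defaults when the children are absent: SHA-1 digest and a null (empty) OAEPparams.
        String digest = DSIG + "sha1"; // XML Encryption default digest for RSA-OAEP
        String oaepParams = "";
        NodeList dm = method.getElementsByTagNameNS(DSIG, "DigestMethod");
        if (dm.getLength() > 0) digest = ((Element) dm.item(0)).getAttribute("Algorithm");
        NodeList op = method.getElementsByTagNameNS(XMLENC, "OAEPparams");
        if (op.getLength() > 0) oaepParams = op.item(0).getTextContent().trim();
        return new String[] { digest, oaepParams };
    }

    public static void main(String[] args) throws Exception {
        String[] r = resolve(SAMPLE);
        System.out.println("digest=" + r[0] + " OAEPparams(base64)=" + r[1]);
    }
}
```

Remove the two child elements from SAMPLE and the same call returns the SHA-1 URI and an empty string, which is the behaviour the consumer falls back to when the generator left both properties unset.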
Java Cryptography
Extension
By default, the Java Cryptography
Extension (JCE) is shipped with restricted or limited strength ciphers.
To use 192-bit and 256-bit Advanced Encryption Standard (AES) encryption
algorithms, you must apply unlimited jurisdiction policy files.
Important: Your country of origin
might have restrictions on the import, possession, use, or re-export
to another country, of encryption software. Before downloading or
using the unrestricted policy files, you must check the laws of your
country, its regulations, and its policies concerning the import,
possession, use, and re-export of encryption software, to determine
if it is permitted.
To download the policy files, complete one of the following sets
of steps:
After completing these steps, two Java archive (JAR) files are placed in the Java virtual machine (JVM) jre/lib/security/ directory.
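To confirm that the policy files now in place are the unrestricted set before you select a 192-bit or 256-bit key encryption algorithm, the following Java program (an added example, not product code; class and method names are mine) can be run with the same JVM that hosts the application server. It reports which kw-aes URIs the installed policy permits and whether the providers offer the SHA-1, SHA-256 and SHA-512 variants of RSA-OAEP that the DigestMethod property can select.

```java
import javax.crypto.Cipher;
import java.security.GeneralSecurityException;

// Added example, not WebSphere product code. Run with the JVM that hosts the
// application server: it shows, before a key encryption algorithm is chosen,
// whether jre/lib/security holds the restricted or the unrestricted policy files.
public class JcePolicyCheck {

    static final String XMLENC = "http://www.w3.org/2001/04/xmlenc#";

    // Key-wrap URIs from the supported list and the AES key size each one requires.
    static final String[][] KEY_WRAP = {
        { XMLENC + "kw-aes128", "128" },
        { XMLENC + "kw-aes192", "192" },   // needs the unrestricted policy files
        { XMLENC + "kw-aes256", "256" },   // needs the unrestricted policy files
    };

    /** True when the installed JCE policy permits AES keys of the given size in bits. */
    static boolean aesKeySizeAllowed(int bits) throws GeneralSecurityException {
        // Restricted (limited-strength) policy files cap AES at 128 bits; the
        // unrestricted files report Integer.MAX_VALUE, so kw-aes192/256 pass.
        return Cipher.getMaxAllowedKeyLength("AES") >= bits;
    }

    /** True when some provider supplies RSA-OAEP with the given JCA digest name. */
    static boolean oaepDigestAvailable(String jcaDigest) {
        try {
            Cipher.getInstance("RSA/ECB/OAEPWith" + jcaDigest + "AndMGF1Padding");
            return true;
        } catch (GeneralSecurityException e) { // NoSuchAlgorithm or NoSuchPadding
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        for (String[] kw : KEY_WRAP) {
            boolean ok = aesKeySizeAllowed(Integer.parseInt(kw[1]));
            System.out.println(kw[0] + " -> " + (ok ? "usable"
                : "blocked: expect InvalidKeyException until the unrestricted policy files are installed"));
        }
        // SHA-1 is the default digest for rsa-oaep-mgf1p; SHA-256 and SHA-512 are the
        // values the com.ibm.wsspi.wssecurity.enc.rsaoaep.DigestMethod property can select.
        for (String digest : new String[] { "SHA-1", "SHA-256", "SHA-512" }) {
            System.out.println("RSA-OAEP with " + digest + " -> "
                + (oaepDigestAvailable(digest) ? "available" : "not provided by this JVM"));
        }
    }
}
```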
IBM i
and IBM Software Development
Kit 1.4
For the IBM i
and IBM Software Development
Kit Version 1.4, the tuning of Web Services Security is not required.
The unrestricted jurisdiction policy files for the IBM Software Development Kit Version 1.4 are
automatically configured when the prerequisite software is installed.
For
the IBM i 5.4 operating system
and IBM Software Development
Kit Version 1.4, the unrestricted jurisdiction policy files for the IBM Java Developer
Kit 1.4 are automatically configured by installing product 5722SS1
Option 3, Extended Base Directory Support.
For IBM i (formerly known as IBM i V5R3) and IBM Software
Development Kit Version 1.4, the unrestricted jurisdiction policy
files for the IBM Software Development
Kit Version 1.4 are automatically configured by installing product
5722AC3, Crypto Access Provider 128-bit.
IBM i
and IBM Software Development
Kit 1.5
For IBM i 5.4 and IBM i (formerly known as IBM i V5R3) and IBM Software Development Kit 1.5, the restricted JCE jurisdiction policy files are configured by default. You can download the unrestricted JCE jurisdiction policy files from the following website: Security information: IBM J2SE 5 SDKs
To configure the unrestricted jurisdiction policy
files for IBM i and the IBM Software Development Kit Version
1.5:
- Make backup copies of these files:
/QIBM/ProdData/Java400/jdk15/lib/security/local_policy.jar
/QIBM/ProdData/Java400/jdk15/lib/security/US_export_policy.jar
- Download the unrestricted policy files from IBM developer
kit: Security information to the /QIBM/ProdData/Java400/jdk15/lib/security directory.
- Go to this website: IBM developer
kit: Security information
- Click J2SE 5.0.
- Scroll down and click IBM SDK Policy files.
The Unrestricted JCE Policy files for the SDK website is displayed.
- Click Sign in and provide your IBM intranet ID and password.
- Select the appropriate unrestricted JCE policy files, and then
click Continue.
- View the license agreement, and then click I Agree.
- Click Download Now.
- Use the DSPAUT command to ensure that *PUBLIC is granted *RX data authority, but also ensure that no object authority is granted, on both the local_policy.jar and the US_export_policy.jar files in the /QIBM/ProdData/Java400/jdk15/lib/security directory.
For example:
DSPAUT OBJ('/qibm/proddata/java400/jdk15/lib/security/local_policy.jar')
- Use the CHGAUT command to change authorization, if needed. For
example:
CHGAUT OBJ('/qibm/proddata/java400/jdk15/lib/security/local_policy.jar')
USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*NONE)
Specifies the algorithm Uniform Resource Identifiers (URI)
of the data encryption method.
The following algorithms are supported:
By default, the JCE ships with restricted or limited strength ciphers. To use 192-bit and 256-bit AES encryption algorithms, you must apply unlimited jurisdiction policy files. For more information, see the Key encryption algorithm field description.