When working with policy sets in the administrative console, you can customize policies to ensure message security. The WS-Security policy can be configured to apply a message security (WS-Security) profile to requests. Message security policies are applied to requests and enforced on responses to support interoperability.
Before you begin
You can configure some settings for default policies for custom policy sets. The provided default policy sets cannot be edited. You must create a copy of the default policy set or create a completely new policy set in order to specify the policies for it.
About this task
Message security policies are applied to requests and enforced on responses to support interoperability.
Depending on your assigned security role when security is enabled, you might not have access to text entry fields or buttons to create or edit configuration data. Review the administrative roles documentation to learn more about the valid roles for the application server.
Procedure
- Use the WS-Security policy panel to begin configuring the WS-Security policy. To access the WS-Security policy panel, from the administrative console, click Services > Policy sets > Application policy sets > policy_set_name > WS-Security policy.
- Choose which type of message security to configure.
- Click the Main policy link to specify how message security policies are applied to requests and enforced on responses to support interoperability.
- Click the Bootstrap policy link to configure how secure conversations are established. A bootstrap policy might already be configured. If no bootstrap policy is currently configured, first ensure that you have enabled message security with symmetric signature and encryption policies and secure conversation tokens for both integrity and confidentiality protection.
- Use the Main policy settings panel or the Bootstrap policy settings panel to specify how message security policies are applied to requests and enforced on responses. Assertions for WS-Security versions are already generated based on the assertions in the policy set: if the policy set includes a WS-S 1.1 assertion, then WS-S 1.1 itself is asserted. Configure the following settings on this panel for the main or bootstrap policy:
  - Select whether Message level protection is required. Select this check box if any of the message parts should be digitally signed or encrypted, or if a timestamp should be inserted in the message. If this box is unchecked, the Signature confirmation, Key symmetry, Timestamp, and Security header layout options are disabled.
  - Specify whether signature confirmation is required. Click this check box to require signature confirmation.
  - Configure the settings in the Key symmetry section. The following fields can be configured in the Key symmetry section:
    - Use symmetric tokens: Click this radio button to use symmetric tokens. You can then configure symmetric tokens with the Symmetric signature and encryption policies link. Click this link to access the Symmetric Signature and Encryption Policies panel, where you can create the trust context in which to use symmetric tokens. Using the same token for signing and validating messages and for encrypting and decrypting messages provides better performance than can be achieved with asymmetric tokens. Symmetric tokens should be used within a trust context.
    - Use asymmetric tokens: Click this link to access the Asymmetric Signature and Encryption Policies panel, where you can create the trust context (message integrity and confidentiality) in which to use asymmetric tokens. You do this by specifying which token type to use for the initiator and recipient signature as well as for the initiator and recipient encryption.
  - Include timestamp in header: Click this check box to include a timestamp in the header. You can then specify whether the timestamp is positioned first or last in the header by using the Security header layout radio button options:
    - Strict: Declarations must precede use
    - Lax: Order of contents can vary
    - Lax but timestamp required first in header
    - Lax but timestamp required last in header
- Optional: Click the Algorithms link under the Policy Details section to access the Algorithms panel, where you can view and select from the available algorithms. The available algorithms include the supported cryptographic algorithms and their key lengths, as well as canonicalization algorithms for reconciling XML differences.
- Optional: Configure the request settings. Click either of the following links to configure request settings:
  - Request message part protection: Links to configuration for request message part protection. Click this link to define which message parts are to be protected and how that protection is provided.
  - Request token policies: Links to configuration for request token policies. Click this link to define policies that specify which types of security tokens are supported and the properties of those token types.
- Optional: Configure the response settings. Click either of the following links to configure response settings:
  - Response message part protection: Links to configuration for response message part protection. Click this link to define which message parts are to be protected and how that protection is provided.
  - Response token policies: Links to configuration for response token policies. Click this link to define policies that specify which types of security tokens are supported and the properties of those token types.
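The panel settings above map onto WS-SecurityPolicy 1.2 assertions. The following checker is an added example, not code from this page or from the product: it parses a constructed policy fragment in the standard OASIS WS-SecurityPolicy namespace (the product's own stored format is not shown) and flags the dependencies the procedure describes, such as signature confirmation requiring WS-S 1.1 and a secure conversation bootstrap requiring symmetric signature and encryption policies.

```python
import xml.etree.ElementTree as ET

# Namespaces from the OASIS WS-SecurityPolicy 1.2 and W3C WS-Policy 1.5 specifications.
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://www.w3.org/ns/ws-policy"

# Constructed sample (not a product export): asymmetric X.509 tokens, strict header
# layout, timestamp included, WS-S 1.1 with signature confirmation, body signed and encrypted.
SAMPLE_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:AsymmetricBinding><wsp:Policy>
    <sp:InitiatorToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:InitiatorToken>
    <sp:RecipientToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:RecipientToken>
    <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
    <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
    <sp:IncludeTimestamp/>
  </wsp:Policy></sp:AsymmetricBinding>
  <sp:Wss11><wsp:Policy><sp:RequireSignatureConfirmation/></wsp:Policy></sp:Wss11>
  <sp:SignedParts><sp:Body/></sp:SignedParts>
  <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
</wsp:Policy>"""

def _has(root, *names):
    # True if the element chain sp:names[0]/.../sp:names[-1] occurs anywhere under root.
    return root.find(".//" + "/".join(f"{{{SP}}}{n}" for n in names)) is not None

def check_policy(policy_xml):
    # Summarize the settings the panel exposes and list violations of the dependency
    # rules stated in the procedure (the rules are taken from the page, not the product).
    root = ET.fromstring(policy_xml)
    binding = next((b for b in ("SymmetricBinding", "AsymmetricBinding") if _has(root, b)), None)
    layout = next((l for l in ("Strict", "Lax", "LaxTsFirst", "LaxTsLast") if _has(root, l)), None)
    summary = {
        "binding": binding,
        "layout": layout,
        "timestamp": _has(root, "IncludeTimestamp"),
        "wss11": _has(root, "Wss11"),
        "signature_confirmation": _has(root, "RequireSignatureConfirmation"),
        "secure_conversation": _has(root, "SecureConversationToken"),
        "signed_body": _has(root, "SignedParts", "Body"),
        "encrypted_body": _has(root, "EncryptedParts", "Body"),
    }
    findings = []
    if binding is None and (layout or summary["timestamp"] or summary["signature_confirmation"]):
        findings.append("layout/timestamp/signature confirmation set without message-level protection")
    if summary["signature_confirmation"] and not summary["wss11"]:
        findings.append("RequireSignatureConfirmation needs a WS-S 1.1 (sp:Wss11) assertion")
    if layout in ("LaxTsFirst", "LaxTsLast") and not summary["timestamp"]:
        findings.append(f"{layout} positions a timestamp but sp:IncludeTimestamp is absent")
    if summary["secure_conversation"] and binding != "SymmetricBinding":
        findings.append("secure conversation bootstrap needs symmetric signature and encryption policies")
    return summary, findings
```

Running `check_policy(SAMPLE_POLICY)` returns the summary with no findings; swapping sp:Wss11 for sp:Wss10 in the sample produces the signature confirmation finding.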
Results
Once you have customized the WS-Security policy, the associated policy set uses this policy to protect messages.