You can configure the encryption information for the generator
binding on the server or cell level.
About this task
The encryption information for the default generator specifies how to encrypt the information on the sender side when these bindings are not defined at the application level. WebSphere® Application Server provides default values for the bindings. However, an administrator must modify the defaults for a production environment.
You can configure the encryption information for the generator binding on the server level and the cell level. In the following procedure, the first steps access the default bindings on the server level and the alternative step accesses them on the cell level; the remaining steps are the same for both levels.
Procedure
- Access the default bindings for the server level.
- Click the server whose default bindings you want to configure.
- Under Security, click JAX-WS and JAX-RPC security runtime.
Mixed-version environment: In a mixed-node cell with a server that uses WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security instead.
- Alternatively, access the default bindings on the cell level.
- Under Default generator bindings, click Encryption information.
- Click New to create an encryption information configuration, click Delete to delete an existing configuration, or click the name of an existing encryption information configuration to edit its settings. If you are creating a new configuration, enter a unique name for the encryption configuration in the Encryption information name field. For example, you might specify gen_encinfo.
Avoid trouble: If you create more than one encryption information configuration, the WS-Security runtime environment honors only the first configuration listed in the bindings file. Keep a single generator encryption configuration per binding, or verify which configuration is listed first before relying on it.
- Select a data encryption algorithm from the Data encryption algorithm field. This algorithm is used to encrypt the data. WebSphere Application Server supports the following pre-configured algorithms:
- http://www.w3.org/2001/04/xmlenc#tripledes-cbc
- http://www.w3.org/2001/04/xmlenc#aes128-cbc
- http://www.w3.org/2001/04/xmlenc#aes256-cbc
To use this algorithm, you must download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.
- http://www.w3.org/2001/04/xmlenc#aes192-cbc
To use this algorithm, you must download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.
Restriction: Do not use this algorithm, the 192-bit data encryption algorithm, if you want your configured application to be in compliance with the Basic Security Profile (BSP).
Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, you must check the laws of your country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.
The data encryption algorithm that you select for the generator side must match the data encryption algorithm that you select for the consumer side. All of these algorithms are unauthenticated CBC modes: they hide the content but do not detect tampering, so also sign the encrypted elements so that a consumer rejects modified ciphertext instead of decrypting it.
- Select a key encryption algorithm from the Key encryption algorithm field. This algorithm is used to encrypt the symmetric key that encrypts the data. WebSphere Application Server supports the following pre-configured algorithms:
- http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
When running with JDK 1.4, the list of supported key transport algorithms does not include this one. This algorithm appears in the list of supported key transport algorithms when running with JDK 1.5.
Restriction: This algorithm is not supported when WebSphere Application Server is running in Federal Information Processing Standard (FIPS) mode.
By default, the RSA-OAEP algorithm uses the SHA1 message digest algorithm to compute a message digest as part of the encryption operation. Optionally, you can use the SHA256 or SHA512 message digest algorithm by specifying a key encryption algorithm property. The property name is:
com.ibm.wsspi.wssecurity.enc.rsaoaep.DigestMethod.
The property value is one of the following URIs of the digest method:
- http://www.w3.org/2001/04/xmlenc#sha256
- http://www.w3.org/2001/04/xmlenc#sha512
By default, the RSA-OAEP algorithm uses a null string for the optional encoding octet string for the OAEPParams. You can provide an explicit encoding octet string by specifying a key encryption algorithm property. The property name is:
com.ibm.wsspi.wssecurity.enc.rsaoaep.OAEPparams.
The property value is the base64-encoded value of the octet string.
Important: You can set the digest method and OAEPParams properties on the generator side only. On the consumer side, these properties are read from the incoming SOAP message.
- http://www.w3.org/2001/04/xmlenc#rsa-1_5
Prefer RSA-OAEP over this algorithm wherever the consumer supports it: RSA PKCS#1 v1.5 key transport is the padding scheme that is exposed to Bleichenbacher-style padding-oracle attacks.
- http://www.w3.org/2001/04/xmlenc#kw-tripledes
- http://www.w3.org/2001/04/xmlenc#kw-aes128
- http://www.w3.org/2001/04/xmlenc#kw-aes256
To use this algorithm, you must download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.
- http://www.w3.org/2001/04/xmlenc#kw-aes192
To use this algorithm, you must download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.
Restriction: Do not use this algorithm, the 192-bit key encryption algorithm, if you want your configured application to be in compliance with the Basic Security Profile (BSP).
If you select None, the key is not encrypted: the symmetric data-encryption key is not wrapped in the message, so the generator and consumer must already share it through their key information configuration.
The key encryption algorithm that you select for the generator side must match the key encryption algorithm that you select for the consumer side.
- Select an encryption key configuration from the Encryption key information field. This attribute specifies the name of the key that is used to encrypt the message. To configure the key information, see Configuring the key information for the generator binding using JAX-RPC on the server or cell level.
- Click OK and then click Save to
save the configuration.
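The following Java program is an added example and is not WebSphere code; it uses the standard JCE API to show what the selections above mean at the cryptographic level: the data encryption algorithm URI determines the AES key size (and whether the unrestricted JCE policy files are needed), the DigestMethod and OAEPparams properties become the RSA-OAEP parameters, and a consumer can only unwrap the key if its parameters match the generator's. The class and method names, the SOAP body, and the OAEPParams octet string "gen_encinfo" are constructed for the example; the IV-prepended ciphertext layout follows XML Encryption.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

// Illustrative JCE code, not the WebSphere WS-Security runtime.
public class GeneratorConsumerEncryptionDemo {

    // Data encryption algorithm URI from the binding -> AES key size (constructed mapping for the AES URIs).
    static int aesKeyBits(String dataAlgUri) {
        if (dataAlgUri.endsWith("#aes128-cbc")) return 128;
        if (dataAlgUri.endsWith("#aes192-cbc")) return 192;   // not BSP compliant
        if (dataAlgUri.endsWith("#aes256-cbc")) return 256;
        throw new IllegalArgumentException("unsupported data encryption algorithm: " + dataAlgUri);
    }

    // The check behind "download the unrestricted JCE policy file": a restricted policy caps AES at 128 bits.
    static boolean policyAllows(int aesBits) throws GeneralSecurityException {
        return Cipher.getMaxAllowedKeyLength("AES") >= aesBits;
    }

    // DigestMethod / OAEPparams properties -> JCE OAEP parameters. A null digest URI is the SHA-1 default;
    // rsa-oaep-mgf1p always uses MGF1 with SHA-1 for the mask, whatever the digest method is.
    static OAEPParameterSpec oaepSpec(String digestUri, byte[] oaepParams) {
        String md = digestUri == null ? "SHA-1"
                  : digestUri.endsWith("#sha256") ? "SHA-256"
                  : digestUri.endsWith("#sha512") ? "SHA-512" : "SHA-1";
        PSource label = oaepParams == null ? PSource.PSpecified.DEFAULT : new PSource.PSpecified(oaepParams);
        return new OAEPParameterSpec(md, "MGF1", MGF1ParameterSpec.SHA1, label);
    }

    // Generator side: fresh AES key wrapped for the recipient; body encrypted with the IV prepended.
    static byte[][] generate(KeyPair recipient, OAEPParameterSpec spec, int aesBits, byte[] body)
            throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(aesBits);
        SecretKey dataKey = kg.generateKey();
        Cipher wrap = Cipher.getInstance("RSA/ECB/OAEPPadding");
        wrap.init(Cipher.WRAP_MODE, recipient.getPublic(), spec);
        byte[] encryptedKey = wrap.wrap(dataKey);
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.ENCRYPT_MODE, dataKey, new IvParameterSpec(iv));
        byte[] ct = aes.doFinal(body);
        byte[] encryptedData = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, encryptedData, iv.length, ct.length);
        return new byte[][] { encryptedKey, encryptedData };
    }

    // Consumer side: unwrap with its own OAEP parameters, then decrypt. Mismatched parameters fail at unwrap.
    static byte[] consume(KeyPair recipient, OAEPParameterSpec spec, byte[] encryptedKey, byte[] encryptedData)
            throws GeneralSecurityException {
        Cipher unwrap = Cipher.getInstance("RSA/ECB/OAEPPadding");
        unwrap.init(Cipher.UNWRAP_MODE, recipient.getPrivate(), spec);
        SecretKey dataKey = (SecretKey) unwrap.unwrap(encryptedKey, "AES", Cipher.SECRET_KEY);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.DECRYPT_MODE, dataKey, new IvParameterSpec(Arrays.copyOfRange(encryptedData, 0, 16)));
        return aes.doFinal(Arrays.copyOfRange(encryptedData, 16, encryptedData.length));
    }

    public static void main(String[] args) throws Exception {
        int bits = aesKeyBits("http://www.w3.org/2001/04/xmlenc#aes256-cbc");
        if (!policyAllows(bits)) {
            System.out.println("JCE policy does not permit AES-" + bits + "; install the unrestricted policy files");
            return;
        }
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair();   // stands in for the consumer's encryption key pair
        byte[] body = "<getBalance><account>42</account></getBalance>".getBytes(StandardCharsets.UTF_8); // constructed

        // Generator configured with DigestMethod = ...#sha256 and an explicit OAEPparams octet string.
        OAEPParameterSpec genSpec = oaepSpec("http://www.w3.org/2001/04/xmlenc#sha256",
                "gen_encinfo".getBytes(StandardCharsets.UTF_8));  // constructed label value
        byte[][] msg = generate(recipient, genSpec, bits, body);

        // A consumer that takes the same parameters from the message decrypts successfully...
        byte[] plain = consume(recipient, genSpec, msg[0], msg[1]);
        System.out.println("matching consumer: " + new String(plain, StandardCharsets.UTF_8));

        // ...while one applying the SHA-1 default with no OAEPParams cannot unwrap the key.
        try {
            consume(recipient, oaepSpec(null, null), msg[0], msg[1]);
            System.out.println("mismatched consumer: unexpectedly succeeded");
        } catch (GeneralSecurityException e) {
            System.out.println("mismatched consumer: " + e.getClass().getSimpleName());
        }
    }
}
```

Compile and run it with any JDK that ships the SunJCE provider. On a JDK with the restricted policy in place the program stops at the policy check, which is the same condition that makes the aes256-cbc and kw-aes256 selections above fail at run time; on an unrestricted JDK the first consumer prints the body and the second reports an InvalidKeyException, the observable effect of a generator/consumer parameter mismatch.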
Results
You have configured the encryption information for the generator
binding at the server or cell level.
What to do next
You must specify a similar encryption information configuration
for the consumer.