This example shows how to configure the message-level WS-Security
policy set and bindings to send a Username token in a JAX-WS request,
and to encrypt the Username token using asymmetric encryption.
Before you begin
Make a copy of the
Username WSSecurity default policy
set and give it a unique name. This example illustrates how to modify
a copy of the default policy set. For more information, read about
copying default policy set and bindings settings.
About this task
By default, the Username WSSecurity policy set signs the
WS-Addressing headers and body in the request and the response, and
encrypts the body and signature in the request and the response. In
this example, however, the goal is to encrypt only the Username token in
the request from the client to the service, and not to encrypt any
part of the response from the service to the client. In addition,
no part of the request or the response is signed. Therefore,
the policy set must be modified to remove several message protection
parts. You must also configure the client and server bindings.
Keep in mind what this reduced policy does and does not give you: the
user's credentials are protected from disclosure in transit and, with the
nonce and timestamp properties set in the bindings, from replay; the SOAP
body travels in the clear and nothing in either direction is
integrity-protected. If the payload itself needs protection, keep the
signed and encrypted parts or run the service over TLS.
First,
configure the policy set by modifying your copy of the Username WSSecurity
default policy set.
What to do next
The second part of the process is to configure the client
and server bindings.
Avoid trouble: When
working with the client binding, be careful when choosing the protection
token that you want to edit. Token names describe whose key the token
carries, not which side uses it: the recipient encryption token is the
service's certificate, so on a client, even though the word recipient is
in its name, AsymmetricBindingRecipientEncryptionToken0 is a generator
(the client encrypts with the service's public key). The best way to
make sure that you are choosing the correct token is to look at the
Usage column in the Protection tokens table.
- Configure the client binding, as follows:
- Attach the policy to a service client resource and create a new binding
for that resource that includes the WSSecurity policy.
- Click on WSSecurity in the new binding
to display the main WSSecurity binding panel. For example, click Enterprise
Applications > WSSampleServicesSei > Service client policy sets and
bindings > binding_name > WS-Security.
- Click Authentication and protection.
- Under Protection tokens, click AsymmetricBindingRecipientEncryptionToken0 (the
Asymmetric encryption generator).
- Click Apply.
- Click Callback handler.
- Select Custom from the Keystore menu.
- Click Custom keystore configuration.
- Enter the keystore path. For example: ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks.
This sample reuses the same keystore on both sides. In a real deployment the
client keystore should hold only the service's certificate (the public key
used to encrypt), never the service's private key.
- Select JCEKS for the Type.
- Enter the password in the Password and Confirm password fields.
For example, storepass.
- Enter a Key Name. For example, CN=Bob, O=IBM, C=US.
- Enter a Key Alias. For example, bob.
- Click OK.
- Click OK again.
- Click OK one more time to return to the Enterprise
Applications > WSSampleServicesSei > Service client policy sets and
bindings > binding_name > WS-Security > Authentication
and protection panel.
- The status of AsymmetricBindingRecipientEncryptionToken0 should
display as Configured.
- Modify the encrypted parts settings for the client binding, as
follows:
- Click request:app_encparts under Request
message signature and encryption protection.
- Enter a Name. For example, MyEncPart.
- Click New under Key information.
- Fill in a Name. For example, MyEncKeyInfo.
- Click OK.
- Select MyEncKeyInfo (or the name that you
specified for the key information) from the Available box and click Add.
MyEncKeyInfo appears in the Assigned box.
- Click OK to return to the Enterprise
Applications > WSSampleServicesSei > Service client policy sets and
bindings > binding_name > WS-Security > Authentication
and protection panel.
- The status of request:app_encparts should display as Configured.
- Configure the Username token settings in the client binding, as
follows:
- Click request:myUserNameToken under Authentication
tokens.
- Click Apply.
- Click Callback handler.
- Specify the User name. For example, LDAPSunuser6.
- Specify the password, and confirm the password.
- Click OK.
- Under Custom properties, click New to
add the properties for enabling nonce and timestamp.
- Enter the property name com.ibm.wsspi.wssecurity.token.username.addNonce to
enable nonce, and the property value true.
- Enter the property name com.ibm.wsspi.wssecurity.token.username.addTimestamp to
enable timestamp, and the property value true.
- Click OK again.
- The status of request:myUserNameToken should now display as Configured.
- Click Save to save your client bindings.
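After saving the client binding, it is worth confirming that the request actually leaves the client in the shape this task intends. The following Python script is an added example, not part of this page or of WebSphere: it parses a SOAP request and checks that a wsse:UsernameToken never appears in cleartext, that exactly one xenc:EncryptedKey wraps a data key for the recipient and its reference list covers the single xenc:EncryptedData in the wsse:Security header, that the Body is not encrypted, and that no ds:Signature is present. The two envelopes it runs against are constructed here (placeholder cipher values and key identifier); their element layout follows WS-Security 1.0 and XML Encryption, not any WebSphere-specific trace format. Feed it a real request captured with a TCP monitor or from the WebSphere trace to check your own configuration.

```python
"""Check that a JAX-WS request carries only an encrypted UsernameToken.

Added example, not WebSphere code. The two envelopes are constructed
(placeholder cipher values and key identifier); their layout follows
WS-Security 1.0 and XML Encryption, not a WebSphere trace format.
"""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
RSA15 = XENC + "rsa-1_5"


def tag(ns, local):
    return "{%s}%s" % (ns, local)


def check_request(xml_text):
    """Return (ok, findings). ok is False if any finding starts with FAIL."""
    findings = []
    root = ET.fromstring(xml_text)
    header = root.find(tag(SOAP, "Header"))
    security = None if header is None else header.find(tag(WSSE, "Security"))
    if security is None:
        return False, ["FAIL: no wsse:Security header"]

    # 1. The credential must never be readable anywhere in the envelope.
    if next(root.iter(tag(WSSE, "UsernameToken")), None) is not None:
        findings.append("FAIL: wsse:UsernameToken is in cleartext")

    # 2. One EncryptedKey: the data key wrapped with the recipient's public
    #    key, which is what AsymmetricBindingRecipientEncryptionToken0 supplies.
    refs = []
    enc_keys = security.findall(tag(XENC, "EncryptedKey"))
    if len(enc_keys) != 1:
        findings.append("FAIL: expected one xenc:EncryptedKey, found %d" % len(enc_keys))
    else:
        method = enc_keys[0].find(tag(XENC, "EncryptionMethod"))
        if method is not None and method.get("Algorithm") == RSA15:
            findings.append("WARN: RSA PKCS#1 v1.5 key transport; prefer RSA-OAEP")
        refs = [r.get("URI") for r in enc_keys[0].iter(tag(XENC, "DataReference"))]

    # 3. Exactly one encrypted element, inside wsse:Security (the token was
    #    replaced in place), and the EncryptedKey's reference list names it.
    enc_all = list(root.iter(tag(XENC, "EncryptedData")))
    enc_in_sec = security.findall(tag(XENC, "EncryptedData"))
    if len(enc_all) != 1 or len(enc_in_sec) != 1:
        findings.append("FAIL: expected exactly one encrypted element, inside wsse:Security")
    elif refs != ["#" + (enc_in_sec[0].get("Id") or "")]:
        findings.append("FAIL: EncryptedKey reference list does not cover the encrypted token")

    # 4. The Body stays readable and nothing is signed, as the modified policy says.
    body = root.find(tag(SOAP, "Body"))
    if body is None or body.find(tag(XENC, "EncryptedData")) is not None:
        findings.append("FAIL: Body is missing or encrypted")
    if next(root.iter(tag(DS, "Signature")), None) is not None:
        findings.append("FAIL: unexpected ds:Signature (all signed parts were removed)")

    return not any(f.startswith("FAIL") for f in findings), findings


def envelope(security_xml):
    """Wrap constructed wsse:Security content in a SOAP 1.1 envelope."""
    return (
        '<soapenv:Envelope xmlns:soapenv="%s" xmlns:wsse="%s" xmlns:wsu="%s" '
        'xmlns:xenc="%s" xmlns:ds="%s"><soapenv:Header>'
        '<wsse:Security soapenv:mustUnderstand="1">%s</wsse:Security>'
        '</soapenv:Header><soapenv:Body><ns:echo xmlns:ns="urn:sample">'
        "<ns:in>hello</ns:in></ns:echo></soapenv:Body></soapenv:Envelope>"
    ) % (SOAP, WSSE, WSU, XENC, DS, security_xml)


# What the client should emit once request:app_encparts covers the token:
# the UsernameToken is replaced by xenc:EncryptedData and the data key is
# wrapped for the recipient. Cipher values are placeholders, not ciphertext.
ENCRYPTED_REQUEST = envelope(
    '<xenc:EncryptedKey Id="EK-1">'
    '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>'
    "<ds:KeyInfo><wsse:SecurityTokenReference><wsse:KeyIdentifier "
    'ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">'
    "placeholder-thumbprint-of-bob</wsse:KeyIdentifier>"
    "</wsse:SecurityTokenReference></ds:KeyInfo>"
    "<xenc:CipherData><xenc:CipherValue>placeholder-wrapped-key</xenc:CipherValue></xenc:CipherData>"
    '<xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>'
    "</xenc:EncryptedKey>"
    '<xenc:EncryptedData Id="ED-1" Type="http://www.w3.org/2001/04/xmlenc#Element">'
    '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>'
    "<xenc:CipherData><xenc:CipherValue>placeholder-ciphertext</xenc:CipherValue></xenc:CipherData>"
    "</xenc:EncryptedData>"
)

# What the client emits before the encrypted part is configured: the
# credential is readable by anyone on the path.
CLEARTEXT_REQUEST = envelope(
    '<wsse:UsernameToken wsu:Id="UT-1"><wsse:Username>LDAPSunuser6</wsse:Username>'
    '<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/'
    'oasis-200401-wss-username-token-profile-1.0#PasswordText">secret</wsse:Password>'
    "<wsse:Nonce>cGxhY2Vob2xkZXI=</wsse:Nonce><wsu:Created>2024-01-01T00:00:00Z</wsu:Created>"
    "</wsse:UsernameToken>"
)

if __name__ == "__main__":
    for name, msg in (("encrypted", ENCRYPTED_REQUEST), ("cleartext", CLEARTEXT_REQUEST)):
        ok, findings = check_request(msg)
        print(name, "OK" if ok else "NOT OK", findings)
```

The encrypted envelope passes with no findings; the cleartext one fails on the readable token, the missing EncryptedKey and the missing EncryptedData, which is exactly what you see when request:app_encparts has not been assigned a key information entry.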
- Configure the server binding, as follows:
- Attach the policy to a service provider resource and create a new binding
for that resource that includes the WSSecurity policy.
- Click on WSSecurity in the new binding
to display the main WSSecurity binding panel. For example, click Enterprise
Applications > WSSampleServicesSei > Service provider policy sets and
bindings > binding_name > WS-Security.
- Click Authentication and protection.
- Under Protection tokens, click AsymmetricBindingRecipientEncryptionToken0
(the Asymmetric encryption consumer).
- Click Apply.
- Click Callback handler.
- Select Custom from the Keystore menu.
- Click Custom keystore configuration.
- Enter the keystore path. For example: ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks.
- Select JCEKS for the Type.
- Enter the password in the Password and Confirm password fields.
For example, storepass.
- Enter a Key Name. For example, CN=Bob, O=IBM, C=US.
- Enter a Key Alias. For example, bob.
- Enter the key password (the keypass that unlocks the private key the
service uses to decrypt) in the Password and Confirm password fields.
- Click OK.
- Click OK again.
- Click OK one more time to return to
the Enterprise Applications > WSSampleServicesSei > Service
provider policy sets and bindings > binding_name >
WS-Security > Authentication and protection panel.
- The status of AsymmetricBindingRecipientEncryptionToken0 should
display as Configured.
- Modify the encrypted parts settings for the server binding, as
follows:
- Click request:app_encparts under Request
message signature and encryption protection.
- Enter a Name. For example, MyEncPart.
- Click New under Key information.
- Fill in a Name. For example, MyEncKeyInfo.
- Click OK.
- Select MyEncKeyInfo (or the name that you
specified for the key information) from the Available box and click Add.
MyEncKeyInfo appears in the Assigned box.
- Click OK to return to the Enterprise
Applications > WSSampleServicesSei > Service provider policy sets and
bindings > binding_name > WS-Security > Authentication
and protection panel.
- The status of request:app_encparts should display as Configured.
- Configure the Username token settings in the server binding, as
follows:
- Click request:myUserNameToken under Authentication
tokens.
- Click Apply.
- Click Callback handler.
- Click OK.
- Under Custom properties, click New to
add the properties for verifying nonce and timestamp.
- Enter the property name com.ibm.wsspi.wssecurity.token.username.verifyNonce to
verify nonce, and the property value true.
- Enter the property name com.ibm.wsspi.wssecurity.token.username.verifyTimestamp to
verify timestamp, and the property value true.
- Click OK again.
- The status of request:myUserNameToken should display as Configured.
- Click Save to save the server bindings.
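The addNonce and addTimestamp properties on the client and verifyNonce and verifyTimestamp on the server exist to stop a captured request from being replayed: encryption hides the credentials, but without a fresh nonce and timestamp an attacker can resubmit the same encrypted token and be authenticated as that user. The Python class below is an added example of the checks the verify properties ask the service to make; it is not WebSphere code, and the freshness window (5 minutes), clock-skew allowance (1 minute) and nonce cache lifetime are assumptions, not WebSphere's actual defaults. The tokens are constructed and represent the cleartext UsernameToken as the service sees it after decrypting the request.

```python
"""Replay checks behind verifyNonce / verifyTimestamp for a UsernameToken.

Added example, not WebSphere code. The window sizes are assumptions and the
tokens are constructed to mirror the cleartext token the service sees after
it has decrypted the request.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")


class UsernameTokenVerifier:
    """verify_nonce / verify_timestamp mirror the two server-side custom
    properties; max_age and clock_skew are assumed values, not defaults."""

    def __init__(self, verify_nonce=True, verify_timestamp=True,
                 max_age=timedelta(minutes=5), clock_skew=timedelta(minutes=1)):
        self.verify_nonce = verify_nonce
        self.verify_timestamp = verify_timestamp
        self.max_age = max_age
        self.clock_skew = clock_skew
        self._seen = {}  # nonce -> moment after which it can be forgotten

    def verify(self, token_xml, now):
        """Return (accepted, reason) for one decrypted UsernameToken."""
        tok = ET.fromstring(token_xml)
        if not tok.findtext("{%s}Username" % WSSE) or tok.find("{%s}Password" % WSSE) is None:
            return False, "missing username or password"
        if self.verify_timestamp:
            created = tok.findtext("{%s}Created" % WSU)
            if created is None:
                return False, "missing wsu:Created (timestamp required)"
            for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
                try:
                    created_at = datetime.strptime(created, fmt).replace(tzinfo=timezone.utc)
                    break
                except ValueError:
                    continue
            else:
                return False, "malformed wsu:Created"
            if created_at > now + self.clock_skew:
                return False, "wsu:Created is in the future"
            if now - created_at > self.max_age:
                return False, "token is stale"
        if self.verify_nonce:
            nonce = tok.findtext("{%s}Nonce" % WSSE)
            if not nonce:
                return False, "missing wsse:Nonce (nonce required)"
            # Only tokens younger than max_age can still be replayed, so a
            # nonce needs remembering for max_age + clock_skew and no longer.
            self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
            if nonce in self._seen:
                return False, "replayed nonce"
            self._seen[nonce] = now + self.max_age + self.clock_skew
        return True, "ok"


def make_token(nonce, created, user="LDAPSunuser6", password="secret"):
    """Constructed cleartext UsernameToken (PasswordText, as the Username
    WSSecurity policy set sends it); nonce may be None."""
    nonce_xml = "<wsse:Nonce>%s</wsse:Nonce>" % nonce if nonce else ""
    return (
        '<wsse:UsernameToken xmlns:wsse="%s" xmlns:wsu="%s" wsu:Id="UT-1">'
        "<wsse:Username>%s</wsse:Username>"
        '<wsse:Password Type="%s">%s</wsse:Password>%s'
        "<wsu:Created>%s</wsu:Created></wsse:UsernameToken>"
    ) % (WSSE, WSU, user, PASSWORD_TEXT, password, nonce_xml, created)


NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def demo():
    """Service with verifyNonce and verifyTimestamp both set to true."""
    v = UsernameTokenVerifier()
    fresh = make_token("bm9uY2UtMQ==", "2024-01-01T11:59:30Z")
    return [
        v.verify(fresh, NOW)[1],                                                # first use
        v.verify(fresh, NOW + timedelta(seconds=10))[1],                        # captured and resent
        v.verify(make_token("bm9uY2UtMg==", "2024-01-01T11:40:00Z"), NOW)[1],  # 20 minutes old
        v.verify(make_token("bm9uY2UtMw==", "2024-01-01T12:05:00Z"), NOW)[1],  # client clock ahead
        v.verify(make_token("bm9uY2UtNA==", "2024/01/01 11:59"), NOW)[1],      # bad timestamp
        v.verify(make_token(None, "2024-01-01T11:59:45Z"), NOW)[1],            # client without addNonce
        v.verify(make_token("bm9uY2UtNQ==", "2024-01-01T11:59:45.250Z"), NOW)[1],  # fractional seconds
    ]


def demo_without_checks():
    """Same replay against a service that left both properties unset."""
    v = UsernameTokenVerifier(verify_nonce=False, verify_timestamp=False)
    fresh = make_token("bm9uY2UtMQ==", "2024-01-01T11:59:30Z")
    return [v.verify(fresh, NOW)[1], v.verify(fresh, NOW + timedelta(seconds=10))[1]]


if __name__ == "__main__":
    for line in demo():
        print(line)
    print(demo_without_checks())
```

With both properties on, the resent token is rejected as a replayed nonce and a stale or future-dated token is rejected on its timestamp; with both off, the identical captured token is accepted twice, which is why the client properties (addNonce, addTimestamp) and the server properties (verifyNonce, verifyTimestamp) are set together.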