With web services, you can sign message parts, encrypt
message parts, or both, based on the quality of service defined for
a policy set. You can accomplish these actions by defining the binding
information in a custom attachment binding.
Before you begin
Before you begin this task, attach a policy set to a service
artifact such as an application, service or endpoint and create a
custom attachment binding. Read about creating custom attachment bindings
for policy sets. The policy set that is attached to the service artifact
must include a WS-Security policy that specifies message parts to
be signed or encrypted. Read about securing message parts using the
administrative console.
About this task
To sign message parts, encrypt message parts, or both, based
on the quality of service defined for a policy set, perform the following
steps:
Procedure
- Open the administrative console.
- To sign and encrypt message parts for a service provider,
click Applications > Enterprise applications > application_name > Service
provider policy sets and bindings. To sign and encrypt message
parts for a service client, click Applications > Enterprise
applications > application_name > Service
client policy sets and bindings.
- Click the binding name link of the service artifact with
a custom attachment binding.
- If the binding does not contain WS-Security policy set
bindings, then click Add and select WS-Security from
the list.
- Click WS-Security policy set bindings.
- Click Authentication and protection. The resulting panel contains the following four tables:
  - Protection tokens: Specifies the tokens that are defined for the symmetric or asymmetric signature and encryption policies in the policy set.
  - Authentication tokens: Specifies the tokens that are defined for the request and response token policies.
  - Request message signature and encryption protection: Specifies the message parts that are defined in the request message part protection for the policy set.
  - Response message signature and encryption protection: Specifies the message parts that are defined in the response message part protection in the policy set.
  Initially, each table displays information that is generated from the policy set that is attached to the service artifact. The possible configuration objects based on the policy set are displayed. The Status column indicates whether the object is currently configured in the custom attachment binding.
- If the protection tokens have a status of Not configured, then create the protection tokens by clicking the default name and verifying the default values. Click OK.
- [Optional] If you use the X.509 protection tokens, then you must configure the keystores and keys that are used to sign, verify, encrypt, or decrypt message parts. You might also need to configure keystores and keys when using custom protection tokens, depending on the requirements of the custom tokens. When using a security context token for protection (secure conversation), you do not need to configure keystores or keys. If you need to configure the keystores and keys, then perform the following actions:
  - Click the token name link.
  - Click the Callback handler link under Additional bindings. If the Callback handler link is not clickable, click Apply, then click the Callback handler link.
  - Use either a predefined keystore or a custom keystore. To use a predefined keystore, select the keystore from the list. To use a custom keystore, select Custom from the list and click the Custom key store configuration link to specify the configuration.
  - Click OK.
- Click the name of the request or response message part
reference to be signed or encrypted. The Protection column displays
whether the message part is signed or encrypted based on the policy
set.
- Specify a name for the message part.
- For encrypted parts, select the type of encryption from Usage
of key information references. For asymmetric encryption, or X.509,
select Key encryption. For symmetric encryption, or secure
conversation, select Data encryption.
- [Optional] For encrypted parts, select the Include time
stamp or Include nonce options to include a time stamp
or nonce in the encrypted message part. You can include
one or both of these options in the encrypted message part.
- For signed parts, specify one or more Message part references.
Select a reference from the Available column and click Add.
- [Optional] For signed parts, you can also choose to add
a time stamp or nonce to the signed message part. Select a Message
part reference from the Assigned column and click Edit. Select
the Include time stamp or the Include nonce options
to include a time stamp or nonce in the signed message part. You
can select one or both of these options in the signed message part.
- If there are no available key information entries, then create one using the following actions:
  - Click New.
  - Specify a name.
  - Select a protection token from the Token generator or Consumer name list.
  - Click OK.
- Select a key information entry from the Available list and click Add.
- [Optional] Specify custom properties if needed.
  - To use Message Transmission Optimization Mechanism (MTOM) for the cipher text of the encrypted data, add the custom property com.ibm.wsspi.wssecurity.enc.MTOM.Optimize with the value true to outbound encrypted parts for client requests or server responses.
  - To use encryption headers as described in the WS-Security 1.0 specification instead of the encrypted header support described in WS-Security 1.1, add the custom property com.ibm.wsspi.wssecurity.encryptedHeader.generate.WSS1.0 with the value true to outbound encrypted parts for client requests or server responses.
    For Web Services Security Version 1.1 behavior that is equivalent to WebSphere® Application Server versions prior to version 7.0, specify the com.ibm.wsspi.wssecurity.encryptedHeader.generate.WSS1.1.pre.V7 property with a value of true on the <encryptionInfo> element in the binding. When this property is specified, the <EncryptedHeader> element includes a wsu:Id attribute and the <EncryptedData> element omits the Id attribute. Use this property only if compliance with Basic Security Profile 1.1 is not required.
- Click OK.
- Click Save to save the changes to the master configuration.
Results
When you finish this task, the message parts are signed, encrypted, or both, according to the binding configuration, whenever messages are exchanged with the service artifact.
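The procedure is carried out entirely in the administrative console, so the natural follow-up check is on the wire: confirm, on a captured request or response, that the parts configured in the binding are actually covered by the signature and by the encryption, and which encrypted-header layout (WS-Security 1.0 style, or the WS-Security 1.1 EncryptedHeader, with the wsu:Id either on the EncryptedHeader or on the inner EncryptedData as the pre-V7 property note describes) the sender produced. The following Python script is an added example, not WebSphere code and not part of this documentation; it relies only on the public WS-Security, XML Signature and XML Encryption namespaces, and the SOAP envelope embedded in it is constructed for illustration with placeholder cipher and digest values.

```python
"""Report which SOAP message parts a WS-Security header signs and encrypts.
Added example: coverage inspection only; it neither verifies signatures nor
decrypts anything, and it uses no WebSphere API."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsse11": "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

def _q(prefix, name):
    return "{%s}%s" % (NS[prefix], name)

def _local(tag):
    return tag.rsplit("}", 1)[-1]

# Element that wraps the cipher text -> where the encrypted part lives.
_HOLDERS = {
    _q("soap", "Body"): "Body",
    _q("wsse11", "EncryptedHeader"): "Header (WS-Security 1.1 EncryptedHeader)",
    _q("soap", "Header"): "Header (WS-Security 1.0 layout)",
}

def _index(root):
    """Build id -> element and child -> parent maps. Both wsu:Id and the
    unqualified Id of xenc elements are indexed, because a DataReference may
    point at either (pre-V7 layout puts the wsu:Id on the EncryptedHeader)."""
    ids, parents = {}, {}
    for el in root.iter():
        for child in el:
            parents[child] = el
        for attr in (_q("wsu", "Id"), "Id"):
            if el.get(attr):
                ids[el.get(attr)] = el
    return ids, parents

def _resolve(ids, uri):
    return ids.get(uri[1:]) if uri.startswith("#") else None

def signed_parts(envelope_xml):
    """(URI, local name of the referenced element) for each ds:Reference in the
    Security header's signature; None marks a reference that resolves to nothing."""
    root = ET.fromstring(envelope_xml)
    ids, _ = _index(root)
    result = []
    for ref in root.iterfind(".//wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        target = _resolve(ids, uri)
        result.append((uri, _local(target.tag) if target is not None else None))
    return result

def encrypted_parts(envelope_xml):
    """(URI, where the cipher text sits, local name of the referenced element)
    for each xenc:DataReference in the Security header."""
    root = ET.fromstring(envelope_xml)
    ids, parents = _index(root)
    result = []
    for dref in root.iterfind(".//xenc:ReferenceList/xenc:DataReference", NS):
        uri = dref.get("URI", "")
        target = _resolve(ids, uri)
        if target is None:
            result.append((uri, "dangling", None))
            continue
        # The reference lands either on the EncryptedData itself (Id) or on the
        # wrapping EncryptedHeader (wsu:Id); locate the EncryptedData either way.
        enc = target if target.tag == _q("xenc", "EncryptedData") else target.find("xenc:EncryptedData", NS)
        holder = parents.get(enc) if enc is not None else None
        where = _HOLDERS.get(holder.tag, "unknown") if holder is not None else "unknown"
        result.append((uri, where, _local(target.tag)))
    return result

def timestamp_is_signed(envelope_xml):
    """True when wsu:Timestamp is covered by the signature ('Include time stamp')."""
    return any(name == "Timestamp" for _, name in signed_parts(envelope_xml))

def body_is_signed_and_encrypted(envelope_xml):
    """The check behind the Results section: Body both signed and encrypted."""
    signed = any(name == "Body" for _, name in signed_parts(envelope_xml))
    encrypted = any(where == "Body" for _, where, _ in encrypted_parts(envelope_xml))
    return signed and encrypted

# Constructed sample, not a capture: signed Body and Timestamp, encrypted Body, and
# one encrypted header in the pre-V7 layout (wsu:Id on EncryptedHeader, no Id on
# the inner EncryptedData). Cipher, digest and signature values are placeholders.
SAMPLE_ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
 <soap:Header>
  <wsse:Security soap:mustUnderstand="1">
   <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2024-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
   <xenc:EncryptedKey Id="EK-1">
    <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    <xenc:ReferenceList><xenc:DataReference URI="#ED-body"/><xenc:DataReference URI="#EH-1"/></xenc:ReferenceList>
   </xenc:EncryptedKey>
   <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#body"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
    <ds:Reference URI="#TS-1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
   </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  </wsse:Security>
  <wsse11:EncryptedHeader wsu:Id="EH-1">
   <xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
  </wsse11:EncryptedHeader>
 </soap:Header>
 <soap:Body wsu:Id="body">
  <xenc:EncryptedData Id="ED-body"><xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
 </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print("signed:", signed_parts(SAMPLE_ENVELOPE))
    print("encrypted:", encrypted_parts(SAMPLE_ENVELOPE))
    print("body signed and encrypted:", body_is_signed_and_encrypted(SAMPLE_ENVELOPE))
```

Point the functions at a message captured from a trace or a proxy to compare what the binding was meant to protect with what is on the wire; a reference that resolves to nothing, a Timestamp that is not among the signed parts, or an unexpected header layout each shows up directly in the returned tuples.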
Example
You have an application, app1, with an attached policy set, RAMP default, and a custom attachment binding, myBinding, and you want to sign and encrypt the message parts.
- Click the app1 application in the Applications > Enterprise
Applications collection.
- Click the Service provider policy sets and bindings link
or the Service client policy sets and bindings link.
- Click the myBinding link.
- [Optional] If WS-Security is not listed, then select Add > WS-Security.
- Click the WS-Security link.
- Click the Authentication and protection link.
- In the Protection tokens table, click each of the four links and click OK on the resulting panel. Each entry is now shown as Configured in the Status column.
- In the Request message signature and encryption protection table,
click request:app_encparts. Specify the name, requestEncParts.
- Click New from Key information. Specify the name, requestEncKeyInfo.
- Select SymmetricBindingRecipientEncryptionToken, and click OK.
- Select requestEncKeyInfo in the Available list, and click Add. Click OK.
- In the Request message signature and encryption protection table,
click request:app_signparts.
- Specify the name, requestSignParts.
- Click New from Key information. Specify a name of requestSignKeyInfo.
- Select SymmetricBindingInitiatorSignatureToken, and click OK.
- Select requestSignKeyInfo in the Available list, and click Add. Click OK.
- Repeat steps 8 to 16 for the links in the Response message signature
and encryption protection table.
- Click Save to save the changes to the master configuration.
What to do next
Start the application.