You can configure encryption information, used to specify
how the generators (senders) encrypt outgoing messages, for the request
generator (client side) and the response generator (server side) bindings
at the application level.
Before you begin
Configure the key information that is referenced by the key
information references in the encryption information panel.
About this task
This task provides the steps that are needed for configuring
encryption information for the request generator (client side) and
the response generator (server side) bindings at the application level.
This encryption information is used to specify how the generators
(senders) encrypt outgoing messages.
Complete the following
steps to configure the encryption information for the request generator
or response generator section of the bindings file on the application
level:
Procedure
- Locate the encryption information configuration panel in
the administrative console.
- Click .
- Under Manage modules, click URI_name.
- Under Web Services Security Properties, you can access
the key information for the request generator and response generator
bindings.
- For the request generator (sender) binding, click Web
services: Client security bindings. Under Request generator
(sender) binding, click Edit custom.
- For the response generator (sender) binding, click Web
services: Server security bindings. Under Response generator
(sender) binding, click Edit custom.
- Under Required properties, click Encryption
information.
- Click New to create an encryption
information configuration. Click Delete to
delete an existing configuration or click the name of an existing
encryption information configuration to edit its settings. If
you are creating a new configuration, enter a name in the Encryption
information name field. For example, you might specify gen_encinfo.
- Select a data encryption algorithm from the Data
encryption algorithm field. The selection specifies
the algorithm that is used to encrypt parts of the message. WebSphere® Application Server supports the
following pre-configured algorithms:
- http://www.w3.org/2001/04/xmlenc#tripledes-cbc
- http://www.w3.org/2001/04/xmlenc#aes128-cbc
- http://www.w3.org/2001/04/xmlenc#aes256-cbc
  To use this algorithm, you must download the unrestricted Java Cryptography
  Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.
- http://www.w3.org/2001/04/xmlenc#aes192-cbc
  To use this algorithm, you must download the unrestricted Java Cryptography
  Extension (JCE) policy file from the same website.
  Restriction: Do not use the 192-bit data encryption algorithm
  if you want your configured application to be in compliance with the
  Basic Security Profile (BSP).
All of these algorithms are CBC modes, which protect confidentiality only
and do not detect modification of the ciphertext, so the parts that you
encrypt should also be covered by the message signature.
Important: Your country of origin
might have restrictions on the import, possession, use, or re-export
to another country, of encryption software. Before downloading or
using the unrestricted policy files, you must check the laws of your
country, its regulations, and its policies concerning the import,
possession, use, and re-export of encryption software, to determine
if it is permitted.
The data encryption algorithm that you select for the generator
side must match the data encryption algorithm that you select for the
consumer side.
- Select a key encryption algorithm from the Key
encryption algorithm field. This selection
specifies the algorithm that is used to encrypt the symmetric key that
encrypts the message parts. WebSphere Application
Server supports the following pre-configured algorithms:
- http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
  When running with Software Development Kit (SDK) Version 1.4, the list
  of supported key transport algorithms does not include this one. This
  algorithm appears in the list of supported key transport algorithms
  when running with SDK Version 1.5.
  Restriction: This algorithm is not supported when WebSphere Application Server
  is running in Federal Information Processing Standard (FIPS) mode.
  By default, the RSA-OAEP algorithm uses the SHA1 message digest algorithm
  to compute a message digest as part of the encryption operation. Optionally,
  you can use the SHA256 or SHA512 message digest algorithm by specifying
  a key encryption algorithm property. For the property name, specify
  com.ibm.wsspi.wssecurity.enc.rsaoaep.DigestMethod.
  The property value is one of the following digest method URIs:
  - http://www.w3.org/2001/04/xmlenc#sha256
  - http://www.w3.org/2001/04/xmlenc#sha512
  By default, the RSA-OAEP algorithm uses a null string
  for the optional encoding octet string (OAEPparams). You can
  provide an explicit encoding octet string by specifying a key encryption
  algorithm property. For the property name, specify
  com.ibm.wsspi.wssecurity.enc.rsaoaep.OAEPparams.
  The property value is the base64-encoded value of the octet string.
  Important: You can set the digest method and OAEPparams properties
  on the generator side only. On the consumer side, these values
  are read from the incoming SOAP message (the DigestMethod and
  OAEPparams children of the EncryptionMethod element in the EncryptedKey element).
- http://www.w3.org/2001/04/xmlenc#rsa-1_5
  This is RSA key transport with PKCS #1 v1.5 padding. Prefer rsa-oaep-mgf1p
  when both the generator and the consumer support it: PKCS #1 v1.5 key
  transport is susceptible to padding-oracle (Bleichenbacher) attacks when
  the consumer reveals whether decryption of the key failed.
- http://www.w3.org/2001/04/xmlenc#kw-tripledes
- http://www.w3.org/2001/04/xmlenc#kw-aes128
- http://www.w3.org/2001/04/xmlenc#kw-aes256
  To use this algorithm, you must download the unrestricted Java Cryptography
  Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.
- http://www.w3.org/2001/04/xmlenc#kw-aes192
  To use this algorithm, you must download the unrestricted Java Cryptography
  Extension (JCE) policy file from the same website.
  Restriction: Do not use the 192-bit key encryption algorithm
  if you want your configured application to be in compliance with the
  Basic Security Profile (BSP).
The key encryption algorithm that you select for the generator
side must match the key encryption algorithm that you select for the
consumer side.
- Select an encryption key information reference from the
Encryption key information menu. This selection is a reference
to the encryption key that is used to encrypt parts of the message.
To configure the key information, see Configuring the key information using JAX-RPC for the generator binding on the application level.
- Select a part reference from the Part reference field. This field specifies the name of the part reference for the
generator binding element in the deployment descriptor.
- Click OK and then click Save to
save the configuration.
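As an added example, not taken from the WebSphere documentation or product code, the following Python script checks a captured WS-Security SOAP message against the choices made in the steps above: it extracts the key encryption algorithm from the EncryptedKey element and the data encryption algorithm from each EncryptedData element, reads the OAEP digest method and OAEPparams from the message the way a consumer does, and reports a mismatch with the expected algorithms, use of a 192-bit algorithm when BSP compliance is required, and use of rsa-oaep-mgf1p in FIPS mode. The namespace URIs are the standard XML Encryption, XML Signature, SOAP 1.1 and WS-Security 1.0 ones; the sample envelope, its cipher values and the function names are constructed for this example.

```python
"""Audit the encryption algorithms carried by a WS-Security SOAP message.

Added example (not WebSphere code). The sample envelope below is constructed:
its CipherValue contents are placeholders, not real ciphertext.
"""
import base64
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
# XML Encryption default digest for RSA-OAEP when no DigestMethod is present.
SHA1 = DS + "sha1"

# Constructed message: what a generator configured with aes256-cbc data
# encryption, rsa-oaep-mgf1p key encryption, the SHA256 DigestMethod property
# and an explicit OAEPparams value (bytes 01 02 03) would emit.
SAMPLE_SOAP = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}">
      <xenc:EncryptedKey xmlns:xenc="{XENC}" Id="EncKey-1">
        <xenc:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p">
          <ds:DigestMethod xmlns:ds="{DS}" Algorithm="{XENC}sha256"/>
          <xenc:OAEPparams>AQID</xenc:OAEPparams>
        </xenc:EncryptionMethod>
        <xenc:CipherData><xenc:CipherValue>Zm9v</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#EncData-1"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <xenc:EncryptedData xmlns:xenc="{XENC}" Id="EncData-1" Type="{XENC}Content">
      <xenc:EncryptionMethod Algorithm="{XENC}aes256-cbc"/>
      <xenc:CipherData><xenc:CipherValue>YmFy</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>"""


def extract_algorithms(soap_xml):
    """Return the algorithms the message actually uses, as a consumer sees them."""
    root = ET.fromstring(soap_xml)
    found = {"key": None, "digest": None, "oaep_params": None, "data": []}
    enc_key = root.find(f".//{{{XENC}}}EncryptedKey")
    if enc_key is not None:
        method = enc_key.find(f"{{{XENC}}}EncryptionMethod")
        found["key"] = method.get("Algorithm")
        # Digest method and OAEPparams are taken from the message, never from
        # consumer configuration (the generator-only properties in the text).
        digest = method.find(f"{{{DS}}}DigestMethod")
        found["digest"] = digest.get("Algorithm") if digest is not None else SHA1
        params = method.find(f"{{{XENC}}}OAEPparams")
        found["oaep_params"] = (base64.b64decode(params.text.strip())
                                if params is not None else b"")
    for enc_data in root.iter(f"{{{XENC}}}EncryptedData"):
        method = enc_data.find(f"{{{XENC}}}EncryptionMethod")
        found["data"].append(method.get("Algorithm"))
    return found


def audit(found, expected_key, expected_data, bsp_compliant=True, fips_mode=False):
    """Compare the on-the-wire algorithms with the configured ones; return findings."""
    findings = []
    if found["key"] != expected_key:
        findings.append(f"key encryption algorithm mismatch: got {found['key']}")
    for alg in found["data"]:
        if alg != expected_data:
            findings.append(f"data encryption algorithm mismatch: got {alg}")
    if bsp_compliant:
        for alg in [found["key"], *found["data"]]:
            if alg and "aes192" in alg:
                findings.append(f"BSP restriction: 192-bit algorithm in use: {alg}")
    if fips_mode and found["key"] == XENC + "rsa-oaep-mgf1p":
        findings.append("rsa-oaep-mgf1p is not supported in FIPS mode")
    return findings


if __name__ == "__main__":
    seen = extract_algorithms(SAMPLE_SOAP)
    print(seen)
    print(audit(seen, XENC + "rsa-oaep-mgf1p", XENC + "aes256-cbc"))
    print(audit(seen, XENC + "rsa-1_5", XENC + "aes128-cbc", fips_mode=True))
```

Run it against a message captured from the request generator to confirm that the consumer side was configured with the same data and key encryption algorithms before enabling the binding; an empty findings list means the two sides agree.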
Results
The encryption information is configured for the generator
binding at the application level.
What to do next
You must specify a matching encryption information configuration
for the consumer, using the same data encryption and key encryption
algorithms that you selected for the generator.