You can
configure the encryption information for the request
consumer (server side) and response consumer (client side) bindings
at the application level.
About this task
This task provides the steps that are needed for configuring
the encryption information for the request consumer (server side)
and response consumer (client side) bindings at the application level.
The encryption information on the consumer side is used for decrypting
the encrypted message parts in the incoming SOAP message.
Complete
the following steps to configure the encryption information for the
request consumer or response consumer section of the bindings file
on the application level:
Procedure
- Locate the
Encryption information configuration panel in
the administrative console.
- Click .
- Under Manage modules, click URI_name.
- Under Web Services Security Properties, you can access the encryption information for the request consumer and response consumer bindings:
- For the request consumer (receiver) binding, click Web services: Server security bindings. Under Request consumer (receiver) binding, click Edit custom.
- For the response consumer (receiver) binding, click Web services: Client security bindings. Under Response consumer (receiver) binding, click Edit custom.
- Under Required properties, click Encryption
information.
- Click New to
create an encryption
information configuration, click Delete to
delete an existing configuration, or click the name of an existing
encryption information configuration to edit its settings. If
you are creating a new configuration, enter a name in the Encryption
information name field. For example, you might specify cons_encinfo.
- Select a data encryption algorithm from the Data encryption algorithm field. The data encryption algorithm is used for encrypting or decrypting parts of a SOAP message such as the SOAP body or the username token. WebSphere® Application Server supports the following pre-configured algorithms:
- http://www.w3.org/2001/04/xmlenc#tripledes-cbc
- http://www.w3.org/2001/04/xmlenc#aes128-cbc
- http://www.w3.org/2001/04/xmlenc#aes256-cbc
To use the http://www.w3.org/2001/04/xmlenc#aes256-cbc algorithm, you must download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html. You can confirm that the unrestricted policy is in effect by calling javax.crypto.Cipher.getMaxAllowedKeyLength("AES") from the Java runtime that the server uses; the restricted policy reports 128.
- http://www.w3.org/2001/04/xmlenc#aes192-cbc
To use the http://www.w3.org/2001/04/xmlenc#aes192-cbc algorithm, you must download the unrestricted Java Cryptography Extension (JCE) policy file from the same website.
Restriction: Do not use the 192-bit key encryption algorithm
if you want your configured application to be in compliance with the
Basic Security Profile (BSP).
Important: Your country of origin
might have restrictions on the import, possession, use, or re-export
to another country, of encryption software. Before downloading or
using the unrestricted policy files, you must check the laws of your
country, its regulations, and its policies concerning the import,
possession, use, and re-export of encryption software, to determine
if it is permitted.
The data encryption algorithm that you select for the consumer side must match the data encryption method that you select for the generator side; otherwise the consumer cannot decrypt the message parts. All of the listed algorithms are CBC modes, which provide confidentiality only. If the consumer must also detect modification of the encrypted parts, cover the same parts with a Required Integrity constraint so that they are signed as well as encrypted.
- Select a key encryption
algorithm from the Key
encryption algorithm field. The key encryption
algorithm is used for encrypting the key that is used for encrypting
the message parts within the SOAP message. Select (none) if
the data encryption key, which is the key that is used for encrypting
the message parts, is not encrypted. WebSphere Application
Server supports the following pre-configured algorithms:
- http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.
When
running with Software Development Kit (SDK) Version 1.4, the list
of supported key transport algorithms does not include this one. This
algorithm appears in the list of supported key transport algorithms
when running with SDK Version 1.5.
Restriction: This algorithm
is not supported when the WebSphere Application Server
is running in Federal Information Processing Standard (FIPS) mode.
- http://www.w3.org/2001/04/xmlenc#rsa-1_5
Where the SDK level and the FIPS setting allow it, prefer rsa-oaep-mgf1p over rsa-1_5: RSA PKCS#1 v1.5 key transport is the older scheme, and a decryptor that reveals whether the padding of an encrypted key was valid exposes the well-known Bleichenbacher padding oracle.
- http://www.w3.org/2001/04/xmlenc#kw-tripledes
- http://www.w3.org/2001/04/xmlenc#kw-aes128
- http://www.w3.org/2001/04/xmlenc#kw-aes256
To use the http://www.w3.org/2001/04/xmlenc#kw-aes256 algorithm, you must download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.
- http://www.w3.org/2001/04/xmlenc#kw-aes192
To use the http://www.w3.org/2001/04/xmlenc#kw-aes192
algorithm, you must download the unrestricted Java Cryptography
Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.
Restriction: Do not use the 192-bit key encryption algorithm
if you want your configured application to be in compliance with the
Basic Security Profile (BSP).
The key encryption algorithm that you select for the consumer side must match the key encryption method that you select for the generator side; otherwise the consumer cannot recover the data encryption key.
- Optional: Select
a part reference in the Part
reference field. The part reference specifies
the name of the message part that is encrypted and is defined in the
deployment descriptor. For example, you can encrypt the bodycontent
message part in the deployment descriptor. The name of this Required
Confidentiality part is conf_con. This message
part is shown as an option in the Part reference field.
- Under Additional properties, click Key
information
references.
- Click New to
create a key information
configuration, click Delete to delete an existing
configuration, or click the name of an existing key information configuration
to edit its settings. If you are creating a new configuration,
enter a name in the Name field. For example,
you might specify con_ekeyinfo. This entry
is the name of the <encryptionKeyInfo> element in the binding
file.
- Select a key information reference from
the Key
information reference field. This reference
is the value of the keyinfoRef attribute of the <encryptionKeyInfo>
element and it is the name of the <keyInfo> element that is
referenced by this key information reference. Each key information
reference entry generates an <encryptionKeyInfo> element under
the <encryptionInfo> element in the binding configuration file.
For example, if you enter con_ekeyinfo in the Name field
and dec_keyinfo in the Key information
reference field, the following <encryptionKeyInfo>
element is generated in the binding file:
<encryptionKeyInfo xmi:id="EncryptionKeyInfo_1085092248843"
    keyinfoRef="dec_keyinfo" name="con_ekeyinfo"/>
- Click OK and then click Save to
save the configuration.
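The steps above produce one <encryptionInfo> per binding and leave it to the administrator to confirm, by hand, that the consumer's algorithms match the generator's, that every keyinfoRef resolves to a <keyInfo>, and that the restrictions stated above (192-bit keys and BSP, rsa-oaep-mgf1p and FIPS mode, unrestricted JCE policy for 192- and 256-bit AES) are respected. The following Python script, added here as an example and not part of the original page or of WebSphere Application Server, checks a consumer/generator binding pair for those conditions. The two binding fragments are constructed for the example. The page names the <encryptionInfo>, <encryptionKeyInfo name= keyinfoRef=> and <keyInfo> elements; the <encryptionMethod algorithm=>, <keyEncryptionMethod algorithm=> and <partReference part=> elements, and the matching of consumer and generator entries by part name, are assumptions made for the example and must be adjusted to the actual schema of your bindings file.

```python
"""Consistency checks for a WS-Security consumer/generator encryption binding pair.

Added example, not IBM's code. The XML fragments below are constructed;
<encryptionMethod algorithm=>, <keyEncryptionMethod algorithm=> and
<partReference part=> are assumed element names (only <encryptionInfo>,
<encryptionKeyInfo> and <keyInfo> are named by the page).
"""
import xml.etree.ElementTree as ET

XMLENC = "http://www.w3.org/2001/04/xmlenc#"
BSP_DISALLOWED = {XMLENC + "aes192-cbc", XMLENC + "kw-aes192"}          # not BSP compliant
FIPS_DISALLOWED = {XMLENC + "rsa-oaep-mgf1p"}                            # unsupported in FIPS mode
NEEDS_UNRESTRICTED_JCE = {XMLENC + a for a in ("aes192-cbc", "aes256-cbc", "kw-aes192", "kw-aes256")}

# Constructed response consumer (client side) binding fragment.
CONSUMER_BINDING = """\
<securityResponseConsumerBindingConfig xmlns:xmi="http://www.omg.org/XMI">
  <encryptionInfo xmi:id="EncryptionInfo_1" name="cons_encinfo">
    <encryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <keyEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    <encryptionKeyInfo xmi:id="EncryptionKeyInfo_1085092248843"
        keyinfoRef="dec_keyinfo" name="con_ekeyinfo"/>
    <partReference part="conf_con"/>
  </encryptionInfo>
  <keyInfo xmi:id="KeyInfo_1" name="dec_keyinfo"/>
</securityResponseConsumerBindingConfig>
"""

# Constructed generator (server side) fragment with three deliberate defects: a different
# data encryption algorithm, a 192-bit key, and a keyinfoRef that names no <keyInfo>.
GENERATOR_BINDING = """\
<securityResponseGeneratorBindingConfig xmlns:xmi="http://www.omg.org/XMI">
  <encryptionInfo xmi:id="EncryptionInfo_2" name="gen_encinfo">
    <encryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
    <keyEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    <encryptionKeyInfo xmi:id="EncryptionKeyInfo_2" keyinfoRef="enc_keyinfo" name="gen_ekeyinfo"/>
    <partReference part="conf_con"/>
  </encryptionInfo>
  <keyInfo xmi:id="KeyInfo_2" name="gen_keyinfo"/>
</securityResponseGeneratorBindingConfig>
"""


def parse_binding(xml_text):
    """Collect every <encryptionInfo> and the names of all <keyInfo> elements."""
    root = ET.fromstring(xml_text)
    infos = []
    for enc in root.iter("encryptionInfo"):
        data = enc.find("encryptionMethod")
        key = enc.find("keyEncryptionMethod")  # absent when "(none)" is selected
        infos.append({
            "name": enc.get("name"),
            "data_alg": None if data is None else data.get("algorithm"),
            "key_alg": None if key is None else key.get("algorithm"),
            "keyinfo_refs": [k.get("keyinfoRef") for k in enc.findall("encryptionKeyInfo")],
            "parts": [p.get("part") for p in enc.findall("partReference")],
        })
    return {"keyinfo_names": {k.get("name") for k in root.iter("keyInfo")},
            "encryption_infos": infos}


def check_bindings(consumer_xml, generator_xml, fips_mode=False, bsp_required=True):
    """Return (level, message) findings; an empty list means the pair is consistent.

    Entries are paired by part reference name, which assumes both deployment
    descriptors use the same part name for the encrypted message part."""
    findings = []
    sides = {"consumer": parse_binding(consumer_xml), "generator": parse_binding(generator_xml)}

    for side, binding in sides.items():
        for info in binding["encryption_infos"]:
            if info["data_alg"] is None:
                findings.append(("error", f"{side}: {info['name']} has no data encryption algorithm"))
            for ref in info["keyinfo_refs"]:  # every keyinfoRef must name a <keyInfo>
                if ref not in binding["keyinfo_names"]:
                    findings.append(("error", f"{side}: {info['name']} references keyInfo '{ref}', which is not defined"))
            for alg in (info["data_alg"], info["key_alg"]):
                if bsp_required and alg in BSP_DISALLOWED:
                    findings.append(("error", f"{side}: {info['name']} uses {alg}, which is not Basic Security Profile compliant"))
                if fips_mode and alg in FIPS_DISALLOWED:
                    findings.append(("error", f"{side}: {info['name']} uses {alg}, which is not supported in FIPS mode"))
                if alg in NEEDS_UNRESTRICTED_JCE:
                    findings.append(("note", f"{side}: {alg} requires the unrestricted JCE policy files"))

    # Generator and consumer must agree on both algorithms for each encrypted part.
    by_part = {side: {part: info for info in b["encryption_infos"] for part in info["parts"]}
               for side, b in sides.items()}
    for part, cons in by_part["consumer"].items():
        gen = by_part["generator"].get(part)
        if gen is None:
            findings.append(("error", f"part '{part}' is decrypted by the consumer but not encrypted by the generator"))
            continue
        for field, label in (("data_alg", "data encryption"), ("key_alg", "key encryption")):
            if cons[field] != gen[field]:
                findings.append(("error", f"part '{part}': {label} algorithm differs "
                                          f"(consumer {cons[field]}, generator {gen[field]})"))
    return findings


if __name__ == "__main__":
    for level, message in check_bindings(CONSUMER_BINDING, GENERATOR_BINDING):
        print(f"[{level}] {message}")
```

Run it against the consumer and generator fragments exported from the two bindings files; any "error" finding means the pair will either fail to decrypt or violate a restriction that this page states, while "note" findings only remind you which algorithms need the unrestricted JCE policy on the runtime that hosts that side.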
Results
You have configured the encryption information for the consumer binding at the application level.
What to do next
You must specify
a similar encryption information configuration
for the generator.