Configuring encryption using JAX-RPC to protect message confidentiality at the server or cell level

You can configure the encryption information for the generator binding on the server or cell level.

About this task

The encryption information for the default generator specifies how to encrypt the information on the sender side if these bindings are not defined at the application level. WebSphere® Application Server provides default values for the bindings. However, an administrator must modify the defaults for a production environment.

You can configure the encryption information for the generator binding on the server level and the cell level. In the following steps, use the first step to configure the encryption information for the server level and use the second step to configure the encryption information for the cell level:

Procedure

  1. Access the default bindings for the server level.
    1. Click Servers > Server Types > WebSphere application servers > server_name.
    2. Under Security, click JAX-WS and JAX-RPC security runtime.
      Mixed-version environment Mixed-version environment: In a mixed node cell with a server using Websphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security.mixv
  2. Click Security > Web services to access the default bindings on the cell level.
  3. Under Default generator bindings, click Encryption information.
  4. Click New to create an encryption information configuration, click Delete to delete an existing configuration, or click the name of an existing encryption information configuration to edit the settings. If you are creating a new configuration, enter a unique name for the encryption configuration in the Encryption information name field. For example, you might specify gen_encinfo.
    Avoid trouble Avoid trouble: If you create more than one encryption information configuration, the WS-Security runtime environment only honors the first configuration listed in the bindings file.gotcha
  5. Select a data encryption algorithm from the Data encryption algorithm field. This algorithm is used to encrypt the data. WebSphere Application Server supports the following pre-configured algorithms:
    • http://www.w3.org/2001/04/xmlenc#tripledes-cbc
    • http://www.w3.org/2001/04/xmlenc#aes128-cbc
    • http://www.w3.org/2001/04/xmlenc#aes256-cbc

      To use this algorithm, you must download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.

    • http://www.w3.org/2001/04/xmlenc#aes192-cbc

      To use this algorithm, you must download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.

      Restriction: Do not use this algorithm, the 192-bit key encryption algorithm, if you want your configured application to be in compliance with the Basic Security Profile (BSP).
    Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, you must check the laws of your country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.

    The data encryption algorithm that you select for the generator side must match the data encryption algorithm that you select for the consumer side.

  6. Select a key encryption algorithm from the Key encryption algorithm field. This algorithm is used to encrypt the key. WebSphere Application Server supports the following pre-configured algorithms:
    • http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.
      When running with JDK 1.4, the list of supported key transport algorithms will not include this one. This algorithm will appear in the list of supported key transport algorithms when running with JDK 1.5.
      Restriction: This algorithm is not supported when the WebSphere Application Server is running in Federal Information Processing Standard (FIPS) mode.
      By default, the RSA-OAEP algorithm uses the SHA1 message digest algorithm to compute a message digest as part of the encryption operation. Optionally, you can use the SHA256 or SHA512 message digest algorithm by specifying a key encryption algorithm property. The property name is: com.ibm.wsspi.wssecurity.enc.rsaoaep.DigestMethod. The property value is one of the following URIs of the digest method:
      • http://www.w3.org/2001/04/xmlenc#sha256
      • http://www.w3.org/2001/04/xmlenc#sha512
      By default, the RSA-OAEP algorithm uses a null string for the optional encoding octet string for the OAEPParams. You can provide an explicit encoding octet string by specifying a key encryption algorithm property. For the property name, you can specify com.ibm.wsspi.wssecurity.enc.rsaoaep.OAEPparams. The property value is the base 64-encoded value of the octet string.
      Important: You can set these digest method and OAEPParams properties on the generator side only. On the consumer side, these properties are read from the incoming SOAP message.
    • http://www.w3.org/2001/04/xmlenc#rsa-1_5
    • http://www.w3.org/2001/04/xmlenc#kw-tripledes
    • http://www.w3.org/2001/04/xmlenc#kw-aes128
    • http://www.w3.org/2001/04/xmlenc#kw-aes256

      To use this algorithm, you must download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.

    • http://www.w3.org/2001/04/xmlenc#kw-aes192

      To use this algorithm, you must download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.

      Restriction: Do not use this algorithm, the 192-bit key encryption algorithm, if you want your configured application to be in compliance with the Basic Security Profile (BSP).

    If you select None, the key is not encrypted.

    The key encryption algorithm that you select for the generator side must match the key encryption algorithm that you select for the consumer side.

  7. Select a encryption key configuration from the Encryption key information field. This attribute specifies the name of the key that is used to encrypt the message. To configure the key information, see Configuring the key information for the generator binding using JAX-RPC on the server or cell level.
  8. Click OK and then click Save to save the configuration.

Results

You have configured the encryption information for the generator binding at the server or cell level.

What to do next

You must specify a similar encryption information configuration for the consumer.
Task topic    

Terms and conditions for information centers | Feedback

Last updated: April 20, 2014 08:46 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-mp&topic=twbs_configencryptinfogensvrcell
File name: twbs_configencryptinfogensvrcell.html