Configuring encryption to protect message confidentiality at the server or cell level

The encryption information for the default consumer specifies how to process the encryption information on the receiver side if these bindings are not defined at the application level. WebSphere® Application Server provides default values for the bindings. However, an administrator must modify the defaults for a production environment.

About this task

You can configure the encryption information for the consumer binding on the server level and the cell level. In the following steps, use the first step to access the server-level default bindings and use the second step to access the cell-level bindings.

Procedure

  1. Access the default bindings for the server level.
    1. Click Servers > Server Types > WebSphere application servers > server_name.
    2. Under Security, click JAX-WS and JAX-RPC security runtime.
      混合版本環境 混合版本環境: In a mixed node cell with a server using Websphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security.mixv
  2. Click Security > Web services to access the default bindings on the cell level.
  3. Under Default consumer bindings, click Encryption information.
  4. Click New to create an encryption information configuration, click Delete to delete an existing configuration, or click the name of an existing encryption information configuration to edit the settings. If you are creating a new configuration, enter a unique name for the encryption configuration in the Encryption information name field. For example, you might specify con_encinfo.
    避免困難 避免困難: If you create more than one encryption information configuration, the WS-Security runtime environment only honors the first configuration listed in the bindings file.gotcha
  5. Select a data encryption algorithm from the Data encryption algorithm field. This algorithm is used to encrypt the data. WebSphere Application Server supports the following pre-configured algorithms:
    • http://www.w3.org/2001/04/xmlenc#tripledes-cbc
    • http://www.w3.org/2001/04/xmlenc#aes128-cbc
    • http://www.w3.org/2001/04/xmlenc#aes256-cbc

      To use this algorithm, you must download the unrestricted Java™ Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.

    • http://www.w3.org/2001/04/xmlenc#aes192-cbc

      To use this algorithm, you must download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.

      Restriction: Do not use the 192-bit key encryption algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP).
      Important: 您的原住地對於加密軟體的輸入、佔有、使用或重新輸出至另一個國家或地區等方面可能會有一些限制。在下載或使用未限定的原則檔之前,您必須先查核您所在國家或地區的法令、規章,以及其對於加密軟體的輸入、佔有、使用或重新輸出等方面的政策,來判定是否允許這麼做。

    The data encryption algorithm that you select for the consumer side must match the data encryption algorithm that you select for the generator side.

  6. Select a key encryption algorithm from the Key encryption algorithm field. This algorithm is used to encrypt the key. WebSphere Application Server supports the following pre-configured algorithms:
    • http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.
      When running with Software Development Kit (SDK) Version 1.4, the list of supported key transport algorithms does not include this one. This algorithm appears in the list of supported key transport algorithms when running with SDK Version 1.5.
      Restriction: This algorithm is not supported when the WebSphere Application Server is running in Federal Information Processing Standard (FIPS) mode.
    • http://www.w3.org/2001/04/xmlenc#rsa-1_5
    • http://www.w3.org/2001/04/xmlenc#kw-tripledes
    • http://www.w3.org/2001/04/xmlenc#kw-aes128
    • http://www.w3.org/2001/04/xmlenc#kw-aes256

      To use this algorithm, you must download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.

    • http://www.w3.org/2001/04/xmlenc#kw-aes192

      To use this algorithm, you must download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.

      Restriction: Do not use the 192-bit key encryption algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP).

    If you select None, the key is not encrypted.

    The key encryption algorithm that you select for the consumer side must match the key encryption algorithm that you select for the generator side.

  7. Under Additional properties, click Key information references.
  8. Click New to create a key information configuration, click Delete to delete an existing configuration, or click the name of an existing key information configuration to edit the settings. If you are creating a new configuration, enter a unique name for the key information configuration in the name field. For example, you might specify con_enckeyinfo.
  9. Select a key information reference from the Key information reference field. This selection refers to the name of the key information that is used for encryption. For more information, see Configuring the key information for the consumer binding using JAX-RPC on the server or cell level.
  10. Click OK and Save to save the configuration.

Results

You have configured the encryption information for the consumer binding at the server or cell level.

What to do next

You must specify a similar encryption information configuration for the generator.

指出主題類型的圖示 作業主題



時間戳記圖示 前次更新: July 9, 2016 11:17
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=twbs_configencryptinfoconssvrcell
檔名:twbs_configencryptinfoconssvrcell.html