Choosing encryption methods for generator bindings
To configure the client for request encryption for the generator binding, you must specify which encryption methods to use when the client encrypts the SOAP messages.
Before you begin
Prior to completing these steps, read the XML encryption information to become familiar with encrypting and decrypting SOAP messages.
- Use the WSSEncryption API to configure the data encryption algorithm and the key encryption algorithm methods.
- Use the WSSEncryptPart API to configure a transform algorithm method, if needed. The default is no transform algorithm.
About this task
Some of the encryption-related definitions are based on the XML-Encryption specification. The following information defines some data encryption-related terms:
- Data encryption method algorithm
  Data encryption algorithms specify the algorithm uniform resource identifier (URI) of the data encryption method. This algorithm encrypts and decrypts data in fixed size, multiple octet blocks.
By default, the Java™ Cryptography Extension (JCE) is shipped with restricted or limited strength ciphers. To use 192-bit and 256-bit Advanced Encryption Standard (AES) encryption algorithms, you must apply unlimited jurisdiction policy files.
For the AES256-cbc and the AES192-cbc algorithms, you must download the unrestricted Java™ Cryptography Extension (JCE) policy files from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.
- Key encryption method algorithm
  Key encryption algorithms specify the algorithm uniform resource identifier (URI) of the method to encrypt the key that is used to encrypt data. The algorithm represents public key encryption algorithms that are specified for encrypting and decrypting keys.
By default, the RSA-OAEP algorithm uses the SHA1 message digest algorithm to compute a message digest as part of the encryption operation. Optionally, you can use the SHA256 or SHA512 message digest algorithm by specifying a key encryption algorithm property.
The property name is: com.ibm.wsspi.wssecurity.enc.rsaoaep.DigestMethod. The property value is one of the following URIs of the digest method:
- http://www.w3.org/2001/04/xmlenc#sha256
- http://www.w3.org/2001/04/xmlenc#sha512
By default, the RSA-OAEP algorithm uses a null string for the optional encoding octet string for the OAEPParams. You can provide an explicit encoding octet string by specifying a key encryption algorithm property. For the property name, you can specify com.ibm.wsspi.wssecurity.enc.rsaoaep.OAEPparams. The property value is the base 64-encoded value of the octet string.
Important: You can set these digest method and OAEPParams properties on the generator side only. On the consumer side, these properties are read from the incoming SOAP message.
For the KW-AES256 and the KW-AES192 key encryption algorithms, you must download the unrestricted JCE policy files from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.
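Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country or region of encryption software. Before you download or use the unrestricted policy files, you must check the laws and regulations of your country or region, and its policies concerning the import, possession, use, and re-export of encryption software, to determine whether it is permitted.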
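The RSA-OAEP digest method and OAEPParams settings described above, shown with plain JCE calls rather than the WSS API. This is an added example, not IBM's code: the class name, the label value and the 2048-bit key are assumptions, and it needs Java 8 or later with a provider that supports `RSA/ECB/OAEPPadding`.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.*;

public class OaepParamsDemo {
    // rsa-oaep-mgf1p fixes the mask generation function to MGF1 with SHA-1;
    // only the digest method and the encoding octet string (OAEPParams) vary.
    static OAEPParameterSpec spec(String digest, byte[] oaepParams) {
        return new OAEPParameterSpec(digest, "MGF1", MGF1ParameterSpec.SHA1,
                new PSource.PSpecified(oaepParams));
    }

    // Generator side: wrap the data encryption key with the recipient's public key.
    static byte[] wrap(PublicKey pub, SecretKey dataKey, OAEPParameterSpec s)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPPadding");
        c.init(Cipher.WRAP_MODE, pub, s);
        return c.wrap(dataKey);
    }

    // Consumer side: unwrapping succeeds only with the generator's digest and params.
    static boolean unwraps(PrivateKey priv, byte[] wrapped, OAEPParameterSpec s) {
        try {
            Cipher c = Cipher.getInstance("RSA/ECB/OAEPPadding");
            c.init(Cipher.UNWRAP_MODE, priv, s);
            c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair rcpt = kpg.generateKeyPair();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        byte[] label = "constructed-label".getBytes(StandardCharsets.UTF_8); // sample value
        // The OAEPparams property value is the base 64 form of the octet string.
        System.out.println("OAEPparams value: " + Base64.getEncoder().encodeToString(label));
        byte[] w = wrap(rcpt.getPublic(), kg.generateKey(), spec("SHA-256", label));
        System.out.println("same settings:  " + unwraps(rcpt.getPrivate(), w, spec("SHA-256", label)));
        System.out.println("SHA-1 defaults: " + unwraps(rcpt.getPrivate(), w, spec("SHA-1", new byte[0])));
        System.out.println("wrong params:   " + unwraps(rcpt.getPrivate(), w, spec("SHA-256", new byte[0])));
    }
}
```

Only the first unwrap succeeds, which is why the consumer takes the digest method and OAEPParams from the incoming message instead of from its own configuration.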
Usage types | Description |
---|---|
Data encryption | Specifies the algorithm URI that is used for both encrypting and decrypting data. Encrypts and decrypts data in fixed size, multiple octet blocks. |
Key encryption | Specifies the algorithm URI that is used for encrypting and decrypting the encryption key. |
Data encryption
WebSphere® Application Server supports the following pre-configured data encryption algorithms:
Data encryption name | Algorithm URI |
---|---|
WSSEncryption.AES128 (the default value) | A URI of data encryption algorithm, AES 128: http://www.w3.org/2001/04/xmlenc#aes128-cbc |
WSSEncryption.AES192 | A URI of data encryption algorithm, AES 192: http://www.w3.org/2001/04/xmlenc#aes192-cbc |
WSSEncryption.AES256 | A URI of data encryption algorithm, AES 256: http://www.w3.org/2001/04/xmlenc#aes256-cbc |
WSSEncryption.TRIPLE_DES | A URI of data encryption algorithm, 3DES: http://www.w3.org/2001/04/xmlenc#tripledes-cbc |
Key encryption
WebSphere Application Server supports the following pre-configured key encryption algorithms:
Key encryption name | Algorithm URI |
---|---|
WSSEncryption.KW_AES128 | A URI of key encryption algorithm, key wrap AES 128: http://www.w3.org/2001/04/xmlenc#kw-aes128 |
WSSEncryption.KW_AES192 | A URI of key encryption algorithm, key wrap AES 192: http://www.w3.org/2001/04/xmlenc#kw-aes192 Restriction: Do not use the 192-bit key encryption algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP). |
WSSEncryption.KW_AES256 | A URI of key encryption algorithm, key wrap AES 256: http://www.w3.org/2001/04/xmlenc#kw-aes256 |
WSSEncryption.KW_RSA_OAEP (the default value) | A URI of key encryption algorithm, key wrap RSA OAEP: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p |
WSSEncryption.KW_RSA15 | A URI of key encryption algorithm, key wrap RSA 1.5: http://www.w3.org/2001/04/xmlenc#rsa-1_5 |
WSSEncryption.KW_TRIPLE_DES | http://www.w3.org/2001/04/xmlenc#kw-tripledes |
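A preflight check for a chosen pair of algorithm URIs from the tables above, covering the JCE policy requirement and the BSP restriction. This is an added example, not part of the WSS API: the class and method names are hypothetical, and the legacy flag for 3DES and RSA 1.5 is this example's own addition based on their known weaknesses, not a statement from the page.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;

public class EncryptionMethodPreflight {
    static final String NS = "http://www.w3.org/2001/04/xmlenc#";

    // AES key size in bits that an algorithm URI requires, or 0 if it is not AES.
    static int aesBits(String uri) {
        for (int bits : new int[] {128, 192, 256}) {
            if (uri.equals(NS + "aes" + bits + "-cbc") || uri.equals(NS + "kw-aes" + bits)) {
                return bits;
            }
        }
        return 0;
    }

    // maxAesBits is what the installed JCE policy permits for AES keys.
    static List<String> check(String dataUri, String keyUri, int maxAesBits) {
        List<String> findings = new ArrayList<>();
        for (String uri : new String[] {dataUri, keyUri}) {
            int need = aesBits(uri);
            if (need > maxAesBits) {
                findings.add(uri + ": needs " + need + "-bit AES but the JCE policy allows "
                        + maxAesBits + "; apply the unrestricted policy files");
            }
        }
        if (keyUri.equals(NS + "kw-aes192")) {
            findings.add(keyUri + ": not Basic Security Profile (BSP) compliant");
        }
        if (dataUri.equals(NS + "tripledes-cbc") || keyUri.equals(NS + "rsa-1_5")) {
            findings.add("legacy algorithm selected; prefer the defaults aes128-cbc and rsa-oaep-mgf1p");
        }
        return findings;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // 128 under the restricted policy, Integer.MAX_VALUE when unrestricted.
        int max = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("JCE policy allows AES keys up to " + max + " bits");
        // Constructed selections: the defaults, then two non-default combinations.
        System.out.println(check(NS + "aes128-cbc", NS + "rsa-oaep-mgf1p", max));
        System.out.println(check(NS + "aes256-cbc", NS + "kw-aes192", max));
        System.out.println(check(NS + "tripledes-cbc", NS + "rsa-1_5", max));
        // The second selection again, evaluated as if the restricted policy were installed.
        System.out.println(check(NS + "aes256-cbc", NS + "kw-aes192", 128));
    }
}
```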
To configure the encryption and encrypted part algorithm methods, use the WSSEncryption API, or configure policy sets using the administrative console.
The WSS API process completes the following high-level steps to specify which encryption methods to use when configuring the client for request encryption:
Procedure
Results
Example
The following example provides sample WSS API code using WSSEncryption.setEncryptionMethod() and WSSEncryption.setKeyEncryptionMethod().
// Imports for the WSS API classes used below
import com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext;
import com.ibm.websphere.wssecurity.wssapi.encryption.WSSEncryption;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;

// Get the message context
Object msgcontext = getMessageContext();
// Generate the WSSFactory instance
WSSFactory factory = WSSFactory.getInstance();
// Generate the WSSGenerationContext instance
WSSGenerationContext gencont = factory.newWSSGenerationContext();
// Generate callback handler
X509GenerateCallbackHandler callbackHandler = new X509GenerateCallbackHandler(
    "",
    "enc-sender.jceks",
    "jceks",
    "storepass".toCharArray(),
    "bob",
    null,
    "CN=Bob, O=IBM, C=US",
    null);
// Generate the security token used for encryption
SecurityToken token = factory.newSecurityToken(X509Token.class, callbackHandler);
// Generate WSSEncryption instance
WSSEncryption enc = factory.newWSSEncryption(token);
// Set the data encryption method
// DEFAULT: WSSEncryption.AES128
enc.setEncryptionMethod(WSSEncryption.TRIPLE_DES);
// Set the key encryption method
// DEFAULT: WSSEncryption.KW_RSA_OAEP
enc.setKeyEncryptionMethod(WSSEncryption.KW_RSA15);
// Add the WSSEncryption to the WSSGenerationContext
gencont.add(enc);
// Generate the WS-Security header
gencont.process(msgcontext);
What to do next
Next, if you want to add a transform algorithm, review the WSSEncryptPart API process task.