Choosing decryption methods for the consumer binding
To configure the client for response decryption for the consumer binding, specify which data and transform algorithm methods to use when the client decrypts the SOAP messages.
Before you begin
Prior to completing these steps, read the XML encryption information to become familiar with encrypting and decrypting SOAP messages.
To complete decryption configuration to secure SOAP messages, you must complete the following tasks:
- Configure decryption of the SOAP message parts
- Specify the decryption methods.
You can configure the decryption methods using the WSSDecryption and WSSDecryptPart APIs, or you can configure policy sets using the administrative console.
About this task
Some of the encryption-related definitions are based on the XML-Encryption specification. The following information defines some data encryption-related terms:
- Data encryption method algorithm
  Data encryption algorithms specify the algorithm uniform resource identifier (URI) of the data encryption method. This algorithm encrypts and decrypts data in fixed size, multiple octet blocks.
By default, the Java™ Cryptography Extension (JCE) is shipped with restricted or limited strength ciphers. To use 192-bit and 256-bit Advanced Encryption Standard (AES) encryption algorithms, you must apply unlimited jurisdiction policy files.
For the AES256-cbc and the AES192-cbc algorithms, you must download the unrestricted Java™ Cryptography Extension (JCE) policy files from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.
- Key encryption method algorithm
  Key encryption algorithms specify the algorithm uniform resource identifier (URI) of the key encryption method. The algorithm represents public key encryption algorithms that are specified for encrypting and decrypting keys.
By default, the RSA_OAEP algorithm uses the SHA1 message digest algorithm to compute a message digest as part of the encryption operation. Optionally, you can use the SHA256 or SHA512 message digest algorithm by specifying a key encryption algorithm property. The property name is: com.ibm.wsspi.wssecurity.enc.rsaoaep.DigestMethod. The property value is one of the following URIs of the digest method:
- http://www.w3.org/2001/04/xmlenc#sha256
- http://www.w3.org/2001/04/xmlenc#sha512
By default, the RSA_OAEP algorithm uses a null string for the optional encoding octet string for the OAEPParams. You can provide an explicit encoding octet string by specifying a key encryption algorithm property. For the property name, you can specify com.ibm.wsspi.wssecurity.enc.rsaoaep.OAEPparams. The property value is the base 64-encoded value of the octet string.
Important: You can set these digest method and OAEPParams properties on the generator side only. On the consumer side, these properties are read from the incoming SOAP message.
For the KW_AES256 and the KW_AES192 key encryption algorithms, you must download the unrestricted JCE policy files from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.
Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, you must check the laws of your country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.
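The RSA_OAEP digest method and OAEPParams settings described above can be reproduced with the standard JCE classes. The following is an added example, not WebSphere or IBM sample code: the class name, helper names and the label value are constructed for illustration, and it assumes a JCE provider that supports `RSA/ECB/OAEPPadding` with a specified label.

```java
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class OaepParamsDemo {
    // rsa-oaep-mgf1p style parameters: selectable digest, MGF1 with SHA-1,
    // and the OAEPParams octet string supplied base 64-encoded ("" = null string).
    static OAEPParameterSpec spec(String digest, String oaepParamsB64) {
        byte[] label = Base64.getDecoder().decode(oaepParamsB64);
        return new OAEPParameterSpec(digest, "MGF1", MGF1ParameterSpec.SHA1,
                new PSource.PSpecified(label));
    }

    static byte[] encryptKey(PublicKey pub, byte[] cek, OAEPParameterSpec p)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPPadding");
        c.init(Cipher.ENCRYPT_MODE, pub, p);
        return c.doFinal(cek);
    }

    // Returns the recovered key, or null when decryption fails
    // (for example because the digest or OAEPParams differ from the sender's).
    static byte[] decryptKey(PrivateKey priv, byte[] ct, OAEPParameterSpec p) {
        try {
            Cipher c = Cipher.getInstance("RSA/ECB/OAEPPadding");
            c.init(Cipher.DECRYPT_MODE, priv, p);
            return c.doFinal(ct);
        } catch (GeneralSecurityException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] cek = new byte[16]; // constructed 128-bit data encryption key
        new SecureRandom().nextBytes(cek);
        String label = Base64.getEncoder().encodeToString("constructed-label".getBytes());
        byte[] ct = encryptKey(kp.getPublic(), cek, spec("SHA-256", label));
        PrivateKey priv = kp.getPrivate();
        boolean match = Arrays.equals(cek, decryptKey(priv, ct, spec("SHA-256", label)));
        boolean sha1 = decryptKey(priv, ct, spec("SHA-1", label)) != null;
        boolean noLabel = decryptKey(priv, ct, spec("SHA-256", "")) != null;
        System.out.println("matching=" + match + " sha1Digest=" + sha1 + " emptyParams=" + noLabel);
    }
}
```

The encrypted key is recovered only when the consumer applies the same digest and OAEPParams as the generator, which is why the consumer takes both values from the incoming message rather than from local configuration.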
To complete the decryption configuration, you must specify the algorithm uniform resource identifier (URI) and its usage type. If the URI is used for multiple usage types, then you must define the URI for each usage type. WebSphere® Application Server supports the following decryption usage types:
Usage types | Description |
---|---|
Data encryption | Specifies the algorithm URI that is used for both encrypting and decrypting data. Encrypts and decrypts data in fixed size, multiple octet blocks. |
Key encryption | Specifies the algorithm URI that is used for encrypting and decrypting the encryption key. |
To configure the decryption and decrypted part algorithms, use the WSSDecryption and WSSDecryptPart APIs, or configure policy sets using the administrative console.
- Use the WSSDecryption API to configure the data encryption algorithm and the key encryption algorithm methods.
- Use the WSSDecryptPart API to configure a transform algorithm method.
The WSS API process completes the following high-level steps to specify which decryption and decrypted part algorithm methods to use when configuring the client for response decryption:
Procedure
Results
Example
The following example provides sample WSS API code for decrypting the body content as well as changing the data encryption and key encryption algorithms from the default values:
```java
import com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSConsumingContext;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.decryption.WSSDecryption;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;

// Get the message context
Object msgcontext = getMessageContext();

// Generate the WSSFactory instance
WSSFactory factory = WSSFactory.getInstance();

// Generate the WSSConsumingContext instance
WSSConsumingContext concont = factory.newWSSConsumingContext();

// Generate the callback handler
X509ConsumeCallbackHandler callbackHandler = new X509ConsumeCallbackHandler(
    "",
    "enc-sender.jceks",          // keystore file
    "jceks",                     // keystore type
    "storepass".toCharArray(),   // keystore password
    "alice",                     // key alias
    "keypass".toCharArray(),     // key password
    "CN=Alice, O=IBM, C=US");    // key name

// Generate WSSDecryption instance
WSSDecryption dec = factory.newWSSDecryption(X509Token.class, callbackHandler);

// Set the candidates for the data encryption method
// DEFAULT : WSSDecryption.AES128
dec.addAllowedEncryptionMethod(WSSDecryption.AES128);
dec.addAllowedEncryptionMethod(WSSDecryption.AES192);

// Set the candidates for the key encryption method
// DEFAULT : WSSDecryption.KW_RSA_OAEP
dec.addAllowedKeyEncryptionMethod(WSSDecryption.KW_TRIPLE_DES);

// Add the WSSDecryption to WSSConsumingContext
concont.add(dec);

// Validate the WS-Security header
concont.process(msgcontext);
```
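The sample above allows AES192, which works only when the unrestricted JCE policy files are in place. The following added check (not part of the IBM sample) reports which AES key sizes the running JVM permits for data encryption and key wrap; the class name is constructed, and the transformation names `AES/CBC/PKCS5Padding` and `AESWrap` are the standard JCE names, assumed to be available in the installed provider.

```java
import java.security.GeneralSecurityException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class JcePolicyCheck {
    // True when the installed policy lets this JVM initialise the cipher
    // with an AES key of the given size.
    static boolean usable(String transformation, int mode, int keyBits) {
        try {
            Cipher c = Cipher.getInstance(transformation);
            // All-zero key: used only to probe the policy, never to protect data.
            c.init(mode, new SecretKeySpec(new byte[keyBits / 8], "AES"));
            return true;
        } catch (GeneralSecurityException e) {
            return false; // typically InvalidKeyException: illegal key size
        }
    }

    static Map<String, Boolean> check() {
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (int bits : new int[] {128, 192, 256}) {
            result.put("AES-" + bits + " CBC (data encryption)",
                    usable("AES/CBC/PKCS5Padding", Cipher.ENCRYPT_MODE, bits));
            result.put("AES-" + bits + " key wrap (key encryption)",
                    usable("AESWrap", Cipher.WRAP_MODE, bits));
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Max allowed AES key length: "
                + Cipher.getMaxAllowedKeyLength("AES") + " bits");
        check().forEach((alg, ok) ->
                System.out.println((ok ? "OK      " : "BLOCKED ") + alg));
    }
}
```

Run it with the same JVM that hosts the client; a BLOCKED entry for 192 or 256 bits means the restricted policy files are still active for that runtime.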