You can configure the encryption information for the request
consumer (server side) and response consumer (client side) bindings
at the application level.
About this task
This task provides the steps that are needed for configuring
the encryption information for the request consumer (server side)
and response consumer (client side) bindings at the application level.
The encryption information on the consumer side is used for decrypting
the encrypted message parts in the incoming SOAP message.
Complete
the following steps to configure the encryption information for the
request consumer or response consumer section of the bindings file
on the application level:
Procedure
- Locate the Encryption information configuration panel in
the administrative console.
- Click Applications > Enterprise applications > application_name.
- Under Manage modules, click URI_name.
- Under Web Services Security Properties
you can access the encryption information for the request consumer
and response consumer bindings.
- For the request consumer (receiver) binding, click Web services:
Server security bindings. Under Request consumer (receiver) binding,
click Edit custom.
- For the response consumer (receiver) binding, click Web services:
Client security bindings. Under Response consumer (receiver) binding,
click Edit custom.
- Under Required properties, click Encryption information.
- Click New to create an encryption information
configuration, click Delete to delete an existing configuration,
or click the name of an existing encryption information configuration
to edit its settings. If you are creating a new configuration,
enter a name in the Encryption information name field. For
example, you might specify cons_encinfo.
- Select a data encryption algorithm from the Data encryption
algorithm field. The data encryption algorithm is used
for encrypting or decrypting parts of a SOAP message such as the SOAP
body or the username token. WebSphere Application Server supports
the following pre-configured algorithms:
- http://www.w3.org/2001/04/xmlenc#tripledes-cbc
- http://www.w3.org/2001/04/xmlenc#aes128-cbc
- http://www.w3.org/2001/04/xmlenc#aes256-cbc
To use this algorithm,
you must download the unrestricted Java Cryptography Extension (JCE)
policy file from the following Web site: http://www.ibm.com/developerworks/java/jdk/security/index.html.
- http://www.w3.org/2001/04/xmlenc#aes192-cbc
To use this algorithm,
you must download the unrestricted Java Cryptography Extension (JCE)
policy file from the following Web site: http://www.ibm.com/developerworks/java/jdk/security/index.html.
Do not use the 192-bit key encryption algorithm if
you want your configured application to be in compliance with the
Basic Security Profile (BSP).
Important: Your country of origin
might have restrictions on the import, possession, use, or re-export
to another country, of encryption software. Before downloading or
using the unrestricted policy files, you must check the laws of your
country, its regulations, and its policies concerning the import,
possession, use, and re-export of encryption software, to determine
if it is permitted.
The data encryption algorithm that you select for the consumer
side must match the data encryption method that you select for the
generator side.
- Select a key encryption algorithm from the Key encryption
algorithm field. The key encryption algorithm is used
for encrypting the key that is used for encrypting the message parts
within the SOAP message. Select (none) if the data encryption
key, which is the key that is used for encrypting the message parts,
is not encrypted. WebSphere Application Server supports the following
pre-configured algorithms:
- http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
When
running with Software Development Kit (SDK) Version 1.4, the list
of supported key transport algorithms does not include this one. This
algorithm appears in the list of supported key transport algorithms
when running with SDK Version 1.5.
Restriction: This algorithm
is not supported when the WebSphere Application Server is running
in Federal Information Processing Standard (FIPS) mode.
- http://www.w3.org/2001/04/xmlenc#rsa-1_5
- http://www.w3.org/2001/04/xmlenc#kw-tripledes
- http://www.w3.org/2001/04/xmlenc#kw-aes128
- http://www.w3.org/2001/04/xmlenc#kw-aes256
To use this algorithm, you must download the unrestricted Java Cryptography Extension
(JCE) policy file from the following Web site: http://www.ibm.com/developerworks/java/jdk/security/index.html.
- http://www.w3.org/2001/04/xmlenc#kw-aes192
To use the http://www.w3.org/2001/04/xmlenc#kw-aes192
algorithm, you must download the unrestricted Java Cryptography Extension
(JCE) policy file from the following Web site: http://www.ibm.com/developerworks/java/jdk/security/index.html.
Do not use the 192-bit key encryption algorithm if
you want your configured application to be in compliance with the
Basic Security Profile (BSP).
The key encryption algorithm that you select for the consumer
side must match the key encryption method that you select for the
generator side.
- Optional: Select a part reference in the Part
reference field. The part reference specifies the name
of the message part that is encrypted and is defined in the deployment
descriptor. For example, you can encrypt the bodycontent message part
in the deployment descriptor. The name of this Required Confidentiality
part is conf_con. This message part is shown as an option
in the Part reference field.
- Under Additional properties, click Key information references.
- Click New to create a key information configuration,
click Delete to delete an existing configuration, or click
the name of an existing key information configuration to edit its
settings. If you are creating a new configuration, enter
a name in the Name field. For example, you might specify con_ekeyinfo.
This entry is the name of the <encryptionKeyInfo> element in the
binding file.
- Select a key information reference from the Key information
reference field. This reference is the value of the
keyinfoRef attribute of the <encryptionKeyInfo> element and it
is the name of the <keyInfo> element that is referenced by this
key information reference. Each key information reference entry generates
an <encryptionKeyInfo> element under the <encryptionInfo> element
in the binding configuration file. For example, if you enter con_ekeyinfo in
the Name field and dec_keyinfo in the Key information
reference field, the following <encryptionKeyInfo> element
is generated in the binding file:
<encryptionKeyInfo xmi:id="EncryptionKeyInfo_1085092248843"
keyinfoRef="dec_keyinfo" name="con_ekeyinfo"/>
- Click OK and then click Save to save the
configuration.
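The following added example (not part of the IBM documentation, and not WebSphere code) models the consumer-side fields from the procedure above and checks the constraints the text states before the configuration is saved: the consumer's data and key encryption algorithms must match the generator's, the 192-bit algorithms are not BSP-compliant, rsa-oaep-mgf1p is unavailable in FIPS mode, and the AES-192/256 algorithms need the unrestricted JCE policy files. It also renders the <encryptionKeyInfo> element shown in the key information reference step; the generator binding's field values and the EncryptionInfo class are constructed for the example, and the xmi:id default is a placeholder for the id the console assigns.

```python
from dataclasses import dataclass, field

XMLENC = "http://www.w3.org/2001/04/xmlenc#"
# Algorithms the procedure says need the unrestricted JCE policy files.
NEEDS_UNRESTRICTED_JCE = {XMLENC + a for a in
                          ("aes192-cbc", "aes256-cbc", "kw-aes192", "kw-aes256")}
# 192-bit algorithms are excluded for Basic Security Profile (BSP) compliance.
NOT_BSP = {XMLENC + "aes192-cbc", XMLENC + "kw-aes192"}
# Not available while the server runs in FIPS mode.
NOT_FIPS = {XMLENC + "rsa-oaep-mgf1p"}


@dataclass
class EncryptionInfo:
    """Constructed model of one Encryption information configuration (consumer or generator)."""
    name: str                 # Encryption information name, e.g. cons_encinfo
    data_algorithm: str       # Data encryption algorithm (SOAP body, username token, ...)
    key_algorithm: str        # Key encryption algorithm, or "(none)" if the data key is unencrypted
    part_reference: str = ""  # Optional part reference from the deployment descriptor, e.g. conf_con
    key_info_refs: dict = field(default_factory=dict)  # key information name -> keyinfoRef


def check_consumer(consumer, generator, fips_mode=False, require_bsp=False,
                   unrestricted_jce=False):
    """Return the problems found with a consumer binding; an empty list means it is consistent."""
    findings = []
    if consumer.data_algorithm != generator.data_algorithm:
        findings.append("data encryption algorithm differs from the generator side")
    if consumer.key_algorithm != generator.key_algorithm:
        findings.append("key encryption algorithm differs from the generator side")
    for alg in (consumer.data_algorithm, consumer.key_algorithm):
        if alg in NEEDS_UNRESTRICTED_JCE and not unrestricted_jce:
            findings.append(f"{alg} requires the unrestricted JCE policy files")
        if require_bsp and alg in NOT_BSP:
            findings.append(f"{alg} is not Basic Security Profile compliant")
        if fips_mode and alg in NOT_FIPS:
            findings.append(f"{alg} is not supported in FIPS mode")
    if not consumer.key_info_refs:
        findings.append("no key information reference configured under Additional properties")
    return findings


def encryption_key_info_xml(name, keyinfo_ref, xmi_id="EncryptionKeyInfo_PLACEHOLDER"):
    """Render the <encryptionKeyInfo> element written for one key information reference.
    The console assigns the real xmi:id; PLACEHOLDER stands in for it here."""
    return f'<encryptionKeyInfo xmi:id="{xmi_id}" keyinfoRef="{keyinfo_ref}" name="{name}"/>'


if __name__ == "__main__":
    consumer = EncryptionInfo("cons_encinfo", XMLENC + "aes128-cbc", XMLENC + "rsa-1_5",
                              "conf_con", {"con_ekeyinfo": "dec_keyinfo"})
    generator = EncryptionInfo("gen_encinfo", XMLENC + "aes128-cbc", XMLENC + "rsa-1_5")
    print(check_consumer(consumer, generator) or "consumer binding is consistent")
    print(encryption_key_info_xml("con_ekeyinfo", "dec_keyinfo"))
```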
Results
You have configured the encryption information for the consumer
binding at the application level.
What to do next
You must specify a similar encryption information configuration
for the generator.