Use this page to configure the encryption and decryption
parameters. You can use these parameters to encrypt and decrypt various
parts of the message, including the body and the token.
To view the administrative console panel for the encryption information on the cell level, complete the following steps:
- Click Security > Web services.
- Under either Default generator bindings or Default consumer bindings,
click Encryption information.
- Click New to create a new encryption configuration or click
the name of an existing encryption configuration.
To view the administrative console panel for the encryption information
on the server level, complete the following steps:
- Click Servers > Application servers > server_name.
- Under Security, click Web services: Default bindings for Web
services security.
- Under either Default generator bindings or Default consumer bindings,
click Encryption information.
- Click New to create a new encryption configuration or click
the name of an existing encryption configuration.
To view this administrative console page for the encryption information
on the application level, complete the following steps:
- Click Applications > Enterprise applications > application_name.
- Under Modules, click Module update > module_name.
Under Web Services Security Properties, you can access encryption information for the following bindings:
- For the Request generator, click Web services: Client security
bindings. Under Request generator (sender) binding, click Edit
custom. Under Required properties, click Encryption information.
- For the Request consumer, click Web services: Server security
bindings. Under Request consumer (receiver) binding, click Edit
custom. Under Required properties, click Encryption information.
- For the Response generator, click Web services: Server security
bindings. Under Response generator (sender) binding, click Edit
custom. Under Required properties, click Encryption information.
- For the Response consumer, click Web services: Client security
bindings. Under Response consumer (receiver) binding, click Edit
custom. Under Required properties, click Encryption information.
- Click either New to create a new encryption configuration
or click the name of an existing encryption configuration.
Specifies the algorithm Uniform Resource Identifier (URI)
of the data encryption method.
The following algorithms are supported:
By default, the Java Cryptography Extension (JCE) is shipped with
restricted or limited strength ciphers. To use 192-bit and 256-bit
Advanced Encryption Standard (AES) encryption algorithms, you must
apply unlimited jurisdiction policy files. For more information, see
the Key encryption algorithm field description.
Specifies the name of the key locator configuration that
retrieves the key for XML digital signature and XML encryption.
The Key locator reference field is displayed for the request receiver
and response receiver bindings, which are used by Version 5.x applications.
You can configure these key locator reference options on the server level, the cell level, and the application level. The configurations that are listed in the field are a combination of the configurations on these three levels.
You can specify an encryption key configuration for the following
bindings on the following levels:
| Binding name | Server level, cell level, or application level | Path |
|---|---|---|
| Default generator binding | Cell level | Click Security > Web services. Under Additional properties, click Key locators. |
| Default consumer binding | Cell level | Click Security > Web services. Under Additional properties, click Key locators. |
| Default generator binding | Server level | Click Servers > Application servers > server_name. Under Security, click Web services: Default bindings for Web services security. Under Additional properties, click Key locators. |
| Default consumer binding | Server level | Click Servers > Application servers > server_name. Under Security, click Web services: Default bindings for Web services security. Under Additional properties, click Key locators. |
| Request sender | Application level | Click Applications > Enterprise applications > application_name. Click Manage modules > URI_name. Click Web services: Client security bindings. Under Request sender binding, click Edit. Under Additional properties, click Key locators. |
| Request receiver | Application level | Click Applications > Enterprise applications > application_name. Click Manage modules > URI_name. Click Web services: Server security bindings. Under Request receiver binding, click Edit. Under Additional properties, click Key locators. |
| Response sender | Application level | Click Applications > Enterprise applications > application_name. Click Manage modules > URI_name. Click Web services: Server security bindings. Under Response sender binding, click Edit. Under Additional properties, click Key locators. |
| Response receiver | Application level | Click Applications > Enterprise applications > application_name. Click Manage modules > URI_name. Click Web services: Client security bindings. Under Response receiver binding, click Edit. Under Additional properties, click Key locators. |
Specifies the algorithm Uniform Resource Identifier (URI)
of the key encryption method.
The following algorithms are provided by the application server:
- http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
  When running with Software Development Kit (SDK) Version 1.4, the list of supported key transport algorithms does not include this one. This algorithm appears in the list of supported key transport algorithms when running with Software Development Kit (SDK) Version 1.5 or later.
  By default, the RSA-OAEP algorithm uses the SHA1 message digest algorithm to compute a message digest as part of the encryption operation. Optionally, you can use the SHA256 or SHA512 message digest algorithm by specifying a key encryption algorithm property. The property name is com.ibm.wsspi.wssecurity.enc.rsaoaep.DigestMethod. The property value is one of the following URIs of the digest method:
  - http://www.w3.org/2001/04/xmlenc#sha256
  - http://www.w3.org/2001/04/xmlenc#sha512
  By default, the RSA-OAEP algorithm uses a null string for the optional encoding octet string for the OAEPParams. You can provide an explicit encoding octet string by specifying a key encryption algorithm property. For the property name, you can specify com.ibm.wsspi.wssecurity.enc.rsaoaep.OAEPparams. The property value is the base 64-encoded value of the octet string.
  Important: You can set these digest method and OAEPParams properties on the generator side only. On the consumer side, these properties are read from the incoming SOAP message.
- http://www.w3.org/2001/04/xmlenc#rsa-1_5
- http://www.w3.org/2001/04/xmlenc#kw-tripledes
- http://www.w3.org/2001/04/xmlenc#kw-aes128
- http://www.w3.org/2001/04/xmlenc#kw-aes192
Do not use the 192-bit data encryption algorithm
if you want your configured application to be in compliance with the
Basic Security Profile (BSP).
- http://www.w3.org/2001/04/xmlenc#kw-aes256
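As an added illustration (not code from the original page or from the application server), the following Python script parses a constructed SOAP message and reports what a consumer reads from it: the key encryption algorithm, the RSA-OAEP DigestMethod (SHA1 when absent) and the base64-decoded OAEPparams, and the data encryption algorithm, then flags the 192-bit algorithms excluded by the Basic Security Profile note and the 192-bit and 256-bit AES algorithms that require the unlimited jurisdiction policy files. The aes192-cbc and aes256-cbc data encryption URIs are the standard XML Encryption identifiers and are an assumption here, since the page's own data encryption algorithm list is not shown above.

```python
import base64
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
# 192/256-bit AES needs the unlimited JCE policy files; the 192-bit ones are not BSP compliant.
NEEDS_UNLIMITED = {XENC + a for a in ("kw-aes192", "kw-aes256", "aes192-cbc", "aes256-cbc")}
NOT_BSP = {XENC + "kw-aes192", XENC + "aes192-cbc"}

# Constructed message (not captured from a server): RSA-OAEP EncryptedKey with the optional
# DigestMethod and OAEPparams, wrapping an AES-256-CBC EncryptedData in the Body.
SAMPLE = f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:xenc="{XENC}" xmlns:ds="{DS}">
<soap:Header><wsse:Security>
 <xenc:EncryptedKey Id="EK-1">
  <xenc:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p">
   <ds:DigestMethod Algorithm="{XENC}sha256"/>
   <xenc:OAEPparams>bGFiZWw=</xenc:OAEPparams>
  </xenc:EncryptionMethod>
  <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
 </xenc:EncryptedKey>
</wsse:Security></soap:Header>
<soap:Body><xenc:EncryptedData Id="ED-1" Type="{XENC}Content">
 <xenc:EncryptionMethod Algorithm="{XENC}aes256-cbc"/>
 <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData></soap:Body></soap:Envelope>"""


def inspect_encryption(xml_text):
    """What the consumer reads from an incoming message: key transport algorithm, the RSA-OAEP
    digest method (SHA1 when absent) and decoded OAEPparams, the data algorithm, and two checks."""
    root = ET.fromstring(xml_text)
    enc_key = root.find(f".//{{{XENC}}}EncryptedKey")
    key_method = enc_key.find(f"{{{XENC}}}EncryptionMethod")
    digest = key_method.find(f"{{{DS}}}DigestMethod")
    params = key_method.find(f"{{{XENC}}}OAEPparams")
    # Follow the DataReference to the EncryptedData block this key wraps.
    ref = enc_key.find(f".//{{{XENC}}}DataReference").get("URI").lstrip("#")
    data = next(e for e in root.iter(f"{{{XENC}}}EncryptedData") if e.get("Id") == ref)
    data_alg = data.find(f"{{{XENC}}}EncryptionMethod").get("Algorithm")
    algs = {key_method.get("Algorithm"), data_alg}
    return {
        "key_algorithm": key_method.get("Algorithm"),
        "oaep_digest": digest.get("Algorithm") if digest is not None else DS + "sha1",
        "oaep_params": base64.b64decode(params.text) if params is not None else b"",
        "data_algorithm": data_alg,
        "needs_unlimited_policy": bool(algs & NEEDS_UNLIMITED),
        "bsp_compliant": not (algs & NOT_BSP),
    }
```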
Application server platforms and IBM Developer Kit, Java Technology Edition Version 1.4.2
By default, the Java Cryptography Extension (JCE) ships with restricted or limited strength ciphers. To use 192-bit and 256-bit Advanced Encryption Standard (AES) encryption algorithms, you must apply unlimited jurisdiction policy files. Before downloading these policy files, back up the existing policy files (local_policy.jar and US_export_policy.jar in the WAS_HOME/jre/lib/security/ directory) prior to overwriting them in case you want to restore the original files later.
Attention: Fix packs that include updates to the Software Development
Kit (SDK) might overwrite unrestricted policy files. Back up unrestricted
policy files before you apply a fix pack and reapply these files after
the fix pack is applied.
Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, you must check the laws of your country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.
To download the policy files, complete one of the following sets of steps:
After following either of these sets of steps, two Java archive
(JAR) files are placed in the Java virtual machine (JVM)
jre/lib/security/ directory.
Application server platform and IBM Developer Kit, Java Technology Edition Version 5
By default, the Java Cryptography Extension (JCE) ships with restricted or limited strength ciphers. To use 192-bit and 256-bit Advanced Encryption Standard (AES) encryption algorithms, you must apply unlimited jurisdiction policy files. Before downloading these policy files, back up the existing policy files (local_policy.jar and US_export_policy.jar in the WAS_HOME/jre/lib/security/ directory) prior to overwriting them in case you want to restore the original files later.
Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, you must check the laws of your country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.
To download the policy files, complete one of the following sets of steps:
- For application server platforms using IBM Developer Kit, Java
Technology Edition Version 5, you can obtain unlimited jurisdiction
policy files by completing the following steps:
- Go to the following Web site: IBM developer works: Security Information
- Click Java 5
- Click IBM SDK Policy files. The Unrestricted JCE Policy files for SDK 5 Web site is displayed.
- Enter your user ID and password or register with IBM to download
the policy files. The policy files are downloaded onto your machine.
After following these sets of steps, two Java archive (JAR) files
are placed in the Java virtual machine (JVM)
jre/lib/security/ directory.
IBM Software Development Kit Version 1.4:
For i5/OS and IBM Software Development Kit Version 1.4, the tuning of Web services security is not required. The unrestricted jurisdiction policy files for IBM Software Development Kit Version 1.4 are automatically configured when the prerequisite software is installed.
- For the i5/OS V5R3 and IBM Software Development Kit Version 1.4,
install product 5722AC3, Crypto Access Provider 128-bit.
- For the i5/OS V5R4 and IBM Software Development Kit Version 1.4,
install product 5722SS1 Option 3, Extended Base Directory Support.
IBM Software Development Kit Version 1.5:
For i5/OS (both V5R3 and V5R4) and IBM Software Development Kit 1.5, the restricted JCE jurisdiction policy files are configured by default. You can download the unrestricted JCE jurisdiction policy files from the following Web site: IBM developer works: Security Information, Version 5
Note: If Java 2 Standard Edition (J2SE) 32-bit for i5/OS is the enabled Java virtual machine (JVM) for your profile, substitute /QOpenSys/QIBM/ProdData/JavaVM/jdk50/32bit/jre for /QIBM/ProdData/Java400/jdk15 as the path name in the following steps.
Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, you must check the laws of your country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.
To configure the unrestricted jurisdiction policy files
for the i5/OS operating system and the IBM Software Development Kit
Version 1.5:
- Make backup copies of these files:
/QIBM/ProdData/Java400/jdk15/lib/security/local_policy.jar
/QIBM/ProdData/Java400/jdk15/lib/security/US_export_policy.jar
- Download the unrestricted policy files from IBM developer works: Security Information to
the /QIBM/ProdData/Java400/jdk15/lib/security directory.
- Go to this Web site: http://www.ibm.com/developerworks/java/jdk/security/index.html
- Click J2SE 5.0.
- Scroll down and click IBM SDK Policy files. The Unrestricted
JCE Policy files for the SDK Web site is displayed.
- Click Sign in and provide your IBM intranet ID and password.
- Select the appropriate unrestricted JCE policy files, and then
click Continue.
- View the license agreement, and then click I Agree.
- Click Download Now.
- Use the DSPAUT command to ensure that *PUBLIC is granted *RX data authority, but also ensure that no object authority is provided to either the local_policy.jar or the US_export_policy.jar file in the /QIBM/ProdData/Java400/jdk15/lib/security directory. For example:
DSPAUT OBJ('/qibm/proddata/java400/jdk15/lib/security/local_policy.jar')
- Use the CHGAUT command to change authorization, if needed. For
example:
CHGAUT OBJ('/qibm/proddata/java400/jdk15/lib/security/local_policy.jar')
USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*NONE)
Custom algorithms on the cell level
To specify custom algorithms on the cell level, complete the following steps:
- Click Security > Web services.
- Under Additional properties, click Algorithm mappings.
- Click New to specify a new algorithm mapping or click the
name of an existing configuration to modify its settings.
- Under Additional properties, click Algorithm URI.
- Click New to create a new algorithm URI. You must specify Key
encryption in the Algorithm type field to have the configuration
display in the Key encryption algorithm field on the Encryption
information configuration settings panel.
Custom algorithms on the server level
To specify custom algorithms on the server level, complete the following steps:
- Click Servers > Application servers > server_name.
- Under Security, click Web services: Default bindings for Web
services security.
- Under Additional properties, click Algorithm mappings.
- Click New to specify a new algorithm mapping or click the
name of an existing configuration to modify its settings.
- Under Additional properties, click Algorithm URI.
- Click New to create a new algorithm URI. You must specify Key
encryption in the Algorithm type field to have the configuration
display in the Key encryption algorithm field on the Encryption
information configuration settings panel.
Specifies the name of the key information reference that
is used for encryption. This reference is resolved to the actual key
by the specified key locator and defined in the key information.
You must specify either one or no encryption key
configurations for the request generator and response generator bindings.
For the response consumer and the request consumer
bindings, you can configure multiple encryption key references. To
create a new encryption key reference, under Additional properties,
click Key information references.
You can specify an encryption key configuration for the following
bindings on the following levels:
| Binding name | Server level, cell level, or application level | Path |
|---|---|---|
| Default generator binding | Cell level | Click Security > Web services. Under Default generator binding, click Key information. |
| Default consumer binding | Cell level | Click Security > Web services. Under Default consumer binding, click Key information. |
| Default generator binding | Server level | Click Servers > Application servers > server_name. Under Security, click Web services: Default bindings for Web services security. Under Default generator binding, click Key information. |
| Default consumer binding | Server level | Click Servers > Application servers > server_name. Under Security, click Web services: Default bindings for Web services security. Under Default consumer binding, click Key information. |
| Request generator (sender) binding | Application level | Click Applications > Enterprise applications > application_name. Click Manage modules > URI_name. Under Web Services Security Properties, click Web services: Client security bindings. Under Request generator (sender) binding, click Edit custom. Under Required properties, click Key information. |
| Response generator (sender) binding | Application level | Click Applications > Enterprise applications > application_name. Click Manage modules > URI_name. Under Web Services Security Properties, click Web services: Server security bindings. Under Response generator (sender) binding, click Edit custom. Under Required properties, click Key information. |
Specifies the name of the <confidentiality> element
for the generator binding or the <requiredConfidentiality> element
for the consumer binding element in the deployment descriptor.
This field is available on the application level only.