Use this page to configure the encryption and decryption
parameters for the signature method, digest method, and canonicalization
method.
The specifications that are listed on this page for the signature method, digest method, and canonicalization method are located in the World Wide Web Consortium (W3C) document entitled XML Encryption Syntax and Processing: W3C Recommendation 10 Dec 2002.
To view this administrative console page, complete the following steps:
- Click Applications > Enterprise Applications > application_name and complete one of the following steps:
  - Click Manage modules > URI_file_name > Web Services: Client Security Bindings. Under Request sender binding, click Edit. Under Web Service Security Properties, click Encryption Information.
  - Click Manage modules > URI_file_name > Web Services: Server Security Bindings. Under Response sender binding, click Edit. Under Web Service Security Properties, click Encryption Information.
- Select None or Dedicated encryption information.
The application server can have either one or no encryption configurations
for the request sender and the response sender bindings. If you are
not using encryption, select None. To configure encryption
for either of these two bindings, select Dedicated encryption information and
specify the configuration settings using the fields that are described
in this topic.
Key locator reference
Specifies the name that is used to reference the key locator.
You can configure these key locator reference options on the cell level, the server level, and the application level. The configurations that are listed in the field are a combination of the configurations on these three levels.
To configure the key locators on the cell level, complete the following steps:
- Click Security > Web services.
- Under Additional properties, click Key locators.
To configure the key locators on the server level, complete the
following steps:
- Click Servers > Application servers > server_name.
- Under Security, click Web services: Default bindings for Web
services security.
- Under Additional properties, click Key locators.
To configure the key locators on the application level, complete the following steps:
- Click Applications > Enterprise applications > application_name.
- Click Manage modules > URI_name.
- Under Web Service Security Properties, you can access the key locators for the following bindings:
  - For the Request sender, click Web services: Client security bindings. Under Request sender binding, click Edit. Under Additional properties, click Key locators.
  - For the Request receiver, click Web services: Server security bindings. Under Request receiver binding, click Edit. Under Additional properties, click Key locators.
  - For the Response sender, click Web services: Server security bindings. Under Response sender binding, click Edit. Under Additional properties, click Key locators.
  - For the Response receiver, click Web services: Client security bindings. Under Response receiver binding, click Edit. Under Additional properties, click Key locators.
Key encryption algorithm
Specifies the algorithm uniform resource identifier (URI) of the key encryption method.
The following algorithms are supported:
- http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.
  When running with IBM Software Development Kit (SDK) Version 1.4, the list of supported key transport algorithms does not include this one. This algorithm appears in the list of supported key transport algorithms when running with JDK 1.5 or later.
  By default, the RSA-OAEP algorithm uses the SHA1 message digest algorithm to compute a message digest as part of the encryption operation. Optionally, you can use the SHA256 or SHA512 message digest algorithm by specifying a key encryption algorithm property. The property name is com.ibm.wsspi.wssecurity.enc.rsaoaep.DigestMethod. The property value is one of the following digest method URIs:
  - http://www.w3.org/2001/04/xmlenc#sha256
  - http://www.w3.org/2001/04/xmlenc#sha512
  By default, the RSA-OAEP algorithm uses a null string for the optional encoding octet string for the OAEPParams. You can provide an explicit encoding octet string by specifying a key encryption algorithm property. The property name is com.ibm.wsspi.wssecurity.enc.rsaoaep.OAEPparams. The property value is the base64-encoded value of the octet string.
  Important: You can set these digest method and OAEPParams properties on the generator side only. On the consumer side, these properties are read from the incoming SOAP message.
- http://www.w3.org/2001/04/xmlenc#rsa-1_5.
- http://www.w3.org/2001/04/xmlenc#kw-tripledes.
- http://www.w3.org/2001/04/xmlenc#kw-aes128.
- http://www.w3.org/2001/04/xmlenc#kw-aes192.
  To use the 192-bit key encryption algorithm, you must download the unrestricted Java Cryptography Extension (JCE) policy file.
  Note: Do not use the 192-bit key encryption algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP).
- http://www.w3.org/2001/04/xmlenc#kw-aes256.
  To use the 256-bit key encryption algorithm, you must download the unrestricted JCE policy file.
  Note: If an InvalidKeyException error occurs and you are using the 192-bit or 256-bit encryption algorithm, the unrestricted policy files might not exist in your configuration.
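An added example (not from this page or from the product itself) that shows what the generator-side DigestMethod and OAEPparams settings for rsa-oaep-mgf1p correspond to in plain JCE terms, and why the consumer must take the same two values from the incoming EncryptedKey element instead of assuming the SHA1 default. The RSA key pair, the data encryption key, and the OAEPparams octet string are constructed sample values.

```java
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class RsaOaepKeyTransportDemo {
    // xmlenc#rsa-oaep-mgf1p fixes the mask generation function to MGF1 with SHA-1; only
    // the digest (DigestMethod) and the OAEPparams octet string vary, which is what the
    // two com.ibm.wsspi.wssecurity.enc.rsaoaep.* properties set on the generator side.
    static Cipher oaepCipher(int mode, Key key, String digest, byte[] oaepParams)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPPadding");
        c.init(mode, key, new OAEPParameterSpec(digest, "MGF1",
                MGF1ParameterSpec.SHA1, new PSource.PSpecified(oaepParams)));
        return c;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair();   // consumer's key pair (sample)
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey dataKey = kg.generateKey();         // data encryption key to transport
        // Generator-side values: DigestMethod = ...#sha256 and a constructed OAEPparams
        // value supplied, as in the property, as base64 (decodes to "sample-oaep-params").
        String digestMethod = "SHA-256";
        byte[] oaepParams = Base64.getDecoder().decode("c2FtcGxlLW9hZXAtcGFyYW1z");
        byte[] encryptedKey = oaepCipher(Cipher.WRAP_MODE, recipient.getPublic(),
                digestMethod, oaepParams).wrap(dataKey);
        // Consumer side: both values are read from the incoming EncryptedKey element,
        // so unwrapping with the same values recovers the data key.
        Key recovered = oaepCipher(Cipher.UNWRAP_MODE, recipient.getPrivate(),
                digestMethod, oaepParams).unwrap(encryptedKey, "AES", Cipher.SECRET_KEY);
        System.out.println("matching digest and OAEPparams: "
                + Arrays.equals(recovered.getEncoded(), dataKey.getEncoded()));
        // A consumer that ignored the message and assumed the SHA1 default would fail.
        try {
            oaepCipher(Cipher.UNWRAP_MODE, recipient.getPrivate(), "SHA-1", oaepParams)
                    .unwrap(encryptedKey, "AES", Cipher.SECRET_KEY);
            System.out.println("unexpected: unwrap succeeded with the wrong digest");
        } catch (InvalidKeyException e) {
            System.out.println("SHA-1 assumed instead of SHA-256: " + e.getMessage());
        }
    }
}
```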
Java Cryptography Extension
By default, the Java Cryptography Extension (JCE) is shipped with restricted or limited strength ciphers. To use 192-bit and 256-bit Advanced Encryption Standard (AES) encryption algorithms, you must apply unlimited jurisdiction policy files.
Note: Before you download and install these policy files, back up the existing policy files (local_policy.jar and US_export_policy.jar in the WAS_HOME/jre/lib/security/ directory) so that you can restore the original files later.
Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country of encryption software. Before downloading or using the unrestricted policy files, you must check the laws, regulations, and policies of your country concerning the import, possession, use, and re-export of encryption software to determine whether it is permitted.
Application server platforms and IBM Developer Kit, Java Technology Edition Version 1.4.2
For application server platforms using IBM Developer Kit, Java Technology Edition Version 1.4.2, complete the following steps to obtain unlimited jurisdiction policy files:
- Go to the following Web site: IBM developer kit: Security information.
- Click Java 1.4.2.
- Click IBM SDK Policy files. The Unrestricted JCE Policy files for SDK 1.4 Web site is displayed.
- Enter your user ID and password or register with IBM to download the policy files. The policy files are downloaded onto your machine.
After completing these steps, two Java archive (JAR) files are placed in the Java virtual machine (JVM) jre/lib/security/ directory.
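An added example (not from this page or from the product) of the InvalidKeyException case described above: it attempts the kw-aes128, kw-aes192 and kw-aes256 key wrap that the key encryption algorithm field selects and, when the wrap fails, uses Cipher.getMaxAllowedKeyLength to tell a restricted JCE policy apart from any other cause. The key-encrypting key is a constructed all-zero value standing in for the one the configured key locator would supply.

```java
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class AesKeyWrapPolicyCheck {
    // Key-encrypting-key size implied by each xmlenc key wrap URI listed on this page.
    static int kekBitsFor(String algorithmUri) {
        switch (algorithmUri) {
            case "http://www.w3.org/2001/04/xmlenc#kw-aes128": return 128;
            case "http://www.w3.org/2001/04/xmlenc#kw-aes192": return 192;
            case "http://www.w3.org/2001/04/xmlenc#kw-aes256": return 256;
            default: throw new IllegalArgumentException("not an AES key wrap URI: " + algorithmUri);
        }
    }

    // Wraps a fresh 128-bit data key under a KEK of the size the URI requires and
    // reports whether a failure is the restricted-policy case from the note above.
    static String tryKeyWrap(String algorithmUri) throws GeneralSecurityException {
        int kekBits = kekBitsFor(algorithmUri);
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey dataKey = kg.generateKey();
        // Constructed all-zero KEK for the demonstration only; in the product the
        // KEK comes from the configured key locator.
        SecretKeySpec kek = new SecretKeySpec(new byte[kekBits / 8], "AES");
        try {
            Cipher wrap = Cipher.getInstance("AESWrap");
            wrap.init(Cipher.WRAP_MODE, kek);   // throws InvalidKeyException under a restricted policy
            return algorithmUri + ": wrapped key is " + wrap.wrap(dataKey).length + " bytes";
        } catch (InvalidKeyException e) {
            int maxBits = Cipher.getMaxAllowedKeyLength("AES");
            if (maxBits < kekBits) {
                return algorithmUri + ": InvalidKeyException; JCE policy limits AES to "
                        + maxBits + " bits, so the unrestricted policy files are missing";
            }
            throw e;   // some other cause, not a policy-file problem
        }
    }

    public static void main(String[] args) throws Exception {
        for (String uri : new String[] {
                "http://www.w3.org/2001/04/xmlenc#kw-aes128",
                "http://www.w3.org/2001/04/xmlenc#kw-aes192",
                "http://www.w3.org/2001/04/xmlenc#kw-aes256"}) {
            System.out.println(tryKeyWrap(uri));
        }
    }
}
```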
Data encryption algorithm
Specifies the algorithm uniform resource identifier (URI) of the data encryption method.
The following algorithms are supported:
By default, the JCE ships with restricted or limited strength ciphers. To use 192-bit and 256-bit AES encryption algorithms, you must apply unlimited jurisdiction policy files. For more information, see the Key encryption algorithm field description.