Introduction
This tutorial is about creating secure encrypted communications in a cross-platform environment. It describes how to configure XML encryption for an application service and then create a secure client that uses the same encryption settings and security certificates to communicate with that service. This scenario can be implemented in any number of different permutations of open standards platforms. In Resources, you'll find other tutorials on how to create secure communications between platforms. However, if you are a .NET user, you may have to use the process described in this example. It shows one common scenario of a .NET client connecting to a waiting service running on IBM(R) WebSphere(R) Application Server. It demonstrates interaction not only between application platforms but also between components written in different programming languages. This tutorial shows how to connect a .NET client to a Java Web service using XML encryption. Along the way, you will see how to create the Web service and configure it with your own security certificates. You will also see how to create and configure the clients, and what interoperability pitfalls exist when working with .NET.
In this tutorial, we will:
- Create a simple online bookstore Web service with WebSphere Studio Application Developer, starting from a Web Services Description Language (WSDL) document.
- Configure this Web service for XML encryption.
- Write a Visual Basic .NET client for this Web service and configure it to use the same XML encryption settings and security certificates that the Web service uses.
- Test this .NET client.
- See what interoperability pitfalls exist when working with .NET.
This tutorial is designed to show how to link a .NET client written in Visual Basic to a Java Web service, if you have to use .NET client platforms. It is intended for readers who have a basic understanding of Web services and associated technologies like Web Services Description Language (WSDL) and Simple Object Access Protocol (SOAP), and who want to learn how to construct a Java Web service and a Microsoft Visual Basic .NET client that communicate with one another using XML encryption. This tutorial complements my earlier tutorial on basic authentication and XML digital signatures. (See Resources for a link.)
The development tools I used to create and run the Web service used in this tutorial were:
- IBM WebSphere Studio Application Developer 5.1.0
- Microsoft Visual Studio .NET 2003 with Web Services Enhancements 1.0 SP1.
Microsoft Windows 2000 and Windows XP operating systems were used to complete the work for this tutorial. You should have a basic knowledge of security certificates and how encryption works. An overview of how encryption works can be found in Encryption: A brief introduction. You should also be familiar with IBM WebSphere Application Server -- for instance, you should know how to turn its security on and off. If you would like to read the tutorial but feel unsure about any of these subjects, Resources has links to appropriate documentation.
Before you begin working your way through the tutorial, unzip the source code archive, ws-encryptcode.zip, that is provided. There are two subdirectories in the source code folder, each containing two files.
- The Enc_wsdl_and_Java_implementation_file directory contains:
  - bookstoreEnc.wsdl -- This is the WSDL file you will use to create the skeleton of the Web service at the start of the tutorial, in Examine the WSDL. It defines the credit card purchase service your Web service will provide.
  - CreditCardBindingImpl.java -- A Java source code file that you will use to fully implement the credit card purchase service in Create the Web service.
- The Enc_cert_and_keystore directory contains:
  - interops-enc-receiver.jceks -- This keystore holds the private key that your Web service will need to decrypt incoming messages. You will configure the Java Web service to use it in Security certificates.
  - interops-enc.cer -- An X.509 certificate that contains the public key that the .NET client will use to encrypt its messages. You will configure the client to use it in Installing the public key security certificate.
Encryption: A brief introduction
Before we really get started, let's have a brief recap of how encryption works. The earliest form of computerized encryption used a symmetric, or secret, key. All parties who wished to encrypt or decrypt data had to have access to the same key. An encryption algorithm called DES (later superseded by triple DES) became the standard. However, this system had a major weakness. The key needed to be distributed to all the parties wishing to encrypt and decrypt data. If the key were intercepted, a hostile party could decrypt the information.
In the 1970s, a huge breakthrough was achieved in cryptography with the invention of the public and private key encryption mechanism. This mechanism uses the class of mathematical functions called trapdoor functions. Two keys are used: one to encrypt the data and the other to decrypt it. If I want people to be able to send me encrypted data, I simply distribute my public encryption key. They use this key to encrypt the information, safe in the knowledge that only I possess the private key necessary for decryption. A number of different encryption algorithms, based on this approach, have been put forward, but by far the most commonly used is RSA.
Public and private key encryption is more secure than symmetric encryption, since it doesn't require key distribution. However, it is much slower to actually encrypt data using most asymmetric mechanisms -- so much so that encrypting large amounts of data asymmetrically is usually not feasible. To get the best of both worlds, a hybrid system has been developed:
- The sender generates a symmetric session key and encrypts data with this key.
- The sender encrypts the session key using the receiver's public key and attaches this encrypted key to the message.
- The receiver uses his or her private key to decrypt the session key, then uses that session key to decrypt the message.
Thus, we have the speed of symmetric encryption with the security of public key encryption. The session key is, as the name suggests, used only once. So, even if a hostile party somehow managed to decrypt the session key, they would only be able to decrypt one message. This method is the one we will use in this tutorial, with triple DES as our symmetric algorithm and RSA as our asymmetric algorithm.
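The three-step hybrid scheme above, written out as an added Go example using only the standard library; this is not code from the tutorial, from WebSphere or from WSE, and the Envelope type and the Seal and Open function names are my own. It uses the same building blocks the tutorial's XML encryption uses (a one-time triple DES session key for the body, RSA PKCS#1 v1.5 to wrap that key), and the receiver side shows the two checks a decryptor must make before trusting the result: ciphertext length and padding.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"errors"
)

// Envelope is the hybrid message described in the text: the body encrypted under a
// one-time triple DES session key, the CBC IV, and the session key wrapped with the
// receiver's RSA public key (XML Encryption names these tripledes-cbc and rsa-1_5).
type Envelope struct{ EncryptedKey, IV, EncryptedData []byte }

// Seal is the sender side (steps 1 and 2): generate a session key and IV, encrypt the
// PKCS#7-padded body with 3DES-CBC, then wrap the session key with the RSA public key.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	buf := make([]byte, 24+des.BlockSize) // 24-byte three-key 3DES key, then an 8-byte IV
	if _, err := rand.Read(buf); err != nil { return nil, err }
	sessionKey, iv := buf[:24], buf[24:]
	block, err := des.NewTripleDESCipher(sessionKey)
	if err != nil { return nil, err }
	pad := des.BlockSize - len(plaintext)%des.BlockSize // always 1..8 bytes of padding
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	body := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(body, padded)
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, pub, sessionKey)
	if err != nil { return nil, err }
	return &Envelope{EncryptedKey: wrapped, IV: iv, EncryptedData: body}, nil
}

// Open is the receiver side (step 3): unwrap the session key with the private key,
// decrypt the body with it, and check the padding before stripping it.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptPKCS1v15(rand.Reader, priv, env.EncryptedKey)
	if err != nil { return nil, err }
	block, err := des.NewTripleDESCipher(sessionKey) // fails unless the unwrapped key is 24 bytes
	if err != nil { return nil, err }
	n := len(env.EncryptedData)
	if n == 0 || n%des.BlockSize != 0 || len(env.IV) != des.BlockSize {
		return nil, errors.New("malformed envelope")
	}
	padded := make([]byte, n)
	cipher.NewCBCDecrypter(block, env.IV).CryptBlocks(padded, env.EncryptedData)
	pad := int(padded[n-1])
	if pad == 0 || pad > des.BlockSize || !bytes.Equal(padded[n-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return padded[:n-pad], nil
}
```

Each call to Seal draws a fresh session key, so recovering one key exposes exactly one message, which is the property the text relies on; the private key never leaves the receiver.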

