With web services, you can sign message parts, encrypt message parts, or both, based on
the quality of service defined for a policy set. You can accomplish these actions by defining the
binding information in a custom attachment binding.
Before you begin
Before you begin this task, attach a policy set to a service artifact such as an
application, service or endpoint and create a custom attachment binding. Read about creating custom
attachment bindings for policy sets. The policy set that is attached to the service artifact must
include a WS-Security policy that specifies message parts to be signed or encrypted. Read about
securing message parts using the administrative console.
About this task
To sign message parts, encrypt message parts, or both, based on the quality of service
defined for a policy set, perform the following steps:
Procedure
- Open the administrative console.
- To sign and encrypt message parts for a service provider, click Applications >
Enterprise applications > application_name > Service provider policy sets
and bindings. To sign and encrypt message parts for a service client, click Applications >
Enterprise applications > application_name > Service client policy sets
and bindings.
- Click the binding name link of the service artifact with a custom attachment
binding.
- If the binding does not contain WS-Security policy set bindings, then click Add
and select WS-Security from the list.
- Click WS-Security policy set bindings.
- Click Authentication and protection.
The resulting panel contains the following four tables:
- Protection tokens: Specifies the tokens that are defined for the symmetric or asymmetric
signature and encryption policies in the policy set.
- Authentication tokens: Specifies the tokens that are defined for the request and response token
policies.
- Request message signature and encryption protection: Specifies the message parts that are
defined in the Request message part protection for the policy set.
- Response message signature and encryption protection: Specifies the message parts that are
defined in the response message part protection in the policy set.
Initially, each table displays information that is generated based on the policy set which
is attached to the service artifact. The possible configuration objects based on the policy set are
displayed. The Status column indicates whether the object is currently configured in the custom
attachment binding.
- If the protection tokens have a status of Not configured, then create them by clicking each
default token name, verifying the default values, and clicking OK.
- [Optional] If you use the X.509 protection tokens, then you must configure the keystores
and keys to be used to sign, verify, encrypt or decrypt message parts. You might need to also
configure keystores and keys when using custom protection tokens, depending on the requirements of
the custom tokens. When using a security context token for protection (secure conversation), you do
not need to configure keystores or keys. If you need to configure the keystores and keys, then
perform the following actions:
- Click the token name link.
- Click the Callback handler link under Additional bindings. If the Callback
handler link is not click-able, click Apply, then click the Callback handler
link.
- Use either a predefined keystore or a custom keystore. To use a predefined keystore,
select it from the list. To use a custom keystore, select Custom from the list and
click the Custom key store configuration link to specify the configuration.
- Click OK.
- Click the name of the request or response message part reference to be signed or
encrypted. The Protection column displays whether the message part is signed or encrypted based on
the policy set.
- Specify a name for the message part.
- For encrypted parts, select the type of encryption from Usage of key information
references. For asymmetric encryption, or X.509, select Key encryption. For symmetric
encryption, or secure conversation, select Data encryption.
- [Optional] For encrypted parts, select the Include time stamp or Include nonce options to
include a time stamp or nonce in the encrypted message part. You can include one or both of
these options in the encrypted message part.
- For signed parts, specify one or more Message part references. Select a reference from
the Available column and click Add.
- [Optional] For signed parts, you can also choose to add a time stamp or nonce to the
signed message part. Select a Message part reference from the Assigned column and click Edit.
Select the Include time stamp or the Include nonce options to include a time stamp or
nonce in the signed message part. You can select one or both of these options in the
signed message part.
- If there are no available key information entries, then create one using the following
actions:
- Click New.
- Specify a name.
- Select a protection token from the Token generator or Consumer name
list.
- Click OK.
- Select a key information entry from the Available list and click Add.
- [Optional] Specify custom properties if needed.
- To use Message Transmission Optimization Mechanism (MTOM) for the cipher text of the
encrypted data, add the custom property com.ibm.wsspi.wssecurity.enc.MTOM.Optimize with the
value true to outbound encrypted parts for client requests or server responses.
- To use encryption headers as described in the WS-Security 1.0 specification instead of
the encrypted header support described in WS-Security 1.1, add the custom property
com.ibm.wsspi.wssecurity.encryptedHeader.generate.WSS1.0 with the value true to
outbound encrypted parts for client requests or server responses.
For Web Services Security Version 1.1 behavior that is equivalent to WebSphere® Application Server versions prior to version 7.0, specify the
com.ibm.wsspi.wssecurity.encryptedHeader.generate.WSS1.1.pre.V7 property with a value of
true on the <encryptionInfo> element in the binding. When this property
is specified, the <EncryptedHeader> element includes a wsu:Id attribute and the
<EncryptedData> element omits the Id attribute. Use this property only if
compliance with Basic Security Profile 1.1 is not required.
- Click OK.
- Click Save, to save the changes to the master configuration.
Results
When you finish this task, the message parts are signed, encrypted, or both, according to the
binding configuration used when communicating with the service artifact.
Example
You have an application, app1, with an attached policy set, RAMP default, and a custom
attachment binding, myBinding, and you want to sign and encrypt the message parts.
- Click the app1 application in the Applications > Enterprise Applications collection.
- Click the Service provider policy sets and bindings link or the Service client policy
sets and bindings link.
- Click the myBinding link.
- [Optional] If WS-Security is not listed, then select Add > WS-Security.
- Click the WS-Security link.
- Click the Authentication and protection link.
- In the Protection tokens table, click each of the four links and OK on the resulting
panel. Each entry is now shown as Configured in the Status column.
- In the Request message signature and encryption protection table, click
request:app_encparts. Specify the name, requestEncParts.
- Click New from Key information. Specify the name, requestEncKeyInfo.
- Select SymmetricBindingRecipientEncryptionToken, and click OK.
- Select requestEncKeyInfo in the Available list, and click Add. Click OK.
- In the Request message signature and encryption protection table, click
request:app_signparts.
- Specify the name, requestSignParts.
- Click New from Key information. Specify a name of requestSignKeyInfo.
- Select SymmetricBindingInitiatorSignatureToken, and click OK.
- Select requestSignKeyInfo in the Available list, and click Add. Click OK.
- Repeat steps 8 to 16 for the links in the Response message signature and encryption protection
table.
- Click Save, to save the changes to the master configuration.
What to do next
Start the application.
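After the application is started, confirm on the wire that the binding does what the console shows: capture one request or response (for example with a TCP/IP monitor in front of the endpoint) and check which parts carry a ds:Reference and which are wrapped in EncryptedData or EncryptedHeader. The following Python script is an added example written for this page; it is not code from the original page or from WebSphere Application Server. The SOAP request it parses is constructed for illustration, and its ids (TS-1, Body-1, EH-1, ED-1), digest and cipher values are placeholders. It reports the signed parts, the encrypted parts, whether the Timestamp is covered by the signature (the "Include time stamp" option above), and which encrypted-header layout is in use, classified exactly as the page describes the pre-V7 property: wsu:Id on EncryptedHeader with no Id on the inner EncryptedData.

```python
"""Audit which parts of a captured SOAP message are actually signed or encrypted.

Added verification example, not part of the original page or of WebSphere Application Server.
The request below is constructed: its ids, reference URIs, digest and cipher values are
placeholders. Only the standard WS-Security, XML Signature and XML Encryption namespaces are used.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsse11": "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}


def q(prefix, local):
    # Clark-notation tag for an element in one of the namespaces above
    return "{%s}%s" % (NS[prefix], local)


WSU_ID = q("wsu", "Id")


def signed_parts(root):
    """Map each ds:Reference URI (without '#') to the local name of the element it covers."""
    by_id = {}
    for el in root.iter():
        el_id = el.get(WSU_ID) or el.get("Id")
        if el_id:
            by_id[el_id] = el.tag.split("}")[-1]
    return {ref.get("URI")[1:]: by_id.get(ref.get("URI")[1:], "<dangling reference>")
            for ref in root.iter(q("ds", "Reference")) if ref.get("URI", "").startswith("#")}


def encrypted_parts(root):
    """List every encrypted part: where it sits and how its Id attributes are placed."""
    parent = {child: p for p in root.iter() for child in p}
    parts = []
    for ed in root.iter(q("xenc", "EncryptedData")):
        p = parent.get(ed)
        if p is not None and p.tag == q("wsse11", "EncryptedHeader"):
            parts.append({"location": "EncryptedHeader", "header_wsu_id": p.get(WSU_ID),
                          "data_id": ed.get("Id")})
        elif p is not None and p.tag == q("soap", "Body"):
            parts.append({"location": "Body", "data_id": ed.get("Id"), "type": ed.get("Type")})
        else:  # bare EncryptedData directly in the Header: the WS-Security 1.0 layout
            parts.append({"location": "Header(WSS1.0)", "data_id": ed.get("Id")})
    return parts


def header_style(parts):
    """'wss1.1-pre-v7' = wsu:Id on EncryptedHeader and no Id on its EncryptedData (the
    pre-V7 layout the page describes); 'wss1.1' = any other EncryptedHeader layout;
    'wss1.0' = bare EncryptedData headers; None = no header is encrypted."""
    headers = [p for p in parts if p["location"] == "EncryptedHeader"]
    if headers:
        if all(p["header_wsu_id"] and not p["data_id"] for p in headers):
            return "wss1.1-pre-v7"
        return "wss1.1"
    return "wss1.0" if any(p["location"] == "Header(WSS1.0)" for p in parts) else None


def audit(xml_text):
    """Summarise signature and encryption coverage of one SOAP envelope."""
    root = ET.fromstring(xml_text)
    signed, encrypted = signed_parts(root), encrypted_parts(root)
    ts = root.find(".//wsu:Timestamp", NS)
    return {
        "signed": signed,
        "encrypted": encrypted,
        "header_style": header_style(encrypted),
        "body_signed": "Body" in signed.values(),
        "body_encrypted": any(p["location"] == "Body" for p in encrypted),
        # "Include time stamp" on a signed part shows up as a ds:Reference to the Timestamp
        "timestamp_signed": ts is not None and ts.get(WSU_ID) in signed,
    }


# Constructed request: Body and Timestamp signed, Body content encrypted, one header
# encrypted in the pre-V7 layout (wsu:Id on EncryptedHeader, no Id on its EncryptedData).
SAMPLE_REQUEST = """<soapenv:Envelope xmlns:soapenv="%(soap)s" xmlns:wsse="%(wsse)s"
 xmlns:wsse11="%(wsse11)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s">
 <soapenv:Header>
  <wsse:Security soapenv:mustUnderstand="1">
   <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2024-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
   <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#TS-1"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
    <ds:Reference URI="#Body-1"><ds:DigestValue>BBBB</ds:DigestValue></ds:Reference>
   </ds:SignedInfo><ds:SignatureValue>CCCC</ds:SignatureValue></ds:Signature>
  </wsse:Security>
  <wsse11:EncryptedHeader wsu:Id="EH-1">
   <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:CipherData><xenc:CipherValue>DDDD</xenc:CipherValue></xenc:CipherData>
   </xenc:EncryptedData>
  </wsse11:EncryptedHeader>
 </soapenv:Header>
 <soapenv:Body wsu:Id="Body-1">
  <xenc:EncryptedData Id="ED-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
   <xenc:CipherData><xenc:CipherValue>EEEE</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </soapenv:Body>
</soapenv:Envelope>""" % NS

if __name__ == "__main__":
    print(audit(SAMPLE_REQUEST))
```

Run it against a message captured from your own endpoint instead of SAMPLE_REQUEST. A part that the console lists as signed but that has no matching ds:Reference, a Timestamp that is present but not referenced, or a header_style that disagrees with the custom properties you set on the binding are the mismatches worth chasing before the application goes live. The script only inspects structure; it does not validate digests or signatures, so it complements rather than replaces the receiving side's WS-Security runtime.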