Policy Sets and Policy Set Bindings editor: Message Level Protection panel

Use this panel, which is in the Policy Sets section of the editor, to apply signatures and encryption to the whole message, whether inbound or outbound.

Fields (name, then description and valid options):

Message level protection: Select this check box to specify that message level protection (digital signatures, encryption, or both) is required. When it is selected, the other fields on this panel become available and you can use the associated Tokens and Algorithms panels to define signature and encryption policies. The check box is cleared by default.

Require signature confirmation: Select this check box to require signature confirmation. Signature confirmation is a WS-Security 1.1 feature: the responder returns the signature values it received in the request, so the initiator can confirm that the response was produced in answer to its own signed request rather than to a replayed or forged one.

Include timestamp in security header: Select this check box to include a timestamp (wsu:Timestamp with Created and Expires times) in the security header. A receiver uses the timestamp to reject stale or replayed messages, so the timestamp itself should be covered by the signature. You specify where the timestamp is placed in the header by using Security header layout.

Security header layout: Specify rules for the layout of the security header:
Strict - declarations must precede use
Every item in the header is declared before it is used; for example, a security token appears before the signature or encrypted key that references it. This is the default value.
Lax - order of contents can vary
The order of contents in the header can vary.
Lax but timestamp required first in header
The timestamp must be the first element in the header; the order of the remaining elements can vary.
Lax but timestamp required last in header
The timestamp must be the last element in the header; the order of the remaining elements can vary.

Tokens

Use this panel to define the symmetric and asymmetric tokens that the signature and encryption policies use.

Asymmetric tokens are X.509 tokens. Each one stands for a private key together with its X.509 public key certificate (PKC), which form a public/private key pair; you then associate the token with the parts of the message that require signature or encryption. Define one token for each distinct private key and certificate. The administrator can create any number of asymmetric X.509 tokens.

Symmetric tokens are Kerberos tokens, the only symmetric token type supported. Associate them with the parts of the message that require signature or encryption. The administrator can create any number of Kerberos tokens.

You can edit this panel only if the Message level protection check box is selected on the Message Level Protection panel.

Fields (name, then description and valid options):

Token Name: Enter a name for the token.

Token Type: Either:
Initiator
The initiator of the request and response conversation, who owns the public/private key pair to which this token refers.
Recipient
The recipient of the request and response conversation, who owns the public/private key pair to which this token refers.
When you add a new row, this field defaults to Initiator. You can change this value.

WS-Security Version: Either:
  • 1.0
  • 1.1
When you add a new row, this field defaults to 1.0. You can change this value.

Token Type (Asymmetric): Any of:
  • X.509 Version 3 (a single X.509 v3 certificate)
  • X.509 PKCS7 (one or more certificates packaged in a PKCS #7 wrapper)
  • X.509 PKI Path Version 1 (an ordered certificate chain packaged as a PKIPath)
When you add a new row, this field defaults to X.509 Version 3. You can change this value.

Token Type (Symmetric): Any of:
  • GSS_Kerberos5_AP_REQ (a Kerberos v5 AP-REQ wrapped as a GSS-API token)
  • Kerberos5_AP_REQ (a raw Kerberos v5 AP-REQ)
When you add a new row, this field defaults to GSS_Kerberos5_AP_REQ. You can change this value.
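The checks a receiver performs against the Message Level Protection settings (security header layout, timestamp) and the Tokens settings (which token types are acceptable), as an added example that is not part of the original page or of the product's own code. The policy values, the five-minute clock-skew allowance, the element ordering rules as interpreted here and the sample envelopes are assumptions made for illustration; the ValueType URIs are the identifiers defined by the OASIS X.509 and Kerberos token profiles.

```python
"""Check a received WS-Security header against the Message Level Protection
and Tokens settings: security header layout, timestamp presence and
freshness, and which BinarySecurityToken types the policy permits.

Added example, not code from the original page or from the product. Policy
values, skew allowance and sample envelopes are assumptions for illustration.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
KRB_PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1"
# Token Type choices on the Tokens panel -> BinarySecurityToken/@ValueType
TOKEN_VALUE_TYPES = {
    "X.509 Version 3": X509_PROFILE + "#X509v3",
    "X.509 PKCS7": X509_PROFILE + "#PKCS7",
    "X.509 PKI Path Version 1": X509_PROFILE + "#X509PKIPathv1",
    "GSS_Kerberos5_AP_REQ": KRB_PROFILE + "#GSS_Kerberosv5_AP_REQ",
    "Kerberos5_AP_REQ": KRB_PROFILE + "#Kerberosv5_AP_REQ",
}
WSU_ID = "{%s}Id" % NS["wsu"]
TIMESTAMP = "{%s}Timestamp" % NS["wsu"]
BST = "{%s}BinarySecurityToken" % NS["wsse"]
STR_REF = "{%s}Reference" % NS["wsse"]   # wsse:SecurityTokenReference/wsse:Reference


def _parse_time(text):
    # wsu:Created and wsu:Expires are xsd:dateTime in UTC, e.g. 2024-05-01T10:00:00Z
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def check_security_header(envelope_xml, layout, require_timestamp, allowed_token_types,
                          now, skew=timedelta(minutes=5)):
    """Return the list of policy violations; an empty list means the header is acceptable.
    layout is "Strict", "Lax", "LaxTsFirst" or "LaxTsLast", matching the panel's choices."""
    problems = []
    sec = ET.fromstring(envelope_xml).find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header present"]
    children = list(sec)

    # Timestamp: presence, uniqueness, position and freshness (replay window)
    ts_index = [i for i, c in enumerate(children) if c.tag == TIMESTAMP]
    if require_timestamp and not ts_index:
        problems.append("timestamp required by policy but missing")
    if len(ts_index) > 1:
        problems.append("more than one wsu:Timestamp in the header")
    if ts_index:
        i = ts_index[0]
        if layout == "LaxTsFirst" and i != 0:
            problems.append("layout LaxTsFirst: timestamp is not the first header element")
        if layout == "LaxTsLast" and i != len(children) - 1:
            problems.append("layout LaxTsLast: timestamp is not the last header element")
        created = children[i].findtext("wsu:Created", namespaces=NS)
        expires = children[i].findtext("wsu:Expires", namespaces=NS)
        if created is None:
            problems.append("timestamp has no wsu:Created")
        elif _parse_time(created) > now + skew:
            problems.append("timestamp Created lies in the future beyond the allowed skew")
        if expires is not None and _parse_time(expires) < now - skew:
            problems.append("timestamp has expired")

    # Strict: an element must be declared (wsu:Id) before a token reference uses it
    if layout == "Strict":
        declared = set()
        for el in sec.iter():                       # document order
            uri = el.get("URI", "")
            if el.tag == STR_REF and uri.startswith("#") and uri[1:] not in declared:
                problems.append("layout Strict: reference to %s precedes its declaration" % uri)
            if el.get(WSU_ID):
                declared.add(el.get(WSU_ID))

    # Only the token types configured on the Tokens panel are acceptable
    allowed = {TOKEN_VALUE_TYPES[t] for t in allowed_token_types}
    for tok in sec.iter(BST):
        if tok.get("ValueType") not in allowed:
            problems.append("token %s has a ValueType the policy does not permit: %s"
                            % (tok.get(WSU_ID), tok.get("ValueType")))
    return problems


def build_envelope(*security_children):
    """Constructed, abbreviated envelope (not schema-complete) whose wsse:Security
    header contains the given elements in the order supplied."""
    return ('<soap:Envelope xmlns:soap="%s"><soap:Header>'
            '<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s">%s</wsse:Security>'
            '</soap:Header><soap:Body xmlns:wsu="%s" wsu:Id="body"><ping xmlns="urn:example"/>'
            '</soap:Body></soap:Envelope>'
            % (NS["soap"], NS["wsse"], NS["wsu"], NS["ds"], "".join(security_children), NS["wsu"]))


# Sample header parts (dummy base64 content); the signature's key reference points at the token
TS = ('<wsu:Timestamp wsu:Id="ts"><wsu:Created>2024-05-01T10:00:00Z</wsu:Created>'
      '<wsu:Expires>2024-05-01T10:05:00Z</wsu:Expires></wsu:Timestamp>')
X509_TOKEN = ('<wsse:BinarySecurityToken wsu:Id="cert" ValueType="%s">QUJD</wsse:BinarySecurityToken>'
              % TOKEN_VALUE_TYPES["X.509 Version 3"])
SIG = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/></ds:SignedInfo>'
       '<ds:SignatureValue>QUJD</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference>'
       '<wsse:Reference URI="#cert"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>')
ALLOWED = ["X.509 Version 3"]
NOW = datetime(2024, 5, 1, 10, 2, tzinfo=timezone.utc)   # fixed clock, inside the window
LATER = NOW + timedelta(minutes=18)                        # past wsu:Expires plus skew

if __name__ == "__main__":
    print(check_security_header(build_envelope(TS, X509_TOKEN, SIG), "Strict", True, ALLOWED, NOW))
    print(check_security_header(build_envelope(TS, SIG, X509_TOKEN), "Strict", True, ALLOWED, NOW))
    print(check_security_header(build_envelope(TS, X509_TOKEN, SIG), "Strict", True, ALLOWED, LATER))
```

The first call returns no violations; the second reports that the signature's key reference appears before the token it points at, which Strict forbids and Lax accepts; the third reports an expired timestamp. The freshness window is the receiver's own policy, not something this editor configures, so tune `skew` to the clock discipline of the peers you actually exchange messages with.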

Algorithms

Use this panel to set the supported cryptographic and canonicalization algorithms. The canonicalization algorithm reconciles differences in XML serialization (whitespace, attribute order, namespace declarations) so that signer and verifier hash the same bytes; the algorithm suite fixes the digest, encryption and key-wrap algorithms.

You can edit this panel only if Message level protection is selected on the Message Level Protection panel.
Fields (name, then description and valid options):

Algorithm suite: Select the suite of algorithms used for cryptographic operations with symmetric or asymmetric key-based security tokens. Each value in this field names an algorithm suite; the suites and the algorithms each one stands for are defined in the Web Services Security Policy Language (WS-SecurityPolicy) July 2005 Version 1.1 specification and listed in the table below. The default is Basic128Rsa15. Note that suites without a Sha256 component use SHA-1 digests, suites with an Rsa15 component use RSA PKCS #1 v1.5 key transport (which is exposed to padding-oracle attacks against the wrapped key), and the TripleDes suites use a 64-bit block cipher; where the peer supports it, prefer a suite such as Basic256Sha256, which combines SHA-256 with RSA-OAEP key transport.
  • Basic256
  • Basic192
  • Basic128
  • TripleDes
  • Basic256Rsa15
  • Basic192Rsa15
  • Basic128Rsa15
  • TripleDesRsa15
  • Basic256Sha256
  • Basic192Sha256
  • Basic128Sha256
  • TripleDesSha256
  • Basic256Sha256Rsa15
  • Basic192Sha256Rsa15
  • Basic128Sha256Rsa15
  • TripleDesSha256Rsa15

Canonicalization algorithm: Select the canonicalization method that signatures use. The following canonicalization algorithms are available in this list:
  • Exclusive canonicalization
  • Inclusive canonicalization
The default value is Exclusive canonicalization. Exclusive canonicalization leaves out namespace declarations and xml: attributes inherited from ancestor elements, so a signed part still verifies after it is moved into a different enveloping context, as happens when a SOAP intermediary rewrites the envelope. Inclusive canonicalization includes that inherited context, so the same rewriting breaks the signature.

Use security token reference transformation: Select this check box to apply the STR Dereference Transform, so that the signature covers the security token that a SecurityTokenReference points to rather than only the reference element itself. The default state is cleared.
This table lists the component algorithms of each suite; key lengths are in bits.

Algorithm suite       Digest  Encryption  Sym. key wrap  Asym. key wrap  Enc. key derivation  Sig. key derivation  Min. sym. key length (bits)
Basic256              Sha1    Aes256      KwAes256       KwRsaOaep       PSha1L256            PSha1L192            256
Basic192              Sha1    Aes192      KwAes192       KwRsaOaep       PSha1L192            PSha1L192            192
Basic128              Sha1    Aes128      KwAes128       KwRsaOaep       PSha1L128            PSha1L128            128
TripleDes             Sha1    TripleDes   KwTripleDes    KwRsaOaep       PSha1L192            PSha1L192            192
Basic256Rsa15         Sha1    Aes256      KwAes256       KwRsa15         PSha1L256            PSha1L192            256
Basic192Rsa15         Sha1    Aes192      KwAes192       KwRsa15         PSha1L192            PSha1L192            192
Basic128Rsa15         Sha1    Aes128      KwAes128       KwRsa15         PSha1L128            PSha1L128            128
TripleDesRsa15        Sha1    TripleDes   KwTripleDes    KwRsa15         PSha1L192            PSha1L192            192
Basic256Sha256        Sha256  Aes256      KwAes256       KwRsaOaep       PSha1L256            PSha1L192            256
Basic192Sha256        Sha256  Aes192      KwAes192       KwRsaOaep       PSha1L192            PSha1L192            192
Basic128Sha256        Sha256  Aes128      KwAes128       KwRsaOaep       PSha1L128            PSha1L128            128
TripleDesSha256       Sha256  TripleDes   KwTripleDes    KwRsaOaep       PSha1L192            PSha1L192            192
Basic256Sha256Rsa15   Sha256  Aes256      KwAes256       KwRsa15         PSha1L256            PSha1L192            256
Basic192Sha256Rsa15   Sha256  Aes192      KwAes192       KwRsa15         PSha1L192            PSha1L192            192
Basic128Sha256Rsa15   Sha256  Aes128      KwAes128       KwRsa15         PSha1L128            PSha1L128            128
TripleDesSha256Rsa15  Sha256  TripleDes   KwTripleDes    KwRsa15         PSha1L192            PSha1L192            192
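How the suite names, the canonicalization choice and the component table translate into what a receiver actually sees on the wire, as an added example that is not part of the original page or of the product's own code. It goes beyond the table in one way: instead of looking each suite up, it derives the components from the structure of the name (family prefix, optional Sha256, optional Rsa15), which reproduces all sixteen rows, and then compares the algorithm URIs found in a message against the suite the policy requires. The algorithm URIs are the identifiers defined by XML Signature, XML Encryption and WS-SecurityPolicy; the sample envelope, the review notes and the policy values are constructed for illustration.

```python
"""Derive the components of a WS-SecurityPolicy algorithm suite from its name,
map them to the XML Signature / XML Encryption URIs that appear in messages,
and check that a received message used the suite and canonicalization the
policy requires.

Added example, not code from the original page or from the product. The
sample envelope and the policy values are constructed for illustration.
"""
import xml.etree.ElementTree as ET

XMLDSIG = "http://www.w3.org/2000/09/xmldsig#"
XMLENC = "http://www.w3.org/2001/04/xmlenc#"
C14N_URI = {
    "Exclusive canonicalization": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "Inclusive canonicalization": "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
}
# Suite name prefix -> (encryption, symmetric key wrap, encryption key derivation,
# signature key derivation, minimum symmetric key length in bits)
_FAMILY = {
    "Basic256": ("Aes256", "KwAes256", "PSha1L256", "PSha1L192", 256),
    "Basic192": ("Aes192", "KwAes192", "PSha1L192", "PSha1L192", 192),
    "Basic128": ("Aes128", "KwAes128", "PSha1L128", "PSha1L128", 128),
    "TripleDes": ("TripleDes", "KwTripleDes", "PSha1L192", "PSha1L192", 192),
}
# Component names used in the table -> algorithm URI seen on the wire
ALG_URI = {
    "Sha1": XMLDSIG + "sha1", "Sha256": XMLENC + "sha256",
    "Aes256": XMLENC + "aes256-cbc", "Aes192": XMLENC + "aes192-cbc",
    "Aes128": XMLENC + "aes128-cbc", "TripleDes": XMLENC + "tripledes-cbc",
    "KwAes256": XMLENC + "kw-aes256", "KwAes192": XMLENC + "kw-aes192",
    "KwAes128": XMLENC + "kw-aes128", "KwTripleDes": XMLENC + "kw-tripledes",
    "KwRsaOaep": XMLENC + "rsa-oaep-mgf1p", "KwRsa15": XMLENC + "rsa-1_5",
}


def suite_components(name):
    """Split a suite name such as 'Basic128Sha256Rsa15' into the table's columns."""
    family = next((f for f in _FAMILY if name.startswith(f)), None)
    if family is None:
        raise ValueError("unknown algorithm suite: %s" % name)
    rest = name[len(family):]
    digest = "Sha256" if rest.startswith("Sha256") else "Sha1"
    rest = rest[len("Sha256"):] if digest == "Sha256" else rest
    if rest not in ("", "Rsa15"):
        raise ValueError("unknown algorithm suite: %s" % name)
    enc, sym_wrap, enc_kd, sig_kd, min_bits = _FAMILY[family]
    return {
        "digest": digest, "encryption": enc, "symmetric_key_wrap": sym_wrap,
        "asymmetric_key_wrap": "KwRsa15" if rest == "Rsa15" else "KwRsaOaep",
        "encryption_key_derivation": enc_kd, "signature_key_derivation": sig_kd,
        "minimum_symmetric_key_length": min_bits,
    }


def review_suite(name):
    """Properties a reviewer would flag before accepting the suite as a default."""
    c = suite_components(name)
    notes = []
    if c["digest"] == "Sha1":
        notes.append("SHA-1 digest")
    if c["asymmetric_key_wrap"] == "KwRsa15":
        notes.append("RSA PKCS#1 v1.5 key transport (padding-oracle exposure)")
    if c["encryption"] == "TripleDes":
        notes.append("3DES, a 64-bit block cipher")
    return notes


def check_message_algorithms(envelope_xml, required_suite, canonicalization):
    """Return (element, algorithm URI) pairs for every algorithm used in the message
    that the policy does not allow. Canonicalization and digest come from ds:Signature,
    key transport from xenc:EncryptedKey, the block cipher from xenc:EncryptedData."""
    c = suite_components(required_suite)
    allowed = {
        "CanonicalizationMethod": {C14N_URI[canonicalization]},
        "DigestMethod": {ALG_URI[c["digest"]]},
        # the content key may be wrapped with the asymmetric or the symmetric key-wrap algorithm
        "EncryptedKey": {ALG_URI[c["asymmetric_key_wrap"]], ALG_URI[c["symmetric_key_wrap"]]},
        "EncryptedData": {ALG_URI[c["encryption"]]},
    }
    root = ET.fromstring(envelope_xml)
    found = []
    for local in ("CanonicalizationMethod", "DigestMethod"):
        for el in root.iter("{%s}%s" % (XMLDSIG, local)):
            found.append((local, el.get("Algorithm")))
    for local in ("EncryptedKey", "EncryptedData"):
        for el in root.iter("{%s}%s" % (XMLENC, local)):
            method = el.find("{%s}EncryptionMethod" % XMLENC)
            found.append((local, None if method is None else method.get("Algorithm")))
    return [(where, alg) for where, alg in found if alg not in allowed[where]]


# Constructed, abbreviated sample (dummy base64 content): exclusive C14N and SHA-256 in the
# signature, RSA PKCS#1 v1.5 key transport in the header, AES-256-CBC on the body.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<soap:Header><wsse:Security>
 <xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
  <xenc:CipherData><xenc:CipherValue>QUJD</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>
 <ds:Signature><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:Reference URI="#body"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
   <ds:DigestValue>QUJD</ds:DigestValue></ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>QUJD</ds:SignatureValue></ds:Signature>
</wsse:Security></soap:Header>
<soap:Body><xenc:EncryptedData><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
 <xenc:CipherData><xenc:CipherValue>QUJD</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(review_suite("Basic128Rsa15"))
    print(check_message_algorithms(SAMPLE, "Basic256Sha256", "Exclusive canonicalization"))
```

With the policy set to Basic256Sha256 the sample is rejected because its EncryptedKey uses rsa-1_5 instead of rsa-oaep-mgf1p, which is exactly the substitution a downgrade attempt would make; with Basic256Sha256Rsa15 the same message passes. The check deliberately inspects the algorithm identifiers the message carries rather than trusting what the sender's policy claims.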