Encryption information configuration settings
Use this page to configure the encryption and decryption parameters. You can use these parameters to encrypt and decrypt various parts of the message, including the body and user name token.
To view the WebSphere® Application Server administrative console panel for the encryption information on the server level, complete the following steps:
- Click Servers > Application servers > server_name.
- Under Security, click Web services: Default bindings for Web services security.
- Under either Default generator bindings or Default consumer bindings, click Encryption information.
- Click either New to create a new encryption configuration or click the name of an existing encryption configuration.
To view this WAS administrative console page for the encryption information on the application level, complete the following steps:
- Click Applications > Enterprise applications > application_name.
- Under Related items, click EJB modules or Web modules > URI_name.
- Under Additional properties, you can access encryption information for the following bindings:
  - For the Request generator, click Web services: Client security bindings. Under Request generator (sender) binding, click Edit custom. Under Required properties, click Encryption information.
  - For the Request consumer, click Web services: Server security bindings. Under Request consumer (receiver) binding, click Edit custom. Under Required properties, click Encryption information.
  - For the Response generator, click Web services: Server security bindings. Under Response generator (sender) binding, click Edit custom. Under Required properties, click Encryption information.
  - For the Response consumer, click Web services: Client security bindings. Under Response consumer (receiver) binding, click Edit custom. Under Required properties, click Encryption information.
- Click either New to create a new encryption configuration or click the name of an existing encryption configuration.
Encryption information name
Specifies the name for the encryption information.
Data type: String
Data encryption algorithm
Specifies the algorithm URI of the data encryption method.
The following algorithms are supported:
- http://www.w3.org/2001/04/xmlenc#tripledes-cbc
- http://www.w3.org/2001/04/xmlenc#aes128-cbc
- http://www.w3.org/2001/04/xmlenc#aes256-cbc
  To use this algorithm, download the unrestricted Java™ Cryptography Extension (JCE) policy file from the following Web site: http://www.ibm.com/developerworks/java/jdk/security/index.html. For more information, see Encryption information configuration settings.
- http://www.w3.org/2001/04/xmlenc#aes192-cbc
  To use this algorithm, download the unrestricted Java Cryptography Extension (JCE) policy file from the following Web site: http://www.ibm.com/developerworks/java/jdk/security/index.html. For more information, see Encryption information configuration settings.
By default, the Java Cryptography Extension (JCE) is shipped with restricted or limited strength ciphers. To use 192-bit and 256-bit Advanced Encryption Standard (AES) encryption algorithms, apply unlimited jurisdiction policy files. For more information, see the Key encryption algorithm field description.
Key encryption algorithm
Specifies the algorithm Uniform Resource Identifier (URI) of the key encryption method.
The following algorithms are provided by WAS:
- http://www.w3.org/2001/04/xmlenc#rsa-1_5
- http://www.w3.org/2001/04/xmlenc#kw-tripledes
- http://www.w3.org/2001/04/xmlenc#kw-aes128
- http://www.w3.org/2001/04/xmlenc#kw-aes192
- http://www.w3.org/2001/04/xmlenc#kw-aes256
By default, the Java Cryptography Extension (JCE) ships with restricted or limited strength ciphers. To use 192-bit and 256-bit Advanced Encryption Standard (AES) encryption algorithms, apply unlimited jurisdiction policy files. Before you download and install these policy files, back up the existing policy files (local_policy.jar and US_export_policy.jar in the WAS_HOME/jre/lib/security/ directory) so that you can restore the original files later. To download the policy files, complete either of the following sets of steps:
- For WAS platforms using IBM® Developer Kit, Java Technology Edition Version 1.4.2, including the AIX®, Linux®, and Windows® platforms, you can obtain unlimited jurisdiction policy files by completing the following steps:
  - Go to the following Web site: http://www.ibm.com/developerworks/java/jdk/security/index.html
  - Click JAVA 1.4.2 material > IBM SDK Policy files.
  - Register, if necessary, and log into the Web site.
  - Locate the correct version of the Java Cryptography Extension (JCE) policy file and click Download now.
  The unrestrict.zip file is downloaded onto your machine.
After following either of these sets of steps, two Java archive (JAR) files are placed in the Java virtual machine (JVM) jre/lib/security/ directory.
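To confirm which policy files are actually in effect, the following added example (not IBM's code) probes the running JVM for each AES data encryption and key encryption algorithm URI listed on this page. The class name JcePolicyProbe and the mapping from URI to JCE transformation name are assumptions of this example; run it with the same JRE that the server uses.

```java
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper class, added for illustration.
public class JcePolicyProbe {
    static final String XMLENC = "http://www.w3.org/2001/04/xmlenc#";
    // AES algorithm URI fragments from this page and the key size each implies.
    static final String[] ALGS = {"aes128-cbc", "aes192-cbc", "aes256-cbc",
                                  "kw-aes128", "kw-aes192", "kw-aes256"};
    static final int[] BITS = {128, 192, 256, 128, 192, 256};

    // Returns "allowed", "blocked by policy" or "not provided" for one algorithm.
    static String probe(String alg, int bits) throws Exception {
        // All-zero key: used only to test Cipher.init, never to protect data.
        SecretKeySpec key = new SecretKeySpec(new byte[bits / 8], "AES");
        try {
            if (alg.startsWith("kw-")) {
                // Assumption: "AESWrap" is the provider's name for AES key wrap.
                Cipher.getInstance("AESWrap").init(Cipher.WRAP_MODE, key);
            } else {
                // Padding does not affect the policy check, so NoPadding is used.
                Cipher.getInstance("AES/CBC/NoPadding")
                      .init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(new byte[16]));
            }
            return "allowed";
        } catch (InvalidKeyException e) {
            return "blocked by policy";   // restricted policy files reject this key size
        } catch (NoSuchAlgorithmException e) {
            return "not provided";        // no installed provider offers the transformation
        }
    }

    public static void main(String[] args) throws Exception {
        // Print the JRE location so the result can be tied to a specific jre/lib/security/ directory.
        System.out.println("java.home = " + System.getProperty("java.home"));
        for (int i = 0; i < ALGS.length; i++) {
            System.out.println(XMLENC + ALGS[i] + " : " + probe(ALGS[i], BITS[i]));
        }
    }
}
```

If the 192-bit and 256-bit entries report "blocked by policy" while the 128-bit entries report "allowed", the restricted policy files are still the ones being loaded from that JRE.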
To specify custom algorithms on the server level, complete the following steps:
- Click Servers > Application servers > server_name.
- Under Security, click Web services: Default bindings for Web services security.
- Under Additional properties, click Algorithm mappings.
- Click New to specify a new algorithm mapping or click the name of an existing configuration to modify its settings.
- Under Additional properties, click Algorithm URI.
- Click New to create a new algorithm URI. You must specify Key encryption in the Algorithm type field to have the configuration display in the Key encryption algorithm field on the Encryption information configuration settings panel.
Encryption key information
Specifies the name of the key information reference that is used for encryption. This reference is resolved to the actual key by the specified key locator and defined in the key information.
You must specify either one or no encryption key configurations for the request generator and response generator bindings.
For the response consumer and the request consumer bindings, you can configure multiple encryption key references. To create a new encryption key reference, under Additional properties, click Key information references.
You can specify an encryption key configuration for the following bindings on the following levels:
Binding name: Default generator binding
Level: Cell level
Path:
- Click Security > Web services.
- Under Default generator binding, click Key information.

Binding name: Default consumer binding
Level: Cell level
Path:
- Click Security > Web services.
- Under Default consumer binding, click Key information.

Binding name: Default generator binding
Level: Server level
Path:
- Click Servers > Application servers > server_name.
- Under Security, click Web services: Default bindings for Web services security.
- Under Default generator binding, click Key information.

Binding name: Default consumer binding
Level: Server level
Path:
- Click Servers > Application servers > server_name.
- Under Security, click Web services: Default bindings for Web services security.
- Under Default consumer binding, click Key information.

Binding name: Request generator (sender) binding
Level: Application level
Path:
- Click Applications > Enterprise applications > application_name.
- Under Related items, click EJB modules or Web modules > URI_name.
- Under Additional properties, click Web services: Client security bindings.
- Under Request generator (sender) binding, click Edit custom.
- Under Required properties, click Key information.

Binding name: Response generator (sender) binding
Level: Application level
Path:
- Click Applications > Enterprise applications > application_name.
- Under Related items, click EJB modules or Web modules > URI_name.
- Under Additional properties, click Web services: Server security bindings.
- Under Response generator (sender) binding, click Edit custom.
- Under Required properties, click Key information.

Part Reference
Specifies the name of the <confidentiality> element for the generator binding or the <requiredConfidentiality> element for the consumer binding element in the deployment descriptor.
This field is available on the application level only.