WS-Security Confidentiality
In WebSphere V6.0, multiple and arbitrary parts of the message can be encrypted, for example a message body, security token and so on.
Confidentiality is the protection of a SOAP message so that only authorized recipients can read it. It is provided by XML encryption of the contents of the SOAP message: once a part of the message is encrypted, only a party holding the corresponding decryption key can decrypt and read that part.
Steps to enable confidentiality in your application
The simplified steps to enable confidentiality follow.
- Client side
  To specify confidentiality for part of a SOAP message, specify the part that should be encrypted and the manner of encryption in the client's WS-Security configuration.
  - Specify the parts of the message that have to be encrypted in the Request Generator configuration. The message parts can be specified by a predefined keyword or by an XPath expression, and multiple parts can be specified.
  - Specify key-related information, which includes the location of the client's key, the type of key, and a password for protecting the key.
  - Specify encryption information, which defines how to encrypt the specified part. You need to specify options such as the encryption method algorithm and the key-related information. Application Developer helps you to specify these options.
  - If the client expects a response that the server has encrypted, the client also has to be configured to decrypt the server's encryption of the response message in the Response Consumer configuration.
- Server side
  To require confidentiality for part of a SOAP message, specify the part that must arrive encrypted and how it is to be decrypted in the server's WS-Security configuration.
  - Specify the parts of the message that require decryption in the Request Consumer configuration. The message parts can be specified by a predefined keyword or by an XPath expression, and multiple parts can be specified.
  - Specify key-related information, including the location of the server's key, the type of key, and a password for protecting the key.
  - Specify encryption information, which defines how to decrypt the specified part. You need to specify options such as the encryption method algorithm and the key-related information. Application Developer helps you to specify these options.
  - Specify a token consumer in the Request Consumer configuration. The token consumer's role is to receive the information needed for message decryption. In this case a token consumer for the X.509 certificate token, X509TokenConsumer, should be specified; it is provided by the WebSphere Web services security runtime as a default implementation.
  - If the server must send a response that is itself confidential, the server also has to be configured to encrypt the response message in the Response Generator configuration.
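The Request Consumer steps above say which parts must arrive encrypted, but a consumer that merely decrypts whatever it finds does not enforce that requirement. The following added example (not WebSphere or Application Developer code) shows the check a consumer should make before processing a message: every required part, named either by the predefined keyword `body` or by an XPath expression as the text describes, must be present as an `xenc:EncryptedData` element using an acceptable algorithm, and it must be referenced from an `xenc:EncryptedKey` in the `wsse:Security` header whose `KeyInfo` points at a security token, which is what the X509TokenConsumer would then resolve. The namespace URIs are the standard WS-Security 1.0 and XML Encryption ones; the function and constant names (`check_confidentiality`, `KEYWORDS`, the allowed-algorithm sets) and the three sample envelopes are constructed for this example, with placeholder cipher text.

```python
# Added example: enforce "required confidentiality" on an incoming SOAP message
# before any decryption. Standard library only; sample messages are constructed.
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Predefined keyword -> XPath relative to the Envelope (assumed policy vocabulary)
KEYWORDS = {"body": "soapenv:Body"}
# Algorithms this consumer accepts (assumed policy; adjust to local requirements)
ALLOWED_DATA_ALGORITHMS = {"http://www.w3.org/2001/04/xmlenc#aes128-cbc",
                           "http://www.w3.org/2001/04/xmlenc#aes256-cbc"}
ALLOWED_KEY_ALGORITHMS = {"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"}


def check_confidentiality(envelope_xml, required_parts):
    """Return a list of findings; an empty list means every required part is
    encrypted acceptably and wrapped by an EncryptedKey in the Security header."""
    root = ET.fromstring(envelope_xml)
    findings = []
    key = root.find("soapenv:Header/wsse:Security/xenc:EncryptedKey", NS)
    referenced = set()
    if key is None:
        findings.append("no xenc:EncryptedKey in wsse:Security header")
    else:
        method = key.find("xenc:EncryptionMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg not in ALLOWED_KEY_ALGORITHMS:
            findings.append(f"key transport algorithm not allowed: {alg}")
        # The token consumer needs a token reference to locate the decryption key
        if key.find("ds:KeyInfo/wsse:SecurityTokenReference", NS) is None:
            findings.append("EncryptedKey does not reference a security token")
        referenced = {ref.get("URI", "").lstrip("#") for ref in
                      key.findall("xenc:ReferenceList/xenc:DataReference", NS)}
    enc_tag = f"{{{NS['xenc']}}}EncryptedData"
    for part in required_parts:
        elem = root.find(KEYWORDS.get(part, part), NS)  # keyword or XPath
        if elem is None:
            findings.append(f"required part not found: {part}")
            continue
        # Type=Element replaces the part itself; Type=Content replaces its children
        enc = elem if elem.tag == enc_tag else elem.find("xenc:EncryptedData", NS)
        if enc is None:
            findings.append(f"required part is not encrypted: {part}")
            continue
        if enc is not elem and (len(elem) != 1 or (elem.text or "").strip()):
            findings.append(f"part {part} contains plaintext beside EncryptedData")
        method = enc.find("xenc:EncryptionMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg not in ALLOWED_DATA_ALGORITHMS:
            findings.append(f"data encryption algorithm not allowed for {part}: {alg}")
        if enc.get("Id") not in referenced:
            findings.append(f"EncryptedData for {part} is not referenced by the EncryptedKey")
    return findings


def envelope(header, body):
    """Build a SOAP 1.1 envelope around constructed header and body fragments."""
    return (f'<soapenv:Envelope xmlns:soapenv="{NS["soapenv"]}" xmlns:wsse="{NS["wsse"]}"'
            f' xmlns:xenc="{NS["xenc"]}" xmlns:ds="{NS["ds"]}">'
            f"<soapenv:Header>{header}</soapenv:Header><soapenv:Body>{body}</soapenv:Body>"
            "</soapenv:Envelope>")


# Constructed header: wrapped content key, token reference, and a DataReference to ED-1
SECURITY_HEADER = """<wsse:Security><xenc:EncryptedKey Id="EK-1">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
  <ds:KeyInfo><wsse:SecurityTokenReference>
    <wsse:KeyIdentifier>CONSTRUCTED-KEY-ID</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
</xenc:EncryptedKey></wsse:Security>"""
# Constructed body whose content is encrypted (Type=Content, placeholder cipher text)
ENCRYPTED_BODY = """<xenc:EncryptedData Id="ED-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>"""

ENCRYPTED_MESSAGE = envelope(SECURITY_HEADER, ENCRYPTED_BODY)
PLAINTEXT_MESSAGE = envelope(SECURITY_HEADER, "<getBalance xmlns='urn:example'>42</getBalance>")
WEAK_MESSAGE = envelope(SECURITY_HEADER, ENCRYPTED_BODY.replace("aes128-cbc", "tripledes-cbc"))

if __name__ == "__main__":
    for name, msg in [("encrypted", ENCRYPTED_MESSAGE), ("plaintext", PLAINTEXT_MESSAGE),
                      ("weak", WEAK_MESSAGE)]:
        print(name, check_confidentiality(msg, ["body"]) or "OK")
```

The `required_parts` argument plays the role of the "parts that require decryption" setting: a part that the policy names but that arrives in clear text, or encrypted with an algorithm outside the allowed set, is reported rather than silently accepted, which is the property the Request Consumer configuration is meant to guarantee.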