Encryption information configuration settings: Message parts
Use this page to configure the encryption and decryption parameters. You can use these parameters to encrypt and decrypt various parts of the message, including the body and the token. To view the console panel for the encryption information on the cell level...
- Click Security > Web services.
- Under either Default generator bindings or Default consumer bindings, click Encryption information.
- Click New to create a new encryption configuration or click the name of an existing encryption configuration.
To view the console panel for the encryption information on the server level...
- Click Servers > Application servers > server.
- Under Security, click Web services: Default bindings for Web services security.
- Under either Default generator bindings or Default consumer bindings, click Encryption information.
- Click New to create a new encryption configuration or click the name of an existing encryption configuration.
To view this console page for the encryption information on the application level...
- Click Applications > Enterprise applications > application.
- Under Modules, click Module update > module_name.
Under Web Services Security Properties, you can access encryption information for the following bindings:
- For the Request generator, click Web services: Client security bindings. Under Request generator (sender) binding, click Edit custom. Under Required properties, click Encryption information.
- For the Request consumer, click Web services: Server security bindings. Under Request consumer (receiver) binding, click Edit custom. Under Required properties, click Encryption information.
- For the Response generator, click Web services: Server security bindings. Under Response generator (sender) binding, click Edit custom. Under Required properties, click Encryption information.
- For the Response consumer, click Web services: Client security bindings. Under Response consumer (receiver) binding, click Edit custom. Under Required properties, click Encryption information.
- Click either New to create a new encryption configuration or click the name of an existing encryption configuration.
- Encryption information name
- Name for the encryption information.
Data type: String
- Data encryption algorithm
Specify the algorithm URI of the data encryption method. The following algorithms are supported:
- http://www.w3.org/2001/04/xmlenc#tripledes-cbc
- http://www.w3.org/2001/04/xmlenc#aes128-cbc
- http://www.w3.org/2001/04/xmlenc#aes256-cbc. To use this algorithm, download the unrestricted Java Cryptography Extension (JCE) policy file from the following Web site: http://www.ibm.com/developerworks/java/jdk/security/index.html. For more information, see Encryption information configuration settings: Methods.
- http://www.w3.org/2001/04/xmlenc#aes192-cbc. To use this algorithm, download the unrestricted JCE policy file from the following Web site: http://www.ibm.com/developerworks/java/jdk/security/index.html. For more information, see Encryption information configuration settings: Methods.
Do not use the 192-bit data encryption algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP).
By default, the Java Cryptography Extension (JCE) is shipped with restricted or limited strength ciphers. To use 192-bit and 256-bit Advanced Encryption Standard (AES) encryption algorithms, apply unlimited jurisdiction policy files. For more information, see the Key encryption algorithm field description.
- Key locator reference
- Name of the key locator configuration that retrieves the key for XML digital signature and XML encryption.
The Key locator reference field is displayed for the request receiver and response receiver bindings, which are used by V5.x applications.
You can configure these key locator reference options on the server level, the cell level, and the application level. The configurations that are listed in the field are a combination of the configurations on these three levels. You can specify an encryption key configuration for the following bindings on the following levels:
Default generator binding (cell level):
- Click Security > Web services.
- Under Additional properties, click Key locators.
Default consumer binding (cell level):
- Click Security > Web services.
- Under Additional properties, click Key locators.
Default generator binding (server level):
- Click Servers > Application servers > server.
- Under Security, click Web services: Default bindings for Web services security.
- Under Additional properties, click Key locators.
Default consumer binding (server level):
- Click Servers > Application servers > server.
- Under Security, click Web services: Default bindings for Web services security.
- Under Additional properties, click Key locators.
Request sender (application level):
- Click Applications > Enterprise applications > application.
- Click Manage modules > URI_name.
- Click Web services: Client security bindings. Under Request sender binding, click Edit.
- Under Additional properties, click Key locators.
Request receiver (application level):
- Click Applications > Enterprise applications > application.
- Click Manage modules > URI_name.
- Click Web services: Server security bindings. Under Request receiver binding, click Edit.
- Under Additional properties, click Key locators.
Response sender (application level):
- Click Applications > Enterprise applications > application.
- Click Manage modules > URI_name.
- Click Web services: Server security bindings. Under Response sender binding, click Edit.
- Under Additional properties, click Key locators.
Response receiver (application level):
- Click Applications > Enterprise applications > application.
- Click Manage modules > URI_name.
- Click Web services: Client security bindings. Under Response receiver binding, click Edit.
- Under Additional properties, click Key locators.
- Key encryption algorithm
Specify the algorithm URI of the key encryption method. The following algorithms are provided by the application server:
- http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.
When running with Software Development Kit (SDK) V1.4, this algorithm is not in the list of supported key transport algorithms; it appears in the list when running with SDK V1.5 or later. By default, the RSA-OAEP algorithm uses the SHA1 message digest algorithm to compute a message digest as part of the encryption operation. Optionally, you can use the SHA256 or SHA512 message digest algorithm by specifying a key encryption algorithm property. The property name is com.ibm.wsspi.wssecurity.enc.rsaoaep.DigestMethod, and the property value is one of the following digest method URIs:
- http://www.w3.org/2001/04/xmlenc#sha256
- http://www.w3.org/2001/04/xmlenc#sha512
By default, the RSA-OAEP algorithm uses a null string for the optional encoding octet string for the OAEPParams. You can provide an explicit encoding octet string by specifying a key encryption algorithm property. The property name is com.ibm.wsspi.wssecurity.enc.rsaoaep.OAEPparams, and the property value is the base64-encoded value of the octet string.
You can set these digest method and OAEPParams properties on the generator side only. On the consumer side, these properties are read from the incoming SOAP message.
- http://www.w3.org/2001/04/xmlenc#rsa-1_5
- http://www.w3.org/2001/04/xmlenc#kw-tripledes
- http://www.w3.org/2001/04/xmlenc#kw-aes128
- http://www.w3.org/2001/04/xmlenc#kw-aes192
Do not use this 192-bit algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP).
- http://www.w3.org/2001/04/xmlenc#kw-aes256
Application server platforms and IBM Developer Kit, Java Technology Edition V1.4.2
By default, the Java Cryptography Extension (JCE) ships with restricted or limited strength ciphers. To use 192-bit and 256-bit Advanced Encryption Standard (AES) encryption algorithms, apply unlimited jurisdiction policy files. Before overwriting the existing policy files (local_policy.jar and US_export_policy.jar in the WAS_HOME/jre/lib/security/ directory), back them up in case you want to restore the original files later. To download the policy files, complete one of the following sets of steps:
For application server platforms using IBM Developer Kit, Java Technology Edition V1.4.2, including the AIX, Linux, and Windows platforms, complete the following steps to obtain unlimited jurisdiction policy files:
- Go to the following Web site: IBM developer works: Security Information
- Click Java 1.4.2
- Click IBM SDK Policy files.
The Unrestricted JCE Policy files for SDK 1.4 Web site is displayed.
- Enter your user ID and password or register with IBM to download the policy files. The policy files are downloaded onto your machine.
For application server platforms using the Sun-based Java Development Kit (JDK) V1.4.2, including the Solaris environments and the HP-UX platform, complete the following steps to obtain unlimited jurisdiction policy files:
- Go to the following Web site: Download Java 2 Platform, Standard Edition, v 1.4.2 (J2SE)
- Click Archive area.
- Locate the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 1.4.2 information and click Download. The policy file is downloaded onto your machine.
After following either of these sets of steps, two Java archive (JAR) files are placed in the JVM jre/lib/security/ directory.
Application server platform and IBM Developer Kit, Java Technology Edition V5
By default, the Java Cryptography Extension (JCE) ships with restricted or limited strength ciphers. To use 192-bit and 256-bit Advanced Encryption Standard (AES) encryption algorithms, apply unlimited jurisdiction policy files. Before overwriting the existing policy files (local_policy.jar and US_export_policy.jar in the WAS_HOME/jre/lib/security/ directory), back them up in case you want to restore the original files later. To download the policy files, complete one of the following sets of steps:
For application server platforms using IBM Developer Kit, Java Technology Edition V5, including the AIX, Linux, and Windows platforms, you can obtain unlimited jurisdiction policy files by completing the following steps:
- Go to the following Web site: IBM developer works: Security Information
- Click Java 5
- Click IBM SDK Policy files.
The Unrestricted JCE Policy files for SDK 5 Web site is displayed.
- Enter your user ID and password or register with IBM to download the policy files. The policy files are downloaded onto your machine.
For application server platforms using the Sun-based Java Development Kit (JDK) V5, including the Solaris environments and the HP-UX platform, you can obtain unlimited jurisdiction policy files by completing the following steps:
- Go to the following Web site: Sun Java SE Downloads
- Click Archive area.
- Locate the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 1.5.1 information and click Download. The policy file is downloaded onto your machine.
After following either of these sets of steps, two Java archive (JAR) files are placed in the JVM jre/lib/security/ directory.
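The key encryption algorithm properties described above (a SHA-256 digest and an explicit OAEPParams value for rsa-oaep-mgf1p) and the policy-file prerequisite, as an added Java example that is not part of this documentation or of the product code: it checks whether the JVM policy permits 256-bit AES, then wraps and unwraps an AES data key with the JCE equivalents of those settings. The class and method names are my own, the OAEPParams value is constructed, and it assumes Java 8 or later for java.util.Base64; on recent JDKs the unlimited policy is the default, so the check passes without installing any files.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class OaepKeyWrapCheck {
    // True only when the unlimited jurisdiction policy is in effect; the restricted
    // files cap AES at 128 bits, so the aes192-cbc and aes256-cbc URIs cannot be used.
    static boolean unlimitedAesAvailable() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }
    // What rsa-oaep-mgf1p with DigestMethod=xmlenc#sha256 maps to in JCE: OAEP
    // digest SHA-256, MGF1 fixed to SHA-1 (the "mgf1p" in the URI), and the
    // base64 OAEPParams property decoded into the PSource label.
    static OAEPParameterSpec oaepSpec(String oaepParamsB64) {
        byte[] label = Base64.getDecoder().decode(oaepParamsB64);
        return new OAEPParameterSpec("SHA-256", "MGF1",
                MGF1ParameterSpec.SHA1, new PSource.PSpecified(label));
    }
    // Generator side: wrap the symmetric data key under the recipient's RSA public key.
    static byte[] wrap(KeyPair rsa, SecretKey dataKey, String oaepParamsB64) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.WRAP_MODE, rsa.getPublic(), oaepSpec(oaepParamsB64));
        return c.wrap(dataKey);
    }
    // Consumer side: the digest and label must match the generator's, which is why
    // the consumer reads them from the incoming SOAP message instead of a property.
    static SecretKey unwrap(KeyPair rsa, byte[] wrapped, String oaepParamsB64) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.UNWRAP_MODE, rsa.getPrivate(), oaepSpec(oaepParamsB64));
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }
    public static void main(String[] args) throws Exception {
        System.out.println("256-bit AES permitted by policy: " + unlimitedAesAvailable());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair rsa = kpg.generateKeyPair();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128); // an aes128-cbc key size is allowed even under the restricted policy
        SecretKey dataKey = kg.generateKey();
        // Constructed OAEPParams value, base64-encoded as it would be in the binding property
        String params = Base64.getEncoder().encodeToString("constructed-label".getBytes("UTF-8"));
        SecretKey back = unwrap(rsa, wrap(rsa, dataKey, params), params);
        System.out.println("round trip ok: " + Arrays.equals(dataKey.getEncoded(), back.getEncoded()));
    }
}
```

If unwrap is attempted with a different digest or label than the generator used, the cipher throws a BadPaddingException, which is the failure you see when generator and consumer OAEP settings disagree.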
Custom algorithms on the cell level
To specify custom algorithms on the cell level...
- Click Security > Web services.
- Under Additional properties, click Algorithm mappings.
- Click New to specify a new algorithm mapping or click the name of an existing configuration to modify its settings.
- Under Additional properties, click Algorithm URI.
- Click New to create a new algorithm URI. You must specify Key encryption in the Algorithm type field to have the configuration display in the Key encryption algorithm field on the Encryption information configuration settings panel.
Custom algorithms on the server level
To specify custom algorithms on the server level...
- Click Servers > Application servers > server.
- Under Security, click Web services: Default bindings for Web services security.
- Under Additional properties, click Algorithm mappings.
- Click New to specify a new algorithm mapping or click the name of an existing configuration to modify its settings.
- Under Additional properties, click Algorithm URI.
- Click New to create a new algorithm URI. You must specify Key encryption in the Algorithm type field to have the configuration display in the Key encryption algorithm field on the Encryption information configuration settings panel.
- Encryption key information
- Name of the key information reference that is used for encryption. This reference is resolved to the actual key by the specified key locator and defined in the key information.
For the request generator and response generator bindings, you can specify at most one encryption key configuration.
For the response consumer and the request consumer bindings, you can configure multiple encryption key references. To create a new encryption key reference, under Additional properties, click Key information references. You can specify an encryption key configuration for the following bindings on the following levels:
Default generator binding (cell level):
- Click Security > Web services.
- Under Default generator binding, click Key information.
Default consumer binding (cell level):
- Click Security > Web services.
- Under Default consumer binding, click Key information.
Default generator binding (server level):
- Click Servers > Application servers > server.
- Under Security, click Web services: Default bindings for Web services security.
- Under Default generator binding, click Key information.
Default consumer binding (server level):
- Click Servers > Application servers > server.
- Under Security, click Web services: Default bindings for Web services security.
- Under Default consumer binding, click Key information.
Request generator (sender) binding (application level):
- Click Applications > Enterprise applications > application.
- Click Manage modules > URI_name.
- Under Web Services Security Properties, click Web services: Client security bindings.
- Under Request generator (sender) binding, click Edit custom.
- Under Required properties, click Key information.
Response generator (sender) binding (application level):
- Click Applications > Enterprise applications > application.
- Click Manage modules > URI_name.
- Under Web Services Security Properties, click Web services: Server security bindings.
- Under Response generator (sender) binding, click Edit custom.
- Under Required properties, click Key information.
- Part Reference
- Name of the <confidentiality> element for the generator binding or the <requiredConfidentiality> element for the consumer binding element in the deployment descriptor.
This field is available on the application level only.
Related concepts
Basic Security Profile compliance tips
Related tasks
Configure encryption using JAX-RPC to protect message confidentiality at the application level
Related Reference
Encryption information collection
Key locator collection
Encryption information configuration settings: Methods