+

Search Tips   |   Advanced Search

Encryption information settings: Methods


To configure the encryption and decryption parameters for the signature method, digest method, and canonicalization method.

The specifications that are listed on this page for the signature method, digest method, and canonicalization method are located in the World Wide Web Consortium (W3C) document entitled, XML Encryption Syntax and Processing: W3C Recommendation 10 Dec 2002. following steps:

  1. Click Applications > Application Types > WebSphere enterprise appsapplication_name and complete one of the following steps:

    • Click Manage modules > URI_file_name > Web Services: Client Security Bindings. Under Request sender binding, click Edit. Under Web Service Security Properties, click Encryption Information.

    • Under Modules, click Manage modules > URI_file_name > Web Services: Server Security Bindings. Under Response sender binding, click Edit. Under Web Service Security Properties, click Encryption Information.

  2. Select None or Dedicated encryption information. The appserver can have either one or no encryption configurations for the request sender and the response sender bindings. If not using encryption, select None. To configure encryption for either of these two bindings, select Dedicated encryption information and specify the settings using the fields that are described in this topic.

Encryption information name

Name of the key locator configuration that retrieves the key for XML digital signature and XML encryption.

Key locator reference

Name used to reference the key locator.

Configure these key locator reference options on the cell level, the server level, and the application level. The configurations that are listed in the field are a combination of the configurations on these three levels.

To configure the key locators on the cell level...

  1. Click Security > JAX-WS and JAX-RPC security runtime.

  2. Under Additional properties, click Key locators.

To configure the key locators on the server level, complete the

  1. Click Servers > Server Types > WebSphere appservers > server_name.

  2. Under Security, click JAX-WS and JAX-RPC security runtime.

    In a mixed node cell with a server using Websphere Application Server version 6.1 or earlier, click Web services: Default bindings for WS-Security

  3. Under Additional properties, click Key locators.

To configure the key locators on the application level...

  1. Click Applications > Application Types > WebSphere enterprise appsapplication_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Under Web Service Security Properties, we can access the key locators for the following bindings:

Encryption key name

Name of the encryption key that is resolved to the actual key by the specified key locator.

Data type String

Key encryption algorithm

Algorithm uniform resource identifier (URI) of the key encryption method.

The following algorithms are supported:

  • http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.

    When running with IBM SDK V1.4, the list of supported key transport algorithms does not include this one. This algorithm appears in the list of supported key transport algorithms when running with JDK 1.5 or later. By default, the RSA-OAEP algorithm uses the SHA1 message digest algorithm to compute a message digest as part of the encryption operation. Optionally, we can use the SHA256 or SHA512 message digest algorithm by specifying a key encryption algorithm property. The property name is: com.ibm.wsspi.wssecurity.enc.rsaoaep.DigestMethod. The property value is one of the following URIs of the digest method:

    • http://www.w3.org/2001/04/xmlenc#sha256

    • http://www.w3.org/2001/04/xmlenc#sha512

    By default, the RSA-OAEP algorithm uses a null string for the optional encoding octet string for the OAEPParams. We can provide an explicit encoding octet string by specifying a key encryption algorithm property. For the property name, we can specify com.ibm.wsspi.wssecurity.enc.rsaoaep.OAEPparams. The property value is the base 64-encoded value of the octet string.

    We can set these digest method and OAEPParams properties on the generator side only. On the consumer side, these properties are read from the incoming SOAP message.

  • http://www.w3.org/2001/04/xmlenc#rsa-1_5.
  • http://www.w3.org/2001/04/xmlenc#kw-tripledes.
  • http://www.w3.org/2001/04/xmlenc#kw-aes128.
  • http://www.w3.org/2001/04/xmlenc#kw-aes192. To use the 192-bit key encryption algorithm, download the unrestricted JCE policy file. Restriction: Do not use the 192-bit key encryption algorithm if we want the configured application to be in compliance with the Basic Security Profile (BSP).
  • http://www.w3.org/2001/04/xmlenc#kw-aes256. To use the 256-bit key encryption algorithm, download the unrestricted JCE policy file.

If an InvalidKeyException error occurs and we are using the 129xxx or 256xxx encryption algorithm, the unrestricted policy files might not exist in the configuration.

 

Java Cryptography Extension

By default, the JCE is shipped with restricted or limited strength ciphers. To use 192-bit and 256-bit Advanced Encryption Standard (AES) encryption algorithms, apply unlimited jurisdiction policy files.

Before downloading these policy files, back up the existing policy files (local_policy.jar and US_export_policy.jar in the WAS_HOME/jre/lib/security/ directory) prior to overwriting them in case you want to restore the original files later.

Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, check the laws of the country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.

 

Application server platforms and IBM Developer Kit, Java Technology Edition V1.4.2

To download the policy files, complete one of the following sets of steps:

  • [AIX] [Linux]

    (Windows) For appserver platforms using IBM Developer Kit, Java Technology Edition V 1.4.2, including the AIX, Linux, and Windows platforms, complete the following steps to obtain unlimited jurisdiction policy files:

    1. Go to the following Web site: IBM developer kit: Security information

    2. Click Java 1.4.2

    3. Click IBM SDK Policy files.

      The Unrestricted JCE Policy files for SDK 1.4 Web site is displayed.

    4. Enter the user ID and password or register with IBM to download the policy files. The policy files are downloaded onto the machine.

  • [HP-UX] For appserver platforms using the Sun-based Java SE Development Kit 6 (JDK 6) V1.4.2, including the Solaris environments and the HP-UX platform, complete the following steps to obtain unlimited jurisdiction policy files:

    1. Go to the following Web site: http://java.sun.com/j2se/1.4.2/download.html

    2. Click Archive area.

    3. Locate the JCE Unlimited Strength Jurisdiction Policy Files 1.4.2 information and click Download. The jce_policy-1_4_1.zip file is downloaded onto the machine.

After completing these steps, two JAR files are placed in the JVM jre/lib/security/ directory.

Data encryption algorithm

Algorithm Uniform Resource Identifiers (URI) of the data encryption method.

The following algorithms are supported:

By default, the JCE ships with restricted or limited strength ciphers. To use 192-bit and 256- bit AES encryption algorithms, apply unlimited jurisdiction policy files.

See the Key encryption algorithm field description.




Related concepts


Basic Security Profile compliance tips

 

Related tasks


Set encryption using JAX-RPC to protect message confidentiality at the application level

 

Related


Encryption information collection
Key locator collection