
Example: Message-level WS-Security policy set


This example shows how to configure the message-level WS-Security policy set and bindings to send a Username token in a JAX-WS request, and to encrypt the Username token using asymmetric encryption.

Make a copy of the Username WSSecurity default policy set and give it a unique name. This example illustrates how to modify a copy of the default policy set.

By default, the Username WSSecurity policy set signs the WS-Addressing headers and body in the request and the response, and encrypts the body and signature in the request and the response. However, in this example, the goal is to encrypt only the Username token in the request from the client to the service, but not to encrypt any part of the response from the service to the client. In addition, no part of the request or the response will be signed. Therefore, the policy set must be modified to remove several message protection parts. You must also configure the client and server bindings. Note that because nothing is signed, this configuration gives the body no integrity protection; the nonce and timestamp that are added to the Username token later in this example limit replay of the token itself, not tampering with the rest of the message.

First, configure the policy set by modifying the copy of the Username WSSecurity default policy set.

 

  1. From the admin console, click...

    Services | Policy sets | Application policy sets | policy_set_name

    In the Policy set settings panel, you can specify information about the policy set, such as the description.

  2. Remove the following message protection parts:

    • request:app_signparts
    • response:app_signparts
    • response:app_encparts

    1. Go to...

      Application policy sets | policy_set_name | WS-Security | Main policy | Response message part protection

    2. Click on app_encparts in the Encrypted parts box, then click the Delete button.

    3. Click on app_signparts in the Signed parts box, then click the Delete button.

    4. Go to...

      Application policy sets | policy_set_name | WS-Security | Main policy | Request message part protection

    5. Click on app_signparts in the Signed parts box, then click the Delete button.

  3. Update the protection part specified for request:app_encparts. By default, this message protection part encrypts the body and signature elements; it must be modified to encrypt the Username token instead.

    1. Click Application policy sets > policy_set_name > WS-Security > Main policy > Request message part protection > Encrypted part - app_encparts > Edit.

    2. Delete the existing elements in the Elements in part panel, then add two XPath expressions for encrypting the Username token: one for a SOAP 1.1 envelope and one for a SOAP 1.2 envelope, so that the token is encrypted whichever SOAP version the client sends. Every step of each expression is namespace-qualified; an expression that matched on local names alone could be satisfied by an element in the wrong namespace.

      Expression 1:

      /*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' 
              and local-name()='Envelope']/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' 
              and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' 
              and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' 
              and local-name()='UsernameToken']
      

      Expression 2:

      /*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' 
              and local-name()='Envelope']/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' 
              and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' 
              and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' 
              and local-name()='UsernameToken']
      

     

    Next steps

    The second part of the process is to configure the client and server bindings.

    1. Set the client binding, as follows:

      1. Attach the policy set to the service client resource and create a new binding for that resource that includes the WS-Security policy.

      2. Click on WSSecurity in the new binding to display the main WSSecurity binding panel. For example, click Enterprise applications > WSSampleServiceSei > Service client policy sets and bindings > binding_name > WS-Security.

      3. Click Authentication and protection.

      4. Click AsymmetricBindingRecipientEncryptionToken0 under Protection tokens.

      5. Click Apply.

      6. Click Callback handler.

      7. Select Custom from the Keystore menu.

      8. Click Custom keystore configuration.

      9. Enter the keystore path. For example: ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks. Outside of a sample setup, the client keystore only needs the service's certificate (public key) to encrypt the request; the private key that decrypts it belongs in the service's keystore only.

      10. Select JCEKS for the Type.

      11. Enter the password in the Password and Confirm password fields. For example, storepass.

      12. Enter a Key Name. For example, CN=Bob, O=IBM, C=US.

      13. Enter a Key Alias. For example, bob.

      14. Enter the key password in the Password and Confirm password fields.

      15. Click OK.

      16. Click OK again.

      17. Click OK one more time to return to the Enterprise Applications > WSSampleServicesSei > Service client policy sets and bindings > binding_name > WS-Security > Authentication and protection panel.

      18. The status of AsymmetricBindingRecipientEncryptionToken0 should display as Configured.

    2. Modify the encrypted parts settings for the client binding, as follows:

      1. Click request:app_encparts under Request message signature and encryption protection.

      2. Enter a Name. For example, MyEncPart.

      3. Click New under Key information.

      4. Fill in a Name. For example, MyEncKeyInfo.

      5. Click OK.

      6. Select MyEncKeyInfo (or the name that you specified for the key information) from the Available box and click Add. MyEncKeyInfo appears in the Assigned box.

      7. Click OK to return to the Enterprise Applications > WSSampleServicesSei > Service client policy sets and bindings > binding_name > WS-Security > Authentication and protection panel.

      8. The status of request:app_encparts should display as Configured.

    3. Set the Username token settings in the client binding, as follows:

      1. Click request:myUserNameToken under Authentication tokens.

      2. Click Apply.

      3. Click Callback handler.

      4. Specify the User name. For example, LDAPSunuser6.

      5. Specify the password, and confirm the password.

      6. Click OK.

      7. Under Custom properties, click New to add the properties for enabling nonce and timestamp. These only help against replay if the server binding is configured to verify them (see the server binding steps).

      8. Enter the property name com.ibm.wsspi.wssecurity.token.username.addNonce to enable nonce, and the property value true.

      9. Enter the property name com.ibm.wsspi.wssecurity.token.username.addTimestamp to enable timestamp, and the property value true.

      10. Click OK again.

      11. The status of request:myUserNameToken should now display as Configured.

      12. Click Save to save the client bindings.

    4. Set the server binding, as follows:

      1. Attach the policy to a service resource and create a new binding for that resource that includes the WSSecurity policy.

      2. Click on WSSecurity in the new binding to display the main WSSecurity binding panel. For example, click Enterprise Applications > WSSampleServiceSei > Service provider policy sets and bindings > binding_name > WS-Security.

      3. Click Authentication and protection.

      4. Click AsymmetricBindingRecipientEncryptionToken0 under Protection tokens.

      5. Click Apply.

      6. Click Callback handler.

      7. Select Custom from the Keystore menu.

      8. Click Custom keystore configuration.

      9. Enter the keystore path. For example: ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks.

      10. Select JCEKS for the Type.

      11. Enter the password in the Password and Confirm password fields. For example, storepass.

      12. Enter a Key Name. For example, CN=Bob, O=IBM, C=US.

      13. Enter a Key Alias. For example, bob.

      14. Enter the key password in the Password and Confirm password fields.

      15. Click OK.

      16. Click OK again.

      17. Click OK one more time to return to the Enterprise Applications > WSSampleServicesSei > Service provider policy sets and bindings > binding_name > WS-Security > Authentication and protection panel.

      18. The status of AsymmetricBindingRecipientEncryptionToken0 should display as Configured.

    5. Modify the encrypted parts settings for the server binding, as follows:

      1. Click request:app_encparts under Request message signature and encryption protection.

      2. Enter a Name. For example, MyEncPart.

      3. Click New under Key information.

      4. Fill in a Name. For example, MyEncKeyInfo.

      5. Click OK.

      6. Select MyEncKeyInfo (or the name that you specified for the key information) from the Available box and click Add. MyEncKeyInfo appears in the Assigned box.

      7. Click OK to return to the Enterprise Applications > WSSampleServicesSei > Service provider policy sets and bindings > binding_name > WS-Security > Authentication and protection panel.

      8. The status of request:app_encparts should display as Configured.

    6. Set the Username token settings in the server binding, as follows:

      1. Click request:myUserNameToken under Authentication tokens.

      2. Click Apply.

      3. Click Callback handler.

      4. Click OK.

      5. Under Custom properties, click New to add the properties for verifying nonce and timestamp. Both must be set on the server: a nonce and timestamp that the client adds but the server never checks do nothing to stop a captured request from being replayed.

      6. Enter the property name com.ibm.wsspi.wssecurity.token.username.verifyNonce to verify nonce, and the property value true.

      7. Enter the property name com.ibm.wsspi.wssecurity.token.username.verifyTimestamp to verify timestamp, and the property value true.

      8. Click OK again.

      9. The status of request:myUserNameToken should display as Configured.

      10. Click Save to save the server bindings.
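    As an added example that is not part of this documentation or of WebSphere's own code, the following Python shows what the server side of this configuration amounts to once the encrypted part has been decrypted: it locates the wsse:UsernameToken with the same namespace-qualified path the two XPath expressions in the policy set use (SOAP 1.1 and SOAP 1.2), and then applies the verifyNonce and verifyTimestamp checks, rejecting a stale wsu:Created and a nonce it has already seen. The namespace URIs are the ones used by the policy set; the five-minute tolerance, the user name, the password, the nonce values and the SOAP messages are constructed for the example and are not WebSphere defaults or captured traffic.

```python
"""Added example: server-side equivalent of the policy set's UsernameToken
selection plus the verifyNonce / verifyTimestamp checks. Not WebSphere code."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces as used by the policy set above.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"

# Assumed freshness window for wsu:Created; WebSphere's tolerance is a
# configurable setting, and five minutes here is a conventional choice, not its default.
MAX_CLOCK_SKEW = timedelta(minutes=5)


def find_username_token(envelope: str):
    """Same selection as the policy set's two XPath expressions:
    Envelope/Header/Security/UsernameToken, every step namespace-qualified,
    under either the SOAP 1.1 or the SOAP 1.2 envelope namespace."""
    root = ET.fromstring(envelope)
    for soap in (SOAP11, SOAP12):
        if root.tag == "{%s}Envelope" % soap:
            return root.find("{%s}Header/{%s}Security/{%s}UsernameToken" % (soap, WSSE, WSSE))
    return None


def _parse_created(text: str) -> datetime:
    """xsd:dateTime in UTC as WS-Security writes it, with or without fractional seconds."""
    text = text.strip()
    if not text.endswith("Z"):
        raise ValueError("wsu:Created must be UTC ('Z' suffix)")
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unparseable wsu:Created: %r" % text)


def verify_username_token(envelope: str, seen_nonces: set, now):
    """The verifyNonce / verifyTimestamp checks. `seen_nonces` is the replay
    cache shared across requests. Returns (accepted, reason)."""
    token = find_username_token(envelope)
    if token is None:
        return False, "no UsernameToken in wsse:Security header"
    nonce_el = token.find("{%s}Nonce" % WSSE)
    created_el = token.find("{%s}Created" % WSU)
    nonce = (nonce_el.text or "").strip() if nonce_el is not None else ""
    if not nonce:
        return False, "missing nonce"
    if created_el is None or not (created_el.text or "").strip():
        return False, "missing timestamp"
    try:
        created = _parse_created(created_el.text)
    except ValueError as exc:
        return False, str(exc)
    # Freshness is checked before the cache is touched, so stale tokens cannot fill it.
    if abs(now - created) > MAX_CLOCK_SKEW:
        return False, "timestamp outside freshness window"
    if nonce in seen_nonces:
        return False, "nonce replayed"
    seen_nonces.add(nonce)
    return True, "ok"


def sample_request(nonce: str, created: str, soap_ns: str = SOAP11) -> str:
    """Constructed request (not captured traffic) as the server sees it after
    decryption: the Username token this policy set encrypts, back in the clear."""
    return (
        '<soapenv:Envelope xmlns:soapenv="%s">'
        "<soapenv:Header>"
        '<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s">'
        '<wsse:UsernameToken wsu:Id="UsernameToken-1">'
        "<wsse:Username>LDAPSunuser6</wsse:Username>"
        '<wsse:Password Type="%s#PasswordText">example-password</wsse:Password>'
        "<wsse:Nonce>%s</wsse:Nonce>"
        "<wsu:Created>%s</wsu:Created>"
        "</wsse:UsernameToken>"
        "</wsse:Security>"
        "</soapenv:Header>"
        "<soapenv:Body/>"
        "</soapenv:Envelope>"
    ) % (soap_ns, WSSE, WSU, UTP, nonce, created)


def demo():
    """Four requests against one replay cache: fresh, replayed, stale, and SOAP 1.2."""
    cache = set()
    now = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    fresh = "2024-05-01T11:59:30.000Z"
    return (
        verify_username_token(sample_request("bm9uY2Ux", fresh), cache, now),
        verify_username_token(sample_request("bm9uY2Ux", fresh), cache, now),
        verify_username_token(sample_request("bm9uY2Uy", "2024-05-01T11:00:00Z"), cache, now),
        verify_username_token(sample_request("bm9uY2Uz", fresh, SOAP12), cache, now),
    )


if __name__ == "__main__":
    for accepted, reason in demo():
        print("accepted" if accepted else "rejected", "-", reason)
```

    The second request is rejected although its password is valid, which is the whole point of the nonce: with encryption but no signature, replay is the attack the Username token is otherwise open to. Two design points carry over to a real deployment: the replay cache only needs to retain nonces for the length of the freshness window, and in a cluster it must be shared across nodes, otherwise a captured request replayed at another node is accepted.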

     

    Related tasks


    Secure Web services using policy sets

     

    Related


    Copy of default policy set and bindings settings