Set the WS-Security policy
When working with policy sets in the admin console, we can customize policies to ensure message security. The WS-Security policy can be configured to apply a message security (WS-Security) profile to requests. Message security policies are applied to requests and enforced on responses to support interoperability.
We can configure some settings of the default policies for custom policy sets. The provided default policy sets cannot be edited; to specify the policies for a policy set, create a copy of a default policy set or create a completely new policy set.
When security is enabled, depending on the assigned security role, we might not have access to the text entry fields or buttons needed to create or edit configuration data. Review the administrative roles documentation to learn more about the valid roles for the application server.
- Use the WS-Security policy panel to begin configuring the WS-Security policy. To access the WS-Security policy panel, from the admin console, click Services > Policy sets > Application policy sets > policy_set_name > WS-Security policy.
- Choose which type of message security to configure.
- Click the Main policy link to specify how message security policies are applied to requests and enforced on responses to support interoperability.
- Click the Bootstrap policy link to configure how secure conversations are established. A bootstrap policy might already be configured. If no bootstrap policy is currently configured, first ensure that we have enabled message security with symmetric signature and encryption policies and secure conversation tokens for both integrity and confidentiality protection.
- Use the Main policy settings panel or the Bootstrap policy settings panel to specify how message security policies are applied to requests and enforced on responses. Assertions for WS-Security versions are generated from the assertions already in the policy set: if the policy set includes a WS-Security 1.1 assertion, then WS-Security 1.1 itself is asserted. The settings on this panel apply to the main policy or the bootstrap policy, depending on which link was clicked:
- Select whether Message level protection is required. Select this check box if any of the message parts should be digitally signed or encrypted, or if a timestamp should be inserted in the message. If this box is unchecked, the Signature confirmation, Key symmetry, Timestamp and Security header layout options are disabled.
- Select whether signature confirmation is required. Select this check box to require signature confirmation.
- Configure the settings in the Key symmetry section.
The following fields can be configured in the Key symmetry section:
- Use symmetric tokens
- Click this radio button to use symmetric tokens. We can then configure symmetric tokens with the Symmetric signature and encryption policies link. Click this link to access the Symmetric Signature and Encryption Policies panel where we can create the trust context in which to use symmetric tokens. Using the same token for signing and validating messages and encrypting and decrypting messages provides better performance than can be achieved with asymmetric tokens. Symmetric tokens should be used within a trust context.
- Use asymmetric tokens
- Click this radio button to use asymmetric tokens. We can then configure asymmetric tokens with the Asymmetric signature and encryption policies link. Click this link to access the Asymmetric Signature and Encryption Policies panel where we can create the trust context (message integrity and confidentiality) in which to use asymmetric tokens. We do this by specifying which token type to use for the initiator and recipient signature, as well as for the initiator and recipient encryption.
- Include timestamp in header
- Select this check box to include a timestamp in the header. We can then specify whether the timestamp is positioned first or last in the header by using the Security header layout radio button options:
- Strict: Declarations must precede use
- Lax: Order of contents can vary
- Lax but timestamp required first in header
- Lax but timestamp required last in header
- Click the Algorithms link under the Policy Details section to access the Algorithms panel and select from the available algorithms. The available algorithms include cryptographic algorithms and their key lengths, as well as canonicalization algorithms for reconciling XML differences. Click this link to view the cryptographic and canonicalization algorithms that are supported.
- Set the request settings.
Click either of the following links to configure request settings:
- Request message part protection
- Click this link to define which request message parts are to be protected and how that protection is provided.
- Request token policies
- Click this link to define policies that specify which types of security tokens are supported in requests and the properties of those token types.
- Set the response settings.
Click either of the following links to configure response settings:
- Response message part protection
- Click this link to define which response message parts are to be protected and how that protection is provided.
- Response token policies
- Click this link to define policies that specify which types of security tokens are supported in responses and the properties of those token types.
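As an added example (not code from this page or from the application server), the following Python audits a WS-SecurityPolicy 1.2 document for the settings the panels above control: key symmetry (binding type), timestamp, security header layout, algorithm suite, signature confirmation, bootstrap policy, and signed or encrypted message parts. The element names come from the WS-SecurityPolicy 1.2 specification; the sample policy document is constructed here and assumes the WS-Policy 1.5 namespace.

```python
# Added example (not from the page): audit a WS-SecurityPolicy 1.2 document for
# the main-policy settings this panel controls. SAMPLE_POLICY is constructed here.
import xml.etree.ElementTree as ET

SP = "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}"
WSP = "{http://www.w3.org/ns/ws-policy}"
SAMPLE_POLICY = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
 <sp:SymmetricBinding><wsp:Policy>
  <sp:ProtectionToken><wsp:Policy><sp:SecureConversationToken><wsp:Policy>
   <sp:BootstrapPolicy><wsp:Policy/></sp:BootstrapPolicy>
  </wsp:Policy></sp:SecureConversationToken></wsp:Policy></sp:ProtectionToken>
  <sp:AlgorithmSuite><wsp:Policy><sp:Basic256Sha256/></wsp:Policy></sp:AlgorithmSuite>
  <sp:Layout><wsp:Policy><sp:LaxTsFirst/></wsp:Policy></sp:Layout><sp:IncludeTimestamp/>
 </wsp:Policy></sp:SymmetricBinding>
 <sp:Wss11><wsp:Policy><sp:RequireSignatureConfirmation/></wsp:Policy></sp:Wss11>
 <sp:SignedParts><sp:Body/></sp:SignedParts><sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
</wsp:Policy>"""

def _nested(elem):
    """Assertions inside elem's own wsp:Policy wrapper; [] if elem or wrapper is absent."""
    pol = elem.find(WSP + "Policy") if elem is not None else None
    return list(pol) if pol is not None else []

def _local(elem):
    """Local name of an sp: element (None for elements in other namespaces)."""
    return elem.tag[len(SP):] if elem.tag.startswith(SP) else None

def audit_policy(xml_text):
    """Summarise the panel's settings as asserted in a WS-SecurityPolicy document."""
    root = ET.fromstring(xml_text)
    # First binding in document order is the main policy; a bootstrap policy's own
    # binding, if present, is nested under the SecureConversationToken.
    binding = next((e for e in root.iter() if _local(e) in ("SymmetricBinding", "AsymmetricBinding")), None)
    if binding is None:  # no message-level protection: the other options do not apply
        return {"message_level_protection": False, "findings": ["no binding: message unprotected"]}
    by_tag = {a.tag: a for a in _nested(binding)}
    r = {"message_level_protection": True,
         "key_symmetry": "symmetric" if _local(binding) == "SymmetricBinding" else "asymmetric",
         "timestamp": SP + "IncludeTimestamp" in by_tag,
         "layout": next(map(_local, _nested(by_tag.get(SP + "Layout"))), None),
         "algorithm_suite": next(map(_local, _nested(by_tag.get(SP + "AlgorithmSuite"))), None),
         "bootstrap_policy": binding.find(".//" + SP + "BootstrapPolicy") is not None,
         "signature_confirmation": root.find(".//%sWss11/%sPolicy/%sRequireSignatureConfirmation"
                                             % (SP, WSP, SP)) is not None,
         "signed_parts": sorted({_local(c) for p in root.iter(SP + "SignedParts") for c in p}),
         "encrypted_parts": sorted({_local(c) for p in root.iter(SP + "EncryptedParts") for c in p})}
    r["findings"] = []  # weak-setting checks a reviewer of the policy set would want
    if not r["timestamp"]:
        r["findings"].append("no IncludeTimestamp: signed messages can be replayed")
    if "Body" not in r["signed_parts"] or "Body" not in r["encrypted_parts"]:
        r["findings"].append("Body is not both signed and encrypted")
    return r
```

Running `audit_policy(SAMPLE_POLICY)` reports a symmetric binding with a bootstrap policy, LaxTsFirst layout, Basic256Sha256 suite, timestamp and signature confirmation, and no findings; removing the IncludeTimestamp assertion produces the replay finding.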
Results
Once we have customized the WS-Security policy, the associated policy set uses this policy to protect messages.