

Configure encryption to protect message confidentiality at the application level

We can configure the encryption information for the request consumer (server side) and response consumer (client side) bindings at the application level. Before you begin, configure the key information that is referenced in the encryption information panel; see Configure the key information for the consumer binding on the application level. The encryption information on the consumer side is used to decrypt the encrypted message parts in the incoming SOAP message.

Complete the following steps to configure the encryption information for the request consumer or response consumer section of the bindings file on the application level:


Procedure

  1. Locate the Encryption information configuration panel in the admin console.

    1. Click Applications > Application Types > WebSphere enterprise applications > application_name .

    2. Under Manage modules, click URI_name.

    3. Under Web Services Security Properties you can access the encryption information for the request consumer and response consumer bindings.

      • For the request consumer (receiver) binding, click Web services: Server security bindings. Under Request consumer (receiver) binding, click Edit custom.

      • For the response consumer (receiver) binding, click Web services: Client security bindings. Under Response consumer (receiver) binding, click Edit custom.

    4. Under Required properties, click Encryption information.

    5. Click New to create an encryption information configuration, click Delete to delete an existing configuration, or click the name of an existing encryption information configuration to edit its settings. If you are creating a new configuration, enter a name in the Encryption information name field. For example, you might specify cons_encinfo.

  2. Select a data encryption algorithm from the Data encryption algorithm field. The data encryption algorithm is used for encrypting or decrypting parts of a SOAP message such as the SOAP body or the username token. WAS supports the following pre-configured algorithms:

    • http://www.w3.org/2001/04/xmlenc#tripledes-cbc
    • http://www.w3.org/2001/04/xmlenc#aes128-cbc
    • http://www.w3.org/2001/04/xmlenc#aes256-cbc

      To use this algorithm, download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.

    • http://www.w3.org/2001/04/xmlenc#aes192-cbc

      To use this algorithm, download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.

      Restriction: Do not use the 192-bit key encryption algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP).

      Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, check the laws of your country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.

    The data encryption algorithm that you select for the consumer side must match the data encryption method that you select for the generator side.

  3. Select a key encryption algorithm from the Key encryption algorithm field. The key encryption algorithm is used for encrypting the key used for encrypting the message parts within the SOAP message. Select (none) if the data encryption key, which is the key used for encrypting the message parts, is not encrypted. WAS supports the following pre-configured algorithms:

    • http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.

      When running with SDK v1.4, the list of supported key transport algorithms does not include this one. This algorithm appears in the list of supported key transport algorithms when running with SDK v1.5.

      Restriction: This algorithm is not supported when WAS is running in FIPS mode.

    • http://www.w3.org/2001/04/xmlenc#rsa-1_5
    • http://www.w3.org/2001/04/xmlenc#kw-tripledes
    • http://www.w3.org/2001/04/xmlenc#kw-aes128
    • http://www.w3.org/2001/04/xmlenc#kw-aes256

      To use the http://www.w3.org/2001/04/xmlenc#kw-aes256 algorithm, download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.

    • http://www.w3.org/2001/04/xmlenc#kw-aes192

      To use the http://www.w3.org/2001/04/xmlenc#kw-aes192 algorithm, download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.

      Restriction: Do not use the 192-bit key encryption algorithm if you want your configured application to be in compliance with the Basic Security Profile (BSP).

    The key encryption algorithm that you select for the consumer side must match the key encryption method that you select for the generator side.

  4. Optional: Select a part reference in the Part reference field. The part reference specifies the name of the message part that is encrypted and is defined in the deployment descriptor. For example, you can encrypt the bodycontent message part in the deployment descriptor. The name of this Required Confidentiality part is conf_con. This message part is shown as an option in the Part reference field.

  5. Under Additional properties, click Key information references.

  6. Click New to create a key information configuration, click Delete to delete an existing configuration, or click the name of an existing key information configuration to edit its settings. If you are creating a new configuration, enter a name in the Name field. For example, you might specify con_ekeyinfo. This entry is the name of the <encryptionKeyInfo> element in the binding file.

  7. Select a key information reference from the Key information reference field. This reference is the value of the keyinfoRef attribute of the <encryptionKeyInfo> element and it is the name of the <keyInfo> element that is referenced by this key information reference. Each key information reference entry generates an <encryptionKeyInfo> element under the <encryptionInfo> element in the binding configuration file. For example, if you enter con_ekeyinfo in the Name field and dec_keyinfo in the Key information reference field, the following <encryptionKeyInfo> element is generated in the binding file:
    <encryptionKeyInfo xmi:id="EncryptionKeyInfo_1085092248843"
    keyinfoRef="dec_keyinfo" name="con_ekeyinfo"/>

  8. Click OK and then click Save to save the configuration.
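The following is an added example, not WebSphere product code. It turns the algorithm rules from steps 2 and 3 into a check you can run on the server JDK before saving the binding: it maps each pre-configured XML Encryption URI to the key size it implies, asks the installed JCE policy (via Cipher.getMaxAllowedKeyLength) whether that size is permitted, applies the BSP and FIPS restrictions stated on this page, and confirms that the consumer algorithms match the generator side. The class, method and field names, the sample input in main, and the (none) convention for "data key not encrypted" are this example's own assumptions.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Cipher;

// Added example, not WebSphere product code. Checks a consumer-side
// data/key encryption algorithm pair (steps 2 and 3) against the JCE
// policy of the running JDK and the restrictions stated on this page.
public final class ConsumerEncryptionCheck {

    /** What this page states about one algorithm URI. */
    static final class Alg {
        final String jceName;   // JCE algorithm name queried for the policy limit
        final int keyBits;      // symmetric key size the URI implies; 0 for RSA key transport
        final boolean bsp;      // allowed in a Basic Security Profile compliant configuration
        final boolean fips;     // allowed when the server runs in FIPS mode
        Alg(String jceName, int keyBits, boolean bsp, boolean fips) {
            this.jceName = jceName; this.keyBits = keyBits; this.bsp = bsp; this.fips = fips;
        }
    }

    static final Map<String, Alg> DATA_ALGS = new LinkedHashMap<>();
    static final Map<String, Alg> KEY_ALGS = new LinkedHashMap<>();
    static {
        // Data encryption algorithms: only the 192-bit variant is excluded by BSP.
        DATA_ALGS.put("http://www.w3.org/2001/04/xmlenc#tripledes-cbc", new Alg("DESede", 168, true, true));
        DATA_ALGS.put("http://www.w3.org/2001/04/xmlenc#aes128-cbc",    new Alg("AES", 128, true, true));
        DATA_ALGS.put("http://www.w3.org/2001/04/xmlenc#aes192-cbc",    new Alg("AES", 192, false, true));
        DATA_ALGS.put("http://www.w3.org/2001/04/xmlenc#aes256-cbc",    new Alg("AES", 256, true, true));
        // Key encryption algorithms: rsa-oaep-mgf1p is unavailable in FIPS mode and
        // kw-aes192 is excluded by BSP; the page states no other restrictions.
        KEY_ALGS.put("http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p", new Alg("RSA", 0, true, false));
        KEY_ALGS.put("http://www.w3.org/2001/04/xmlenc#rsa-1_5",        new Alg("RSA", 0, true, true));
        KEY_ALGS.put("http://www.w3.org/2001/04/xmlenc#kw-tripledes",   new Alg("DESede", 168, true, true));
        KEY_ALGS.put("http://www.w3.org/2001/04/xmlenc#kw-aes128",      new Alg("AES", 128, true, true));
        KEY_ALGS.put("http://www.w3.org/2001/04/xmlenc#kw-aes192",      new Alg("AES", 192, false, true));
        KEY_ALGS.put("http://www.w3.org/2001/04/xmlenc#kw-aes256",      new Alg("AES", 256, true, true));
    }

    /** True if the installed JCE policy permits keys of the size this URI needs. */
    static boolean policyPermits(Alg alg) throws NoSuchAlgorithmException {
        // Java 9 and later ship the unrestricted policy by default, so this is true
        // there; on older JDKs a false result means the policy file is missing.
        return Cipher.getMaxAllowedKeyLength(alg.jceName) >= alg.keyBits;
    }

    /**
     * Returns the problems found for a consumer binding; empty if the pair is usable.
     * generatorDataUri and generatorKeyUri are the values configured on the generator
     * side; pass null to skip the match check.
     */
    static List<String> check(String dataUri, String keyUri, boolean requireBsp, boolean fipsMode,
                              String generatorDataUri, String generatorKeyUri)
            throws NoSuchAlgorithmException {
        List<String> problems = new ArrayList<>();
        Map<String, Alg> selected = new LinkedHashMap<>();
        selected.put(dataUri, DATA_ALGS.get(dataUri));
        boolean keyEncrypted = keyUri != null && !"(none)".equals(keyUri); // (none): data key not encrypted
        if (keyEncrypted) {
            selected.put(keyUri, KEY_ALGS.get(keyUri));
        }
        for (Map.Entry<String, Alg> e : selected.entrySet()) {
            String uri = e.getKey();
            Alg alg = e.getValue();
            if (alg == null) { problems.add("not a pre-configured algorithm: " + uri); continue; }
            if (!policyPermits(alg)) {
                problems.add("JCE policy limits " + alg.jceName + " below " + alg.keyBits + " bits: " + uri);
            }
            if (requireBsp && !alg.bsp) problems.add("not BSP compliant: " + uri);
            if (fipsMode && !alg.fips) problems.add("not supported in FIPS mode: " + uri);
        }
        if (generatorDataUri != null && !generatorDataUri.equals(dataUri)) {
            problems.add("data encryption algorithm differs from the generator side");
        }
        String effectiveKeyUri = keyEncrypted ? keyUri : "(none)";
        if (generatorKeyUri != null && !generatorKeyUri.equals(effectiveKeyUri)) {
            problems.add("key encryption algorithm differs from the generator side");
        }
        return problems;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample: an application that must stay BSP compliant, on a
        // FIPS-mode server, whose generator side was configured with rsa-1_5.
        List<String> found = check("http://www.w3.org/2001/04/xmlenc#aes192-cbc",
                                   "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
                                   true, true,
                                   "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
                                   "http://www.w3.org/2001/04/xmlenc#rsa-1_5");
        for (String p : found) System.out.println(p);
    }
}
```

Run it with the JDK that WAS itself uses, because the policy limit it reports belongs to that JDK's installation, not to whichever JDK happens to be first on the path. The sample input in main is chosen to trigger the BSP restriction, the FIPS restriction and the generator mismatch at once; a pair such as aes128-cbc with rsa-1_5 returns an empty list.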


Results

You have configured the encryption information for the consumer binding at the application level.


What to do next

We must specify a similar encryption information configuration for the generator.

Basic Security Profile compliance tips
Configure encryption using JAX-RPC to protect message confidentiality at the application level
Configure the key information for the consumer binding on the application level
Secure messages using JAX-RPC at the request and response consumers
