Configure encryption to protect message confidentiality using the WSS APIs
We can configure encryption information for the client-side request generator (sender) bindings. Encryption information is used to specify how the generators (senders) encrypt outgoing SOAP messages. To configure encryption, specify which message parts to encrypt and specify which algorithm methods and security tokens are to be used for encryption.
Confidentiality refers to encryption while integrity refers to digital signing. Confidentiality reduces the risk of someone understanding the message flowing across the Internet. With confidentiality specifications, the message is encrypted before it is sent and decrypted when it is received at the correct target. Prior to configuring encryption, familiarize yourself with XML encryption.
For encryption, specify the following:
- Which parts of the message are to be encrypted.
- Which encryption algorithms to specify.
To configure encryption and encrypted parts on the client side, use the WSSEncryption and WSSEncryptPart APIs, or configure policy sets using the console.
WebSphere Application Server provides default values for bindings. However, an administrator must modify the defaults for a production environment.
WAS uses encryption information for the default generator to encrypt parts of the SOAP message. The WSSEncryption API configures the following required parts as encrypted parts.
encrypted parts. Use encrypted parts to increase the
Encryption parts Description Keywords Keywords are used to add the encrypted parts to the SOAP message. XPath expression An XPath expression is used to add the encrypted parts to the SOAP message. WSSEncryptPart object This object adds the encrypted parts to the SOAP message. WSSSignature object This object adds the signature component as an encrypted part. Header This part adds the header in the SOAP header, specified by QName, as an encryption part. Security token object This object adds the security token as an encryption part. Web Services Security API (WSS API) supports symmetric encryption, by using a shared key, only when Web Services Secure Conversation (WS-SecureConversation) is used.
The WSS APIs allow the use of either keywords or an XPath expression to specify the parts of the message that are to be encrypted. WebSphere Application Server supports the use of the following keywords:
Keyword References BODY_CONTENT The keyword for the contents of the SOAP message body as an encryption target. SIGNATURE The keyword for the signature component as an encryption target. If configuring using the WSS APIs, the WSSEncryption and WSSEncryptPart APIs complete these high-level steps:
- Use the WSSEncryption API to configure encryption. The WSSEncryption API performs these tasks by default:
- Generates the callback handler.
- Generates the generator security token object.
- Add the security token reference type.
- Add the signature component.
- Add the WSSEncryptPart object.
- Add the parts to be encrypted. Adds the default parts as targets of encryption by using keywords and XPath expressions.
- Add the header in the SOAP message, specified by QName.
- Sets the default data encryption method.
- Whether the key is to be encrypted using a Boolean value.
- Sets the default key encryption method.
- Selects a part reference.
- Sets the MTOM optimization Boolean value.
- Use the WSSEncryptPart API to configure encrypted parts or add a transform method. The WSSEncryptPart API performs these tasks by default:
- Sets the encrypted parts specified by using keywords or an XPath expression.
- Sets the encrypted parts specified by an XPath expression.
- Sets the signature component object, WSSSignature.
- Sets the header in the SOAP message, specified by QName.
- Sets the generator security token.
- Add the transform method, if needed.
- Change from the default values for algorithm or message parts, as needed. For example: you could change one or more of the following items:
- Change the data encryption algorithm from the default value of AES 128.
- Change the key encryption algorithm from the default value of KW_RSA_OAEP.
- Specify to not encrypt the key (false).
- Change the security token type from default of X.509 token.
- Change the security token reference type from the default value of SecurityToken.REF_STR.
- Only use BODY_CONTENT as an encryption part and not use SIGNATURE also.
- Turn MTOM optimization on (true).
Results
The encryption information is configured for the generator binding.
Example
The following is an example of the WSSEncryption API:
WSSFactory factory = WSSFactory.getInstance(); WSSGenerationContext gencont = factory.newWSSGenerationContext(); X509GenerateCallbackHandler callbackhandler = generateCallbackHandler(); SecurityToken token = factory.newSecurityToken(X509Token.class, callbackHandler); WSSEncryption enc = factory.newWSSEncryption(token); gencont.add(enc);
What to do next
We must configure similar decryption information for the client-side response consumer (receiver) bindings, if we have not already configured the information.
Next, review the WSSEncryption API process.
Subtopics
- Encrypting the SOAP message using the WSSEncryption API
We can secure the SOAP messages, without using policy sets for configuration, using the Web Services Security APIs (WSS API). To configure the client for request encryption on the generator side, use the WSSEncryption API to encrypt the SOAP message. The WSSEncryption API specifies which request SOAP message parts to encrypt when configuring the client.
- Choose encryption methods for generator bindings
To configure the client for request encryption for the generator binding, specify which encryption methods to use when the client encrypts the SOAP messages.
- Encryption methods
For request generator binding settings, the encryption methods include specifying the data and key encryption algorithms to use to encrypt the SOAP message. The WSS API for encryption (WSSEncryption) specifies the algorithm name and the matching algorithm uniform resource identifier (URI) for the data and key encryption methods. If the data and key encryption algorithms are specified, only elements that are encrypted with those algorithms are accepted.
- Add encrypted parts using the WSSEncryptPart API
We can secure the SOAP messages, without using policy sets for configuration, using the Web Services Security APIs (WSS API). To configure encrypted parts for the request generator (client side) bindings, use the WSSEncryptPart API to define and add to the listing of elements in the encrypted part. WSSEncryptPart is an interface that is part of the com.ibm.websphere.wssecurity.wssapi.encryption package.
Related concepts
XML encryption
Related tasks
Signing and encrypting message parts using policy sets Configure decryption methods to protect message confidentiality using the WSS APIs