Configure policy set and bindings to encrypt a UsernameToken
This example shows how to configure the message-level WS-Security policy set and bindings to send a Username token in a JAX-WS request, and to encrypt the Username token using asymmetric encryption.
Make a copy of the Username WSSecurity default policy set and give it a unique name. This example illustrates how to modify a copy of the default policy set. For more information, read about copying default policy set and bindings settings.
By default, the Username WSSecurity policy set signs the WS-Addressing headers and body in the request and the response, and encrypts the body and signature in the request and the response. However, in this example, the goal is to encrypt only the Username token in the request from the client to the service, but not to encrypt any part of the response from the service to the client. In addition, no part of the request or the response will be signed. Therefore, the policy set must be modified to remove several message protection parts. We must also configure the client and server bindings.
First, configure the policy set by modifying the copy of the Username WSSecurity default policy set.
- From the console, click Services > Policy sets > Application policy sets > policy_set_name. In the Policy set settings panel, we can specify information about the policy set, such as the description.
- Remove the following message protection parts: request:app_signparts, response:app_signparts and response:app_encparts.
  - Click Application policy sets > policy_set_name > WS-Security > Main policy > Response message part protection.
  - Click on app_encparts in the Encrypted parts box, then click the Delete button.
  - Click on app_signparts in the Signed parts box, then click the Delete button.
  - Click Application policy sets > policy_set_name > WS-Security > Main policy > Request message part protection.
  - Click on app_signparts in the Signed parts box, then click the Delete button.
- Update the protection part specified for request:app_encparts. By default, this message protection part encrypts the body and signature elements, and must be modified to encrypt the Username token.
  - Click Application policy sets > policy_set_name > WS-Security > Main policy > Request message part protection > Encrypted part - app_encparts > Edit.
  - Delete the existing elements in the Elements in part panel, then add two XPath expressions for encrypting the Username token (Expression 1 for a SOAP 1.1 envelope, Expression 2 for a SOAP 1.2 envelope).
Expression 1:
/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Envelope']/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='UsernameToken']
Expression 2:
/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Envelope']/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='UsernameToken']
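To check that the two expressions select the Username token in the Security header and nothing else, here is an added Python example (not part of the original page and not WebSphere code): it parses the restricted XPath form used above into namespace/local-name steps and evaluates it against a constructed SOAP 1.1 and SOAP 1.2 request. The sample envelope, the wsu:Id values and the UsernameToken-named element placed in the Body are constructed for the check.

```python
import re
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Expression 1 and Expression 2 from the policy set, built from the same four steps.
def expression(soap_ns):
    step = "/*[namespace-uri()='%s' and local-name()='%s']"
    return (step % (soap_ns, "Envelope") + step % (soap_ns, "Header")
            + step % (WSSE, "Security") + step % (WSSE, "UsernameToken"))

EXPR_SOAP11 = expression(SOAP11)
EXPR_SOAP12 = expression(SOAP12)

# Only the restricted form /*[namespace-uri()='..' and local-name()='..'] is accepted.
STEP = re.compile(r"/\*\[namespace-uri\(\)='([^']*)' and local-name\(\)='([^']*)'\]")

def parse_steps(expr):
    """Turn the expression into [(namespace, local-name), ...] or reject it."""
    if STEP.sub("", expr) != "":
        raise ValueError("unsupported XPath syntax: " + expr)
    return STEP.findall(expr)

def select(expr, root):
    """Evaluate the absolute path: the first step must match the document element."""
    steps = parse_steps(expr)
    nodes = [root] if root.tag == "{%s}%s" % steps[0] else []
    for ns, name in steps[1:]:
        nodes = [c for n in nodes for c in n if c.tag == "{%s}%s" % (ns, name)]
    return nodes

def sample_request(soap_ns):
    """Constructed request: the real token in the Security header, plus a
    UsernameToken-named element in the Body that the policy must NOT select."""
    return ET.fromstring(
        '<S:Envelope xmlns:S="%s" xmlns:wsse="%s" xmlns:wsu="%s">'
        '<S:Header><wsse:Security><wsse:UsernameToken wsu:Id="UT-1">'
        '<wsse:Username>alice</wsse:Username></wsse:UsernameToken></wsse:Security></S:Header>'
        '<S:Body><wsse:UsernameToken wsu:Id="body-decoy"/></S:Body></S:Envelope>'
        % (soap_ns, WSSE, WSU))

def token_ids(expr, soap_ns):
    """wsu:Id of every element the expression selects in a request of the given SOAP version."""
    return [e.get("{%s}Id" % WSU) for e in select(expr, sample_request(soap_ns))]
```

Running token_ids(EXPR_SOAP11, SOAP11) and token_ids(EXPR_SOAP12, SOAP12) each returns only ["UT-1"], while crossing the versions returns an empty list, which is why the policy needs both expressions.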
What to do next
The second part of the process is to configure the client and server bindings.
When working with the client binding, be careful when choosing the protection token to edit. The names of the tokens are represented from the perspective of the protector. For instance, on a client, even though the word recipient is in its name, the AsymmetricBindingRecipientEncryptionToken0 is a generator. The best way to make sure that you are choosing the correct token is to look at the Usage column in the Protection tokens table.
- Configure the client binding, as follows:
  - Attach the policy to a service resource and create a new binding for that resource that includes the WSSecurity policy.
  - Click on WSSecurity in the new binding to display the main WSSecurity binding panel. For example, click Enterprise applications > WSSampleServiceSei > Service client policy sets and bindings > binding_name > WS-Security.
  - Click Authentication and protection.
  - Under Protection tokens, click AsymmetricBindingRecipientEncryptionToken0 (the Asymmetric encryption generator).
  - Click Apply.
  - Click Callback handler.
  - Select Custom from the Keystore menu.
  - Click Custom keystore configuration.
  - Enter the keystore path. For example: ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks.
  - Select JCEKS for the Type.
  - Enter the password in the Password and Confirm password fields. For example, storepass.
  - Enter a Key Name. For example, CN=Bob, O=IBM, C=US.
  - Enter a Key Alias. For example, bob.
  - Click OK.
  - Click OK again.
  - Click OK one more time to return to the Enterprise Applications > WSSampleServicesSei > Service client policy sets and bindings > binding_name > WS-Security > Authentication and protection panel.
  - The status of AsymmetricBindingRecipientEncryptionToken0 should display as Configured.
- Modify the encrypted parts settings for the client binding, as follows:
  - Click request:app_encparts under Request message signature and encryption protection.
  - Enter a Name. For example, MyEncPart.
  - Click New under Key information.
  - Fill in a Name. For example, MyEncKeyInfo.
  - Click OK.
  - Select MyEncKeyInfo (or the name that you specified for the key information) from the Available box and click Add. MyEncKeyInfo appears in the Assigned box.
  - Click OK to return to the Enterprise Applications > WSSampleServicesSei > Service client policy sets and bindings > binding_name > WS-Security > Authentication and protection panel.
  - The status of request:app_encparts should display as Configured.
- Configure the Username token settings in the client binding, as follows:
  - Click request:myUserNameToken under Authentication tokens.
  - Click Apply.
  - Click Callback handler.
  - Specify the User name. For example, LDAPSunuser6.
  - Specify the password, and confirm the password.
  - Click OK.
  - Under Custom properties, click New to add the properties for enabling nonce and timestamp.
  - Enter the property name com.ibm.wsspi.wssecurity.token.username.addNonce to enable nonce, and the property value true.
  - Enter the property name com.ibm.wsspi.wssecurity.token.username.addTimestamp to enable timestamp, and the property value true.
  - Click OK again.
  - The status of request:myUserNameToken should now display as Configured.
- Click Save to save the client bindings.
- Configure the server binding, as follows:
  - Attach the policy to a service resource and create a new binding for that resource that includes the WSSecurity policy.
  - Click on WSSecurity in the new binding to display the main WSSecurity binding panel. For example, click Enterprise Applications > WSSampleServiceSei > Service client policy sets and bindings > binding_name > WS-Security.
  - Click Authentication and protection.
  - Under Protection tokens, click AsymmetricBindingRecipientEncryptionToken0 (the Asymmetric encryption consumer).
  - Click Apply.
  - Click Callback handler.
  - Select Custom from the Keystore menu.
  - Click Custom keystore configuration.
  - Enter the keystore path. For example: ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks.
  - Select JCEKS for the Type.
  - Enter the password in the Password and Confirm password fields. For example, storepass.
  - Enter a Key Name. For example, CN=Bob, O=IBM, C=US.
  - Enter a Key Alias. For example, bob.
  - Enter the key password (keypass) in the Password and Confirm password fields.
  - Click OK.
  - Click OK again.
  - Click OK one more time to return to the Enterprise Applications > WSSampleServicesSei > Service client policy sets and bindings > binding_name > WS-Security > Authentication and protection panel.
  - The status of AsymmetricBindingRecipientEncryptionToken0 should display as Configured.
- Modify the encrypted parts settings for the server binding, as follows:
  - Click request:app_encparts under Request message signature and encryption protection.
  - Enter a Name. For example, MyEncPart.
  - Click New under Key information.
  - Fill in a Name. For example, MyEncKeyInfo.
  - Click OK.
  - Select MyEncKeyInfo (or the name that you specified for the key information) from the Available box and click Add. MyEncKeyInfo appears in the Assigned box.
  - Click OK to return to the Enterprise Applications > WSSampleServicesSei > Service client policy sets and bindings > binding_name > WS-Security > Authentication and protection panel.
  - The status of request:app_encparts should display as Configured.
- Configure the Username token settings in the server binding, as follows:
  - Click request:myUserNameToken under Authentication tokens.
  - Click Apply.
  - Click Callback handler.
  - Click OK.
  - Under Custom properties, click New to add the properties for verifying nonce and timestamp.
  - Enter the property name com.ibm.wsspi.wssecurity.token.username.verifyNonce to verify nonce, and the property value true.
  - Enter the property name com.ibm.wsspi.wssecurity.token.username.verifyTimestamp to verify timestamp, and the property value true.
  - Click OK again.
  - The status of request:myUserNameToken should display as Configured.
- Click Save to save the server bindings.
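What the addNonce/addTimestamp properties on the client and verifyNonce/verifyTimestamp on the server stand for, as an added Python model (not WebSphere's implementation; the freshness window, clock skew and nonce-cache lifetime are assumptions): the consumer rejects a Username token whose Created time is outside the freshness window and a nonce it has already accepted, which is what stops a captured token from being submitted a second time. The token below is constructed with the user name from the steps above.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed token as the client emits it with addNonce and addTimestamp set to true.
SAMPLE_TOKEN = (
    '<wsse:UsernameToken xmlns:wsse="%s" xmlns:wsu="%s" wsu:Id="UT-1">'
    '<wsse:Username>LDAPSunuser6</wsse:Username>'
    '<wsse:Nonce>c2FtcGxlLW5vbmNlLTE=</wsse:Nonce>'
    '<wsu:Created>2024-05-01T10:00:00.000Z</wsu:Created>'
    '</wsse:UsernameToken>' % (WSSE, WSU))

class UsernameTokenConsumer:
    """Model of the checks verifyTimestamp and verifyNonce stand for (assumed semantics)."""

    def __init__(self, max_age=timedelta(minutes=5), clock_skew=timedelta(seconds=30)):
        self.max_age, self.clock_skew = max_age, clock_skew
        self.seen = {}  # nonce -> time after which the cache entry can be dropped

    def check(self, token_xml, now):
        tok = ET.fromstring(token_xml)
        nonce = tok.findtext("{%s}Nonce" % WSSE)
        created = tok.findtext("{%s}Created" % WSU)
        if not nonce or not created:
            return "reject: Nonce and Created are required"
        ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        if ts > now + self.clock_skew:
            return "reject: Created is in the future"
        if ts < now - self.max_age:
            return "reject: token is stale"
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}  # purge old entries
        if nonce in self.seen:
            return "reject: nonce replayed"
        # keep the nonce at least as long as the token itself could still be fresh
        self.seen[nonce] = now + self.max_age + self.clock_skew
        return "accept"

def run_demo():
    """First delivery, an immediate redelivery, and a late redelivery of the same token."""
    consumer = UsernameTokenConsumer()
    t0 = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    return [consumer.check(SAMPLE_TOKEN, t0 + timedelta(seconds=1)),
            consumer.check(SAMPLE_TOKEN, t0 + timedelta(seconds=2)),
            consumer.check(SAMPLE_TOKEN, t0 + timedelta(minutes=10))]
```

run_demo() returns ["accept", "reject: nonce replayed", "reject: token is stale"]; without verifyNonce the second delivery would be accepted, and without verifyTimestamp the nonce cache would have to grow without bound.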
Related
Copy of default policy set and bindings settings