Secure messages at the response consumer using WSS APIs
We can secure SOAP messages with signature verification, decryption, and consumer tokens to protect message integrity, confidentiality, and authenticity, respectively. The response consumer (client-side) configuration defines the Web Services Security requirements for the incoming SOAP response.
To secure web services with WebSphere Application Server, configure the generator and the consumer security constraints. Several different configurations are involved. Although there is no required order in which to specify them, some configurations reference others; for example, decryption configurations reference encryption configurations.
The response consumer (client-side) configuration requirements are: verifying that the integrity parts are signed and that the signature is valid; verifying that the required confidential parts are encrypted, and decrypting them; and validating the security tokens. A response that does not satisfy a required part or token constraint is rejected rather than passed to the application.
We can use the following methods to configure Web Services Security and to define policy types to secure the SOAP messages:
- Use the console to configure policy sets.
- Use the Web Services Security APIs (WSS API) to configure the SOAP message context (only for the client).
The following high-level steps use the WSS APIs:
- Verify signing to protect message integrity.
- Configure decryption to protect message confidentiality.
- Validate consumer tokens to protect message authenticity.
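The three steps above carried out in one place for a JAX-WS client, as an added example that is not part of the original page or of IBM's product documentation. Class and method names follow the com.ibm.websphere.wssecurity.wssapi and com.ibm.websphere.wssecurity.callbackhandler packages as I recall them from the WebSphere Javadoc; confirm them against the Javadoc of the release you run. The keystore file names and types, passwords, the key alias, the CA certificate file and the port object are placeholder assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.xml.ws.BindingProvider;

import com.ibm.websphere.wssecurity.callbackhandler.UNTConsumeCallbackHandler;
import com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSConsumingContext;
import com.ibm.websphere.wssecurity.wssapi.WSSException;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.decryption.WSSDecryption;
import com.ibm.websphere.wssecurity.wssapi.token.UsernameToken;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;
import com.ibm.websphere.wssecurity.wssapi.verification.WSSVerification;

/** Added example: response-consumer (client-side) constraints built with the WSS API. */
public class ResponseConsumerSetup {

    /** Trust anchors used to validate the certificate that signed the response (CA file path is a placeholder). */
    private static List<CertStore> trustAnchors(String caCertPath) throws Exception {
        X509Certificate caCert;
        try (InputStream in = new FileInputStream(caCertPath)) {
            caCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        Set<Object> certs = new HashSet<>();
        certs.add(caCert);
        List<CertStore> stores = new ArrayList<>();
        stores.add(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs), "IBMCertPath"));
        return stores;
    }

    /**
     * Attaches a WSSConsumingContext to the JAX-WS port so every incoming SOAP response
     * must (1) carry a valid signature over the required parts, (2) have the required
     * parts encrypted, which are then decrypted, and (3) carry a token we can validate.
     */
    public static void configure(Object port) throws Exception {
        WSSFactory factory = WSSFactory.getInstance();
        WSSConsumingContext concont = factory.newWSSConsumingContext();

        // 1. Integrity: verifier trusts only certificates chaining to the placeholder CA.
        X509ConsumeCallbackHandler verifyHandler = new X509ConsumeCallbackHandler(
                "dsig-receiver.ks", "jks", "storepass".toCharArray(),      // placeholders
                trustAnchors("intca.cer"), Security.getProvider("IBMCertPath"));
        WSSVerification ver = factory.newWSSVerification(X509Token.class, verifyHandler);
        ver.addRequiredVerifyPart(WSSVerification.BODY);       // unsigned Body => response rejected
        ver.addRequiredVerifyPart(WSSVerification.TIMESTAMP);  // signed Timestamp limits replay window
        ver.addAllowedSignatureMethod(WSSVerification.RSA_SHA1);        // list only what the generator uses
        ver.addAllowedCanonicalizationMethod(WSSVerification.EXC_C14N);
        concont.add(ver);

        // 2. Confidentiality: decrypt with our private key (alias and passwords are placeholders).
        X509ConsumeCallbackHandler decryptHandler = new X509ConsumeCallbackHandler(
                "enc-receiver.jceks", "jceks", "storepass".toCharArray(),
                "alice", "keypass".toCharArray(), null);
        WSSDecryption dec = factory.newWSSDecryption(X509Token.class, decryptHandler);
        dec.addRequiredDecryptPart(WSSDecryption.BODY_CONTENT);   // cleartext Body => response rejected
        dec.addAllowedEncryptionMethod(WSSDecryption.AES128);
        dec.addAllowedKeyEncryptionMethod(WSSDecryption.KW_RSA_OAEP);
        concont.add(dec);

        // 3. Authenticity: a Username token in the response is consumed and validated.
        concont.add(UsernameToken.class, new UNTConsumeCallbackHandler());

        // Bind the constraints to this port's context; they are enforced on each response.
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        try {
            concont.process(ctx);
        } catch (WSSException e) {
            throw new IllegalStateException("response consumer configuration failed", e);
        }
    }
}
```

The distinction that matters in practice is between the required and the allowed settings: a required part that is missing, unsigned or unencrypted causes the whole response to be rejected, while the allowed lists bound which algorithms the consumer will accept. Keep the allowed lists to exactly what the request generator side negotiates, because any algorithm listed there is one an attacker may choose.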
Results
After completing these procedures, we have secured messages at the response consumer level.
What to do next
Next, if not already configured, secure messages with signing information, encryption, and generator tokens at the request (client-side) generator level.
Subtopics
- Configure decryption methods to protect message confidentiality using the WSS APIs
We can configure decryption method information for the response consumer (client side) section of the binding file. Decryption information is used to specify how the consumers (receivers) decrypt incoming SOAP messages. To configure decryption, specify which message parts to decrypt and specify which algorithm methods and security tokens are to be used for decryption.
- Verify consumer signing information to protect message integrity using WSS APIs
We can verify the signing information to protect message integrity for the response (client side) consumer binding. Signing information includes the signature and the signed parts on the generator side, and the signature verification and the parts to verify on the consumer side. Digital signatures are applied to preserve the integrity of the message.
- Validating the consumer token to protect message authenticity
The token consumer information is used on the consumer side to incorporate and validate the security token. By default, the Username token, X.509 tokens, and LTPA tokens are used for message authenticity.
Related tasks
Secure messages at the request generator using WSS APIs