Key information settings
Use this page to configure the key information for the selected policy set binding. Key information attributes define how cryptographic keys are generated or consumed.
We can configure the key information for the selected policy set binding when editing a default cell or server binding. We can also configure application-specific bindings for tokens and message parts required by the policy set.
To view this administrative console page when editing a default cell binding...
Services | Policy sets | [General provider policy set bindings | General client policy set bindings] | binding_name | WS-Security policy | Main message security policy bindings section | Keys and certificates link | key_name
To view when configuring application specific bindings for tokens and message parts required by the policy set...
Applications | Application Types | enterprise applications | application containing web services | [Service provider policy sets and bindings link | Service client policy sets and bindings] | binding | Policies | WS-Security policy | Main message security policy bindings section | Keys and certificates | key_name
We must have previously attached a policy set and assigned an application-specific binding.
This administrative console page applies only to JAX-WS applications.
Name
Unique name for the key information configuration.
If you are editing a key, the key information name field displays the unique name of the key that is being configured. If you are creating a key, enter a unique name.
Type
Lists the type of key reference.
This field appears only if you selected an encryption or signing key for the generator binding, such as gen_signkeyinfo, gen_signsctkeyinfo, gen_encsctkeyinfo, or gen_enckeyinfo.
We can select one of the following key types from this list:
- Key identifier
  The associated attribute in the binding file is KEYID.
- Security token reference
  The associated attribute in the binding file is STRREF.
- Embedded token
  The associated attribute in the binding file is EMB.
- X.509 issuer name and issuer serial
  The associated attribute in the binding file is X509ISSUER.
- Thumbprint
  The associated attribute in the binding file is THUMBPRINT.
The Thumbprint key information type requires a keystore with the public and private key pair instead of a shared key.
Data type: Selection list
Token generator or consumer name
Name of the token generator or consumer. Unique name for the token configuration.
The token generator or consumer name field displays the name of the pre-configured tokens that can be used in the key information configuration if you are editing a key or creating a new key.
We can select a token generator or consumer name from this list. The list of names changes, depending on whether the key information selected is for inbound (consumer) keys or outbound (generator) keys. For keys with outbound direction, the list of defined token generators is displayed. For keys with inbound direction, the list of defined token consumers is displayed.
Data type: String
Direction
Whether the direction of the key is inbound or outbound.
The direction of generator tokens is outbound, whereas the direction of consumer tokens and decryption keys is inbound.
Data type: String
Default values: Inbound (for consumer bindings) or Outbound (for generator bindings)
Requires derived keys
Whether the key information requires derived keys.
- Explicit derived keys
  Requires that derived keys be explicitly specified with a WS-SecureConversation <DerivedKeyToken> element.
- Implicit derived keys
  Requires that derived keys be implicitly specified with a WS-SecureConversation Nonce attribute on the WS-Security <SecurityTokenReference> element.
Override Defaults
Specifies derived key values that override the derived key information that the runtime generates by default.
Best practice: IBM recommends that we do not override the following optional attributes. Web Services Security automatically provides default values for each attribute. Overriding the default values might be required if the service communicates across vendors, because different vendors can use different attribute values for derived key generation.
- Key length
  Derived key length. If an override value is not specified, the default value is provided based on the algorithm suite policy assertion. IBM recommends that you leave this field empty so the default value can be used. Valid values for the key length range between 16 and 32.
- Nonce length
  Nonce length. A nonce is generated for each request, and included for derived key generation. This value is optional, and if an override value is not specified, a default value is used to generate the nonce. A valid value for the nonce length is any integer between 16 and 128.
- Client label
  Client label. The label is used in the P_SHA-1 function to generate the derived key. If unspecified, the default value used is WS-SecureConversation.
- Service label
  Service label. The label is used in the P_SHA-1 function to generate the derived key. If unspecified, the default value used is WS-SecureConversation.
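The following Python sketch is an added example, not IBM or WebSphere code. It shows how the nonce and the two labels feed the P_SHA-1 function, and why a label override on only one side of a cross-vendor exchange yields a different derived key. Assumptions: P_SHA-1 is the RFC 2246 construction, the seed is client label + service label + nonce as in WS-SecureConversation, lengths are in bytes, and derive_key and keys_match are hypothetical helper names.

```python
import hashlib
import hmac

# Default client and service label named on this page.
DEFAULT_LABEL = b"WS-SecureConversation"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA-1 expansion (RFC 2246, section 5): HMAC-SHA1 chained over A(i)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, key_length: int,
               client_label: bytes = DEFAULT_LABEL,
               service_label: bytes = DEFAULT_LABEL) -> bytes:
    """Derive a key from a shared secret, enforcing the ranges given on this page."""
    if not 16 <= key_length <= 32:
        raise ValueError("key length must be between 16 and 32")
    if not 16 <= len(nonce) <= 128:
        raise ValueError("nonce length must be between 16 and 128")
    # Assumption: label = client label + service label, seed = label + nonce.
    seed = client_label + service_label + nonce
    return p_sha1(secret, seed, key_length)


def keys_match(secret: bytes, nonce: bytes, key_length: int,
               sender_labels: tuple, receiver_labels: tuple) -> bool:
    """True when both sides derive the same key from their own label settings."""
    sent = derive_key(secret, nonce, key_length, *sender_labels)
    received = derive_key(secret, nonce, key_length, *receiver_labels)
    return hmac.compare_digest(sent, received)


if __name__ == "__main__":
    secret = bytes(range(32))       # constructed sample shared secret
    nonce = bytes(range(100, 116))  # constructed 16-byte nonce
    defaults = (DEFAULT_LABEL, DEFAULT_LABEL)
    override = (b"VendorClient", DEFAULT_LABEL)  # hypothetical override on one side
    print("both default :", keys_match(secret, nonce, 32, defaults, defaults))
    print("one override :", keys_match(secret, nonce, 32, defaults, override))
```

A receiver that derives a different key fails signature verification or decryption, so any override has to be applied identically in the generator and consumer bindings.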
Custom properties
Specifies additional configuration settings that token types might require.
Custom properties are arbitrary name-value pairs of data.
This table lists custom properties. Use custom properties to set internal system configuration properties. We are not required to define a custom property when we define a custom token.
Select
Specifies custom properties that we can add, edit, or delete from policy set bindings.
Click New to add and define a new custom property.
For existing custom properties, select the check box for the name of the custom property, and click one of the following actions:
- New
  Creates a new custom property entry. To add a custom property, enter the name and value.
- Edit
  Specifies that we can edit the selected custom property. Click this option to provide input fields and create the list of cell values to edit. At least one custom property must exist before the Edit option is displayed.
- Delete
  Removes the selected custom property.
Data type: Check box (unchecked)
Name
Name of the custom property that we can use with default policy set bindings.
Custom properties are arbitrary name-value pairs of data. Custom properties are not initially displayed in this column until at least one custom property has been added.
Data type: String
Value
Custom property value.
This column displays the value for the custom property (for example, true). The value can be a string or the value can be a true or false Boolean value.
Data type: String or Boolean
Related tasks
- Define and manage policy set bindings
- Manage policy sets using the administrative console
- Keys and certificates
- Application policy sets collection
- Application policy set settings
- Search attached applications collection
- Policy set bindings settings
- Token generator collection
- Token generator configuration settings
- Token consumer collection
- Token consumer configuration settings