Configure decryption methods to protect message confidentiality using the WSS APIs

WAS v8.5 > Develop applications > Develop web services - Security (WS-Security) > Develop applications that use Web Services Security > Develop message-level security for JAX-WS web services > Secure web services applications using the WSS APIs at the message level > Secure messages at the response consumer using WSS APIs
Configure decryption methods to protect message confidentiality using the WSS APIs

We can configure decryption method information for the response consumer (client side) section of the binding file. Decryption information is used to specify how the consumers (receivers) decrypt incoming SOAP messages. To configure decryption, specify which message parts to decrypt and specify which algorithm methods and security tokens are to be used for decryption.

Confidentiality refers to encryption while integrity refers to digital signing. Confidentiality reduces the risk of someone understanding the message flowing across the Internet. With confidentiality specifications, the message is encrypted before it is sent and decrypted when it is received at the correct target. Prior to configuring decryption, familiarize yourself with XML encryption. For decryption, specify the following:

Which parts of the message are to be decrypted.
Which decryption algorithms to specify.

To configure decryption and decrypted parts on the client side, use the WSSDecryption and WSSDecryptPart APIs, or configure policy sets using the dmgr console.
WebSphere Application Server provides default values for bindings. However, an administrator must modify the defaults for a production environment.
WAS uses decryption information for the default consumer to decrypt parts of the SOAP message. The WSSDecryption API configures the following required parts as decrypted parts.
Required decrypted parts. Use the decryption information to specify how incoming messages are decrypted.

Decryption parts Description
Keywords Keywords are used to add the decrypted parts to the SOAP message.
XPath expression XPath expressions are used to add the decrypted parts to the SOAP message.
WSSDencryptPart object This object adds the decrypted parts to the SOAP message.
WSSVerification object This object adds the signature verification component as a decrypted part.
Header This part adds the header in the SOAP header, specified by QName, as a decrypted part.
Security token object This object adds the security token as a decrypted part.

Web Services Security API (WSS API) supports symmetric encryption, using a shared key, only when Web Services Secure Conversation (WS-SecureConversation) is used.
The WSS APIs allow the use of either keywords or an XPath expression to specify the parts of the SOAP message that are to be decrypted. WAS supports the use of the following keywords:
Supported decryption keywords. Use the keywords to decrypt incoming messages.

Keyword References
BODY_CONTENT The keyword for the body contents of the SOAP message body as a decryption target.
SIGNATURE The keyword for the signature element as a decryption target.
USERNAME_TOKEN, The keyword for the Username token element as a decryption target.

If configuring using the WSS APIs, the WSSDecryption and WSSDecryptPart APIs complete these high-level steps:

Use the WSSDecryption API to configure encryption. The WSSDecryption API performs these tasks by default:

Generates the callback handler.
Generates the consumer security token object.

Adds the security token reference type.

Adds the WSSEncryptPart object.

Adds the parts to be encrypted. Adds the default parts for decryption using keywords and XPath expressions.

Adds the verification component.

Adds the header in the SOAP message, specified by QName.
Sets the default data encryption method.
Whether the key is to be decrypted using a Boolean value. Calls this method when the shared key is encrypted.
Sets the default key encryption method.

Use the WSSEncryptPart API to configure encrypted parts or add a transform method. The WSSEncryptPart API performs these tasks by default:

Sets the encrypted parts specified using keywords or an XPath expression.
Sets the encrypted parts specified by an XPath expression.
Sets the signature component object, WSSSignature.
Sets the header in the SOAP message, specified by QName.
Sets the generator security token.

Adds the transform method, if needed.

Change from the default values for algorithm or message parts, as needed. For example: you could change one or more of the following items:

Add USERNAME_TOKEN as a target of decryption.

Change the data encryption algorithm from the default value of AES 128.

Change the key encryption algorithm from the default value of KW_RSA_OAEP.
Specify to not encrypt the encryption key (false).

Change the security token type from the default value of X.509 token.
Only use BODY_CONTENT as an encryption part and not use SIGNATURE also.

Results
The decryption information is configured for the consumer binding.

Example

The following is an example of the WSSDecryption API:
WSSFactory factory = WSSFactory.getInstance();
WSSConsumingContext concont = factory.newWSSConsumingContext();
    X509ConsumeCallbackHandler callbackhandler = generateCallbackHandler();
// see X509ConsumeCallbackHandler
    WSSDecryption dec = factory.newWSSDecryption(X509Token.class, 
        callbackhandler);
    
 concont.add(dec);
You must configure similar encryption information for the client-side request generator (sender) bindings, if we have not already configured the information.
Next, review the WSSDecryption API process.

Subtopics

Decrypting SOAP messages using the WSSDecryption API
We can secure the SOAP messages, without using policy sets for configuration, using the Web Services Security APIs (WSS API). To configure the client for decryption on the response (client) consumer side, use the WSSDecryption API to decrypt the SOAP messages. The WSSDecryption API specifies which request SOAP message parts to decrypt when configuring the client.
Choose decryption methods for the consumer binding
To configure the client for response decryption for the consumer binding, specify which data and transform algorithm methods to use when the client decrypts the SOAP messages.
Add decrypted parts using the WSSDecryptPart API
We can secure the SOAP messages, without using policy sets for configuration, using the Web Services Security APIs (WSS API). To configure decrypted parts for the response consumer (client side) bindings, use the WSSDecryptPart API to define and add to the listing of elements in the decrypted part. WSSDecryptPart is an interface that is part of the com.ibm.websphere.wssecurity.wssapi.decryption package.
Decryption methods
The decryption algorithms specify the data and key encryption algorithms used to decrypt the SOAP message. The WSS API for decryption (WSSDecryption) specifies the algorithm uniform resource identifier (URI) of the data and key encryption methods. The WSSDecryption interface is part of the com.ibm.websphere.wssecurity.wssapi.decryption package.

Related concepts:

XML encryption

Related

Signing and encrypting message parts using policy sets
Configure encryption to protect message confidentiality using the WSS APIs

+
Search Tips | Advanced Search

Decryption parts	Description
Keywords	Keywords are used to add the decrypted parts to the SOAP message.
XPath expression	XPath expressions are used to add the decrypted parts to the SOAP message.
WSSDencryptPart object	This object adds the decrypted parts to the SOAP message.
WSSVerification object	This object adds the signature verification component as a decrypted part.
Header	This part adds the header in the SOAP header, specified by QName, as a decrypted part.
Security token object	This object adds the security token as a decrypted part.

Keyword	References
BODY_CONTENT	The keyword for the body contents of the SOAP message body as a decryption target.
SIGNATURE	The keyword for the signature element as a decryption target.
USERNAME_TOKEN,	The keyword for the Username token element as a decryption target.