WAS v8.5 > Develop applications > Develop web services - Security (WS-Security) > Develop applications that use Web Services Security > Develop message-level security for JAX-WS web services > Secure web services applications using the WSS APIs at the message level > Secure messages at the request generator using WSS APIs > Secure messages at the request generator using WSS APIs > Configure encryption to protect message confidentiality using the WSS APIs

Encrypting the SOAP message using the WSSEncryption API

We can secure the SOAP messages, without using policy sets for configuration, using the Web Services Security APIs (WSS API). To configure the client for request encryption on the generator side, use the WSSEncryption API to encrypt the SOAP message. The WSSEncryption API specifies which request SOAP message parts to encrypt when configuring the client.

We can use the WSS API or use policy sets on the dmgr console to enable encryption and add generator security tokens in the SOAP message. To secure SOAP messages, use the WSS APIs to complete the following encryption tasks, as needed:

The encryption information on the generator side is used for encrypting an outgoing SOAP message for the request generator (client side) bindings. The client generator configuration must match the configuration for the provider consumer.

Confidentiality settings require that confidentiality constraints be applied to generated messages. These constraints include specifying which message parts within the generated message must be encrypted, and which message parts to attach encrypted Nonce and timestamp elements to.

The following encryption parts can be configured:

Encryption parts. Use the encryption parts to enable encryption in messages.

Encryption parts Description
part Adds the WSSEncryptPart object as a target of the encryption part.
keyword Adds the encryption parts using keywords. WebSphere Application Server supports the following keywords:

  • BODY_CONTENT
  • SIGNATURE

xpath Adds the encryption part using an XPath expression.
signature Adds the WSSignature component as a target of the encrypted part.
header Adds the SOAP header, specified by QName, as a target of the encrypted part.
securityToken Adds the SecurityToken object as a target of the encrypted part.

For encryption, certain default behaviors occur. The simplest way to use the WSSEncryption API is to use the default behavior (see the example code).

WSSEncryption provides defaults for the key encryption algorithm, the data encryption algorithm, the security token reference method, and the encryption parts such as the SOAP body content and the signature. The encryption default behaviors include:

Encryption decisions. Use encryption default behavior to secure the message body content and signature.

Encryption decisions Default behavior
Which SOAP message parts to encrypt using keywords

Sets the encryption parts that we can add using keywords. The default encryption parts are the BODY_CONTENT and SIGNATURE. WAS supports using these keywords:

  • WSSEncryption.BODY_CONTENT
  • WSSEncryption.SIGNATURE

Which data encryption method to choose (algorithm)

Sets the data encryption method. Both data and key encryption methods can be specified. The default data encryption algorithm method is AES 128. WAS supports these data encryption methods:

  • WSSEncryption.AES128: http://www.w3.org/2001/04/xmlenc#aes128-cbc
  • WSSEncryption.AES192: http://www.w3.org/2001/04/xmlenc#aes192-cbc
  • WSSEncryption.AES256: http://www.w3.org/2001/04/xmlenc#aes256-cbc
  • WSSEncryption.TRIPLE_DES: http://www.w3.org.2001/04/xmlenc#tripledes-cbc

Whether to encrypt the key (isEncrypt)

Whether to encrypt the key. The values are true or false. Default is to encrypt the key (true).

Which key encryption method to choose (algorithm)

Sets the key encryption method. Both data and key encryption methods can be specified. The default key encryption algorithm method is key wrap RSA OAEP. WAS supports these key encryption methods:

  • WSSEncryption.KW_AES128: http://www.w3.org/2001/04/xmlenc#kw-aes128
  • WSSEncryption.KW_AES192: http://www.w3.org/2001/04/xmlenc#kw-aes192
  • WSSEncryption.KW_AES256: http://www.w3.org/2001/04/xmlenc#kw-aes256
  • WSSEncryption.KW_RSA_OAEP: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
  • WSSEncryption.KW_RSA15: http://www.w3.org/2001/04/xmlenc#rsa-1_5
  • WSSEncryption.KW_TRIPLE_DES: http://www.w3.org/2001/04/xmlenc#kw-tripledes

Which security token to specify (securityToken)

Sets the SecurityToken. The default security token type is the X509Token. WAS provides the following pre-configured consumer token types:

Which token reference to use (refType) Sets the type of the security token reference. The default token reference is SecurityToken.REF_KEYID. WAS supports the following token reference types:

  • SecurityToken.REF_KEYID
  • SecurityToken.REF_STR
  • SecurityToken.REF_EMBEDDED
  • SecurityToken.REF_THUMBPRINT

Whether to use MTOM (mtomOptimize) Sets Message Transmission Optimization Mechanism optimization for the encrypted part.

  1. To encrypt the SOAP message using the WSSEncryption API, first ensure the application server is installed.
  2. The WSS API process for encryption performs these process steps:

    1. Uses WSSFactory.getInstance() to get the WSS API implementation instance

    2. Creates the WSSGenerationContext instance from the WSSFactory instance.

    3. Creates the SecurityToken from WSSFactory used for encryption.

    4. Creates WSSEncryption from the WSSFactory instance using the SecurityToken. The default behavior of WSSEncryption is to encrypt the body content and the signature.

    5. Adds a new part to be encrypted in WSSEncryption if the existing part is not appropriate. After addEncryptPart(), addEncryptHeader(), or addEncryptPartByXPath() is called, the default part is cleared.
    6. Calls the encryptKey(false) if the key is not to be encrypted.

    7. Sets the data encryption method if the default method is not appropriate.

    8. Sets the key encryption method if the default method is not appropriate.

    9. Sets the token reference if the default token reference is not appropriate.

    10. Adds WSSEncryption to WSSConsumingContext.
    11. Calls WSSGenerationContext.process() with the SOAPMessageContext.


Results

If there is an error condition during encryption, a WSSException is provided. If successful, the API calls the WSSGenerationContext.process(), the WS-Security header is generated, and the SOAP message is now secured using Web Services Security.


Example

The following example provides sample code using methods that are defined in WSSEncryption:

// Get the message context    Object msgcontext = getMessageContext();

// Generate the WSSFactory instance (step: a)
WSSFactory factory = WSSFactory.getInstance();  

// Generate the WSSGenerationContext instance (step: b)
WSSGenerationContext gencont = factory.newWSSGenerationContext();

// Generate the callback handler X509GenerateCallbackHandler callbackHandler = new 
         X509GenerateCallbackHandler(
     "",
     "enc-sender.jceks",
     "jceks", 
     "storepass".toCharArray(), 
     "bob", 
     null, 
     "CN=Bob, O=IBM, C=US", 
     null);

// Generate the security token used for encryption (step: c)
SecurityToken token = factory.newSecurityToken(X509Token.class , callbackHandler);

// Generate WSSEncryption instance (step: d)
WSSEncryption enc = factory.newWSSEncryption(token);

// Set the part to be encrypted (step: e)
// DEFAULT: WSSEncryption.BODY_CONTENT and WSSEncryption.SIGNATURE

// Set the part specified by the keyword (step: e)
   enc.addEncryptPart(WSSEncryption.BODY_CONTENT);

// Set the part in the SOAP Header specified by QName (step: e)
   enc.addEncryptHeader(new QName("http://www.w3.org/2005/08/addressing",
                                  "MessageID"));

// Set the part specified by WSSSignature (step: e)
   SecurityToken sigToken = getSecurityToken();
      WSSSignature sig = factory.newWSSSignature(sigToken);
   enc.addEncryptPart(sig);

// Set the part specified by SecurityToken (step: e)
   UNTGenerateCallbackHandler untCallbackHandler = 
          new UNTGenerateCallbackHandler("Chris", "sirhC");  
      SecurityToken unt = factory.newSecurityToken(UsernameToken.class, 
                                                   untCallbackHandler);
   enc.addEncryptPart(unt, false);

// sSt the part specified by XPath expression (step: e)
   StringBuffer sb = new StringBuffer();
      sb.append("/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' 
         and local-name()='Envelope']");
      sb.append("/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' 
         and local-name()='Body']");
      sb.append("/*[namespace-uri()='http://xmlsoap.org/Ping' 
         and local-name()='Ping']");
      sb.append("/*[namespace-uri()='http://xmlsoap.org/Ping' 
         and local-name()='Text']");
   enc.addEncryptPartByXPath(sb.toString());

// Set whether the key is encrypted (step: f)
// DEFAULT: true
   enc.encryptKey(true);

// Set the data encryption method (step: g)
// DEFAULT: WSSEncryption.AES128
   enc.setEncryptionMethod(WSSEncryption.TRIPLE_DES);

// Set the key encryption method (step: h)
// DEFAULT: WSSEncryption.KW_RSA_OAEP
   enc.setEncryptionMethod(WSSEncryption.KW_RSA15);

// Set the token reference (step: i)
// DEFAULT: SecurityToken.REF_KEYID 
  enc.setTokenReference(SecurityToken.REF_STR);

// Add the WSSEncryption to the WSSGenerationContext (step: j)
  gencont.add(enc);

// Process the WS-Security header (step: k)
gencont.process(msgcontext);

The X509GenerationCallbackHandler does not need the key password because the public key is used for encryption. We do not need a password to obtain the public key from the Java keystore.

If we have not previously specified which encryption methods to choose, use the WSS API or configure the policy sets using the dmgr console to choose the data and key encryption algorithm methods.


Related concepts:

Encrypted SOAP headers


Related


Choose encryption methods for generator bindings
Secure message parts
Decrypting SOAP messages using the WSSDecryption API
Configure signing information using the WSSSignature API


Reference:

Encryption methods


+

Search Tips   |   Advanced Search