WAS v8.5 > Secure applications > Secure web services > Secure web services > Administer Web Services Security > Administer message-level security for JAX-WS web servicesSecure web services using policy sets
Policy sets are assertions about how services are defined. They are used to simplify the quality of service configuration for web services.
Policy sets combine configuration settings, including those for transport and message level configuration, such as WS-Addressing, WS-ReliableMessaging, and WS-Security. There are two main types of policy sets; application policy sets and system policy sets. Application policy sets are used for business-related assertions. These assertions are related to the business operations that are defined in the WSDL file. System policy sets, on the other hand, are used for non-business-related system messages. These messages are not related to the business operations that are defined in the WSDL, but instead refer to messages that are defined in other specifications which apply qualities of service (QoS). Such QoS are the request security token (RST) messages that are defined in WS-Trust, or create sequence messages that are defined in WS-Reliable Messaging metadata exchange messages of the WS-MetadataExchange.
We can use policy sets only with Java™ API for XML-Based Web Services (JAX-WS) or SCA applications. We cannot use policy sets with (JAX-RPC) applications.
Policies are defined based on a quality of service. Policy definition is typically based on WS-Policy standard language, for example, the WS-Security policy is based on the current WS-SecurityPolicy from the Organization for the OASIS standards.
Policy sets do not include environment or platform-specific information, such as keys for signing, keystore information, or persistent store information. This type of information is defined in the binding. A policy set attachment defines how a policy set is attached to service resources and bindings. The attachment definition is outside the policy set definition and is defined as meta-data associated with application data.
To secure JAX-WS web services with message-level security using policy sets, follow these steps:
- Select, create, or copy and modify a policy set to specify the message-level protection required. The policy specifies what protection will be applied, for example, what message parts to sign or encrypt and the token types and algorithms to use.
- Select one of the web services policy sets.
- Create, copy, modify, import, export or delete a policy set. For more information, read about managing policy sets using the dmgr console
- Attach the policy set to the application.
- Create or select the policy set bindings to be used. The bindings are then attached to the application along with the policy set. The bindings used can either be general bindings that can be shared among applications or application specific bindings. For more information, read about defining and managing policy set bindings.
- If WS-SecureConversation is being used, specify the trust service system policy sets and bindings on the application server.
Subtopics
- **** MISSING FILE ****
- Configure a policy set and bindings for Asymmetric XML Digital Signature and/or XML Encryption
This procedure describes how to configure the message-level WS-Security policy set and bindings to sign and encrypt a SOAP message using asymmetric XML Digital Signature and Encryption. As part of this procedure specify whether you will sign and/or encrypt both the request and response messages.- Configure a policy set and bindings for XML Digital Signature with client and provider application specific bindings
We can create a custom policy set and application specific bindings for using XML Digital Signature to sign the body of the request and response SOAP messages.
Related concepts:
JAX-WS
Web services policy sets
Related
Secure requests to the trust service using system policy sets
Manage policy sets
Attaching a policy set to a service artifact
Define and managing policy set bindings