Secure message parts
If you are working with policy sets, you can secure message parts using the dmgr console. To secure message parts with WS-Security using policy sets, you must define the elements for the message parts to be protected in the WS-Security policy within a policy set.
Before you can start this task, you must have a policy set defined for the application or service artifact. Also, if none of the default policy sets contain the necessary policy definitions, create a custom policy set with the necessary definitions.
This task assumes that you are using policy sets and want to secure message parts within that context.
- Open the dmgr console.
- Select the policy set containing the message parts to secure.
  - To secure message parts using application policy sets, click Services > Policy sets > Application policy sets.
  - To secure message parts using system policy sets, click Services > Policy sets > System policy sets.
- Select the policy set to use.
- If the WS-Security policy is not listed, then click Add and select that policy from the list.
- Click the WS-Security link.
- Click Main policy or Bootstrap policy. The bootstrap policy is available when Secure Conversation is used. To use the bootstrap policy, select the SecureConversation policy set in step three.
- Make sure that Message level protection is selected, then click Request message part protection or Response message part protection. When the Message level protection checkbox is unchecked, the link to Response message part protection is not available, because the configuration information associated with message level security is removed when Message level protection is deselected.
- Click Add for either Encrypted parts or Signed parts depending on the level of security you want.
- Specify a part name and add the elements to be signed or encrypted, or both. The elements can be the message body, an XPath expression, or a QName, which is for SOAP header elements only. Click OK.
  Recommendation for when to use QName or XPath: If you are encrypting or signing SOAP headers, you can use QName to select which SOAP headers are signed or encrypted. The elements must be direct children of the SOAP header.
  To sign and encrypt other elements in the SOAP message, use an XPath expression. This XPath example selects MyElement in the namespace http://xyz.acme.com within MyHeader in the namespace http://acme.com:
  /*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Envelope']/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Header']/*[namespace-uri()='http://acme.com' and local-name()='MyHeader']/*[namespace-uri()='http://xyz.acme.com' and local-name()='MyElement']
- Repeat steps 8 and 9 to sign or encrypt each message part.
- To save your changes to the master configuration, click Save.
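As an added example (not from the original page or from IBM), the Python sketch below rebuilds the XPath from the recommendation in step 9 out of (namespace, local name) pairs and follows the same steps through a constructed SOAP message using only the standard library. The sample envelope, its content and the function names are assumptions made for illustration. It also shows that only MyHeader is a direct Header child that a QName entry could name, and that the expression, which hardcodes the SOAP 1.2 envelope namespace, selects nothing in a SOAP 1.1 message.

```python
import xml.etree.ElementTree as ET

SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"

# (namespace, local name) steps for the element the page's XPath targets
STEPS = [(SOAP12, "Envelope"), (SOAP12, "Header"),
         ("http://acme.com", "MyHeader"), ("http://xyz.acme.com", "MyElement")]

# Constructed sample message; the element content is made up
SAMPLE = """<soap:Envelope xmlns:soap="%s">
  <soap:Header>
    <a:MyHeader xmlns:a="http://acme.com">
      <x:MyElement xmlns:x="http://xyz.acme.com">account-1234</x:MyElement>
    </a:MyHeader>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def build_xpath(steps):
    """Render steps in the namespace-uri()/local-name() form, one predicate per level."""
    return "".join("/*[namespace-uri()='%s' and local-name()='%s']" % s for s in steps)


def _tag(ns, name):
    # ElementTree stores qualified names as "{namespace}local"
    return "{%s}%s" % (ns, name) if ns else name


def select(envelope_xml, steps):
    """Follow the steps from the root, as the absolute XPath does, and return the matches."""
    root = ET.fromstring(envelope_xml)
    nodes = [root] if root.tag == _tag(*steps[0]) else []
    for ns, name in steps[1:]:
        nodes = [child for node in nodes for child in node if child.tag == _tag(ns, name)]
    return nodes


def qname_selectable(envelope_xml, soap_ns):
    """Direct children of the SOAP Header: the only elements a QName entry can name."""
    header = ET.fromstring(envelope_xml).find(_tag(soap_ns, "Header"))
    return [] if header is None else [child.tag for child in header]


if __name__ == "__main__":
    print(build_xpath(STEPS))
    print(len(select(SAMPLE % SOAP12, STEPS)), "match in SOAP 1.2 message")
    print(len(select(SAMPLE % SOAP11, STEPS)), "match in SOAP 1.1 message")
    print(qname_selectable(SAMPLE % SOAP12, SOAP12))
```

Running the same check against a captured request from your own service before saving the policy confirms that the part you named is the part the expression reaches.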
Results
When you finish this task, you have configured the policy set containing the quality of service definitions required for signing and encrypting message parts.
Example
If you have the policy set myPolicy and want to specify request message bodies that must be signed, you can perform the following steps:
- Locate the policy set in the Services > Policy sets > Application policy sets collection and click the policy set name.
- Click the WS-Security link. If the link does not exist, click Add and then select WS-Security from the list.
- Click Main policy > Request message part protection.
- Click Add under the Integrity protection and Signed parts section.
- Specify the name, messageBody.
- Select Protect message body, click Add Specified Elements, and click OK.
- Click Save to save your changes to the master configuration.
You can proceed to signing and encrypting message parts using policy sets.