
Configure the WS-Security policy

When working with policy sets in the dmgr console, we can customize policies to ensure message security. The WS-Security policy can be configured to apply a message security (WS-Security) profile to requests. Message security policies are applied to requests and enforced on responses to support interoperability.

We can configure some settings for default policies for custom policy sets. The provided default policy sets cannot be edited. To specify the policies for a policy set, create a copy of the default policy set or create a completely new policy set.

Depending on your assigned security role when security is enabled, you might not have access to text entry fields or buttons to create or edit configuration data. Review the administrative roles documentation to learn more about the valid roles for the application server.

  1. Use the WS-Security policy panel to begin configuring the WS-Security policy. To access the WS-Security policy panel, from the dmgr console, click Services > Policy sets > Application policy sets > policy_set_name > WS-Security policy.
  2. Choose which type of message security to configure.

    • Click the Main policy link to specify how message security policies are applied to requests and enforced on responses to support interoperability.

    • Click the Bootstrap policy link to configure how secure conversations are established. A bootstrap policy might already be configured. If no bootstrap policy is currently configured, first ensure that we have enabled message security with symmetric signature and encryption policies and secure conversation tokens for both integrity and confidentiality protection.

  3. Use the Main policy settings panel or the Bootstrap policy settings panel to specify how message security policies are applied to requests and enforced on responses. Assertions for WS-Security versions are already generated based on assertions in the policy set. If the policy set includes a WS-S 1.1 assertion, then WS-S 1.1 itself is asserted. Use the following settings on this panel to configure the main or bootstrap policy:

    1. Select whether Message level protection is required. Select this check box if any of the message parts should be digitally signed or encrypted or if a timestamp should be inserted in the message. If this box is unchecked, the Signature confirmation, Key symmetry, and Timestamp and Security header layout options are disabled.

    2. Specify whether signature confirmation is required. Click this check box to require signature confirmation.

    3. Configure the settings in the Key Symmetry section. The following fields can be configured in the Key symmetry section:

      Use symmetric tokens

      Click this radio button to use symmetric tokens. We can then configure symmetric tokens with the Symmetric signature and encryption policies link. Click this link to access the Symmetric Signature and Encryption Policies panel where we can create the trust context in which to use symmetric tokens. Using the same token for signing and validating messages and encrypting and decrypting messages provides better performance than can be achieved with asymmetric tokens. Symmetric tokens should be used within a trust context.

      Use asymmetric tokens

      Click the Asymmetric signature and encryption policies link to access the Asymmetric Signature and Encryption Policies panel, where we can create the trust context (message integrity and confidentiality) in which to use asymmetric tokens. We can do this by specifying which token type to use for the initiator and recipient signature as well as the initiator and recipient encryption.

      Include timestamp in header

      Click this check box to include a timestamp in the header. We can then specify if the timestamp is positioned first or last in the header using the Security header layout radio button options:

      • Strict: Declarations must precede use
      • Layout (Lax): Order of contents can vary
      • Lax but timestamp required first in header
      • Lax but timestamp required last in header

    4. Optional: Click the Algorithms link under the Policy Details section to access the Algorithms panel to view and select from available algorithms. The available algorithms include cryptographic algorithms and their key lengths, as well as canonicalization algorithms for reconciling XML differences. Click this link to view the cryptographic and canonicalization algorithms that are supported.

    5. Optional: Configure the request settings. Click either of the following links to configure request settings:

      Request message part protection

      Links to configuration for request message part protection. Click this link to define which message parts are to be protected and how that protection is provided.

      Request token policies

      Links to configuration for request token policies. Click this link to define policies that specify which types of security tokens are supported and the properties of those token types.

    6. Optional: Configure the response settings. Click either of the following links to configure response settings:

      Response message part protection

      Links to configuration for response message part protection. Click this link to define which message parts are to be protected and how that protection is provided.

      Response token policies

      Links to configuration for response token policies. Click this link to define policies that specify which types of security tokens are supported and the properties of those token types.


Results

Once we have customized the WS-Security policy, the associated policy set uses this policy to protect messages.
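The settings chosen in step 3 can be checked outside the console. The following is an added example, not part of the original page or of the product: a Python check that reads a WS-SecurityPolicy document and reports key symmetry, timestamp, header layout, signature confirmation and algorithm suite for the main policy, then compares them with a baseline. It assumes the policy uses standard OASIS `sp:` assertions in the namespace held in `SP` (change it to the one your file declares); the sample XML and the `summarize` and `drift` names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  # assumed; match your file

# Constructed sample policy, not exported from a real policy set.
SAMPLE_POLICY = f"""<wsp:Policy xmlns:sp="{SP}"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <sp:SymmetricBinding><wsp:Policy>
    <sp:AlgorithmSuite><wsp:Policy><sp:Basic128Rsa15/></wsp:Policy></sp:AlgorithmSuite>
    <sp:Layout><wsp:Policy><sp:LaxTsFirst/></wsp:Policy></sp:Layout>
    <sp:IncludeTimestamp/>
  </wsp:Policy></sp:SymmetricBinding>
  <sp:Wss11><wsp:Policy><sp:RequireSignatureConfirmation/></wsp:Policy></sp:Wss11>
</wsp:Policy>"""

LAYOUT_LABELS = {  # layout assertion -> radio button label in the procedure above
    "Strict": "Strict: Declarations must precede use",
    "Lax": "Layout (Lax): Order of contents can vary",
    "LaxTsFirst": "Lax but timestamp required first in header",
    "LaxTsLast": "Lax but timestamp required last in header"}
KEY_SYMMETRY = {"SymmetricBinding": "symmetric", "AsymmetricBinding": "asymmetric"}

def _first_assertion(parent):
    """Local name of the first sp: element nested under parent, or None."""
    for el in ([] if parent is None else parent.iter()):
        if el is not parent and el.tag.startswith("{" + SP + "}"):
            return el.tag.rsplit("}", 1)[1]
    return None

def summarize(policy_xml):
    """Report the main policy settings asserted in a policy document."""
    root = ET.fromstring(policy_xml)  # parse trusted administrative exports only
    for parent in list(root.iter()):  # drop nested bootstrap policies first
        for child in parent.findall(f"{{{SP}}}BootstrapPolicy"):
            parent.remove(child)
    kind = next((k for k in KEY_SYMMETRY if root.find(f".//{{{SP}}}{k}") is not None), None)
    binding = root.find(f".//{{{SP}}}{kind}") if kind else None
    find = lambda name: None if binding is None else binding.find(f".//{{{SP}}}{name}")
    layout = _first_assertion(find("Layout"))
    return {
        "key_symmetry": KEY_SYMMETRY.get(kind),
        "include_timestamp": find("IncludeTimestamp") is not None,
        "header_layout": LAYOUT_LABELS.get(layout, layout),
        "signature_confirmation": root.find(f".//{{{SP}}}RequireSignatureConfirmation") is not None,
        "algorithm_suite": _first_assertion(find("AlgorithmSuite")),
    }

def drift(policy_xml, baseline):  # {setting: (expected, actual)} for each mismatch
    actual = summarize(policy_xml)
    return {k: (v, actual.get(k)) for k, v in baseline.items() if actual.get(k) != v}
```

An empty result from `drift` means every setting named in the baseline matches the policy document.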


Related


Web services policies
Manage policy sets
Add policies to policy sets
Delete policies from policy sets
Enable policies for policy sets
Disable policies from policy sets
Add and remove policies using wsadmin.sh
Create policy set attachments using wsadmin
Remove policy set attachments using wsadmin
Manage policy set attachments using wsadmin


Reference:

Request or Response token policies page
Asymmetric signature and encryption policies settings
Symmetric signature and encryption policies settings
Algorithms settings
Message part protection settings
Application policy sets page
Application policy set settings
WS-Security policy settings
Administrative roles

