Secure message parts using the administrative console
If we are working with policy sets, then we can secure message parts using the administrative console. To secure message parts with WS-Security using policy sets, define the elements for the message parts to be protected in the WS-Security policy within a policy set.
Before we can start this task, we must have a policy set defined for the application or service artifact. Also, if none of the default policy sets contain the necessary policy definitions, then create a custom policy set with the necessary definitions.
This task assumes that we are using policy sets and we want to secure message parts within that context.
Tasks
1. Open the administrative console.
2. Select the policy set containing the message parts to secure.
   - To secure message parts using application policy sets, click Services > Policy sets > Application policy sets.
   - To secure message parts using system policy sets, click Services > Policy sets > System policy sets.
3. Select the policy set to use.
4. If the WS-Security policy is not listed, click Add and select that policy from the list.
5. Click the WS-Security link.
6. Click Main policy or Bootstrap policy. The bootstrap policy is available when Secure Conversation is used; to use the bootstrap policy, select the SecureConversation policy set in step 3.
7. Make sure that Message level protection is selected, then click Request message part protection or Response message part protection. When the Message level protection check box is cleared, the link to Response message part protection is not available, because the configuration information associated with message level security is removed when Message level protection is deselected.
8. Click Add for either Encrypted parts or Signed parts, depending on the level of security that we want.
9. Specify a part name and add the elements to be signed, encrypted, or both. The elements can be the message body, an XPath expression, or a QName (SOAP header elements only). Click OK.
   Recommendation for when to use QName or XPath: if we are encrypting or signing SOAP headers, we can use a QName to select which SOAP headers are signed or encrypted. The elements must be direct children of the SOAP Header. To sign or encrypt other elements in the SOAP message, use an XPath expression. For example, this XPath selects MyElement, in the namespace http://xyz.acme.com, inside MyHeader, in the namespace http://acme.com:

   /*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Envelope']/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Header']/*[namespace-uri()='http://acme.com' and local-name()='MyHeader']/*[namespace-uri()='http://xyz.acme.com' and local-name()='MyElement']

10. Repeat steps 8 and 9 to sign or encrypt each message part.
11. To save the changes to the master configuration, click Save.
When we finish this task, we have configured the policy set containing the quality of service definitions required for signing and encrypting message parts.
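The following Python script is an added illustration of the part-selection rules in step 9; it is not part of the original documentation and not WebSphere code. Using only the standard library, it walks a constructed SOAP 1.2 envelope (the sample envelope and its decoy elements are made up here; the namespaces and element names MyHeader and MyElement come from the XPath above) and shows which elements the XPath selects, which a QName can select, and, going slightly beyond the page, what a path that ignores namespaces would pick up. The point for a defender is that the selected set is exactly what the signature or encryption covers: an element with the same local name in another namespace or under the Body is not protected by this part definition, and a QName never reaches an element nested inside a header.

```python
import xml.etree.ElementTree as ET

SOAP12_NS = "http://www.w3.org/2003/05/soap-envelope"
ACME_NS = "http://acme.com"
XYZ_NS = "http://xyz.acme.com"

# Constructed sample envelope (illustration only). Besides the MyHeader/MyElement
# pair named on the page, it carries two decoys with the same local name:
# one in another namespace and one under the Body.
SAMPLE_ENVELOPE = """<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Header>
    <a:MyHeader xmlns:a="http://acme.com">
      <x:MyElement xmlns:x="http://xyz.acme.com">sign-me</x:MyElement>
      <o:MyElement xmlns:o="http://other.example">decoy-other-ns</o:MyElement>
    </a:MyHeader>
    <a:Other xmlns:a="http://acme.com">not-a-target</a:Other>
  </env:Header>
  <env:Body>
    <x:MyElement xmlns:x="http://xyz.acme.com">decoy-in-body</x:MyElement>
  </env:Body>
</env:Envelope>
"""

# The page's XPath, expressed as the (namespace, local-name) steps it tests.
MY_ELEMENT_PATH = [
    (SOAP12_NS, "Envelope"),
    (SOAP12_NS, "Header"),
    (ACME_NS, "MyHeader"),
    (XYZ_NS, "MyElement"),
]


def clark(ns, local):
    """ElementTree spells a namespaced tag as {namespace}local-name."""
    return "{%s}%s" % (ns, local)


def parse_sample():
    return ET.fromstring(SAMPLE_ENVELOPE)


def select_by_path(root, steps):
    """Walk the steps from the document element, matching namespace URI and
    local name at each level, as the chained
    /*[namespace-uri()=... and local-name()=...] predicates do."""
    ns, local = steps[0]
    matched = [root] if root.tag == clark(ns, local) else []
    for ns, local in steps[1:]:
        matched = [child for el in matched for child in el
                   if child.tag == clark(ns, local)]
    return matched


def select_by_local_name(root, names):
    """Same walk but ignoring namespaces: what a local-name()-only path would
    match. Shown only to contrast the over-selection."""
    matched = [root] if root.tag.rsplit("}", 1)[-1] == names[0] else []
    for name in names[1:]:
        matched = [child for el in matched for child in el
                   if child.tag.rsplit("}", 1)[-1] == name]
    return matched


def select_header_by_qname(root, ns, local):
    """QName selection as the page describes it: only direct children of the
    SOAP Header are candidates, so nested elements are never matched."""
    header = root.find(clark(SOAP12_NS, "Header"))
    if header is None:
        return []
    return [child for child in header if child.tag == clark(ns, local)]


def describe(elements):
    """Tag plus text of each selected element, handy for checking coverage."""
    return [(el.tag, (el.text or "").strip()) for el in elements]


def xpath_selection():
    return describe(select_by_path(parse_sample(), MY_ELEMENT_PATH))


def local_name_only_selection():
    names = ["Envelope", "Header", "MyHeader", "MyElement"]
    return describe(select_by_local_name(parse_sample(), names))


def qname_header_selection():
    return describe(select_header_by_qname(parse_sample(), ACME_NS, "MyHeader"))


def qname_nested_selection():
    # MyElement is nested inside MyHeader, so a QName cannot reach it.
    return describe(select_header_by_qname(parse_sample(), XYZ_NS, "MyElement"))


if __name__ == "__main__":
    print("XPath part:", xpath_selection())
    print("Local-name-only path:", local_name_only_selection())
    print("QName MyHeader:", qname_header_selection())
    print("QName nested MyElement:", qname_nested_selection())
```

Run it directly to see the four selections; the namespace-qualified path returns the single intended element, the namespace-free path also returns the decoy in the other namespace, and the QName lookup finds MyHeader but not the nested MyElement.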
Example
If we have the policy set myPolicy and want to specify that request message bodies must be signed, we can perform the following steps:
- Locate the policy set in the Services > Policy sets > Application policy sets collection and click the policy set name.
- Click the WS-Security link. If the link does not exist, click Add and then select WS-Security from the list.
- Click Main policy > Request message part protection.
- Click Add under the Integrity protection and Signed parts section.
- Specify the name, messageBody.
- Select Protect message body, click Add Specified Elements, and click OK.
- Click Save to save the changes to the master configuration.
What to do next
We can proceed to signing and encrypting message parts using policy sets.
Related:
- Web services policy set bindings
- Encrypted SOAP headers
- Signing and encrypting message parts using policy sets
- Create application specific bindings for policy set attachment
- Modifying default bindings at the server or cell level for policy sets
- Reassigning bindings to policy sets attachments
- Configure the WS-Security policy
- Service client policy set and bindings collection
- Service provider policy sets and bindings collection
- Policy set bindings settings
- Policy set bindings settings for WS-Security
- WS-Security authentication and protection
- Caller settings
- Message expiration settings
- Actor roles settings
- Keys and certificates
- Web Services Addressing policy set binding