Configure the WS-Security policy
When working with policy sets in the administrative console, we can customize policies to ensure message security. The WS-Security policy can be configured to apply a message security (WS-Security) profile to requests. Message security policies are applied to requests and enforced on responses to support interoperability.
We can configure some settings for default policies for custom policy sets. The provided default policy sets cannot be edited. We must create a copy of the default policy set or create a completely new policy set in order to specify the policies for it.
Depending on the assigned security role when security is enabled, we might not have access to text entry fields or buttons to create or edit configuration data. Review the administrative roles documentation to learn more about the valid roles for the application server.
Tasks
- Use the WS-Security policy panel to begin configuring the WS-Security policy. To access the WS-Security policy panel, from the administrative console, click Services > Policy sets > Application policy sets > policy_set_name > WS-Security policy.
- Choose which type of message security to configure.
- Click the Main policy link to specify how message security policies are applied to requests and enforced on responses to support interoperability.
- Click the Bootstrap policy link to configure how secure conversations are established. A bootstrap policy might already be configured. If no bootstrap policy is currently configured, first ensure that we have enabled message security with symmetric signature and encryption policies and secure conversation tokens for both integrity and confidentiality protection.
- Use the Main policy settings panel or the Bootstrap policy settings panel to specify how message security policies are applied to requests and enforced on responses. Assertions for WS-Security versions are already generated based on assertions in the policy set. If the policy set includes a WS-S 1.1 assertion, then WS-S 1.1 itself is asserted. Configure the settings on this panel to configure main or bootstrap policy settings:
- Select whether Message level protection is required. Select this check box if any of the message parts should be digitally signed or encrypted, or if a timestamp should be inserted in the message. If this box is unchecked, the Signature confirmation, Key symmetry, Timestamp, and Security header layout options are disabled.
- Specify whether signature confirmation is required. Click this check box to require signature confirmation.
- Configure the settings in the Key Symmetry section. The following fields can be configured in the Key symmetry section:
- Use symmetric tokens
- Click this radio button to use symmetric tokens. We can then configure symmetric tokens with the Symmetric signature and encryption policies link. Click this link to access the Symmetric Signature and Encryption Policies panel where we can create the trust context in which to use symmetric tokens. Using the same token for signing and validating messages and encrypting and decrypting messages provides better performance than can be achieved with asymmetric tokens. Symmetric tokens should be used within a trust context.
- Use asymmetric tokens
- Click this radio button to use asymmetric tokens. We can then configure them with the Asymmetric signature and encryption policies link, which opens the Asymmetric Signature and Encryption Policies panel where we can create the trust context (message integrity and confidentiality) in which to use asymmetric tokens, by specifying which token type to use for the initiator and recipient signature as well as the initiator and recipient encryption.
- Include timestamp in header
- Click this check box to include a timestamp in the header. We can then specify if the timestamp is positioned first or last in the header using the Security header layout radio button options:
- Strict: Declarations must precede use
- Lax: Order of contents can vary
- Lax but timestamp required first in header
- Lax but timestamp required last in header
- Optional: Click the Algorithms link under the Policy Details section to open the Algorithms panel, where we can view and select from the supported algorithms: cryptographic algorithms with their key lengths, and canonicalization algorithms for reconciling XML differences.
- Optional: Configure the request settings. Click either of the following links to configure request settings:
- Request message part protection
- Links to configuration for request message part protection. Click this link to define which message parts are to be protected and how that protection is provided.
- Request token policies
- Links to configuration for request token policies. Click this link to define policies that specify which types of security tokens are supported and the properties of those token types.
- Optional: Configure the response settings. Click either of the following links to configure response settings:
- Response message part protection
- Links to configuration for response message part protection. Click this link to define which message parts are to be protected and how that protection is provided.
- Response token policies
- Links to configuration for response token policies. Click this link to define policies that specify which types of security tokens are supported and the properties of those token types.
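As an added example (not IBM's code and not part of the original page), the following Python script assumes the main policy settings above are serialised as standard WS-SecurityPolicy 1.2 assertions (`sp:AsymmetricBinding`/`sp:SymmetricBinding` for key symmetry, `sp:Layout` with `sp:Strict`/`sp:Lax`/`sp:LaxTsFirst`/`sp:LaxTsLast`, `sp:IncludeTimestamp`, `sp:RequireSignatureConfirmation`, `sp:SignedParts`, `sp:EncryptedParts`, `sp:BootstrapPolicy`). It reads a policy fragment back into the panel's settings and lists the choices a reviewer would want to look at before the policy set is attached. The two sample policies, the namespace prefixes and the function names `audit_policy` and `findings` are constructed for this example.

```python
"""Added example, not IBM's code: read a WS-SecurityPolicy fragment back into
the settings the WS-Security policy panel exposes and list weak spots.
Assumes standard WS-SecurityPolicy 1.2 assertion names; the sample policies
below are constructed for this example."""
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://www.w3.org/ns/ws-policy"
NS = {"sp": SP, "wsp": WSP}

# Constructed sample: asymmetric key symmetry, strict header layout, timestamp,
# signature confirmation required, SOAP body signed and encrypted.
STRONG_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:AsymmetricBinding>
    <wsp:Policy>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic256Sha256/></wsp:Policy></sp:AlgorithmSuite>
      <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
      <sp:IncludeTimestamp/>
    </wsp:Policy>
  </sp:AsymmetricBinding>
  <sp:Wss11><wsp:Policy><sp:RequireSignatureConfirmation/></wsp:Policy></sp:Wss11>
  <sp:SignedParts><sp:Body/></sp:SignedParts>
  <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
</wsp:Policy>"""

# Constructed sample: symmetric key symmetry with no bootstrap policy, lax
# layout, no timestamp, body signed but not encrypted, no confirmation.
WEAK_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:SymmetricBinding>
    <wsp:Policy>
      <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
    </wsp:Policy>
  </sp:SymmetricBinding>
  <sp:SignedParts><sp:Body/></sp:SignedParts>
</wsp:Policy>"""


def _local(tag):
    """Strip the namespace from an ElementTree tag such as '{ns}Strict'."""
    return tag.rsplit("}", 1)[-1]


def audit_policy(xml_text):
    """Map the policy's assertions onto the panel's settings."""
    root = ET.fromstring(xml_text)
    binding, key_symmetry = root.find(".//sp:AsymmetricBinding", NS), "asymmetric"
    if binding is None:
        binding, key_symmetry = root.find(".//sp:SymmetricBinding", NS), "symmetric"
    report = {
        # No binding assertion means the "Message level protection" box is off.
        "message_level_protection": binding is not None,
        "key_symmetry": key_symmetry if binding is not None else None,
        "include_timestamp": False,
        "layout": None,
        "algorithm_suite": None,
        "signature_confirmation": root.find(
            ".//sp:Wss11/wsp:Policy/sp:RequireSignatureConfirmation", NS) is not None,
        "bootstrap_policy": root.find(".//sp:BootstrapPolicy", NS) is not None,
        "signed_parts": [],
        "encrypted_parts": [],
    }
    if binding is not None:
        nested = binding.find("wsp:Policy", NS)  # binding properties live here
        if nested is not None:
            report["include_timestamp"] = nested.find("sp:IncludeTimestamp", NS) is not None
            layout = nested.find("sp:Layout/wsp:Policy/*", NS)
            report["layout"] = _local(layout.tag) if layout is not None else None
            suite = nested.find("sp:AlgorithmSuite/wsp:Policy/*", NS)
            report["algorithm_suite"] = _local(suite.tag) if suite is not None else None
    for kind in ("signed", "encrypted"):
        for part in root.findall(f".//sp:{kind.capitalize()}Parts/*", NS):
            name = _local(part.tag)
            if name == "Header":  # a named header part, e.g. Header:To
                name = "Header:" + part.get("Name", "*")
            report[f"{kind}_parts"].append(name)
    return report


def findings(report):
    """Defensive review of a report from audit_policy: each entry is a setting
    that leaves messages weaker than the fully protected configuration."""
    if not report["message_level_protection"]:
        return ["no binding assertion: message-level protection is switched off"]
    out = []
    if not report["include_timestamp"]:
        out.append("no timestamp in the security header")
    if report["layout"] != "Strict":
        out.append(f"header layout is {report['layout']}, not Strict")
    if not report["signature_confirmation"]:
        out.append("signature confirmation is not required")
    if "Body" not in report["signed_parts"]:
        out.append("SOAP body is not signed")
    if "Body" not in report["encrypted_parts"]:
        out.append("SOAP body is not encrypted")
    if report["key_symmetry"] == "symmetric" and not report["bootstrap_policy"]:
        out.append("symmetric tokens without a bootstrap policy: confirm a trust context exists")
    return out


if __name__ == "__main__":
    for name, policy in (("strong", STRONG_POLICY), ("weak", WEAK_POLICY)):
        print(name, findings(audit_policy(policy)))
```

Run stand-alone, the script reports no findings for the first sample and five for the second (missing timestamp, lax layout, no signature confirmation, unencrypted body, and a symmetric binding with no bootstrap policy). The checks mirror the panel's own dependencies: when no binding assertion is present, message-level protection is off and the remaining settings are not evaluated, just as the panel disables them.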
Once we have customized the WS-Security policy, the associated policy set uses this policy to protect messages.
Subtopics
- WS-Security policy settings
  Configure the WS-Security policy and apply a message security WS-Security profile to requests. WS-Security policies are applied to requests and enforced on responses to support interoperability.
- Configure the request or response token policies
  We can configure the request and response token policies that are part of the WS-Security policy using the administrative console. Message request token policies are applied to requests and enforced on responses to support both quality and interoperability.
- Transform algorithms settings
  Use this administrative console page to select the uniform resource locator (URL) for the transform algorithms needed to protect the message part.
- Signed part reference default bindings settings
  Use this administrative console page to configure the signed part reference general bindings and the uniform resource locator (URL) for the transform algorithms needed to protect the message part.
- Main policy and bootstrap policy settings
  Specify how message security policies are applied to requests and enforced on responses, as defined by the main policy settings and the bootstrap policy settings. Assertions for Web Services Security (WS-Security) versions are already generated based on assertions in the policy set. If the policy set includes a Web Services Security Version 1.1 assertion, then Web Services Security Version 1.1 itself is asserted.
- Asymmetric signature and encryption policies settings
  Create the trust context (message integrity and confidentiality) in which to use asymmetric tokens, by specifying which token type to use for the initiator and recipient signature as well as the initiator and recipient encryption.
- Symmetric signature and encryption policies settings
  Create the trust context in which to use symmetric tokens. Using the same token for signing and validating messages and for encrypting and decrypting messages increases performance. Use symmetric tokens within a trust context.
- Algorithms settings
  View the supported cryptographic and canonicalization algorithms. Canonicalization algorithms are used to reconcile XML differences.
- Message part protection settings
  Use this page to define the message parts that we want protected and how that protection is provided.
- Signed part settings
  Use this page to define the elements of a signed part. Signed parts are used to protect message integrity and, in this case, the signed parts are being defined as part of the policy set process.
- Encrypted message part settings
  Use this page to define the elements of an encrypted part of a message. Encrypted parts are used to protect message confidentiality and, in this case, the encrypted parts are being defined as part of the policy set process. A message part is a named set of one or more message elements.