+

Search Tips   |   Advanced Search

Encryption information configuration settings: Methods

Configure the encryption and decryption parameters for the signature method, digest method, and canonicalization method.

The specifications listed on this page for the signature method, digest method, and canonicalization method are located in the World Wide Web Consortium (W3C) document entitled, XML Encryption Syntax and Processing: W3C Recommendation 10 Dec 2002.

To view this administrative console page:

  1. Click Applications > Application Types > WebSphere enterprise applications > application_name and complete one of the following steps:

    • Click Manage modules > URI_file_name > Web Services: Client Security Bindings. Under Request sender binding, click Edit. Under Web Services Security Properties, click Encryption Information.

    • Under Modules, click Manage modules > URI_file_name > Web Services: Server Security Bindings. Under Response sender binding, click Edit. Under Web Services Security Properties, click Encryption Information.

  2. Select None or Dedicated encryption information. The application server can have either one or no encryption configurations for the request sender and the response sender bindings. If we are not using encryption, select None. To configure encryption for either of these two bindings, select Dedicated encryption information and specify the configuration settings using the fields described in this topic.

Fix packs that include updates to the SDK might overwrite unrestricted policy files. Back up unrestricted policy files before applying a fix pack and reapply these files after the fix pack is applied.


Encryption information name

Name for the encryption information.


Key locator reference

Name used to reference the key locator.

We can configure these key locator reference options on the cell level, the server level, and the application level. The configurations listed in the field are a combination of the configurations on these three levels.

To configure the key locators on the cell level, complete the following steps:

  1. Click Security > JAX-WS and JAX-RPC security runtime.

  2. Under Additional properties, click Key locators.

To configure the key locators on the server level:

  1. Click Servers > Server Types > WebSphere application servers > server.

  2. Under Security, click security runtime.

    Mixed-version environment: In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security.mixv

  3. Under Additional properties, click Key locators.

To configure the key locators on the application level, complete the following steps:

  1. Click Applications > Application Types > WebSphere enterprise applications > application_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Under Web Services Security Properties, we can access the key locators for the following bindings:

    • For the Request sender, click Web services: Client security bindings. Under Request sender binding, click Edit. Under Additional properties, click Key locators.

    • For the Request receiver, click Web services: Server security bindings. Under Request receiver binding, click Edit. Under Additional properties, click Key locators.

    • For the Response sender, click Web services: Server security bindings. Under Response sender binding, click Edit. Under Additional properties, click Key locators.

    • For the Response receiver, click Web services: Client security bindings. Under Response receiver binding, click Edit. Under Additional properties, click Key locators.


Encryption key name

Name of the encryption key that is resolved to the actual key by the specified key locator.

Information Value
Data type String


Key encryption algorithm

Algorithm uniform resource identifier (URI) of the key encryption method.

The following algorithms are supported:

If an InvalidKeyException error occurs and we are using the 129xxx or 256xxx encryption algorithm, the unrestricted policy files might not exist in the configuration.


Java Cryptography Extension

By default, the Java Cryptography Extension (JCE) is shipped with restricted or limited strength ciphers. To use 192-bit and 256-bit AES encryption algorithms, we must apply unlimited jurisdiction policy files.

(Dist) Note: Before downloading these policy files, back up the existing policy files (local_policy.jar and US_export_policy.jar in the WAS_HOME/java/jre/lib/security/ directory) prior to overwriting them in case we want to restore the original files later.

(ZOS) Note: Before downloading these policy files, back up the existing policy files (local_policy.jar and US_export_policy.jar in the WAS_HOME/java/lib/security/ directory) prior to overwriting them in case we want to restore the original files later.

Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, we must check the laws of our country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.


Application server platforms and IBM Developer Kit, Java Technology Edition, Version 1.4.2

To download the policy files, complete one of the following sets of steps:

After completing these steps, two Java archive (JAR) files are placed in the JVM jre/lib/security/ directory.


(iSeries) IBM i and IBM Software Development Kit 1.4

For the IBM i and IBM Software Development Kit Version 1.4, the tuning of Web Services Security is not required. The unrestricted jurisdiction policy files for the IBM SDK Version 1.4 are automatically configured when the prerequisite software is installed.

For the IBM i 5.4 operating system and IBM Software Development Kit Version 1.4, the unrestricted jurisdiction policy files for the IBM Java Developer Kit 1.4 are automatically configured by installing product 5722SS1 Option 3, Extended Base Directory Support.

For IBM i (formerly known as IBM i V5R3) and IBM Software Development Kit Version 1.4, the unrestricted jurisdiction policy files for the IBM Software Development Kit Version 1.4 are automatically configured by installing product 5722AC3, Crypto Access Provider 128-bit.


(iSeries) IBM i and IBM Software Development Kit 1.5

For IBM i 5.4 and IBM i (formerly known as IBM i V5R3) and IBM Software Development Kit 1.5, the restricted JCE jurisdiction policy files are configured, by default. We can download the unrestricted JCE jurisdiction policy files from the following website: Security information: IBM J2SE 5 SDKs

To configure the unrestricted jurisdiction policy files for IBM i and the IBM SDK Version 1.5:

  1. Make backup copies of these files:
    /QIBM/ProdData/Java400/jdk15/lib/security/local_policy.jar  
    /QIBM/ProdData/Java400/jdk15/lib/security/US_export_policy.jar
    
  2. Download the unrestricted policy files from IBM developer kit: Security information to the /QIBM/ProdData/Java400/jdk15/lib/security directory.

    1. Go to this website: IBM developer kit: Security information

    2. Click J2SE 5.0.

    3. Scroll down and click IBM SDK Policy files. The Unrestricted JCE Policy files for the SDK website is displayed.

    4. Click Sign in and provide the IBM intranet ID and password.

    5. Select the appropriate unrestricted JCE policy files, and then click Continue.

    6. View the license agreement> I Agree.

    7. Click Download Now.

  3. Use the DSPAUT command to ensure *PUBLIC is granted*RX data authority but also ensure that no object authority is provided to both the local_policy.jar and the US_export_policy.jar files in the /QIBM/ProdData/Java400/jdk15/lib/security directory. For example:
    DSPAUT OBJ('/qibm/proddata/java400/jdk15/lib/security/local_policy.jar') 
    

  4. Use the CHGAUT command to change authorization, if needed. For example:
    CHGAUT OBJ('/qibm/proddata/java400/jdk15/lib/security/local_policy.jar') 
    USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*NONE)
    


Data encryption algorithm

Algorithm Uniform Resource Identifiers (URI) of the data encryption method.

The following algorithms are supported:

By default, the JCE ships with restricted or limited strength ciphers. To use 192-bit and 256- bit AES encryption algorithms, we must apply unlimited jurisdiction policy files. See Key encryption algorithm field description.


Related:

  • Basic Security Profile compliance tips
  • Configure encryption using JAX-RPC to protect message confidentiality at the application level
  • Encryption information collection
  • Key locator collection