IBM BPM, V8.0.1, All platforms

Set up message-level encryption

Message-level encryption provides confidentiality by applying encryption to all or parts of a SOAP message. The encryption spans the entire communication chain between the consumer and the provider. To take advantage of this type of encryption in integration services for BPDs, you must enable the corresponding configuration settings.

Ensure that the 100Custom.xml file exists. See The 99Local.xml and 100Custom.xml configuration files.

The default 100Custom.xml configuration file includes a <server> section that you can use to set up message-level encryption for integration services.

<server>
  <webservice-security merge="mergeChildren">
    <!-- Key store holding the requester's private key and the provider's key entry -->
    <keystore-file merge="replace">teamworks.jks</keystore-file>
    <!-- Encrypted key store password; "password" is a placeholder to replace -->
    <keystore-password-encrypted>password</keystore-password-encrypted>
    <!-- Private key used by the service requester (client side) -->
    <private-key>
      <alias>soaprequester</alias>
      <keyname>soaprequester</keyname>
      <password-encrypted>password</password-encrypted>
    </private-key>
    <!-- Key entry used for the service provider -->
    <private-key>
      <alias>soapprovider</alias>
      <keyname>soapprovider</keyname>
    </private-key>
    <!-- JKS (default), JCEKS, or PKCS12KS -->
    <keystore-type>JKS</keystore-type>
    <!-- Path to the client certificate, including the file name -->
    <certificate>path to client certificate</certificate>
  </webservice-security>
</server>

Elements in the <server> section of the default 100Custom.xml file

<keystore-file>
    Description: Name of the key store file related to the service requester.
    Example: profile_root/etc/ws-security/dsig-sender.jks

<keystore-password-encrypted>
    Description: Encrypted key store password for the service requester.

<private-key>
    Description: Holds the elements that describe the client private key (<alias>, <keyname> and <password-encrypted>).

<alias>
    Description: Alias for the private key, as specified when the key store was created.

<keyname>
    Description: Key name for the alias. If this element is not present, the alias name is used as the key name.
    Example: KeyName : CN="Bob", OU=IBM, O=US,.. or KeyName : Bob

<password-encrypted>
    Description: Encrypted key password for accessing the client private key.

<keystore-type>
    Description: Key store type. This element can have one of the following values:
        JKS - use this value if the key store uses the Java Keystore format.
        JCEKS - use this value if the Java Cryptography Extension is configured in the application server.
        PKCS12KS (PKCS12) - use this value if the key store file uses the PKCS#12 file format.
    If a type is not provided, the default is JKS.
    Example: keystore-type="JKS"

<certificate>
    Description: Path to the client certificate, including the certificate file name.
    Example: {Install-Location}\client.cert
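The values in the sample above are easy to get subtly wrong before the servers are restarted: a leading space inside <alias> becomes part of the alias name, the literal "password" placeholder is not an encrypted value, and <keystore-type> accepts only the values listed in the table. The following checker is an added example written for this page, not IBM code; it parses the <webservice-security> section with the standard library and reports those mistakes. The element names come from the table above; the function name, the constructed samples, the "/opt/ibm/bpm/client.cert" path and the "CONSTRUCTED_ENCRYPTED_VALUE" password string are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Key store types listed on this page; JKS is the documented default when the
# element is absent. PKCS12 is the short form the page gives for PKCS12KS.
KEYSTORE_TYPES = {"JKS", "JCEKS", "PKCS12KS", "PKCS12"}
PLACEHOLDERS = {"", "password"}


def _text(el):
    """Text of an element, or '' if the element is missing or empty."""
    return "" if el is None or el.text is None else el.text


def check_webservice_security(xml_text):
    """Return a list of problems in the <webservice-security> section (empty = looks sane)."""
    root = ET.fromstring(xml_text)
    sec = root if root.tag == "webservice-security" else root.find(".//webservice-security")
    if sec is None:
        return ["no <webservice-security> element found"]
    problems = []

    # Whitespace inside an element is part of its value: "<alias> soaprequester</alias>"
    # names an alias that starts with a space and will not be found in the key store.
    for el in sec.iter():
        if el.text and el.text.strip() and el.text != el.text.strip():
            problems.append(f"<{el.tag}> value {el.text!r} has surrounding whitespace")

    if not _text(sec.find("keystore-file")).strip():
        problems.append("<keystore-file> is missing or empty")

    ks_type = _text(sec.find("keystore-type")).strip() or "JKS"
    if ks_type not in KEYSTORE_TYPES:
        problems.append(f"<keystore-type> {ks_type!r} is not one of {sorted(KEYSTORE_TYPES)}")

    # Both password elements must hold the encrypted form, never the sample placeholder.
    for el in sec.findall("keystore-password-encrypted") + sec.findall(".//password-encrypted"):
        if _text(el).strip().lower() in PLACEHOLDERS:
            problems.append(f"<{el.tag}> is empty or still holds the placeholder value")

    keys = sec.findall("private-key")
    if not keys:
        problems.append("no <private-key> element defined")
    for pk in keys:
        alias = _text(pk.find("alias")).strip()
        if not alias:
            problems.append("<private-key> without an <alias>")
        keyname = pk.find("keyname")  # optional: the alias is used when absent
        if keyname is not None and not _text(keyname).strip():
            problems.append(f"<keyname> for alias {alias!r} is present but empty")

    if not _text(sec.find("certificate")).strip():
        problems.append("<certificate> (client certificate path) is missing or empty")
    return problems


# Constructed sample: the section as printed on this page, including the
# leading spaces inside the values and the literal "password" placeholders.
AS_PRINTED = """<server>
  <webservice-security merge="mergeChildren">
    <keystore-file merge="replace">teamworks.jks</keystore-file>
    <keystore-password-encrypted> password</keystore-password-encrypted>
    <private-key>
      <alias> soaprequester</alias>
      <keyname> soaprequester</keyname>
      <password-encrypted> password</password-encrypted>
    </private-key>
    <private-key>
      <alias> soapprovider</alias>
      <keyname> soapprovider</keyname>
    </private-key>
    <keystore-type>JKS</keystore-type>
    <certificate> path to client certificate</certificate>
  </webservice-security>
</server>"""

# Constructed sample with the values trimmed, a constructed encrypted-password
# string, and an assumed certificate path.
CLEANED = (AS_PRINTED.replace("> ", ">")
           .replace(">password<", ">CONSTRUCTED_ENCRYPTED_VALUE<")
           .replace("path to client certificate", "/opt/ibm/bpm/client.cert"))

if __name__ == "__main__":
    for label, sample in (("as printed", AS_PRINTED), ("cleaned", CLEANED)):
        print(f"{label}: {check_webservice_security(sample) or 'no problems'}")
```

Run it against your own 100Custom.xml by passing the file contents to check_webservice_security; an empty list means the section is structurally usable, although whether the aliases actually exist in teamworks.jks is something only the key store itself can confirm.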


Procedure

  1. Stop the deployment manager (dmgr), the process server, and the Process Center server if they are running.
  2. Open the 100Custom.xml file in a text editor.
  3. Uncomment the <server> section.
  4. Specify the encryption settings.
  5. Start the process server or the Process Center server.


Results

The encryption-related settings are now available for use in Process Designer for Web Service integration step types.


What to do next

Specify the encryption settings on the Security tab for the Web Service integration step type.

Encrypt request

Select this option to encrypt outbound SOAP messages. Note that you cannot modify the parts of the message that are encrypted. The Web Service integration step type always encrypts the SOAP body, the WS-Security username token (if present), and the WS-Security signature (if present). With this option, you also need to provide a value for the Server certificate alias in order to configure the encryption key.

Expect encrypted response

Select this option to specify that you expect the web service provider to use WS-Security message-level encryption in the response. Note that you cannot modify the parts of the message that are encrypted. The Web Service integration step type always assumes that the SOAP body and the WS-Security signature (if present) are encrypted. With this option, you also need to provide a value for the Client certificate alias in order to configure the decryption key.
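The two options above each fix a set of message parts that must be encrypted: Body, UsernameToken and Signature for an outbound request, Body and Signature for an expected response. On the wire, an encrypted part is replaced by an xenc:EncryptedData element that the xenc:EncryptedKey in the wsse:Security header (wrapped for the certificate the Server or Client certificate alias selects) lists in its ReferenceList. The checker below is an added example written for this page, not IBM code; it applies those two rule sets to a SOAP envelope structurally, without decrypting anything, which is useful when diagnosing a provider whose responses fail the "Expect encrypted response" check. The namespace URIs are the standard WS-Security 1.0, XML Encryption and XML Signature ones; the function name and the sample messages (placeholder cipher values, a constructed recipient identifier, a constructed getBalanceResponse body) are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Standard WS-Security 1.0 / XML Signature / XML Encryption namespaces.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
ENC_DATA = "{%s}EncryptedData" % NS["xenc"]


def check_message(envelope_xml, direction):
    """List the ways a SOAP envelope violates the page's encryption rules.

    direction="request":  "Encrypt request" rules (Body, UsernameToken, Signature).
    direction="response": "Expect encrypted response" rules (Body, Signature).
    A part counts as encrypted when its clear element has been replaced by
    xenc:EncryptedData and that element is listed by the EncryptedKey.
    """
    if direction not in ("request", "response"):
        raise ValueError(direction)
    env = ET.fromstring(envelope_xml)
    problems = []

    body = env.find("soap:Body", NS)
    children = [] if body is None else list(body)
    if not children or not all(c.tag == ENC_DATA for c in children):
        problems.append("SOAP Body is not encrypted")

    security = env.find("soap:Header/wsse:Security", NS)
    if security is None:
        return problems + ["no wsse:Security header"]
    if security.find("ds:Signature", NS) is not None:
        problems.append("ds:Signature is present in clear text")
    if direction == "request" and security.find("wsse:UsernameToken", NS) is not None:
        problems.append("wsse:UsernameToken is present in clear text")

    # The EncryptedKey carries the session key wrapped for the recipient certificate
    # and lists every EncryptedData it applies to; an unreferenced EncryptedData
    # cannot be decrypted by the recipient.
    enc_key = security.find("xenc:EncryptedKey", NS)
    if enc_key is None:
        return problems + ["no xenc:EncryptedKey in the Security header"]
    if enc_key.find("ds:KeyInfo", NS) is None:
        problems.append("EncryptedKey does not identify the recipient certificate")
    referenced = {r.get("URI", "").lstrip("#")
                  for r in enc_key.findall("xenc:ReferenceList/xenc:DataReference", NS)}
    for enc in env.iter(ENC_DATA):
        if enc.get("Id") not in referenced:
            problems.append("EncryptedData %r is not referenced by the EncryptedKey" % enc.get("Id"))
    return problems


# Constructed response: Body and Signature encrypted and both referenced from the
# EncryptedKey. Cipher values and the recipient identifier are placeholders.
ENCRYPTED = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soapenv:Header><wsse:Security>
    <xenc:EncryptedKey Id="EK-1">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <ds:KeyInfo><wsse:SecurityTokenReference>
        <wsse:KeyIdentifier>CONSTRUCTED-RECIPIENT-CERT-ID</wsse:KeyIdentifier>
      </wsse:SecurityTokenReference></ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
      <xenc:ReferenceList><xenc:DataReference URI="#ED-SIG"/><xenc:DataReference URI="#ED-BODY"/></xenc:ReferenceList>
    </xenc:EncryptedKey>
    <xenc:EncryptedData Id="ED-SIG" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </wsse:Security></soapenv:Header>
  <soapenv:Body>
    <xenc:EncryptedData Id="ED-BODY" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>"""

# Constructed clear-text response: signed, but neither Body nor Signature encrypted.
CLEAR = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soapenv:Header><wsse:Security>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>Q09OU1RSVUNURUQ=</ds:SignatureValue></ds:Signature>
  </wsse:Security></soapenv:Header>
  <soapenv:Body><getBalanceResponse><balance>42.00</balance></getBalanceResponse></soapenv:Body>
</soapenv:Envelope>"""

# The encrypted message with a clear UsernameToken added: acceptable as a response
# (the response rule covers Body and Signature only) but not as a request.
WITH_CLEAR_TOKEN = ENCRYPTED.replace(
    "<wsse:Security>", "<wsse:Security><wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>")

if __name__ == "__main__":
    for label, msg in (("encrypted", ENCRYPTED), ("clear", CLEAR), ("clear token", WITH_CLEAR_TOKEN)):
        for direction in ("request", "response"):
            print(label, direction, check_message(msg, direction) or "ok")
```

The request and response rule sets differ only in the UsernameToken check, which is exactly the difference between the two option descriptions above; a message that passes check_message(..., "response") is one the integration step can attempt to decrypt with the key the Client certificate alias selects.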
