
Secure message parts using the admin console


When working with policy sets, we can secure message parts using the admin console. To secure message parts with WS-Security using policy sets, define the elements for the message parts to be protected in the WS-Security policy within a policy set.

Before starting this task, have a policy set defined for the application or service artifact.

If none of the default policy sets contain the necessary policy definitions, create a custom policy set with the necessary definitions.

This task assumes that we are using policy sets and want to secure message parts within that context.

 

  1. Open the admin console.

  2. Select the policy set containing the message parts to secure.

    • To secure message parts using application policy sets, click Services > Policy sets > Application policy sets.

    • To secure message parts using system policy sets, click Services > Policy sets > System policy sets.

  3. Select the policy set to use.

  4. If the WS-Security policy is not listed, then click Add and select that policy from the list.

  5. Click the WS-Security link.

  6. Click Main policy or Bootstrap policy.

    The bootstrap policy is available when Secure Conversation is used. To use the bootstrap policy, select the SecureConversation policy set in step three.

  7. Make sure that Message level protection is selected, then click Request message part protection or Response message part protection. When the Message level protection checkbox is unchecked, the link to Response message part protection is not available, because the configuration information associated with message level security is removed when Message level protection is deselected.

  8. Click Add for either Encrypted parts or Signed parts depending on the level of security that you want.

  9. Specify a part name and add the elements to be signed or encrypted, or both. The elements can be the message body, an XPath expression, or a QName, which is for SOAP header elements only. Click OK.

    Recommendation for when to use QName or XPath: When encrypting or signing SOAP headers, we can use a QName to select which SOAP headers are signed or encrypted.

    The selected elements must be direct children of the SOAP header.

    To sign and encrypt other elements in the SOAP message, we can use an XPath expression.

    The following XPath example selects MyElement, in the namespace http://abc.acme.com, within MyHeader, in the namespace http://acme.com.

    /*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Envelope']/*[namespace-uri()=
    'http://www.w3.org/2003/05/soap-envelope' and local-name()='Header']/*[namespace-uri()='http://acme.com' and local-name()=
    'MyHeader']/*[namespace-uri()='http://abc.acme.com' and local-name()='MyElement']
    

  10. Repeat steps 8 and 9 to sign or encrypt each message part.

  11. To save the changes to the master configuration, click Save.
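
The selection rules from step 9, as an added example that is not part of the original documentation: a small Python check that evaluates the page's XPath and a QName selection against a constructed SOAP 1.2 message, showing which element each one picks. It understands only the `/*[namespace-uri()=... and local-name()=...]` step form used above and is not the product's XPath engine; the sample message and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
# XPath from the page, joined into one string.
XPATH = (
    f"/*[namespace-uri()='{SOAP12}' and local-name()='Envelope']"
    f"/*[namespace-uri()='{SOAP12}' and local-name()='Header']"
    "/*[namespace-uri()='http://acme.com' and local-name()='MyHeader']"
    "/*[namespace-uri()='http://abc.acme.com' and local-name()='MyElement']"
)
# Constructed sample message: the same QName appears in three places.
SAMPLE = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
    xmlns:a="http://acme.com" xmlns:b="http://abc.acme.com">
  <s:Header>
    <a:MyHeader><b:MyElement>nested</b:MyElement></a:MyHeader>
    <b:MyElement>header-child</b:MyElement>
  </s:Header>
  <s:Body><b:MyElement>body</b:MyElement></s:Body>
</s:Envelope>"""

STEP = re.compile(r"/\*\[\s*namespace-uri\(\)\s*=\s*'([^']*)'\s+and\s+"
                  r"local-name\(\)\s*=\s*'([^']*)'\s*\]")

def clark(ns, name):
    """ElementTree stores qualified names as '{namespace}local'."""
    return f"{{{ns}}}{name}" if ns else name

def parse_steps(xpath):
    """Return [(namespace, local-name), ...]; reject any other XPath form."""
    steps, pos, xpath = [], 0, xpath.strip()
    while pos < len(xpath):
        m = STEP.match(xpath, pos)
        if not m:
            raise ValueError(f"unsupported XPath syntax at offset {pos}")
        steps.append(m.groups())
        pos = m.end()
    return steps

def select_xpath(xml_text, xpath):
    """Walk the document one child step at a time, as the expression does."""
    steps = [clark(ns, name) for ns, name in parse_steps(xpath)]
    root = ET.fromstring(xml_text)
    nodes = [root] if steps and root.tag == steps[0] else []
    for tag in steps[1:]:
        nodes = [child for node in nodes for child in node if child.tag == tag]
    return nodes

def select_header_qname(xml_text, ns, name):
    """QName selection: only direct children of the SOAP Header can match."""
    header = ET.fromstring(xml_text).find(clark(SOAP12, "Header"))
    return [] if header is None else [c for c in header if c.tag == clark(ns, name)]
```

Against the sample, the XPath reaches only the element nested in MyHeader, while the QName for the same element name matches only the copy that is a direct child of the SOAP header.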

 

Results

After finishing this task, we have configured the policy set that contains the quality of service definitions required for signing and encrypting message parts.

 

Example

If we have the policy set myPolicy and want to specify request message bodies that must be signed, we can perform the following steps:

  1. Locate the policy set in the Services > Policy sets > Application policy sets collection and click the policy set name.

  2. Click the WS-Security link. If the link does not exist, click Add and then select WS-Security from the list.

  3. Click Main policy > Request message part protection.

  4. Click Add under the Integrity protection and Signed parts section.

  5. Specify the name, messageBody.

  6. Select Protect message body, click Add Specified Elements, and click OK.

  7. Click Save to save the changes to the master configuration.

 

Next steps

We can proceed to signing and encrypting message parts using policy sets.

 
