+

Search Tips   |   Advanced Search

Signing and encrypting message parts using policy sets


With Web services, we can sign message parts, encrypt message parts, or both, based on the quality of service defined for a policy set. We can accomplish these actions by defining the binding information in a custom attachment binding.

Before beginning this task, attach a policy set to a service artifact such as an application, service or endpoint and create a custom attachment binding. Read about creating custom attachment bindings for policy sets. The policy set that is attached to the service artifact must include a WS-Security policy that specifies message parts to be signed or encrypted. Read about securing message parts using the admin console.

To sign message parts, encrypt message parts, or both, based on the quality of service defined for a policy set...

 

  1. Open the admin console.

  2. To sign and encrypt message parts for a service provider, click Applications > Enterprise applications > myapp > Service provider policy sets and bindings. To sign and encrypt message parts for a service client, click Applications > Enterprise applications > myapp > Service client.policy sets and bindings.

  3. Click the binding name link of the service artifact with a custom attachment binding.

  4. If the binding does not contain WS-Security policy set bindings, then click Add and select WS-Security from the list.

  5. Click WS-Security policy set bindings.

  6. Click Authentication and protection. The resulting panel contains the following four tables:

    • Protection tokens: Tokens defined for the symmetric or asymmetric signature and encryption policies in the policy set.
    • Authentication tokens: Tokens defined for the request and response token policies.

    • Request message signature and encryption protection: Message parts defined in the Request message part protection for the policy set.

    • Response message signature and encryption protection: Message parts defined in the response message part protection in the policy set.

    Initially, each table displays information that is generated based on the policy set which is attached to the service artifact. The possible configuration objects based on the policy set are displayed. The Status column indicates whether the object is currently configured in the custom attachment binding.

  7. If the protection tokens have a status of Not configured, then create the protection tokens by clicking the default name, verifying the default values. Click OK.

  8. [Optional] If we use the X.509 protection tokens, then configure the keystores and keys to be used to sign, verify, encrypt or decrypt message parts. We might need to also configure keystores and keys when using custom protection tokens, depending on the requirements of the custom tokens. When using a security context token for protection (secure conversation), you do not need to configure keystores or keys. to configure the keystores and keys, then perform the following actions:

    1. Click the token name link.

    2. Click the Callback handler link under Additional bindings. If the Callback handler link is not click-able, click Apply, then click the Callback handler link.

    3. Either use a predefined keystore or custom keystore. To use a predefined keystore, select the keystore from the list. To use a custom keystore, select Custom from the list and click the Custom key store configuration link to specify the configuration.

    4. Click OK.

  9. Click the name of the request or response message part reference to be signed or encrypted. The Protection column displays whether the message part is signed or encrypted based on the policy set.

  10. Specify a name for the message part.

  11. For encrypted parts, select the type of encryption from Usage of key information references. For asymmetric encryption, or X.509, select Key encryption. For symmetric encryption, or secure conversation, select Data encryption.

  12. [Optional] For encrypted parts, select the Include time stamp or Include nonce options to include a time stamp or nonce in the encrypted message part. We can include one or both of these options in the encrypted message part.

  13. For signed parts, specify one or more Message part references. Select a reference from the Available column and click Add.

  14. [Optional] For signed parts, we can also choose to add a time stamp or nonce to the signed message part. Select a Message part reference from the Assigned column and click Edit. Select the Include time stamp or the Include nonce options to include a time stamp or nonce in the signed message part. We can select one or both of these options in the signed message part.

  15. If there are no available key information entries, then create one using the following actions:

    1. Click New.

    2. Specify a name.

    3. Select a protection token from the Token generator or Consumer name list.

    4. Click OK.

  16. Select a key information entry from the Available list and click Add.

  17. [Optional] Specify custom properties if needed.

    1. To use Message Transmission Optimization Mechanism (MTOM) for the cipher text of the encrypted data, add the custom property, com.ibm.wsspi.wssecurity.enc.MTOM.Optimize, with value true to outbound encrypted parts for client requests or server responses.

    2. To use encryption headers as described in the WS-Security 1.0 spec instead of the encrypted header support described in WS-Security 1.1, add the custom property, com.ibm.wsspi.wssecurity.encryptedHeader.generate.WSS1.0, with value true to outbound encrypted parts for client requests or server responses.

      For WS-Security Version 1.1 behavior that is equivalent to WAS versions prior to version 7.0, specify the com.ibm.wsspi.wssecurity.encryptedHeader.generate.WSS1.1.pre.V7 property with a value of true on the <encryptionInfo> element in the binding. When this property is specified, the <EncryptedHeader> element includes a wsu:Id parameter and the <EncryptedData> element omits the Id parameter. This property should only be used if compliance with Basic Security Profile 1.1 is not required.

  18. Click OK.

  19. Click Save, to save the changes to the master configuration.

 

Results

When you finish this task, the message parts are signed and encrypted, or both, based on the configuration used when communicating with the service artifact.

 

Example

we have an application, app1, with an attached policy set, RAMP default and a custom attachment binding, myBinding, and you want to sign and encrypt the message parts.

  1. Click the app1 application in the Applications > Enterprise Applications collection.

  2. Click the Service provider policy sets and bindings link or the Service client.policy sets and bindings link.

  3. Click the myBinding link.

  4. [Optional] If WS-Security is not listed, then select Add > WS-Security.

  5. Click the WS-Security link.

  6. Click the Authentication and protection link.

  7. In the Protection tokens table, click each of the four links and OK on the resulting panel. Each entry is now shown as Configured in the Status column.

  8. In the Request message signature and encryption protection table, click request:app_encparts. Specify the name, requestEncParts.

  9. Click New from Key information. Specify the name, requestEncKeyInfo.

  10. Select SymmetricBindingRecipientEncryptionToken, and click OK.

  11. Select requestEncKeyinfo in the Available list, and click Add. Click OK.

  12. In the Request message signature and encryption protection table, click request:app_signparts.

  13. Specify the name, requestSignParts.

  14. Click New from Key information. Specify a name of requestSignKeyInfo.

  15. Select SymmetricBindingInitiatorSignatureToken, and click OK.

  16. Select requestSignKeyinfo in the Available list, and click Add. Click OK.

  17. Repeat steps 8 to 16 for the links in the Response message signature and encryption protection table.

  18. Click Save, to save the changes to the master configuration.

 

Next steps

Start the application.


Signed or Encrypted message part settings

 

Related tasks


Attach a policy set to a service artifact
Create application specific bindings for policy set attachment
Set the WS-Security policy
Secure message parts
Set policy set bindings