+

Search Tips   |   Advanced Search

Configure encryption using JAX-RPC to protect message confidentiality at the application level

We can configure encryption information, used to specify how the generators (senders) encrypt outgoing messages, for the request generator (client side) and the response generator (server side) bindings at the application level.

Configure the key information referenced by the key information references in the encryption information panel.

This task provides the steps needed for configuring encryption information for the request generator (client side) and the response generator (server side) bindings at the application level. This encryption information specifies how the generators (senders) encrypt outgoing messages.

Configure the encryption information for the request generator or response generator section of the bindings file on the application level:


Tasks

  1. Locate the encryption information configuration panel in the administrative console.

    1. Click Applications > Application Types > WebSphere enterprise applications > application_name.

    2. Under Manage modules, click URI_name.

    3. Under Web Services Security Properties, we can access the key information for the request generator and response generator bindings.

    4. Under Required properties, click Encryption information.

    5. Click New to create an encryption information configuration. Click Delete to delete an existing configuration or click the name of an existing encryption information configuration to edit its settings. For a new configuration, enter a name in the Encryption information name field. For example, we might specify gen_encinfo.

  2. Select a data encryption algorithm from the Data encryption algorithm field. The selection specifies the algorithm used to encrypt parts of the message. WebSphere Application Server supports the following pre-configured algorithms:

    • http://www.w3.org/2001/04/xmlenc#tripledes-cbc
    • http://www.w3.org/2001/04/xmlenc#aes128-cbc
    • http://www.w3.org/2001/04/xmlenc#aes256-cbc

      To use this algorithm, we must download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.

    • http://www.w3.org/2001/04/xmlenc#aes192-cbc

      To use this algorithm, we must download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.

      Restriction: Do not use the 192-bit key encryption algorithm if we want your configured application to be in compliance with the Basic Security Profile (BSP).

      Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, we must check the laws of our country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.

    The data encryption algorithm that we select for the generator side must match the data encryption method that we select for the consumer side.

  3. Select a key encryption algorithm from the Key encryption algorithm field. This selection specifies the algorithm used to encrypt keys. WAS supports the following pre-configured algorithms:

    • http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.

      When running with SDK Version 1.4, the list of supported key transport algorithms does not include this one. This algorithm appears in the list of supported key transport algorithms when running with SDK Version 1.5.

      Restriction: This algorithm is not supported when the WAS is running in Federal Information Processing Standard (FIPS) mode.

      By default, the RSA-OAEP algorithm uses the SHA1 message digest algorithm to compute a message digest as part of the encryption operation. Optionally, we can use the SHA256 or SHA512 message digest algorithm by specifying a key encryption algorithm property. For the property name, we can specify com.ibm.wsspi.wssecurity.enc.rsaoaep.DigestMethod. The property value is one of the following URIs of the digest method:

      • http://www.w3.org/2001/04/xmlenc#sha256
      • http://www.w3.org/2001/04/xmlenc#sha512

      By default, the RSA-OAEP algorithm uses a null string for the optional encoding octet string for the OAEPParams. We can provide an explicit encoding octet string by specifying a key encryption algorithm property. For the property name, we can specify com.ibm.wsspi.wssecurity.enc.rsaoaep.OAEPparams. The property value is the base 64-encoded value of the octet string.

      Important: We can set these digest method and OAEPParams properties on the generator side only. On the consumer side, these properties are read from the incoming SOAP message.

    • http://www.w3.org/2001/04/xmlenc#rsa-1_5
    • http://www.w3.org/2001/04/xmlenc#kw-tripledes
    • http://www.w3.org/2001/04/xmlenc#kw-aes128
    • http://www.w3.org/2001/04/xmlenc#kw-aes256

      To use this algorithm, we must download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.

    • http://www.w3.org/2001/04/xmlenc#kw-aes192

      To use this algorithm, we must download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.

      Restriction: Do not use the 192-bit key encryption algorithm if we want your configured application to be in compliance with the Basic Security Profile (BSP).

    The key encryption algorithm that we select for the generator side must match the key encryption method that we select for the consumer side.

  4. Select an encryption key information reference from the Encryption key information menu. This selection is a reference to the encryption key used to encrypt parts of the message. To configure the key information, see Configure the key information using JAX-RPC for the generator binding on the application level.

  5. Select a part reference from the Part reference field. This field specifies the name of the part reference for the generator binding element in the deployment descriptor.
  6. Click OK and then click Save to save the configuration.

The encryption information is configured for the generator binding at the application level.


What to do next

Specify a similar encryption information configuration for the consumer.


Subtopics


Related:

  • Overview of standards and programming models for web services message-level security
  • Basic Security Profile compliance tips
  • Configure encryption to protect message confidentiality at the application level
  • Configure the key information using JAX-RPC for the generator binding on the application level
  • IBM developer kit: Security information

    Web Services Security: SOAP Message Security Version 1.0