Encryption information configuration settings: Message parts
Configure the encryption and decryption parameters. Use these parameters to encrypt and decrypt various parts of the message, including the body and the token.
To view the administrative console panel for the encryption information on the cell level:
- Click Security > JAX-WS and JAX-RPC security runtime.
- Under either JAX-RPC Default Generator Bindings or JAX-RPC Default Consumer Bindings, click Encryption information.
- Click New to create a new encryption configuration or click the name of an existing encryption configuration.
To view the administrative console panel for the encryption information on the server level:
- Click Servers > Server Types > WebSphere application servers > server.
- Under Security, click security runtime.
Mixed-version environment: In a mixed node cell with a server using WebSphere
Application Server version 6.1 or earlier, click Web services:
Default bindings for Web Services Security.mixv
- Under either JAX-RPC Default Generator Bindings or JAX-RPC Default Consumer Bindings, click Encryption information.
- Click New to create a new encryption configuration or click the name of an existing encryption configuration.
To view this administrative console page for the encryption information on the application level:
- Click Applications > Application Types > WebSphere enterprise applications > application_name.
- Under Modules, click Module update > module_name.
- Under Web Services Security Properties, we can access encryption
information for the following bindings:
- For the Request generator, click Web services: Client security bindings. Under Request generator (sender) binding, click Edit custom. Under Required properties, click Encryption information.
- For the Request consumer, click Web services: Server security bindings. Under Request consumer (receiver) binding, click Edit custom. Under Required properties, click Encryption information.
- For the Response generator, click Web services: Server security bindings. Under Response generator (sender) binding, click Edit custom. Under Required properties, click Encryption information.
- For the Response consumer, click Web services: Client security bindings. Under Response consumer (receiver) binding, click Edit custom. Under Required properties, click Encryption information.
- Click either New to create a new encryption configuration or click the name of an existing encryption configuration.
Fix packs that include updates to the SDK might overwrite unrestricted policy files. Back up unrestricted policy files before applying a fix pack and reapply these files after the fix pack is applied.
Encryption information name
Name for the encryption information.
| Information | Value |
|---|---|
| Data type | String |
Data encryption algorithm
Algorithm Uniform Resource Identifier (URI) of the data encryption method.
The following algorithms are supported:
- http://www.w3.org/2001/04/xmlenc#tripledes-cbc
- http://www.w3.org/2001/04/xmlenc#aes128-cbc
- http://www.w3.org/2001/04/xmlenc#aes256-cbc. To use this algorithm, we must download the unrestricted Java Cryptography Extension (JCE) policy file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html. See Encryption information configuration settings: Methods.
- http://www.w3.org/2001/04/xmlenc#aes192-cbc.
To use this algorithm, we must download the unrestricted JCE policy
file from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.
See help topic Encryption information configuration settings: Methods.
Restriction: Do not use the 192-bit data encryption algorithm if we want your configured application to be in compliance with the Basic Security Profile (BSP).
By default, the Java Cryptography Extension (JCE) is shipped with restricted or limited strength ciphers. To use 192-bit and 256-bit AES encryption algorithms, we must apply unlimited jurisdiction policy files. See Key encryption algorithm field description.
Key locator reference
Name of the key locator configuration that retrieves the key for XML digital signature and XML encryption.
The Key locator reference field is displayed for the request receiver and response receiver bindings.
We can configure these key locator reference options on the server level, the cell level, and the application level. The configurations listed in the field are a combination of the configurations on these three levels.
We can specify an encryption key configuration for the following bindings on the following levels:
| Binding name | Server level, cell level, or application level | Path |
|---|---|---|
| Default generator binding | Cell level |
|
| Default consumer bindings | Cell level |
|
| Default generator binding | Server level |
|
| Default consumer binding | Server level |
|
| Request sender | Application level |
|
| Request receiver | Application level |
|
| Response sender | Application level |
|
| Response receiver | Application level |
|
Key encryption algorithm
Algorithm Uniform Resource Identifier (URI) of the key encryption method.
The following algorithms are provided by the application server:
- http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.
When running with SDK Version 1.4, the list of supported key transport algorithms does not include this one. This algorithm appears in the list of supported key transport algorithms when running with SDK Version 1.5 or later.
By default, the RSA-OAEP algorithm uses the SHA1 message digest algorithm to compute a message digest as part of the encryption operation. Optionally, we can use the SHA256 or SHA512 message digest algorithm by specifying a key encryption algorithm property. The property name is: com.ibm.wsspi.wssecurity.enc.rsaoaep.DigestMethod. The property value is one of the following URIs of the digest method:
- http://www.w3.org/2001/04/xmlenc#sha256
- http://www.w3.org/2001/04/xmlenc#sha512
By default, the RSA-OAEP algorithm uses a null string for the optional encoding octet string for the OAEPParams. We can provide an explicit encoding octet string by specifying a key encryption algorithm property. For the property name, we can specify com.ibm.wsspi.wssecurity.enc.rsaoaep.OAEPparams. The property value is the base 64-encoded value of the octet string.
Important: We can set these digest method and OAEPParams properties on the generator side only. On the consumer side, these properties are read from the incoming SOAP message.
- http://www.w3.org/2001/04/xmlenc#rsa-1_5
- http://www.w3.org/2001/04/xmlenc#kw-tripledes
- http://www.w3.org/2001/04/xmlenc#kw-aes128
- http://www.w3.org/2001/04/xmlenc#kw-aes192
Restriction: Do not use the 192-bit data encryption algorithm if we want your configured application to be in compliance with the Basic Security Profile (BSP).
- http://www.w3.org/2001/04/xmlenc#kw-aes256
Application server platforms and IBM Developer Kit, Java Technology Edition, Version 1.4.2
By default, the Java Cryptography Extension (JCE) ships with restricted or limited strength ciphers. To use 192-bit and 256-bit AES encryption algorithms, we must apply unlimited jurisdiction policy files.
(Dist) Before downloading these policy files, back up the existing policy files (local_policy.jar and US_export_policy.jar in the WAS_HOME/java/jre/lib/security/ directory) prior to overwriting them in case we want to restore the original files later.
(ZOS) Before downloading these policy files, back up the existing policy files (local_policy.jar and US_export_policy.jar in the WAS_HOME/java/lib/security/ directory) prior to overwriting them in case we want to restore the original files later.
Fix packs that include updates to the SDK might overwrite unrestricted policy files and the cacerts file. Back up unrestricted policy files and the cacerts file before applying a fix pack and reapply these files after the fix pack is applied. These files are located in the {was_install_directory}\java\jre\lib\security directory.
Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, we must check the laws of our country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.
To download the policy files, complete one of the following sets of steps:
- (AIX) (Linux) (Windows) For application server platforms
using IBM Developer Kit, Java Technology Edition, Version
1.4.2, including the AIX, Linux, and Windows platforms to obtain unlimited jurisdiction policy files:
- Go to the following website: IBM developer works: Security Information
- Click Java 1.4.2
- Click IBM SDK Policy files.
The Unrestricted JCE Policy files for SDK 1.4 website is displayed.
- Enter your user ID and password or register with IBM to download the policy files. The policy files are downloaded onto the machine.
- (Solaris) (HPUX) For application server platforms using the Sun-based Java SE Development
Kit 6 (JDK 6) Version 1.4.2, including the Solaris environments and the HP-UX platform to obtain unlimited
jurisdiction policy files:
- Go to the following website: Download , v 1.4.2 (Java EE)
- Click Archive area.
- Locate the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 1.4.2 information and click Download. The policy file is downloaded onto the machine.
After following either of these sets of steps, two JAR files are placed in the JVM jre/lib/security/ directory.
Application server platform and IBM Developer Kit, Java Technology Edition, v5
By default, the Java Cryptography Extension (JCE) ships with restricted or limited strength ciphers. To use 192-bit and 256-bit AES encryption algorithms, we must apply unlimited jurisdiction policy files. Before downloading these policy files, back up the existing policy files (local_policy.jar and US_export_policy.jar in the (Dist) WAS_HOME/java/jre/lib/security/ (ZOS) WAS_HOME/java/lib/security/ directory) prior to overwriting them in case we want to restore the original files later.
Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, we must check the laws of our country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.
To download the policy files, complete one of the following sets of steps:
- For application server platforms using IBM Developer Kit, Java Technology Edition, v5, we can obtain unlimited jurisdiction policy files
by completing the following steps:
- Go to the following website: IBM developer works: Security Information
- Click Java 5
- Click IBM SDK Policy files.
The Unrestricted JCE Policy files for SDK 5 website is displayed.
- Enter your user ID and password or register with IBM to download the policy files. The policy files are downloaded onto the machine.
After following these sets of steps, two JAR files are placed in the JVM jre/lib/security/ directory.
(iSeries) IBM Software Development Kit Version 1.4:
For IBM i and IBM Software Development Kit Version 1.4, the tuning of Web Services Security is not required. The unrestricted jurisdiction policy files for IBM SDK Version 1.4 are automatically configured when the prerequisite software is installed.
- For IBM i (formerly known as IBM i V5R3) and IBM SDK Version 1.4, install product 5722AC3, Crypto Access Provider 128-bit.
- For IBM i 5.4 and IBM SDK Version 1.4, install product 5722SS1 Option 3, Extended Base Directory Support.
(iSeries) IBM Software Development Kit Version 1.5:
For IBM i 5.4 and IBM i (formerly known as IBM i V5R3) and IBM Software Development Kit 1.5, the restricted JCE jurisdiction policy files are configured, by default. We can download the unrestricted JCE jurisdiction policy files from the following website: IBM developer works: Security Information, v5
Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, we must check the laws of our country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.
To configure the unrestricted jurisdiction policy files for IBM i and the IBM Software Development Kit Version 1.5:
- Make backup copies of these files:
/QIBM/ProdData/Java400/jdk15/lib/security/local_policy.jar /QIBM/ProdData/Java400/jdk15/lib/security/US_export_policy.jar
- Download the unrestricted policy files from IBM developer
works: Security Information to the /QIBM/ProdData/Java400/jdk15/lib/security directory.
- Go to this website: http://www.ibm.com/developerworks/java/jdk/security/index.html
- Click J2SE 5.0.
- Scroll down and click IBM SDK Policy files. The Unrestricted JCE Policy files for the SDK website is displayed.
- Click Sign in and provide the IBM intranet ID and password.
- Select the appropriate unrestricted JCE policy files, and then click Continue.
- View the license agreement> I Agree.
- Click Download Now.
- Use the DSPAUT command to ensure *PUBLIC is granted*RX data authority
but also ensure that no object authority is provided to both the local_policy.jar and the US_export_policy.jar files in the /QIBM/ProdData/Java400/jdk15/lib/security directory.
For example:
DSPAUT OBJ('/qibm/proddata/java400/jdk15/lib/security/local_policy.jar') - Use the CHGAUT command to change authorization, if needed. For example:
CHGAUT OBJ('/qibm/proddata/java400/jdk15/lib/security/local_policy.jar') USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*NONE)
Custom algorithms on the cell level
To specify custom algorithms on the cell level:
- Click Security > JAX-WS and JAX-RPC security runtime.
- Under Additional properties, click Algorithm mappings.
- Click New to specify a new algorithm mapping or click the name of an existing configuration to modify its settings.
- Under Additional properties, click Algorithm URI.
- Click New to create a new algorithm URI. Specify Key encryption in the Algorithm type field to have the configuration display in the Key encryption algorithm field on the Encryption information configuration settings panel.
Custom algorithms on the server level
To specify custom algorithms on the server level:
- Click Servers > Server Types > WebSphere application servers > server.
- Under Security, click security runtime.
Mixed-version environment: In a mixed node cell with a server using WebSphere
Application Server version 6.1 or earlier, click Web services:
Default bindings for Web Services Security.mixv
- Under Additional properties, click Algorithm mappings.
- Click New to specify a new algorithm mapping or click the name of an existing configuration to modify its settings.
- Under Additional properties, click Algorithm URI.
- Click New to create a new algorithm URI. Specify Key encryption in the Algorithm type field to have the configuration display in the Key encryption algorithm field on the Encryption information configuration settings panel.
Encryption key information
Name of the key information reference used for encryption. This reference is resolved to the actual key by the specified key locator and defined in the key information.
Specify either one or no encryption key configurations for the request generator and response generator bindings.
For the response consumer and the request consumer bindings, we can configure multiple encryption key references. To create a new encryption key reference, under Additional properties, click Key information references.
We can specify an encryption key configuration for the following bindings on the following levels:
| Binding name | Server level, cell level, or application level | Path |
|---|---|---|
| Default generator binding | Cell level |
|
| Default consumer binding | Cell level |
|
| Default generator binding | Server level |
|
| Default consumer binding | Server level |
|
| Request generator (sender) binding | Application level |
|
| Response generator (sender) binding | Application level |
|
Part Reference
Name of the <confidentiality> element for the generator binding or the <requiredConfidentiality> element for the consumer binding element in the deployment descriptor.
This field is available on the application level only.
Related: