Configuring decryption methods to protect message confidentiality using the WSS APIs
You can configure decryption method information for the response consumer (client side) section of the binding file. Decryption information is used to specify how the consumers (receivers) decrypt incoming SOAP messages. To configure decryption, specify which message parts to decrypt and specify which algorithm methods and security tokens are to be used for decryption.
Before you begin
Confidentiality refers to encryption, while integrity refers to digital signing. Confidentiality reduces the risk that a third party can read the message as it flows across the Internet. With confidentiality specifications, the message is encrypted before it is sent and decrypted when it is received at the correct target. Before you configure decryption, familiarize yourself with XML encryption.
About this task
For decryption, you must specify the following:
- Which parts of the message are to be decrypted.
- Which decryption algorithms to specify.
To configure decryption and decrypted parts on the client side, use the WSSDecryption and WSSDecryptPart APIs, or configure policy sets using the administrative console.
WebSphere® Application Server provides default values for bindings. However, an administrator must modify the defaults for a production environment.
WebSphere Application Server uses decryption information for the default consumer to decrypt parts of the SOAP message. The WSSDecryption API configures the following required parts as decrypted parts.
| Decryption part | Description |
|---|---|
| Keywords | Keywords identify the parts of the SOAP message to decrypt. |
| XPath expression | XPath expressions identify the parts of the SOAP message to decrypt. |
| WSSDecryptPart object | This object adds the decrypted parts to the SOAP message. |
| WSSVerification object | This object adds the signature verification component as a decrypted part. |
| Header | This part adds the header in the SOAP header, specified by QName, as a decrypted part. |
| Security token object | This object adds the security token as a decrypted part. |
Web Services Security API (WSS API) supports symmetric encryption, by using a shared key, only when Web Services Secure Conversation (WS-SecureConversation) is used.
The WSS APIs allow the use of either keywords or an XPath expression to specify the parts of the SOAP message that are to be decrypted. WebSphere Application Server supports the use of the following keywords:
| Keyword | References |
|---|---|
| BODY_CONTENT | The keyword for the body contents of the SOAP message body as a decryption target. |
| SIGNATURE | The keyword for the signature element as a decryption target. |
| USERNAME_TOKEN | The keyword for the Username token element as a decryption target. |
When you configure decryption with the WSS APIs, the WSSDecryption and WSSDecryptPart APIs complete the following high-level steps:
Procedure
Results
Example
```java
import com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSConsumingContext;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.decryption.WSSDecryption;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;
// Obtain the factory and a consuming (receiver-side) context
WSSFactory factory = WSSFactory.getInstance();
WSSConsumingContext concont = factory.newWSSConsumingContext();
// Callback handler that supplies the key store used for decryption; see X509ConsumeCallbackHandler
X509ConsumeCallbackHandler callbackhandler = generateCallbackHandler();
// Decryption object keyed by an X.509 token and the callback handler
WSSDecryption dec = factory.newWSSDecryption(X509Token.class, callbackhandler);
// Register the decryption requirement with the consuming context
concont.add(dec);
```
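The example above only creates the WSSDecryption object. The following added example (not from the original page or from IBM) extends it to the decryption parts listed in the two tables above: it selects parts by keyword, by XPath expression and by header QName, and then restricts the data encryption and key encryption algorithms the consumer will accept. The method names `addRequiredDecryptPart`, `addRequiredDecryptPartByXPath`, `addRequiredDecryptHeader`, `addAllowedEncryptionMethod` and `addAllowedKeyEncryptionMethod`, and the constants `AES256` and `KW_RSA_OAEP`, are assumed to match the WSSDecryption API; the `urn:example:app` namespace, the `AccountInfo` and `SessionInfo` header names and the XPath expression are constructed for this example.

```java
import javax.xml.namespace.QName;

import com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSConsumingContext;
import com.ibm.websphere.wssecurity.wssapi.WSSException;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.decryption.WSSDecryption;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;

public class DecryptionConfigExample {

    private static final String SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/";
    // Hypothetical application namespace, constructed for this example
    private static final String APP_NS = "urn:example:app";

    /**
     * Builds a consuming (receiver-side) context that requires the body content,
     * the signature and the Username token to arrive encrypted, plus two
     * application headers, and limits the algorithms the consumer accepts.
     *
     * @param callbackHandler handler supplying the key store used for decryption
     *                        (built as in the X509ConsumeCallbackHandler topic)
     */
    public static WSSConsumingContext buildConsumingContext(X509ConsumeCallbackHandler callbackHandler)
            throws WSSException {
        WSSFactory factory = WSSFactory.getInstance();
        WSSConsumingContext concont = factory.newWSSConsumingContext();

        // Decryption keyed by an X.509 token; the callback handler locates the private key
        WSSDecryption dec = factory.newWSSDecryption(X509Token.class, callbackHandler);

        // Parts selected by keyword (the keywords from the table above).
        // A message that arrives with any of these parts unencrypted does not satisfy the requirement.
        dec.addRequiredDecryptPart(WSSDecryption.BODY_CONTENT);
        dec.addRequiredDecryptPart(WSSDecryption.SIGNATURE);
        dec.addRequiredDecryptPart(WSSDecryption.USERNAME_TOKEN);

        // Part selected by XPath expression: a hypothetical AccountInfo header
        String xpath = "/*[namespace-uri()='" + SOAP_ENV + "' and local-name()='Envelope']"
                + "/*[namespace-uri()='" + SOAP_ENV + "' and local-name()='Header']"
                + "/*[namespace-uri()='" + APP_NS + "' and local-name()='AccountInfo']";
        dec.addRequiredDecryptPartByXPath(xpath);

        // Part selected by header QName: a hypothetical SessionInfo header
        dec.addRequiredDecryptHeader(new QName(APP_NS, "SessionInfo"));

        // Restrict what the consumer accepts: AES-256 for data encryption and
        // RSA-OAEP for key transport. KW_RSA15 (PKCS#1 v1.5 key transport) is
        // deliberately left off the allowed list.
        dec.addAllowedEncryptionMethod(WSSDecryption.AES256);
        dec.addAllowedKeyEncryptionMethod(WSSDecryption.KW_RSA_OAEP);

        // Register the decryption requirement with the consuming context
        concont.add(dec);
        return concont;
    }
}
```

Call `buildConsumingContext` with the callback handler created from your consumer key store (the `generateCallbackHandler()` step in the example above) and hand the returned context to the client-side response consumer. The allowed-algorithm lists are what turn the binding from "decrypt whatever arrives" into a policy the consumer enforces, so keep them as short as the sending side permits.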
What to do next
You must configure similar encryption information for the client-side request generator (sender) bindings, if you have not already configured the information.
Next, review the WSSDecryption API process.