Configuring encryption to protect message confidentiality using the WSS APIs
You can configure encryption information for the client-side request generator (sender) bindings. Encryption information is used to specify how the generators (senders) encrypt outgoing SOAP messages. To configure encryption, specify which message parts to encrypt and specify which algorithm methods and security tokens are to be used for encryption.
Before you begin
Confidentiality refers to encryption, while integrity refers to digital signing. Confidentiality reduces the risk that a third party can read the message as it crosses the Internet. With confidentiality specifications, the message is encrypted before it is sent and decrypted when it is received at the intended target. Before you configure encryption, familiarize yourself with XML encryption.
About this task
When you configure encryption, you must decide:
- Which parts of the message are to be encrypted.
- Which encryption algorithms to specify.
To configure encryption and encrypted parts on the client side, use the WSSEncryption and WSSEncryptPart APIs, or configure policy sets using the administrative console.
WebSphere® Application Server provides default values for bindings. However, an administrator must modify the defaults for a production environment.
WebSphere Application Server uses encryption information for the default generator to encrypt parts of the SOAP message. The WSSEncryption API configures the following required parts as encrypted parts.
| Encryption parts | Description |
|---|---|
| Keywords | Keywords are used to add the encrypted parts to the SOAP message. |
| XPath expression | An XPath expression is used to add the encrypted parts to the SOAP message. |
| WSSEncryptPart object | This object adds the encrypted parts to the SOAP message. |
| WSSSignature object | This object adds the signature component as an encrypted part. |
| Header | This part adds the header in the SOAP header, specified by QName, as an encryption part. |
| Security token object | This object adds the security token as an encryption part. |
Web Services Security API (WSS API) supports symmetric encryption, by using a shared key, only when Web Services Secure Conversation (WS-SecureConversation) is used.
The WSS APIs allow the use of either keywords or an XPath expression to specify the parts of the message that are to be encrypted. WebSphere Application Server supports the use of the following keywords:
| Keyword | References |
|---|---|
| BODY_CONTENT | The keyword for the contents of the SOAP message body as an encryption target. |
| SIGNATURE | The keyword for the signature component as an encryption target. |
When you configure encryption using the WSS APIs, the WSSEncryption and WSSEncryptPart APIs complete these high-level steps:
Procedure
Results
Example
```java
import com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext;
import com.ibm.websphere.wssecurity.wssapi.encryption.WSSEncryption;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;

WSSFactory factory = WSSFactory.getInstance();
WSSGenerationContext gencont = factory.newWSSGenerationContext();
X509GenerateCallbackHandler callbackHandler = generateCallbackHandler(); // supplies the recipient's X.509 certificate
SecurityToken token = factory.newSecurityToken(X509Token.class, callbackHandler);
WSSEncryption enc = factory.newWSSEncryption(token); // defaults: BODY_CONTENT is encrypted
gencont.add(enc);
```
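The following is an added example, not code from the original page, that extends the snippet above to show the parts table and algorithm choices in use: it signs with the sender's private key, then encrypts the body content, the signature and an addressing header for the recipient's certificate, replacing the default algorithms with AES-256 and RSA-OAEP. Keystore paths, aliases, passwords and subject DNs are placeholders, and the argument order of the X509GenerateCallbackHandler constructor is an assumption.

```java
import javax.xml.namespace.QName;
import com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext;
import com.ibm.websphere.wssecurity.wssapi.encryption.WSSEncryption;
import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignature;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;

public class ClientEncryptionConfig {
    // Placeholder keystore values; assumed constructor argument order:
    // cert store path, keystore path, keystore type, keystore password,
    // alias, key password, subject DN, cert store list.
    static X509GenerateCallbackHandler handler(String alias, char[] keyPass, String dn) {
        return new X509GenerateCallbackHandler("", "client.jceks", "jceks",
            "storepass".toCharArray(), alias, keyPass, dn, null);
    }

    // Builds the generator-side configuration. msgcontext is the message
    // context the client application already holds for the outgoing request.
    public static void configure(Object msgcontext) throws Exception {
        WSSFactory factory = WSSFactory.getInstance();
        WSSGenerationContext gencont = factory.newWSSGenerationContext();

        // Signing token: the sender's own private key, so a key password is needed.
        SecurityToken sigToken = factory.newSecurityToken(X509Token.class,
            handler("sender", "keypass".toCharArray(), "CN=Sender, O=Example, C=US"));
        WSSSignature sig = factory.newWSSSignature(sigToken);
        gencont.add(sig); // added first so signing happens before encryption

        // Encryption token: only the recipient's public certificate is used.
        SecurityToken encToken = factory.newSecurityToken(X509Token.class,
            handler("recipient", null, "CN=Recipient, O=Example, C=US"));
        WSSEncryption enc = factory.newWSSEncryption(encToken);
        enc.addEncryptPart(WSSEncryption.BODY_CONTENT); // keyword-based part
        enc.addEncryptPart(sig);                        // WSSSignature object as a part
        enc.addEncryptHeader(new QName(                 // header part by QName
            "http://www.w3.org/2005/08/addressing", "MessageID"));

        // Replace the defaults: AES-256 for the data, RSA-OAEP to wrap the
        // session key, and a key identifier reference to the certificate.
        enc.setEncryptionMethod(WSSEncryption.AES256);
        enc.setKeyEncryptionMethod(WSSEncryption.KW_RSA_OAEP);
        enc.setTokenReference(SecurityToken.REF_KEYID);
        gencont.add(enc);

        gencont.process(msgcontext); // generates the WS-Security header
    }
}
```

Encrypting the signature as well as the body keeps the signature value and the signed digests out of the clear, which is why the page lists the WSSSignature object and the SIGNATURE keyword as encryption targets.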
What to do next
You must configure similar decryption information for the client-side response consumer (receiver) bindings, if you have not already configured the information.
Next, review the WSSEncryption API process.