Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Secure web services > Secure web services > Administer Web Services Security > Administer message-level security for JAX-WS web services > Secure requests to the trust service using system policy sets > Trust service
System policy sets
A policy set is a named collection of Quality of Service (QoS) policies. We can use either the admin console or the wsadmin commands to manage system policy sets. Policy sets can be created, deleted, copied, imported or exported.
A policy set can be shared by multiple resources, such as applications, services, inbound or outbound service endpoints, and operations. Default policy sets are installed using profile augmentation. A policy set can also be imported. A policy set does not have its own bindings. We must attach a policy set to a resource, and then assign a binding to the attachment.
When attempting to connect to a web service from a thin client, verify that the resources that you are specifying are valid before running the updatePolicySetAttachment command. No configuration changes are made if the requested resource does not match a resource in the attachment file for the application.
A client application can dynamically select a policy suite (reference by name from an application-level policy suites list). Options shown in the admin console list are based on the type of template that is selected to create the policy set. For example, the SecureConversation policy type is made up of policies for both WSSecurity and WSAddressing.
There are two types of policy sets:
- Application policy sets
- System/trust policy sets
WAS provides predefined system policy sets. For example, WAS provides the following system policy sets by default for the security trust service:
- TrustServiceSecurityDefault
This trust policy set specifies the asymmetric algorithm as well as the public and private keys to provide message security. Message integrity is provided by digitally signing the body, time stamp, and WS-Addressing headers using RSA. Message confidentiality is provided by encrypting the body and signature using RSA. This policy set follows the WS-Security specifications for the issue and renew trust operation requests.
- TrustServiceSymmetricDefault
This policy set specifies the symmetric algorithm as well as the derived keys to provide message security. Message integrity is provided by digitally signing the body, time stamp, and WS-Addressing headers using HMAC-SHA1. Message confidentiality is provided by encrypting the body and signature using AES. This policy set follows the WS-Security and Secure Conversation specifications for validate and cancel trust operation requests.
- SystemWSSecurityDefault
This policy set specifies the asymmetric algorithm and both the public and private keys to provide message security. Message integrity is provided by digitally signing the body, time stamp, and WS-Addressing headers using RSA encryption. Message confidentiality is provided by encrypting the body and signature using RSA encryption
We cannot edit default system policy sets. However, you can create your own custom system policy set, which can be edited later. Copy or export a default or existing custom system policy set to create the new custom policy set. System policy sets can also be imported from a predefined location, or from the default repository. Add one or more policies to each policy set. For example, add any of the following existing policies:
- Custom properties
- HTTP transport
- JMS transport
- SSL Transport
- WS-Addressing
- WS-Security
The HTTP transport policy can be used for HTTPS, basic authorization, compression, and binary encoding transport methods.
Trust service