Network Deployment (Distributed operating systems), v8.0 > Develop and deploying applications > Develop web services - Security (WS-Security) > Configure Web Services Security during application assembly > Configure XML encryption for v5.x web services with an assembly tool


Configure the server for request decryption: choosing the decryption method

We can use an assembly tool and the administrative console to configure the Web Services Security extensions and Web Services Security bindings.

There is an important distinction between v5.x and v6 and later applications. The information in this article supports v5.x applications only that are used with WAS Version 6.0.x and later. The information does not apply to Version 6.0.x and later applications.

Prior to completing these steps, read either of the following topics to become familiar with the WS Extensions tab and the WS Bindings tab:

These two tabs are used to configure the Web Services Security extensions and Web Services Security bindings, respectively.

Complete this task to specify which decryption method is used by the server to decrypt the request message. We must know which decryption method the client uses because the server must use the same method.


Procedure

  1. Launch an assembly tool. See the related information on Assembly Tools.
  2. Switch to the Java EE perspective. Click Window > Open Perspective > J2EE.

  3. Click EJB Projects > application_name > ejbModule > META_INF.
  4. Right-click the webservices.xml file, select Open with > Web services editor.

  5. Click the Binding Configurations tab, which is located at the bottom of the web services editor within the assembly tool.
  6. Expand the Request receiver binding configuration details > Encryption information section.

  7. Click Edit to view the encryption information. The following table describes the purpose for each of these selections. Some definitions are taken from the XML-Encryption specification , which is located at the following web address: http://www.w3.org/TR/xmlenc-core

    Encryption name

    Represents the name of this encryption information entry; an alias for the entry.

    Data encryption method algorithm

    Encrypts and decrypts data in fixed size, multiple octet blocks. This algorithm must be the same as the algorithm selected in the client request sender configuration.

    Key encryption method algorithm

    Represents algorithms specified for encrypting and decrypting keys. This algorithm must be the same as the algorithm selected in the client request sender configuration.

    Encryption key name

    Represents a Subject from a personal certificate, which is typically a distinguished name (DN) that is found by the encryption key locator. The subject is used by the key encryption method algorithm to decrypt the secret key, and the secret key is used to decrypt the data.

    The key chosen must be a private key in the key store configured by the key locator. The key requires the same Subject used by the client to encrypt the data. Encryption must be done using the public key and decryption by using the private key (personal certificate).

    To ensure that the client encrypts the data with the correct public or private key, extract the public key from the server key store and add it to the key store specified in the encryption configuration information for the client request sender.

    For example, the personal certificate of a server is CN=Bob, O=IBM, C=US. Therefore the server contains the public and private key pair. The client sending the request should encrypt the data using the public key for CN=Bob, O=IBM, C=US. The server decrypts the data using the private key for CN=Bob, O=IBM, C=US.

    Encryption key locator

    Represents a reference to a key locator implementation class that finds the correct keystore where the alias and the certificate exist. For more information on configuring key locators, go to the following sections: Configure key locators using an assembly tool and Configure key locators .

  8. Optional: Select Show only FIPS Compliant Algorithms if you only want the FIPS compliant algorithms to be shown in the Data Encryption method algorithm and Key Encryption method algorithm dropdown lists. Use this option if you expect this application to be run on a WAS that has set the Use the United States FIPS algorithms option in the SSL certificate and key management panel of the administrative console for WAS.


Results

It is important to note that for decryption, the encryption key name chosen must refer to a personal certificate that can be located by the key locator of the server referenced in the encryption information. Enter the Subject of the personal certificate here, which is typically a Distinguished Name (DN). The Subject uses the default key locator to find the key. If a custom key locator is written, the encryption key name can be anything used by the key locator to find the correct encryption key. The encryption key locator references the implementation class that finds the correct key store where this alias and certificate exist. Refer to Configure key locators using an assembly tool and Configure key locators for more information.


What to do next

We must specify which parts of the request message to decrypt. See Configure the server for request decryption: decrypting the message parts if we have not previously specified this information.
XML encryption
Assembly tools
Request receiver
Configure the server for request decryption: decrypting the message parts
Configure key locators using an assembly tool
Configure key locators
Configure the server security bindings using an assembly tool
Configure the server security bindings
XML Encryption Syntax and Processing W3C Recommendation 10 December 2002

+

Search Tips   |   Advanced Search