Configuring the WS-Security policy

When working with policy sets in the administrative console, you can customize policies to ensure message security. The WS-Security policy applies a message security (WS-Security) profile to the SOAP messages that a service sends and receives: it states which message parts must be signed or encrypted, which security tokens are accepted, and how the security header is laid out.

Before you begin

You can configure some settings of the default policies within a custom policy set. The provided default policy sets themselves cannot be edited: to specify policies of your own, first copy a default policy set or create a completely new one.

About this task

Message security policies are applied to requests and enforced on responses to support interoperability.

Depending on your assigned security role when security is enabled, you might not have access to text entry fields or buttons to create or edit configuration data. Review the administrative roles documentation to learn more about the valid roles for the application server.

Procedure

  1. Use the WS-Security policy panel to begin configuring the WS-Security policy.
    To access the WS-Security policy panel, from the administrative console, click Services > Policy sets > Application policy sets > policy_set_name > WS-Security policy.
  2. Choose which type of message security to configure.
    • Click the Main policy link to specify how message security policies are applied to requests and enforced on responses to support interoperability.
    • Click the Bootstrap policy link to configure how secure conversations are established. The bootstrap policy protects the exchange in which the secure conversation token is issued, so it needs its own integrity and confidentiality settings. A bootstrap policy might already be configured. If no bootstrap policy is currently configured, first ensure that message security is enabled with symmetric signature and encryption policies and that secure conversation tokens are selected for both integrity and confidentiality protection.
  3. Use the Main policy settings panel or the Bootstrap policy settings panel to specify how message security policies are applied to requests and enforced on responses.
    Assertions for WS-Security versions are generated from the assertions already in the policy set: if the policy set includes a WS-Security 1.1 assertion, WS-Security 1.1 itself is asserted. Configure the settings on this panel for the main or the bootstrap policy:
    1. Select whether Message level protection is required.
      Select this check box if any message part should be digitally signed or encrypted, or if a timestamp should be inserted in the message. If this box is cleared, the Signature confirmation, Key symmetry, Timestamp, and Security header layout options are disabled, and messages carry no message-level protection.
    2. Specify whether signature confirmation is required.
      Click this check box to require signature confirmation. With signature confirmation (a WS-Security 1.1 feature), the responder returns the value of each signature it received in the request, so the initiator can verify that the response belongs to the request it signed.
    3. Configure the settings in the Key Symmetry section.
      The following fields can be configured in the Key symmetry section:
      Use symmetric tokens
      Click this radio button to use symmetric tokens, then configure them with the Symmetric signature and encryption policies link. The link opens the Symmetric Signature and Encryption Policies panel, where you create the trust context in which the symmetric tokens are used. Because the same token is used for signing and validating messages and for encrypting and decrypting them, symmetric tokens perform better than asymmetric tokens; because both parties share the same key, they must be used within a trust context.
      Use asymmetric tokens
      Click this radio button to use asymmetric tokens, then click the link to open the Asymmetric Signature and Encryption Policies panel, where you create the trust context (message integrity and confidentiality) in which the asymmetric tokens are used. You do this by specifying which token type to use for the initiator and recipient signature and for the initiator and recipient encryption.
      Include timestamp in header
      Click this check box to include a timestamp in the security header. You can then control the ordering of the security header, including whether the timestamp is positioned first or last, by using the Security header layout radio button options:
      • Strict: Declarations must precede use
      • Lax: Order of contents can vary
      • Lax but timestamp required first in header
      • Lax but timestamp required last in header
    4. Optional: Click the Algorithms link under the Policy Details section if you want to access the Algorithms panel to view and select from available algorithms.
      The available algorithms include cryptographic algorithms and their key lengths, as well as canonicalization algorithms, which normalize formatting differences in XML so that a signature computed by one party validates at the other. Click this link to view the cryptographic and canonicalization algorithms that are supported.
    5. Optional: Configure the request settings.
      Click either of the following links to configure request settings:
      Request message part protection
      Click this link to define which parts of the request message are to be protected and how that protection is provided.
      Request token policies
      Click this link to define policies that specify which types of security tokens are supported in requests and the properties of those token types.
    6. Optional: Configure the response settings.
      Click either of the following links to configure response settings:
      Response message part protection
      Click this link to define which parts of the response message are to be protected and how that protection is provided.
      Response token policies
      Click this link to define policies that specify which types of security tokens are supported in responses and the properties of those token types.
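The settings chosen in steps 3 through 6 end up as WS-SecurityPolicy assertions, and before a policy set is attached it is worth checking that nothing weak slipped through the panels. The following Python script is an added example, not part of this documentation or of the WebSphere tooling: it lints a WS-SecurityPolicy 1.2 fragment for message-level protection, security header layout, timestamp, signature confirmation, Body signing and encryption, and the bootstrap policy behind a secure conversation token. The embedded policy is constructed by hand for the example (its main policy is deliberately weaker than its bootstrap policy); the element names are those of the OASIS WS-SecurityPolicy 1.2 namespace, and the function names are the example's own.

```python
"""Lint a WS-SecurityPolicy fragment for the settings covered on this panel.

Added example; not part of the WebSphere documentation or tooling. The policy
below is constructed by hand to exercise the checks, using element names from
the OASIS WS-SecurityPolicy 1.2 namespace.
"""
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
NS = {"sp": SP, "wsp": WSP}
BINDINGS = ("SymmetricBinding", "AsymmetricBinding")

# Constructed sample. The main policy is a symmetric binding over a secure
# conversation token whose bootstrap policy is asymmetric (X.509 both ways) with
# strict layout, a timestamp, and the Body signed and encrypted. The main policy
# itself is deliberately weaker: Lax layout, no timestamp, Body signed only.
SAMPLE_POLICY = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:SymmetricBinding><wsp:Policy>
    <sp:ProtectionToken><wsp:Policy>
      <sp:SecureConversationToken><wsp:Policy>
        <sp:BootstrapPolicy><wsp:Policy>
          <sp:AsymmetricBinding><wsp:Policy>
            <sp:InitiatorToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:InitiatorToken>
            <sp:RecipientToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:RecipientToken>
            <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
            <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
            <sp:IncludeTimestamp/>
          </wsp:Policy></sp:AsymmetricBinding>
          <sp:SignedParts><sp:Body/></sp:SignedParts>
          <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
        </wsp:Policy></sp:BootstrapPolicy>
      </wsp:Policy></sp:SecureConversationToken>
    </wsp:Policy></sp:ProtectionToken>
    <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
    <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
  </wsp:Policy></sp:SymmetricBinding>
  <sp:Wss11><wsp:Policy><sp:RequireSignatureConfirmation/></wsp:Policy></sp:Wss11>
  <sp:SignedParts><sp:Body/></sp:SignedParts>
</wsp:Policy>
"""


def local_name(element):
    """Strip the namespace from an element tag: '{ns}Lax' -> 'Lax'."""
    return element.tag.rsplit("}", 1)[-1]


def lint_binding(binding, scope, label):
    """Check one binding (main or bootstrap) and the parts asserted beside it."""
    findings = []
    body = binding.find("wsp:Policy", NS)
    if body is None:
        return [f"{label}: binding has no nested wsp:Policy"]
    layout = body.find("sp:Layout/wsp:Policy/*", NS)
    layout_name = local_name(layout) if layout is not None else "unspecified"
    if layout_name != "Strict":
        findings.append(f"{label}: security header layout is {layout_name}, not Strict")
    if body.find("sp:IncludeTimestamp", NS) is None:
        findings.append(f"{label}: no IncludeTimestamp, so stale or replayed messages cannot be aged out")
    # SignedParts/EncryptedParts sit beside the binding in the same wsp:Policy.
    if scope.find("sp:SignedParts/sp:Body", NS) is None:
        findings.append(f"{label}: SOAP Body is not signed")
    if scope.find("sp:EncryptedParts/sp:Body", NS) is None:
        findings.append(f"{label}: SOAP Body is not encrypted")
    return findings


def lint_policy(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    main = [e for e in root if local_name(e) in BINDINGS]
    if not main:
        return ["main: no Symmetric/AsymmetricBinding, so message-level protection is off"]
    findings = lint_binding(main[0], root, "main")
    if root.find("sp:Wss11/wsp:Policy/sp:RequireSignatureConfirmation", NS) is None:
        findings.append("main: signature confirmation is not required")
    # A secure conversation token needs a bootstrap policy protecting the
    # exchange that establishes the token; apply the same checks to it.
    for sct in main[0].iter(f"{{{SP}}}SecureConversationToken"):
        bootstrap = sct.find(".//sp:BootstrapPolicy/wsp:Policy", NS)
        if bootstrap is None:
            findings.append("main: SecureConversationToken has no bootstrap policy")
            continue
        inner = [e for e in bootstrap if local_name(e) in BINDINGS]
        if not inner:
            findings.append("bootstrap: no binding, so the token-issue exchange is unprotected")
        else:
            findings.extend(lint_binding(inner[0], bootstrap, "bootstrap"))
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Run against the constructed sample, the script reports three findings, all on the main policy: Lax layout, no timestamp, and a Body that is signed but not encrypted; the bootstrap policy passes. Point `lint_policy` at the WS-Security policy exported from your own policy set to review the choices made on the panels above.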

Results

Once you have customized the WS-Security policy, the associated policy set uses this policy to protect messages.