When working with policy sets in the administrative console,
you can customize policies to ensure message security. The WS-Security
policy can be configured to apply a message security (WS-Security)
profile to requests. Message security policies are applied to requests
and enforced on responses to support interoperability.
Before you begin
You can configure some settings for default policies for custom
policy sets. The provided default policy sets cannot be edited. You
must create a copy of the default policy set or create a completely
new policy set in order to specify the policies for it.
About this task
Message security policies are applied to requests and
enforced on responses to support interoperability.
Depending on your assigned security role when security is enabled, you
might not have access to text entry fields or buttons to create or edit configuration data. Review
the administrative roles documentation to learn more about the valid roles for the application
server.
Procedure
- Use the WS-Security policy panel to begin configuring the
WS-Security policy.
To access the WS-Security policy panel,
from the administrative console, click Services > Policy sets >
Application policy sets > policy_set_name > WS-Security
policy.
- Choose which type of message security to configure.
- Click the Main policy link to specify how message security policies
are applied to requests and enforced on responses to support interoperability.
- Click the Bootstrap policy link to configure how secure conversations
are established. A bootstrap policy might already be configured. If
no bootstrap policy is currently configured, first ensure that you
have enabled message security with symmetric signature and encryption
policies and secure conversation tokens for both integrity and confidentiality
protection.
- Use the Main policy settings panel or the Bootstrap policy
settings panel to specify how message security policies are applied
to requests and enforced on responses.
Assertions for
WS-Security versions are already generated based on assertions in
the policy set. If the policy set includes a WS-S 1.1 assertion, then
WS-S 1.1 itself is asserted. Use the settings on this panel to configure
the main or bootstrap policy:
- Select whether Message level protection is required.
Select this check box if any of the message parts should be
digitally signed or encrypted or if a timestamp should be inserted
in the message. If this box is unchecked, the Signature confirmation,
Key symmetry, and Timestamp and Security header layout options are
disabled.
- Specify whether signature confirmation is required.
Click this check box to require signature confirmation.
- Configure the settings in the Key Symmetry section.
The following fields can be configured in the Key symmetry section:
- Use symmetric tokens
- Click this radio button to use symmetric tokens. You can then
configure symmetric tokens with the Symmetric signature and encryption
policies link. Click this link to access the Symmetric Signature
and Encryption Policies panel where you can create the trust context
in which to use symmetric tokens. Using the same token for signing
and validating messages and encrypting and decrypting messages provides
better performance than can be achieved with asymmetric tokens. Symmetric
tokens should be used within a trust context.
- Use asymmetric tokens
- Click this radio button to use asymmetric tokens. You can then click
the associated link to access the Asymmetric Signature and Encryption
Policies panel where you can create the trust context (message integrity
and confidentiality) in which to use asymmetric tokens. You can do
this by specifying which token type to use for the initiator and recipient
signature as well as the initiator and recipient encryption.
- Include timestamp in header
- Click this check box to include a timestamp in the header. You
can then specify if the timestamp is positioned first or last in the
header by using the Security header layout radio button options:
- Strict: Declarations must precede use
- Layout (Lax): Order of contents can vary
- Lax but timestamp required first in header
- Lax but timestamp required last in header
- Optional: Click the Algorithms link
under the Policy Details section if you want to access the
Algorithms panel to view and select from available algorithms.
The available algorithms include cryptographic algorithms and
their key lengths, as well as canonicalization algorithms for reconciling
XML differences. Click this link to view the cryptographic and canonicalization
algorithms that are supported.
- Optional: Configure the request settings.
Click either of the following links to configure request settings:
- Request message part protection
- Links to configuration for request message part protection. Click
this link to define which message parts are to be protected and how
that protection is provided.
- Request token policies
- Links to configuration for request token policies. Click this
link to define policies that specify which types of security tokens
are supported and the properties of those token types.
- Optional: Configure the response settings.
Click either of the following links to configure response settings:
- Response message part protection
- Links to configuration for response message part protection. Click
this link to define which message parts are to be protected and how
that protection is provided.
- Response token policies
- Links to configuration for response token policies. Click this
link to define policies that specify which types of security tokens
are supported and the properties of those token types.
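The following is an added illustration, not code from this documentation or from WebSphere: a small check that applies the "Include timestamp in header" and "Security header layout" settings described in the procedure above to an incoming SOAP message. It assumes the four layout options map to the WS-SecurityPolicy names Strict, Lax, LaxTsFirst and LaxTsLast, uses a constructed sample header (the signature element is a placeholder, not a real signature), and reads "Strict" in a simplified way: a token with a wsu:Id must appear in the header before any wsse:Reference that points at it.

```python
"""Check a WS-Security header against the timestamp and 'Security header layout'
settings described above (added illustration, not WebSphere code)."""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
# Constructed sample header parts (the signature is a placeholder, not a real one).
TS = '<wsu:Timestamp wsu:Id="ts"><wsu:Created>2024-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>'
TOKEN = '<wsse:BinarySecurityToken wsu:Id="tok">QUJD</wsse:BinarySecurityToken>'
SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo>'
       '<wsse:SecurityTokenReference><wsse:Reference URI="#tok"/>'
       '</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>')

def envelope(*header_parts):
    """Wrap the given header parts in a minimal SOAP 1.1 envelope."""
    return (f'<e:Envelope xmlns:e="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<e:Header><wsse:Security>{"".join(header_parts)}</wsse:Security>'
            '</e:Header><e:Body/></e:Envelope>')

def check_layout(envelope_xml, layout, include_timestamp=True):
    """Return the list of violations; an empty list means the header complies."""
    root = ET.fromstring(envelope_xml)
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return ["no wsse:Security header"]
    children = list(sec)
    ts_idx = [i for i, c in enumerate(children) if c.tag == f"{{{WSU}}}Timestamp"]
    problems = []
    if include_timestamp and not ts_idx:
        problems.append("timestamp required but absent")
    if layout == "LaxTsFirst" and ts_idx and ts_idx[0] != 0:
        problems.append("timestamp must be first in header")
    if layout == "LaxTsLast" and ts_idx and ts_idx[-1] != len(children) - 1:
        problems.append("timestamp must be last in header")
    if layout == "Strict":
        # Simplified Strict: a wsu:Id must be declared before a wsse:Reference uses it.
        declared = set()
        for child in children:
            for ref in child.iter(f"{{{WSSE}}}Reference"):
                uri = ref.get("URI", "")
                if uri.startswith("#") and uri[1:] not in declared:
                    problems.append(f"reference to {uri} precedes its declaration")
            declared.update(el.get(f"{{{WSU}}}Id") for el in child.iter() if el.get(f"{{{WSU}}}Id"))
    return problems

if __name__ == "__main__":
    print(check_layout(envelope(TS, TOKEN, SIG), "LaxTsFirst"))  # []
    print(check_layout(envelope(SIG, TOKEN, TS), "Strict"))  # reference precedes declaration
```

The "Lax" layout only checks that the timestamp is present when the policy requires it, matching the "order of contents can vary" option above.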
Results
Once you have customized the WS-Security policy, the associated
policy set uses this policy to protect messages.