Setting up message-level encryption
Message-level encryption provides confidentiality by applying encryption to all or parts of a SOAP message. The encryption spans the entire communication chain between the consumer and the provider. To take advantage of this type of encryption in integration services for BPDs, you must enable the corresponding configuration settings.
Before you begin
There are two ways of setting up message-level encryption. You can use policy sets and bindings, which simplify the encryption with reusable configurations. To use policy sets and bindings, see the following topics:
Alternately, you can configure a specific encryption using the 100Custom.xml file as shown in this topic. First, check that the 100Custom.xml file exists. See The 99Local.xml and 100Custom.xml configuration files.
About this task
The default 100Custom.xml configuration file includes a <server> section that you can use to set up message-level encryption for integration services.
```xml
<server>
  <webservice-security merge="mergeChildren">
    <!-- key store that holds the keys of the service requester (client) -->
    <keystore-file merge="replace">teamworks.jks</keystore-file>
    <keystore-password-encrypted>password</keystore-password-encrypted>
    <!-- private key for the client -->
    <private-key>
      <alias>soaprequester</alias>
      <keyname>soaprequester</keyname>
      <password-encrypted>password</password-encrypted>
    </private-key>
    <private-key>
      <alias>soapprovider</alias>
      <keyname>soapprovider</keyname>
    </private-key>
    <keystore-type>JKS</keystore-type>
    <!-- path to the client certificate, including the file name -->
    <certificate>path to client certificate</certificate>
  </webservice-security>
</server>
```
Element name | Description | Example
---|---|---
`<keystore-file>` | Provide the name of the key store file for the service requester. | profile_root/etc/ws-security/dsig-sender.jks
`<keystore-password-encrypted>` | Provide the key store password for the service requester. | |
`<private-key>` | Holds the information about the private key for the client. This element has two child elements. | |
`<alias>` | Alias for the private key, as specified when the key store was created. | |
`<keyname>` | Holds the key name for the alias. If this element is not present, the alias name is used as the key name. | KeyName : CN="Bob", OU=IBM, O=US,.. or KeyName : Bob
`<password-encrypted>` | Provide the encrypted key password for accessing the client private key. | |
`<keystore-type>` | Provide the key store type. | JKS
`<certificate>` | Provide the client certificate path, including the certificate file name. | {Install-Location}\client.cert
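A pre-start check for the section above, written as an added example (not IBM code): it parses the `<webservice-security>` element, applies the rule from the table that a missing `<keyname>` falls back to the alias, and reports required elements that are empty or still hold the documentation placeholders. The placeholder list and the sample XML are constructed for this example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: the <server> section from this topic, with the
# documentation placeholders left in place and one <keyname> omitted.
SAMPLE_100CUSTOM = """<server>
  <webservice-security merge="mergeChildren">
    <keystore-file merge="replace">teamworks.jks</keystore-file>
    <keystore-password-encrypted>password</keystore-password-encrypted>
    <private-key>
      <alias>soaprequester</alias>
      <keyname>soaprequester</keyname>
      <password-encrypted>password</password-encrypted>
    </private-key>
    <private-key>
      <alias>soapprovider</alias>
    </private-key>
    <keystore-type>JKS</keystore-type>
    <certificate>path to client certificate</certificate>
  </webservice-security>
</server>"""

# Literal values copied from the sample config that must never reach a server.
PLACEHOLDERS = {"password", "path to client certificate"}
REQUIRED = ("keystore-file", "keystore-password-encrypted", "keystore-type", "certificate")


def effective_key_names(xml_text: str) -> Dict[str, str]:
    """Map each <private-key> alias to the key name the server will use."""
    ws = ET.fromstring(xml_text).find("webservice-security")
    names = {}
    for pk in ws.findall("private-key") if ws is not None else []:
        alias = (pk.findtext("alias") or "").strip()
        # Table rule: without <keyname>, the alias doubles as the key name.
        names[alias] = (pk.findtext("keyname") or alias).strip()
    return names


def lint_webservice_security(xml_text: str) -> List[str]:
    """Return findings for the <webservice-security> section (empty = clean)."""
    ws = ET.fromstring(xml_text).find("webservice-security")
    if ws is None:
        return ["no <webservice-security> element under <server>"]
    findings = []
    for tag in REQUIRED:
        el = ws.find(tag)
        if el is None or not (el.text or "").strip():
            findings.append(f"missing or empty <{tag}>")
        elif el.text.strip() in PLACEHOLDERS:
            findings.append(f"<{tag}> still holds the placeholder '{el.text.strip()}'")
    keys = ws.findall("private-key")
    if not keys:
        findings.append("no <private-key> element")
    for pk in keys:
        alias = (pk.findtext("alias") or "").strip()
        if not alias:
            findings.append("<private-key> without <alias>")
        elif (pk.findtext("password-encrypted") or "").strip() in PLACEHOLDERS - {""}:
            findings.append(f"<private-key> {alias} still holds a placeholder password")
    return findings
```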
Procedure
- Stop the deployment manager, process server, and Process Center server if they are running.
- Open the 100Custom.xml file in a text editor.
- Uncomment the <server> section.
- Specify the encryption settings.
- Start the process server or the Process Center server.
What to do next
- Encrypt request: Select this option to encrypt outbound SOAP messages. Note that you cannot modify the parts of the message that are encrypted. The Web Service integration step type always encrypts the SOAP body, the WS-Security username token (if present), and the WS-Security signature (if present). With this option, you also need to provide a value for the Server certificate alias in order to configure the encryption key.
- Expect encrypted response: Select this option to specify that you expect the web service provider to use WS-Security message-level encryption in the response. Note that you cannot modify the parts of the message that are encrypted. The Web Service integration step type always assumes that the SOAP body and the WS-Security signature (if present) are encrypted. With this option, you also need to provide a value for the Client certificate alias in order to configure the decryption key.