ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzatz_5.4.0.1/51/webserv/wsseccfencsvres.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Configure the Web services server for response encryption</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h5><a name="wsseccfencsvres"></a>Configure the Web services server for response encryption</h5>
<p>This task provides the steps needed to configure the server for response encryption. Use these steps to modify the extensions to indicate which parts of the response you want to encrypt. Also, use these steps to configure the bindings to indicate how the parts of the response are to be encrypted.</p>
<p>Perform the following steps in the WebSphere Development Studio Client for iSeries to configure the parts of the Simple Object Access Protocol (SOAP) response that you want to encrypt:</p>
<ol>
<li><p>Open the webservices.xml deployment descriptor for your Web services application in the Web Services Editor of the WebSphere Development Studio Client for iSeries. For more information, see <a href="astk.htm">Configure your Web services application</a>.</p></li>
<li><p>Click the <strong>Security Extensions</strong> tab.</p></li>
<li><p>Expand <strong>Request Sender Configuration --&gt; Confidentiality</strong>. <em>Confidentiality</em> refers to encryption, while <em>integrity</em> refers to digital signing. Confidentiality reduces the risk that someone who intercepts the message as it crosses the Internet can read it: the message is encrypted before it is sent and decrypted only when it is received at the intended target. For more information on encryption, see <a href="wsseccfxmlenc.htm">XML encryption</a>.</p></li>
<li><p>Select the parts of the response that you want to encrypt by clicking <strong>Add</strong>
and selecting one of the following message parts:</p>
<ul>
<li><p><strong>Bodycontent</strong>
<br>This is the user data portion of the message.</p></li>
<li><p><strong>Usernametoken</strong>
<br>This option can be selected, but a user name token does not appear in the response, so you do not need to select it for the response. If you do select it, also select it for the client response receiver; if you do not select it, make sure that it is not selected for the client response receiver either.</p></li>
</ul></li>
<li><p>Save the file.</p></li>
</ol>
<p>Next, perform the following steps in the Web Services Editor to configure the information that is needed to encrypt the response parts (bindings):</p>
<ol>
<li><p>Click the <strong>Binding Configurations</strong> tab.</p></li>
<li><p>Expand <strong>Response Sender Binding Configuration Details --&gt; Encryption Information</strong>.</p></li>
<li><p>Click <strong>Edit</strong> to view the encryption information. The following table describes the purpose of this information. Some of these definitions are based on the <a href="http://www.w3.org/TR/xmldsig-core" target="_">XML-Signature Syntax and Processing specification</a> <img src="www.gif" width="18" height="15" alt="Link outside Information Center"> (http://www.w3.org/TR/xmldsig-core).</p>
<table border="1" cellpadding="3" cellspacing="0">
<tr valign="top">
<th>Name</th>
<th>Purpose</th>
</tr>
<tr valign="top">
<td><strong>Encryption name</strong></td>
<td>The encryption name refers to the name of the encryption information entry.</td>
</tr>
<tr valign="top">
<td><strong>Data encryption method algorithm</strong></td>
<td>The data encryption method algorithms are symmetric block ciphers designed for encrypting and decrypting data in fixed-size, multiple-octet blocks. The algorithm selected for the server response sender configuration must match the algorithm selected in the client response receiver configuration.</td>
</tr>
<tr valign="top">
<td><strong>Key encryption method algorithm</strong></td>
<td>The key encryption method algorithms are public key encryption algorithms that are specified for encrypting and decrypting keys. The algorithm selected for the server response sender configuration must match the algorithm selected in the client response receiver configuration.</td>
</tr>
<tr valign="top">
<td><strong>Encryption key name</strong></td>
<td>The encryption key name represents a Subject from a certificate found by the encryption key locator. That certificate's public key is used by the key encryption method algorithm to encrypt the secret key, and the secret key is used to encrypt the data.
<p><strong>Note:</strong> The key name chosen in the server response sender encryption information must be the public key of the key configured in the client response receiver encryption information. Encryption by the response sender must be done using the public key and decryption must be done by the response receiver using the associated private key (the personal certificate of the response receiver).</p></td>
</tr>
<tr valign="top">
<td><strong>Encryption key locator</strong></td>
<td>The encryption key locator represents a reference to a key locator implementation. For more information on configuring key locators, see <a href="wsseccfkeyloc.htm">Configure key locators</a>.</td>
</tr>
</table><p></p></li>
<li><p>Save the file.</p></li>
</ol>
<p>The encryption key name chosen must refer to a public key of the response receiver. For the encryption key name, use the Subject of the public key certificate, typically a Distinguished Name (DN). The name chosen is used by the default key locator to find the key. If you write a custom key locator, the encryption key name may be anything used by the key locator to find the correct encryption key (a public key). The encryption key locator references the implementation class that finds the correct key store where the alias and certificate exist.</p>
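<p>As an added illustration, not part of the Information Center text or of the product's own code, the following Go program models the sender and receiver sides of the binding described above: a key locator that resolves the encryption key name (a Subject DN) to the response receiver's public key, a fresh secret key that encrypts the body content, the receiver's public key wrapping that secret key, and a receiver that rejects a response whose binding does not match its own. The names <code>Binding</code>, <code>KeyLocator</code> and <code>Envelope</code> are assumptions, and AES-GCM with RSA-OAEP stand in for the XML Encryption algorithm URIs the editor offers.</p>

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Binding mirrors the table: body block cipher, key-wrapping algorithm, key name (Subject DN).
type Binding struct{ DataAlg, KeyAlg, KeyName string }

type KeyLocator map[string]*rsa.PublicKey // stands in for the default key locator: Subject DN -> public key

type Envelope struct { // constructed stand-in for the xenc:EncryptedKey / xenc:EncryptedData pair
	Binding
	WrappedKey, Nonce, Body []byte
}

// EncryptResponse is the response sender: a fresh secret key encrypts the body content, and the
// receiver's public key, found through the key locator by key name, wraps that secret key.
func EncryptResponse(b Binding, loc KeyLocator, body []byte) (*Envelope, error) {
	pub, ok := loc[b.KeyName]
	if !ok {
		return nil, fmt.Errorf("key locator: no certificate with Subject %q", b.KeyName)
	}
	secret, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(secret)
	rand.Read(nonce)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(secret) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return &Envelope{b, wrapped, nonce, gcm.Seal(nil, nonce, body, nil)}, nil
}

// DecryptResponse is the client response receiver: its binding must match the sender's, then its
// own private key unwraps the secret key that decrypts the body content.
func DecryptResponse(b Binding, priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	if env.Binding != b {
		return nil, fmt.Errorf("binding mismatch: sender %+v, receiver %+v", env.Binding, b)
	}
	secret, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil || len(secret) != 32 {
		return nil, fmt.Errorf("cannot unwrap a valid secret key (%v)", err)
	}
	block, _ := aes.NewCipher(secret)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Body, nil)
}
```

A receiver holding a different private key, or configured with a different data or key encryption algorithm, gets an error rather than a body, which is the mismatch the table's two "must match" rules are about.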
</body>
</html>