Configure the Web services server for request decryption

This task addresses configuring the server for request decryption. It describes modifying the extensions to indicate what parts of the request to decrypt. You need to know what parts the client encrypts when sending the request because the two configurations must match. It also describes configuring the bindings to indicate how to decrypt these parts.

For conceptual information on encrypting and decrypting Simple Object Access Protocol (SOAP) message, see XML encryption.

Perform the following steps in the WebSphere Development Studio Client for iSeries to configure the parts of the SOAP message that must be decrypted:

  1. Open the webservices.xml deployment descriptor for your Web services application in the Web Services Editor of the WebSphere Development Studio Client for iSeries. For more information, see Configure your Web services application.

  2. Click the Security Extensions tab.

  3. Expand the Request Receiver Service Configuration Details --> Required Confidentiality settings.

  4. Select the parts of the message to decrypt that the client encrypts in the request sender. You can do this by clicking Add and selecting either bodycontent (the user data of the message) or usernametoken (the basic authentication information).

  5. Save the file.

Next, perform the following steps in the Web Services Editor to configure the information that is needed to decrypt the required parts:

  1. Click the Binding Configurations tab.

  2. Expand the Request Receiver Binding Configuration Details --> Encryption Information settings.

  3. Click Edit to view the encryption information. The following table describes the purpose for each of these selections. Some of these definitions are based on the XML-Signature Syntax and Processing specification Link outside Information Center (http://www.w3.org/TR/xmldsig-core).

    Name Purpose
    Encryption name Encryption name is the name of this encryption information entry. This is an alias for the entry.
    Data encryption method algorithm Data encryption method algorithms are designed for encrypting and decrypting data in fixed size, multiple octet blocks. This algorithm must be the same as the algorithm selected in the client request sender configuration.
    Key encryption method algorithm Key encryption method algorithms are public key encryption algorithms specified for encrypting and decrypting keys. This algorithm must be the same as the algorithm selected in the client request sender configuration.
    Encryption key name Encryption key name represents a Subject (from a certificate) found by the encryption key locator. the Subject is used by the key encryption method algorithm to decrypt the secret key, and the secret key is used to decrypt the data.

    Note: The key chosen here should be a private key in the keystore configured by the key locator. The key should have the same Subject used by the client to encrypt the data. Encryption must be done using the public key and decryption by the private key (personal certificate). To ensure that the client encrypts the data with the correct public or private key, you must extract the public key from the server's keystore and add it to the keystore specified in the client request sender encryption configuration information.

    For example, the personal certificate of a server is CN=Bob, O=IBM, C=US. Therefore the server contains the public and private key pair. The client sending the request should encrypt the data using the public key for CN=Bob, O=IBM, C=US. The server decrypts the data using the private key for CN=Bob, O=IBM, C=US.
    Encryption key locator This represents a reference to a key locator implementation. For more information on configuring key locators, see Configure key locators.

  4. Save the file.

It is very important to note that for decryption, the encryption key name chosen must refer to a personal certificate that can be located by the key locator of the server referenced in the encryption information. Enter the Subject of the personal certificate here, which is typically a Distinguished Name (DN). The Subject uses the default key locator to find the key. If a custom key locator is written, the encryption key name can be anything used by the key locator to find the correct encryption key. The encryption key locator references the implementation class that finds the correct key store where this alias and certificate exist.