Configure the Web services server for response encryption

This task provides the steps needed to configure the server for response encryption. Use these steps to modify the extensions to indicate which parts of the response you want to encrypt. Also, use these steps to configure the bindings to indicate how the parts of the response are to be encrypted.

Perform the following steps in the WebSphere Development Studio Client for iSeries to configure the parts of the Simple Object Access Protocol (SOAP) response that you want to encrypt:

  1. Open the webservices.xml deployment descriptor for your Web services application in the Web Services Editor of the WebSphere Development Studio Client for iSeries. For more information, see Configure your Web services application.

  2. Click the Security Extensions tab.

  3. Expand Response Sender Configuration --> Confidentiality. Confidentiality refers to encryption; integrity refers to digital signing. Confidentiality reduces the risk that someone who intercepts the message on the network can read it: with a confidentiality specification, the selected message part is encrypted before it is sent and decrypted only when it arrives at the intended receiver. For more information on encryption, see XML encryption.

  4. Select the parts of the response that you want to encrypt by clicking Add and selecting a message part from the list that is offered.

  5. Save the file.

Next, perform the following steps in the Web Services Editor to configure the information that is needed to encrypt the response parts (bindings):

  1. Click the Binding Configurations tab.

  2. Expand Response Sender Binding Configuration Details --> Encryption Information.

  3. Click Edit to view the encryption information. The following table describes the purpose of each field. Some of these definitions are based on the XML-Signature Syntax and Processing specification (http://www.w3.org/TR/xmldsig-core).

    Name Purpose
    Encryption name The encryption name refers to the name of the encryption information entry.
    Data encryption method algorithm The data encryption method algorithm is a symmetric block cipher: it encrypts and decrypts the message part in fixed-size, multiple-octet blocks under a symmetric key that is generated for the message. The algorithm selected for the server response sender configuration must match the algorithm selected in the client response receiver configuration.
    Key encryption method algorithm The key encryption method algorithm is a public key algorithm used to encrypt and decrypt the symmetric data-encryption key, so that only the holder of the matching private key can recover it. The algorithm selected for the server response sender configuration must match the algorithm selected in the client response receiver configuration.
    Encryption key name The encryption key name identifies the Subject of a certificate that the encryption key locator finds. The public key from that certificate is what the key encryption method algorithm uses to encrypt the symmetric data-encryption key; that symmetric key, not the certificate's key pair, is what encrypts the message part.

    Note: The key name chosen in the server response sender encryption information must name the public key (certificate) whose private key is configured in the client response receiver encryption information. The response sender encrypts with the receiver's public key; the response receiver decrypts with the associated private key (the personal certificate of the response receiver). If the sender is pointed at any other certificate, the receiver cannot recover the data-encryption key and the response is unreadable.

    Encryption key locator The encryption key locator represents a reference to a key locator implementation. For more information on configuring key locators, see Configure key locators.

  4. Save the file.

The encryption key name chosen must refer to a public key of the response receiver. For the encryption key name, use the Subject of the public key certificate, typically a Distinguished Name (DN). The default key locator uses that name to find the key. If you write a custom key locator, the encryption key name can be anything that your key locator uses to find the correct encryption key (a public key). The encryption key locator references the implementation class that finds the key store in which that alias and certificate exist.
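The following is an added example, not code from WebSphere or from this Information Center, that shows in plain javax.crypto what the binding fields above configure: the response sender generates a fresh symmetric key, encrypts the message part with it under the data encryption method algorithm, wraps that key for the receiver with the key encryption method algorithm using the public key found under the encryption key name, and the receiver unwraps with its private key after checking that both algorithm identifiers match its own configuration. The key locator is modelled as an in-memory map from Subject DN to public key (WebSphere's default locator resolves the name against a keystore), and the DN, the response body and the algorithm choices (3DES-CBC with RSA PKCS#1 v1.5 key transport, the XML Encryption identifiers shown) are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;

/** Added example: the key-transport pattern behind the response sender/receiver bindings. */
public class ResponseEncryptionDemo {

    // XML Encryption algorithm identifiers, as selected in the bindings.
    static final String TRIPLEDES_CBC = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc";
    static final String AES128_CBC    = "http://www.w3.org/2001/04/xmlenc#aes128-cbc";
    static final String RSA_1_5       = "http://www.w3.org/2001/04/xmlenc#rsa-1_5";

    /** What goes over the wire: the binding choices plus the two ciphertexts. */
    static final class EncryptedPart {
        final String dataAlgorithm, keyAlgorithm, keyName;
        final byte[] encryptedKey;  // like xenc:EncryptedKey/CipherValue
        final byte[] cipherValue;   // like xenc:EncryptedData/CipherValue: IV || ciphertext
        EncryptedPart(String d, String k, String n, byte[] ek, byte[] cv) {
            dataAlgorithm = d; keyAlgorithm = k; keyName = n; encryptedKey = ek; cipherValue = cv;
        }
    }

    /** Stand-in key locator (assumption): maps the encryption key name (Subject DN) to a public key. */
    static final Map<String, PublicKey> keyLocator = new HashMap<>();

    /** Server side: the response sender encrypts one message part for the named receiver. */
    static EncryptedPart encryptResponsePart(byte[] part, String dataAlgorithm,
            String keyAlgorithm, String keyName) throws GeneralSecurityException {
        if (!TRIPLEDES_CBC.equals(dataAlgorithm) || !RSA_1_5.equals(keyAlgorithm))
            throw new GeneralSecurityException("algorithm not supported by this example");
        PublicKey receiverKey = keyLocator.get(keyName);
        if (receiverKey == null)
            throw new GeneralSecurityException("key locator found no certificate for " + keyName);

        // Data encryption method: a fresh 3DES key and IV, used for this message only.
        SecretKey dataKey = KeyGenerator.getInstance("DESede").generateKey();
        byte[] iv = new byte[8];
        new SecureRandom().nextBytes(iv);
        Cipher data = Cipher.getInstance("DESede/CBC/PKCS5Padding");
        data.init(Cipher.ENCRYPT_MODE, dataKey, new IvParameterSpec(iv));
        byte[] ct = data.doFinal(part);
        byte[] cipherValue = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, cipherValue, 0, iv.length);
        System.arraycopy(ct, 0, cipherValue, iv.length, ct.length);

        // Key encryption method: wrap the symmetric key with the receiver's public key.
        Cipher keyWrap = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        keyWrap.init(Cipher.ENCRYPT_MODE, receiverKey);
        byte[] encryptedKey = keyWrap.doFinal(dataKey.getEncoded());
        return new EncryptedPart(dataAlgorithm, keyAlgorithm, keyName, encryptedKey, cipherValue);
    }

    /** Client side: the response receiver, bound to the algorithms it expects. */
    static byte[] decryptResponsePart(EncryptedPart msg, String expectedDataAlgorithm,
            String expectedKeyAlgorithm, PrivateKey receiverPrivateKey)
            throws GeneralSecurityException {
        // Both identifiers must match the receiver's binding, otherwise the message is rejected.
        if (!expectedDataAlgorithm.equals(msg.dataAlgorithm))
            throw new GeneralSecurityException("data encryption algorithm mismatch: " + msg.dataAlgorithm);
        if (!expectedKeyAlgorithm.equals(msg.keyAlgorithm))
            throw new GeneralSecurityException("key encryption algorithm mismatch: " + msg.keyAlgorithm);

        // Unwrap the symmetric key with the private key of the receiver's personal certificate.
        Cipher keyUnwrap = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        keyUnwrap.init(Cipher.DECRYPT_MODE, receiverPrivateKey);
        SecretKey dataKey = new SecretKeySpec(keyUnwrap.doFinal(msg.encryptedKey), "DESede");

        byte[] iv = Arrays.copyOfRange(msg.cipherValue, 0, 8);
        byte[] ct = Arrays.copyOfRange(msg.cipherValue, 8, msg.cipherValue.length);
        Cipher data = Cipher.getInstance("DESede/CBC/PKCS5Padding");
        data.init(Cipher.DECRYPT_MODE, dataKey, new IvParameterSpec(iv));
        return data.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        // The client's personal certificate: the private key stays with the client; the server's
        // key locator only sees the public key, filed under the certificate's Subject DN.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair clientCert = kpg.generateKeyPair();
        String clientDn = "CN=SampleClient, O=Example, C=US";   // assumed Subject DN
        keyLocator.put(clientDn, clientCert.getPublic());

        // Constructed sample response body (the "bodycontent" the server wants to protect).
        byte[] body = "<getBalanceResponse><balance>42.00</balance></getBalanceResponse>"
                .getBytes(StandardCharsets.UTF_8);

        EncryptedPart msg = encryptResponsePart(body, TRIPLEDES_CBC, RSA_1_5, clientDn);
        byte[] clear = decryptResponsePart(msg, TRIPLEDES_CBC, RSA_1_5, clientCert.getPrivate());
        System.out.println("decrypted: " + new String(clear, StandardCharsets.UTF_8));

        // A receiver whose binding names a different data encryption algorithm rejects the message.
        try {
            decryptResponsePart(msg, AES128_CBC, RSA_1_5, clientCert.getPrivate());
        } catch (GeneralSecurityException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Two points worth taking from the example when filling in the bindings: the certificate named by the encryption key name contributes only its public key, so the server never needs the client's private key, and an algorithm mismatch between sender and receiver bindings is a hard failure rather than a silent downgrade. The PKCS#1 v1.5 key transport used here (rsa-1_5) is the classic choice in these bindings but is exposed to padding-oracle attacks on the receiver; where both sides offer rsa-oaep-mgf1p, prefer it.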