Sun Java System Application Server Enterprise Edition 8.2 Administration Guide

Configuring the Application Server for Message Security

Actions of Request and Response Policy Configurations

The following table shows message protection policy configurations and the resulting message security operations performed by the WS-Security SOAP message security providers for that configuration.

Table 10–1 Message protection policy to WS-Security SOAP message security operation mapping

Message Protection Policy 

Resulting WS-Security SOAP message protection operations 

auth-source="sender" 

The message contains a wsse:Security header that contains a wsse:UsernameToken (with password).

auth-source="content" 

The content of the SOAP message Body is signed. The message contains a wsse:Security header that contains the message Body signature represented as a ds:Signature.

auth-source="sender" 

auth-recipient="before-content" 

OR 

auth-recipient="after-content" 

The content of the SOAP message Body is encrypted and replaced with the resulting xend:EncryptedData. The message contains a wsse:Security header that contains a wsse:UsernameToken (with password) and an xenc:EncryptedKey. The xenc:EncryptedKey contains the key used to encrypt the SOAP message body. The key is encrypted in the public key of the recipient.

auth-source="content" 

auth-recipient="before-content" 

The content of the SOAP message Body is encrypted and replaced with the resulting xend:EncryptedData. The xenc:EncryptedData is signed. The message contains a wsse:Security header that contains an xenc:EncryptedKey and a ds:Signature. The xenc:EncryptedKey contains the key used to encrypt the SOAP message body. The key is encrypted in the public key of the recipient.

auth-source="content" 

auth-recipient="after-content" 

The content of the SOAP message Body is signed, then encrypted, and then replaced with the resulting xend:EncryptedData. The message contains a wsse:Security header that contains an xenc:EncryptedKey and a ds:Signature. The xenc:EncryptedKey contains the key used to encrypt the SOAP message body. The key is encrypted in the public key of the recipient.

auth-recipient="before-content" 

OR 

auth-recipient="after-content" 

The content of the SOAP message Body is encrypted and replaced with the resulting xend:EncryptedData. The message contains a wsse:Security header that contains an xenc:EncryptedKey. The xenc:EncryptedKey contains the key used to encrypt the SOAP message body. The key is encrypted in the public key of the recipient.

No policy specified. 

No security operations are performed by the modules. 

Configuring Other Security Facilities

The Application Server implements message security using message security providers integrated in its SOAP processing layer. The message security providers depend on other security facilities of Application Server.

  1. If using a version of the Java SDK prior to version 1.5.0, and using encryption technology, configure a JCE provider.

  2. Configuring a JCE provider is discussed in Configuring a JCE Provider.

  3. If using a username token, configure a user database, if necessary. When using a username/password token, an appropriate realm must be configured and an appropriate user database must be configured for the realm.

  4. Manage certificates and private keys, if necessary.

After You Finish

Once the facilities of the Application Server are configured for use by message security providers, then the providers installed with the Application Server may be enabled as described in Enabling Providers for Message Security.

Configuring a JCE Provider

The Java Cryptography Extension (JCE) provider included with J2SE 1.4.x does not support RSA encryption. Because the XML Encryption defined by WS-Security is typically based on RSA encryption, in order to use WS-Security to encrypt SOAP messages you must download and install a JCE provider that supports RSA encryption.


Note –

RSA is public-key encryption technology developed by RSA Data Security, Inc. The acronym stands for Rivest, Shamir, and Adelman, the inventors of the technology.


If you are running the Application Server on version 1.5 of the Java SDK, the JCE provider is already configured properly. If you are running the Application Server on version 1.4.x of the Java SDK, you can add a JCE provider statically as part of your JDK environment, as follows.

  1. Download and install a JCE provider JAR (Java ARchive) file.

    The following URL provides a list of JCE providers that support RSA encryption: http://java.sun.com/products/jce/jce14_providers.html.

  2. Copy the JCE provider JAR file to java-home/jre/lib/ext/.

  3. Stop the Application Server.

    If the Application Server is not stopped and then restarted later in this process, the JCE provider will not be recognized by the Application Server.

  4. Edit the java-home/jre/lib/security/java.security properties file in any text editor. Add the JCE provider you’ve just downloaded to this file.

    The java.security file contains detailed instructions for adding this provider. Basically, you need to add a line of the following format in a location with similar properties:


    security.provider.n=provider-class-name
    

    In this example, n is the order of preference to be used by the Application Server when evaluating security providers. Set n to 2 for the JCE provider you’ve just added.

    For example, if you’ve downloaded The Legion of the Bouncy Castle JCE provider, you would add this line.


    security.provider.2=org.bouncycastle.jce.provider.
       BouncyCastleProvider

    Make sure that the Sun security provider remains at the highest preference, with a value of 1.


    security.provider.1=sun.security.provider.Sun

    Adjust the levels of the other security providers downward so that there is only one security provider at each level.

    The following is an example of a java.security file that provides the necessary JCE provider and keeps the existing providers in the correct locations.


    security.provider.1=sun.security.provider.Sun
    security.provider.2=org.bouncycastle.jce.provider.
       BouncyCastleProvider
    security.provider.3=com.sun.net.ssl.internal.ssl.Provider
    security.provider.4=com.sun.rsajca.Provider
    security.provider.5=com.sun.crypto.provider.SunJCE
    security.provider.6=sun.security.jgss.SunProvider
  5. Save and close the file.

  6. Restart the Application Server.