Most of the steps for setting up the Application Server for using message security can be accomplished using the Admin Console, the asadmin command-line tool, or by manually editing system files. In general, editing system files is discouraged due to the possibility of making unintended changes that prevent the Application Server from running properly, therefore, where possible, steps for configuring the Application Server using the Admin Console are shown first, with the asadmin tool command shown after. Steps for manually editing system files are shown only when there is no Admin Console or asadmin equivalent.
Support for message layer security is integrated into the Application Server and its client containers in the form of (pluggable) authentication modules. By default, message layer security is disabled on the Application Server. The following sections provide the details for enabling, creating, editing, and deleting message security configurations and providers.
In most cases, it will be necessary to restart the Application Server after performing the administrative operations listed above. This is especially the case if you want the effects of the administrative change to be applied to applications that were already deployed on the Application Server at the time the operation was performed.
To enable message security for web services endpoints deployed in the Application Server, you must specify a provider to be used by default on the server side. If you enable a default provider for message security, you also need to enable providers to be used by clients of the web services deployed in the Application Server. Information for enabling the providers used by clients is discussed in Enabling Message Security for Application Clients.
To enable message security for web service invocations originating from deployed endpoints, you must specify a default client provider. If you enabled a default client provider for the Application Server, you must ensure that any services invoked from endpoints deployed in the Application Server are compatibly configured for message layer security.
Use the command-line utility:
To specify the default server provider:
asadmin set --user admin-user --port admin-port server-config.security-service.message-security-config.SOAP. default_provider=ServerProvider
To specify the default client provider:
asadmin set --user admin-user --port admin-port server-config.security-service.message-security-config.SOAP. default_client_provider=ClientProvider
Typically, a provider would be re-configured to modify its message protection policies, although the provider type, implementation class, and provider-specific configuration properties may also be modified.
Use the command-line utility to set the response policy, replace the word request in the following commands with response.
Add a request policy to the client and set the authentication source:
asadmin set --user admin-user --port admin-port server-config.security-service.message-security-config.SOAP. provider-config.ClientProvider.request-policy.auth_source= sender | content
Add a request policy to the server and set the authentication source:
asadmin set --user admin-user --port admin-port server-config.security-service.message-security-config.SOAP. provider-config.ServerProvider.request-policy.auth_source= sender | content
Add a request policy to the client and set the authentication recipient:
asadmin set --user admin-user --port admin-port server-config.security-service.message-security-config.SOAP. provider-config.ClientProvider.request-policy.auth_recipient= before-content | after-content
Add a request policy to the server and set the authentication recipient:
asadmin set --user admin-user --port admin-port server-config.security-service.message-security-config.SOAP. provider-config.ServerProvider.request-policy.auth_recipient= before-content | after-content
To configure an existing provider using the Admin Console, select Configuration node > the instance to Configure> Security node > Message Security node > SOAP node > Providers tab.
For more detailed instructions on creating a message security provider, see the Admin Console online help.
The message protection policies of client providers must be configured such that they are equivalent to the message protection policies of the server-side providers they will be interacting with. This is already the case for the providers configured (but not enabled) when the Application Server is installed.
To enable message security for client applications, modify the Application Server specific configuration for the application client container.
The request and response policies define the authentication policy requirements associated with request and response processing performed by the authentication provider. Policies are expressed in message sender order such that a requirement that encryption occur after content would mean that the message receiver would expect to decrypt the message before validating the signature.
To achieve message security, the request and response policies must be enabled on both the server and client. When configuring the policies on the client and server, make sure that the client policy matches the server policy for request/response protection at application-level message binding.
To set the request policy for the application client configuration, modify the Application Server specific configuration for the application client container as described in Enabling Message Security for Application Clients. In the application client configuration file, add the request-policy and response-policy elements as shown to set the request policy.
The other code is provided for reference. The other code may differ slightly in your installation. Do not change it.
<client-container> <target-server name="your-host" address="your-host" port="your-port"/> <log-service file="" level="WARNING"/> <message-security-config auth-layer="SOAP" default-client-provider="ClientProvider"> <provider-config class-name="com.sun.enterprise.security.jauth.ClientAuthModule" provider-id="ClientProvider" provider-type="client"> <request-policy auth-source="sender | content" auth-recipient="after-content | before-content"/> <response-policy auth-source="sender | content" auth-recipient="after-content | before-content"/> <property name="security.config" value="as-install/lib/appclient/wss-client-config.xml"/> </provider-config> </message-security-config> </client-container>
Valid values for auth-source include sender and content. Valid values for auth-recipient include before-content and after-content. A table describing the results of various combinations of these values can be found in Actions of Request and Response Policy Configurations.
To not specify a request or response policy, leave the element blank, for example:
The Java 2 Standard Edition discussion of security can be viewed from http://java.sun.com/j2se/1.4.2/docs/guide/security/index.html.
The Java EE 5.0 Tutorial chapter titled Security can be viewed from http://java.sun.com/javaee/5/docs/tutorial/doc/index.html.
The Administration Guide chapter titled .
The Developer’s Guide chapter titled Securing Applications.
The Oasis Web Services Security: SOAP Message Security (WS-Security) specification, can be viewed from http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf.
The OASIS Web Services Security Username Token Profile 1.0, can be found at http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf.
The OASIS Web Services Security X.509 Certificate Token Profile 1.0, can be found at http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf.
The XML-Signature Syntax and Processing document can be viewed at http://www.w3.org/TR/xmldsig-core/.
The XML Encryption Syntax and Processing document can be viewed at http://www.w3.org/TR/xmlenc-core/.