Configuring the Application Server and Enabling Message Protection

Configuring the Application Server for Message Security

Message Security enables a server to perform end-to-end authentication of web service invocations and responses at the message layer. The Application Server implements message security using message security providers on the SOAP layer. The message security providers provide information such as the type of authentication that is required for the request and response messages. The types of authentication that are supported include the following:

Two message security providers are included with this release. The message security providers can be configured for authentication for the SOAP layer. The providers that can be configured include ClientProvider and ServerProvider.

Support for message layer security is integrated into the Application Server and its client containers in the form of (pluggable) authentication modules. By default, message layer security is disabled on the Application Server.

To enable and configure message layer security, follow these steps:

  1. If using a version of the Java SDK prior to version 1.5.0, and using encryption technology, configure a JCE provider.

     Configuring a JCE provider is discussed in "Configuring a JCE Provider".

  2. If using a username token, configure a user database, if necessary. When using a username/password token, an appropriate realm must be configured and an appropriate user database must be configured for the realm.

     Configuring a user database is discussed in "Editing a Realm".

  3. Manage keystore and truststore files, if necessary.

     Managing keystore and truststore files is discussed in "About Certificate Files".

  4. Enable message security for all applications for which a specific provider has not been bound by specifying a message security configuration.

     Specifying a message security configuration is discussed in "Enabling Providers for Message Security".

  5. Configure the message security providers enabled in the previous step.

     Configuring the message security providers is discussed in "Configuring a Message Security Provider".

  6. Configure the application client container for message security. This defines the client’s view of what is required of client applications.

     Configuring the application client container for message security is discussed in "Enabling Message Security for Client Applications".

Enabling Application-Specific Message Protection

When the Application Server provider configuration is insufficient for your security needs, and you want to override the default protection, you can apply application-specific message security to a web service.

Application-specific security is implemented by adding the message security binding to the web service endpoint, whether it is an EJB or servlet web service endpoint. Modify Sun-specific deployment descriptor files to add the message binding information.

For more details, refer to the Securing Applications chapter of the Developers’ Guide. There is a link to this chapter in "Further Information".

Enabling Message Security for Specific Methods

The topic of enabling message security for specific methods is discussed in the Securing Applications chapter of the Developers’ Guide. There is a link to this chapter in "Further Information".

Configuring a JCE Provider

The Java Cryptography Extension (JCE) provider included with J2SE 1.4.x does not support RSA encryption. Because many WSS applications use RSA encryption, you must download and install a JCE provider that does support RSA encryption in order to run WSS applications that use encryption.

Note: RSA is public-key encryption technology developed by RSA Data Security, Inc. The acronym stands for Rivest, Shamir, and Adleman, the inventors of the technology.

If you are running the Application Server on version 1.5 of the Java SDK, the JCE provider is already configured properly. If you are running the Application Server on version 1.4.x of the Java SDK, follow these steps to add a JCE provider statically as part of your JDK environment:

  1. Download and install a JCE provider JAR (Java ARchive) file. The following URL provides a list of JCE providers that support RSA encryption:
  2. Copy the JCE provider JAR file to <JAVA_HOME>/jre/lib/ext/.
  3. Stop the Application Server. If the Application Server is not stopped and then restarted later in this process, the JCE provider will not be recognized by the Application Server.
  4. Edit the <JAVA_HOME>/jre/lib/security/java.security properties file in any text editor. Add the JCE provider you’ve just downloaded to this file. The java.security file contains detailed instructions for adding this provider. Basically, you need to add a line of the following format in a location with similar properties:

     security.provider.<n>=<provider class name>

  5. Save and close the file.
  6. Restart the Application Server.
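
A check for the java.security edit described in the steps above, added here as an example and not part of the original guide: the JRE reads security.provider.<n> entries in order starting at 1 and stops at the first missing number, and a repeated number replaces the earlier entry, so a hand edit can silently drop a provider. The sample file content is constructed, and com.example.jce.ExampleProvider is a hypothetical provider class name.

```python
import re

# Constructed java.security excerpt after a hand edit (not from the page).
# com.example.jce.ExampleProvider is a hypothetical provider class name.
SAMPLE = """\
# List of providers and their preference orders
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.sun.rsajca.Provider
security.provider.3=com.sun.crypto.provider.SunJCE
security.provider.6=com.example.jce.ExampleProvider
"""

ENTRY = re.compile(r"^\s*security\.provider\.(\d+)\s*[=:]\s*(\S+)")


def check_providers(text, expected_class):
    """Return (effective_list, problems) for security.provider.<n> entries."""
    entries, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line)
        if not m:
            continue  # comment, blank line, or unrelated property
        n, cls = int(m.group(1)), m.group(2)
        if n in entries:  # properties semantics: the later line wins
            problems.append(f"line {lineno}: security.provider.{n} redefined, "
                            f"{entries[n]} replaced by {cls}")
        entries[n] = cls
    # Providers are read as 1, 2, 3, ... up to the first missing number.
    effective, n = [], 1
    while n in entries:
        effective.append(entries[n])
        n += 1
    for k in sorted(k for k in entries if k >= n):
        problems.append(f"security.provider.{k}={entries[k]} is never read: "
                        f"security.provider.{n} is missing")
    if expected_class not in effective:
        problems.append(f"{expected_class} is not in the effective list")
    return effective, problems


if __name__ == "__main__":
    effective, problems = check_providers(SAMPLE, "com.example.jce.ExampleProvider")
    for i, cls in enumerate(effective, 1):
        print(f"{i}: {cls}")
    for p in problems:
        print("PROBLEM:", p)
```

To check a real installation, pass the contents of <JAVA_HOME>/jre/lib/security/java.security and the class name of the provider you installed.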
