Configure the WSS Consumer policy to enforce confidentiality, integrity, and timestamping on outbound requests and inbound responses, and to map credentials onto the outbound request.
General
The General section has the following fields.

Field | Description
Package | The name displayed as the label of the policy resource package.
Name | The name of the policy resource.
Description | A description of the policy resource.
Shared Resource for WSS Processing
The Shared Resource for WSS Processing section has the following fields.

Field | Description
WSS Verification | The WSS Verification shared resource that the WSS Consumer policy references.
Service Provider Details
The Service Provider Details section comprises the Confidentiality tab, the Integrity tab, the Timestamp tab, and the Credential Mapping tab.
Confidentiality
To maintain confidentiality, the policy can be configured to encrypt the outbound request and to decrypt the inbound response at its endpoint. The Confidentiality tab has the following fields:

Field | Description
Encrypt Request | Specify the following fields:
- Trust Provider: Select a Trust Provider shared resource. It holds the service provider's certificate; the public key in that certificate wraps the symmetric key that encrypts the message, so encryption needs the recipient's certificate, not the consumer's own key pair.
- Key Alias: Specify the Key Alias of the service provider's certificate in the Trust Provider.
- Algorithm Suite: Specifies the algorithm suite required for performing cryptographic operations with symmetric or asymmetric key based security tokens. An algorithm suite specifies the actual algorithms and allowed key lengths. The default selection is Basic128. You can select a different algorithm suite from the drop-down menu. The names follow WS-SecurityPolicy: the number is the symmetric key length in bits (AES-128/192/256, or 3DES for the TripleDes suites), a Sha256 infix selects SHA-256 rather than SHA-1 digests, and an Rsa15 suffix selects RSA-1_5 key transport rather than RSA-OAEP. Prefer a Sha256 suite without the Rsa15 suffix unless the service provider cannot process it.
- Encrypt: Specify whether to Encrypt Parts or to Encrypt Elements of the message.
- Encrypt Parts: Select this option to encrypt the Body, the Header, or both parts of the message.
- Encrypt Elements: Select this option to encrypt individual elements in the request message. When specifying the Element, ensure you also specify the Namespace of the element, and the Prefix of the element if it has one. Only the named elements are encrypted; anything sensitive outside them stays in cleartext unless it is covered by Encrypt Parts or by transport security.
Decrypt Response | To decrypt the response, provide the Subject Provider or the Subject Provider (with Trust Credential) value in the WSS Authentication policy resource, and select the Enable Decryption check box in the Basic Configuration section of the WSS Authentication policy resource. Decryption uses the consumer's own private key, which is why it is configured through a Subject Provider rather than a Trust Provider.
Integrity
To maintain integrity, the outbound request can be signed and the signature on the inbound response verified. The Integrity tab has the following fields:

Field | Description
Sign Request | Specify the following fields:
- Subject Provider: Select a Subject Provider shared resource. It holds the private key used to sign the request; the service provider verifies with the matching certificate.
- Algorithm Suite: Specifies the algorithm suite required for performing cryptographic operations with symmetric or asymmetric key based security tokens. An algorithm suite specifies the actual algorithms and allowed key lengths. The default is Basic128. You can select a different algorithm suite from the drop-down menu.
- Digest Algorithm for Signature: The digest algorithm takes a message of arbitrary length and produces a fixed-length "fingerprint" or "message digest" (256 bits for the default SHA-256); it is this digest that the signature covers. The default is SHA-256. You can select a different algorithm from the drop-down menu. Avoid SHA-1, which is no longer collision resistant, unless the service provider can verify nothing else.
- Sign: Specify whether to Sign Parts or to Sign Elements.
- Sign Parts: Select this option to sign the Body, the Header, or both parts of the message.
- Sign Elements: Select this option to sign individual elements in the request message. When specifying the Element, ensure you also specify the Namespace of the element, and the Prefix of the element if it has one.
Verify Signature on Response | Select the check box to enable the Verify parts that are Signed field, then select one of the following options from the drop-down menu:
- Entire message
- Message header
- Message body
The selected option states which parts the response signature must cover. A signature that is cryptographically valid over some other part of the message (for example, only the timestamp) does not satisfy the selected option, and the response should be treated as unverified.
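The coverage question behind Verify parts that are Signed, as an added example that is not TIBCO code: after an XML-DSig library has checked DigestValue and SignatureValue, the consumer still has to confirm that the signature's references cover the parts the policy names. The envelopes, the reading of Entire message as Header plus Body, and the hypothetical urn:example:bank payload are constructed for the example.

```python
"""Added example (not TIBCO code): checking what a response signature
actually covers.  DigestValue/SignatureValue verification is left to an
XML-DSig library; this runs afterwards on reference coverage."""
import xml.etree.ElementTree as ET
from typing import Iterable, Set, Tuple

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
BODY, HEADER = f"{{{SOAP}}}Body", f"{{{SOAP}}}Header"


def _envelope(references: Iterable[str]) -> str:
    """Constructed sample response whose ds:Signature references the given wsu:Ids."""
    refs = "".join(f'<ds:Reference URI="#{r}"><ds:DigestValue>AA==</ds:DigestValue></ds:Reference>'
                   for r in references)
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">'
            f'<soap:Header wsu:Id="Hdr"><wsse:Security>'
            f'<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2024-05-01T12:00:00Z</wsu:Created></wsu:Timestamp>'
            f'<ds:Signature><ds:SignedInfo>{refs}</ds:SignedInfo>'
            f'<ds:SignatureValue>AA==</ds:SignatureValue></ds:Signature>'
            f'</wsse:Security></soap:Header>'
            f'<soap:Body wsu:Id="Body"><ns:GetBalance xmlns:ns="urn:example:bank">'
            f'<ns:Account>42</ns:Account></ns:GetBalance></soap:Body>'
            f'</soap:Envelope>')


SIGNED_BODY_AND_TS = _envelope(["Body", "TS-1"])
SIGNED_TS_ONLY = _envelope(["TS-1"])   # valid signature that never covers the Body
# Second element carrying the Body's Id: the setup for XML signature wrapping.
WRAPPED = SIGNED_BODY_AND_TS.replace('wsu:Id="TS-1"', 'wsu:Id="Body"')


def signed_tags(envelope_xml: str) -> Set[str]:
    """Clark-notation tags of every element inside a referenced subtree.
    Duplicate wsu:Id values and dangling references are rejected outright."""
    root = ET.fromstring(envelope_xml)
    by_id = {}
    for el in root.iter():
        i = el.get(f"{{{WSU}}}Id")
        if i is None:
            continue
        if i in by_id:
            raise ValueError(f"duplicate wsu:Id {i!r}")
        by_id[i] = el
    covered: Set[str] = set()
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#") or uri[1:] not in by_id:
            raise ValueError(f"unresolvable Reference URI {uri!r}")
        covered.update(el.tag for el in by_id[uri[1:]].iter())  # a reference covers its whole subtree
    return covered


# Drop-down values and the parts each requires (Entire message read as Header plus Body: an assumption).
REQUIRED = {"Message body": {BODY}, "Message header": {HEADER}, "Entire message": {BODY, HEADER}}


def verify_parts_signed(envelope_xml: str, option: str) -> Tuple[bool, str]:
    """True only if every part the option names lies under a signed reference."""
    try:
        covered = signed_tags(envelope_xml)
    except ValueError as err:
        return False, str(err)
    missing = REQUIRED[option] - covered
    return (not missing), ("ok" if not missing else f"unsigned: {sorted(missing)}")


def unsigned_elements(envelope_xml: str, elements: Iterable[Tuple[str, str]]) -> Set[Tuple[str, str]]:
    """Sign Elements counterpart: (namespace, local name) pairs the signature does not cover."""
    covered = signed_tags(envelope_xml)
    return {(ns, local) for ns, local in elements if f"{{{ns}}}{local}" not in covered}
```

The point of the duplicate-Id rejection is that a reference resolves by Id, so an attacker who can add a second element with the same Id can make the library verify one element while the application reads the other.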
Timestamp
Under the Timestamp tab, configure the following fields to insert a timestamp in the outbound request and verify the timestamp in the inbound response.

Field | Description
Set Timestamp on Request | Specify the time-to-live in seconds. The wsu:Timestamp header carries Created (when the request was built) and Expires (Created plus the time-to-live); a provider that verifies timestamps rejects the request once Expires has passed. Keep the value as short as the clock skew between the two sides allows, because the window between Created and Expires is also the window in which a captured request can be replayed.
Verify Timestamp on Response | No additional configuration required. The Created and Expires values in the response are checked against the consumer's clock.
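What the two timestamp settings do on the wire, as an added example that is not TIBCO code: the header Set Timestamp on Request writes from a time-to-live, and the checks Verify Timestamp on Response implies. The skew allowance and the maximum accepted time-to-live are assumptions of the example, not product settings, and the clock is passed in as an ISO string so the checks are reproducible.

```python
"""Added example (not TIBCO code): build and verify a wsu:Timestamp with
only the standard library.  max_skew_seconds and max_ttl_seconds are
assumed policy values, not product settings."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Tuple

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ET.register_namespace("wsu", WSU)


def _fmt(t: datetime) -> str:
    """xsd:dateTime in UTC, millisecond precision, trailing Z, as WS-Security expects."""
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.") + f"{t.microsecond // 1000:03d}Z"


def _parse(s: str) -> datetime:
    s = s.strip()
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"   # fromisoformat understands an explicit offset on every Python 3 version
    return datetime.fromisoformat(s).astimezone(timezone.utc)


def build_timestamp(ttl_seconds: int, now_iso: str) -> str:
    """Created = now, Expires = now + time-to-live (what the TTL field sets)."""
    created = _parse(now_iso)
    ts = ET.Element(f"{{{WSU}}}Timestamp", {f"{{{WSU}}}Id": "TS-1"})
    ET.SubElement(ts, f"{{{WSU}}}Created").text = _fmt(created)
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = _fmt(created + timedelta(seconds=ttl_seconds))
    return ET.tostring(ts, encoding="unicode")


def verify_timestamp(ts_xml: str, now_iso: str, max_skew_seconds: int = 60,
                     max_ttl_seconds: int = 300) -> Tuple[bool, str]:
    """Reject missing, inverted, over-long, future-dated or expired timestamps."""
    ts = ET.fromstring(ts_xml)
    created_txt = ts.findtext(f"{{{WSU}}}Created")
    expires_txt = ts.findtext(f"{{{WSU}}}Expires")
    if created_txt is None or expires_txt is None:
        return False, "Created and Expires are both required"
    now, skew = _parse(now_iso), timedelta(seconds=max_skew_seconds)
    created, expires = _parse(created_txt), _parse(expires_txt)
    if expires <= created:
        return False, "Expires is not after Created"
    if expires - created > timedelta(seconds=max_ttl_seconds):
        return False, "time-to-live longer than policy allows"   # sender chose a replay window we refuse
    if created > now + skew:
        return False, "Created is in the future"
    if expires <= now - skew:
        return False, "timestamp has expired"
    return True, "ok"
```

Capping the accepted time-to-live on the verifying side matters because the sender, not the verifier, chooses Expires; without the cap a peer can hand you a request that stays replayable for hours.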
Credential Mapping
Under the Credential Mapping tab, select No Credentials, Username Token based Credential Mapping, or SAML Token based Credential Mapping to decide which credentials, if any, are placed in the outbound request.

Field | Description
No Credentials | Select this option if credential mapping is not to be enforced; the outbound request carries no security token.
Username Token based Credential Mapping | Select Fixed or Conditional:
- If you select Fixed, specify an Identity Provider resource in the Identity Provider field. Every outbound request then carries that one identity, regardless of who called the consumer.
- If you select Conditional, specify the types of users your application maps credentials for. You can choose to map credentials for authenticated users with roles, authenticated users, and anonymous users.
For configuration details, see Basic Credential Mapping.
SAML Token based Credential Mapping | Configure the following fields:
- SAML Token Profile: Select a token type. Specify either SAML 1.1 Token 1.1 or SAML 2.0 Token 1.1.
- Sign SAML Assertion: If you select this option, the following fields are enabled. Leave it unselected only if the assertion is protected some other way (for example, the Integrity tab signs the header that carries it), since an unsigned assertion can be altered or forged by anyone on the path.
  - Subject Provider: Specify a Subject Provider shared resource.
  - Digest Algorithm for Signature: Select one of the following options from the drop-down menu:
    - SHA1
    - SHA256
    - SHA384
    - SHA512
  - Algorithm Suite: Select one of the following options from the drop-down menu:
    - Basic128
    - TripleDes
    - Basic256Rsa15
    - Basic192Rsa15
    - Basic128Rsa15
    - TripleDesRsa15
    - Basic256Sha256
    - Basic192Sha256
    - Basic128Sha256
    - TripleDesSha256
    - Basic256Sha256Rsa15
    - Basic192Sha256Rsa15
    - Basic128Sha256Rsa15
    - TripleDesSha256Rsa15
    These are the WS-SecurityPolicy suite names: Sha256 selects SHA-256 rather than SHA-1 digests, Rsa15 selects RSA-1_5 rather than RSA-OAEP key transport, and TripleDes selects 3DES rather than AES. A Basic*Sha256 suite without the Rsa15 suffix is the conservative choice.
- SAML Issuer Name: Type a SAML issuer name.
- SAML Assertion Validity: Select SAML Assertion Validity (forever) to make the SAML assertion valid indefinitely, or select Specify Validity Period (sec) to specify the number of seconds the SAML assertion is valid. Prefer a bounded validity period: an assertion without an expiry remains usable by anyone who captures it until the signing key is rotated.
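The token that Username Token based Credential Mapping places in the outbound request, as an added example that is not TIBCO code: a wsse:UsernameToken in the PasswordDigest form from the WSS Username Token Profile, the provider-side check that recomputes the digest, and a sketch of the Fixed versus Conditional decision. The shape of the principal dictionary, the class keys, and the Identity Provider names are assumptions of the example.

```python
"""Added example (not TIBCO code): UsernameToken with PasswordDigest, its
verification, and the Fixed/Conditional identity choice.  Principal shape
and Identity Provider names are assumptions."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Callable, Dict, Optional

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
for _prefix, _uri in (("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_prefix, _uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Profile definition: Base64(SHA-1(nonce || created || password)), nonce as raw bytes."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def choose_identity(mode: str, fixed_idp: str, principal: Optional[Dict],
                    conditional: Dict[str, str]) -> Optional[str]:
    """Fixed: always the configured Identity Provider.  Conditional: pick by the
    inbound caller's class (anonymous, authenticated, authenticated with roles)."""
    if mode == "Fixed":
        return fixed_idp
    if principal is None:
        key = "anonymous"
    elif principal.get("roles"):
        key = "authenticated_with_roles"
    else:
        key = "authenticated"
    return conditional.get(key)   # None: no mapping configured for this class of caller


def build_username_token(username: str, password: str, nonce: Optional[bytes] = None,
                         created: Optional[str] = None) -> str:
    """Consumer side: the token placed in the outbound wsse:Security header."""
    nonce = nonce or os.urandom(16)   # fresh per message; the receiver caches it to refuse replays
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    tok = ET.Element(f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "UT-1"})
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": PASSWORD_DIGEST}).text = \
        password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": BASE64_BINARY}).text = \
        base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")


def verify_username_token(token_xml: str, lookup_password: Callable[[str], Optional[str]]) -> bool:
    """Provider side: recompute the digest from the stored password and compare in constant time.
    Freshness of Created and nonce uniqueness are separate checks not shown here."""
    tok = ET.fromstring(token_xml)
    username = tok.findtext(f"{{{WSSE}}}Username")
    pw = tok.find(f"{{{WSSE}}}Password")
    nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if username is None or pw is None or nonce_b64 is None or created is None:
        return False
    if pw.get("Type") != PASSWORD_DIGEST:
        return False   # PasswordText is only acceptable over TLS; this check insists on the digest form
    secret = lookup_password(username)
    if secret is None:
        return False
    expected = password_digest(base64.b64decode(nonce_b64), created, secret)
    return hmac.compare_digest(expected, pw.text or "")
```

The digest form keeps the password itself off the wire, but it is still replayable within the Created window unless the provider remembers nonces, and it requires the provider to hold the cleartext password to recompute the digest; neither property changes with the algorithm suite selected elsewhere on this tab.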
Copyright © 2020. TIBCO Software Inc. All Rights Reserved.