The WSS Provider policy acts on the server side of a web service: it authenticates the credentials carried in an inbound request, decrypts the request and verifies its signature and timestamp, and encrypts, signs, and timestamps the outbound response.
General
The General section has the following fields.

Field | Description
Package | The name to be displayed as the label of the policy resource package.
Name | The name of the policy resource.
Description | A short description of the policy resource.
Shared Resource for WSS Processing
The Shared Resource for WSS Processing section has the following fields.

Field | Description
WSS Verification | The WSS Verification shared resource that the WSS Provider policy references.
Service Provider Details
The Service Provider Details section comprises of the
Authentication tab,
Confidentiality tab, the
Integrity tab, and the
Timestamp tab.
Authentication
The Authentication tab has the following fields, which you enable to enforce authentication on a request message.

Field | Description
No Verification | Select this option to skip credential verification: neither a username token nor a SAML token on the request is checked. Use it only where the caller is authenticated by some other means.
Verify username token | Select this option to authenticate user credentials through a username token. If you select this option, ensure that you have configured the User Authentication tab on the WSS Authentication Shared Resource.
Verify SAML token | Select this option to authenticate user credentials through a SAML token.
Select one of the following confirmation methods:
- Bearer: the assertion itself is the credential and whoever presents it is accepted as its subject, so protect it in transit and keep its validity short.
- Holder of Key: the sender must also prove possession of the key named in the assertion, which binds the assertion to its rightful holder.
- Sender Vouches: the sender vouches for the subject's identity, so the receiver must trust the sender and authenticate it (normally by verifying the sender's signature on the message).
Select one of the following security token types:
- SAML 1.1 Token 1.1
- SAML 2.0 Token 1.1
Issuer Name: Specify the issuer whose SAML assertions are accepted.
Confidentiality
An inbound request can be decrypted and an outbound response can be encrypted to maintain confidentiality. The Confidentiality tab has the following fields:

Field | Description
Decrypt Request | To decrypt the request, provide the Subject Provider or the Subject Provider (with Trust Credential) value in the WSS Authentication policy resource, and select the Enable Decryption check box in the Basic Configuration section of the WSS Authentication policy resource.
Encrypt Response | Specify the following fields:
- Trust Provider: Select a Trust Provider shared resource.
- Key Alias: Specify the alias under which the Trust Provider holds the key used to encrypt the response.
- Algorithm Suite: Specifies the algorithm suite used for cryptographic operations with symmetric or asymmetric key based security tokens. An algorithm suite fixes the actual algorithms and the allowed key lengths. The default selection is Basic128. You can select one of the following algorithm suites from the drop-down menu:
  - Basic128
  - TripleDes
  - Basic256Rsa15
  - Basic192Rsa15
  - Basic128Rsa15
  - TripleDesRsa15
  - Basic256Sha256
  - Basic192Sha256
  - Basic128Sha256
  - TripleDesSha256
  - Basic256Sha256Rsa15
  - Basic192Sha256Rsa15
  - Basic128Sha256Rsa15
  - TripleDesSha256Rsa15
  The suite names follow WS-SecurityPolicy: the number is the AES key length, suites without a Sha256 suffix use SHA-1 digests, suites with an Rsa15 suffix use RSA PKCS#1 v1.5 key transport instead of RSA-OAEP, and the TripleDes suites use 3DES. Unless a peer requires one of the others for interoperability, choose a BasicNNNSha256 suite (AES, SHA-256 digests, RSA-OAEP key transport).
- Encryption Algorithm: Select one of the following encryption algorithms from the drop-down menu:
  - AES_128
  - AES_192
  - AES_256
  - AES_128_GCM
  - AES_192_GCM
  - AES_256_GCM
  - TRIPLE_DES
  Prefer a GCM variant where the client supports it: GCM is an authenticated mode, whereas the CBC modes used by the non-GCM options have known chosen-ciphertext weaknesses in XML Encryption, and TRIPLE_DES is a legacy algorithm.
- Encrypt: Specify whether to encrypt Parts or Elements of the message.
  - Encrypt Parts: Select this option to encrypt the Body, the Header, or both parts of the message.
  - Encrypt Elements: Select this option to encrypt individual elements in the response message. When specifying the Element, ensure that you also specify the Namespace of the element, and the Prefix of the element if it has one.
Integrity
Maintain integrity by verifying the signature on an inbound request and signing an outbound response. The Integrity tab has the following fields:

Field | Description
Verify Signature on Request | Select which parts of the request must carry a valid signature from the Verify parts that are signed drop-down menu:
- Entire message
- Message header
- Message body
Choose the option that covers every part the service acts on; a signature that covers only the header leaves the body unprotected.
Sign Response | Specify the following fields:
- Subject Provider: Select a Subject Provider shared resource; the key it holds signs the response.
- Algorithm Suite: Specifies the algorithm suite used for cryptographic operations with symmetric or asymmetric key based security tokens. An algorithm suite fixes the actual algorithms and the allowed key lengths. The default selection is Basic128. Select one of the following algorithm suites from the drop-down menu:
  - Basic128
  - TripleDes
  - Basic256Rsa15
  - Basic192Rsa15
  - Basic128Rsa15
  - TripleDesRsa15
  - Basic256Sha256
  - Basic192Sha256
  - Basic128Sha256
  - TripleDesSha256
  - Basic256Sha256Rsa15
  - Basic192Sha256Rsa15
  - Basic128Sha256Rsa15
  - TripleDesSha256Rsa15
  As on the Confidentiality tab, suites without a Sha256 suffix use SHA-1 digests and suites with an Rsa15 suffix use RSA PKCS#1 v1.5 key transport; prefer a BasicNNNSha256 suite unless a peer requires otherwise.
- Digest Algorithm for Signature: The digest algorithm takes a message of arbitrary length and produces a fixed-length "fingerprint" or "message digest" of it (160 bits for SHA1; 256, 384, or 512 bits for SHA256, SHA384, and SHA512). The default selection is SHA256. Select one of the following options from the drop-down menu:
  - SHA1
  - SHA256
  - SHA384
  - SHA512
  SHA1 is no longer considered collision resistant and should be selected only for compatibility with a peer that cannot verify anything stronger.
- Sign: Specify whether to sign Parts or Elements of the message.
  - Sign Parts: Select this option to sign the Body, the Header, or both parts of the message.
  - Sign Elements: Select this option to sign individual elements in the response message. When specifying the Element, ensure that you also specify the Namespace of the element, and the Prefix of the element if it has one.
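The following Python example, added here and not taken from TIBCO's product code, shows what a receiver configured with Verify Signature on Request has to establish: that a ds:Reference in the Signature covers each part the selected option requires, and that the DigestValue of each covered part recomputes correctly with the Digest Algorithm configured on this tab. The sample request, the hypothetical application namespace `urn:example:app`, the `RequestId` header block standing in for the signed Header part, and the use of the standard library's C14N 2.0 in place of the Exclusive C14N transform are all assumptions of the example; the RSA signature over SignedInfo, which the Subject Provider's key would verify, is represented by a placeholder and not checked.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces of the SOAP envelope and of WS-Security / XML Signature.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
APP = "urn:example:app"  # hypothetical application namespace for the sample

for _prefix, _uri in (("soapenv", SOAP), ("ds", DS), ("wsse", WSSE),
                      ("wsu", WSU), ("app", APP)):
    ET.register_namespace(_prefix, _uri)

# "Digest Algorithm for Signature" -> hash function. Output sizes differ:
# SHA1 160 bits, SHA256 256, SHA384 384, SHA512 512.
DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256,
           "SHA384": hashlib.sha384, "SHA512": hashlib.sha512}

# "Verify parts that are signed" -> parts that a Reference must cover.
REQUIRED = {"Entire message": ("header", "body"),
            "Message header": ("header",),
            "Message body": ("body",)}


def digest_value(elem, digest_algo):
    """base64(hash(canonical form of elem)), as carried in ds:DigestValue.
    Assumption: the stdlib's C14N 2.0 stands in for the Exclusive C14N 1.0
    transform that WS-Security deployments normally apply."""
    canonical = ET.canonicalize(ET.tostring(elem, encoding="unicode"))
    return base64.b64encode(
        DIGESTS[digest_algo](canonical.encode("utf-8")).digest()).decode()


def build_signed_request(sign_parts, digest_algo):
    """Constructed sample request as a hypothetical client would sign it.
    An application header block stands in for the signed 'Header' part,
    because the wsse:Security header that carries the Signature cannot sign
    itself. SignatureValue is a placeholder: this example checks which parts
    the References cover and that their digests match, not the RSA signature
    over SignedInfo."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    app_hdr = ET.SubElement(header, f"{{{APP}}}RequestId",
                            {f"{{{WSU}}}Id": "hdr-1"})
    app_hdr.text = "req-42"
    body = ET.SubElement(env, f"{{{SOAP}}}Body", {f"{{{WSU}}}Id": "body-1"})
    ET.SubElement(body, f"{{{APP}}}Transfer").text = "100"

    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    signature = ET.SubElement(security, f"{{{DS}}}Signature")
    signed_info = ET.SubElement(signature, f"{{{DS}}}SignedInfo")
    targets = {"header": app_hdr, "body": body}
    for part in sign_parts:
        target = targets[part]
        ref = ET.SubElement(signed_info, f"{{{DS}}}Reference",
                            {"URI": "#" + target.get(f"{{{WSU}}}Id")})
        ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest_value(
            target, digest_algo)
    ET.SubElement(signature, f"{{{DS}}}SignatureValue").text = "placeholder"
    return ET.tostring(env, encoding="unicode")


def verify_signed_parts(request_xml, verify_option, digest_algo):
    """Receiver-side check behind 'Verify Signature on Request'. Each required
    part is located by its position in the envelope, never by searching the
    whole document for an Id, so a signed element placed elsewhere cannot
    stand in for the Body or header block the service actually consumes. A
    ds:Reference must name that element's wsu:Id, and its DigestValue must
    equal a fresh digest computed with the configured algorithm."""
    env = ET.fromstring(request_xml)
    header = env.find(f"{{{SOAP}}}Header")
    located = {
        "header": None if header is None else header.find(f"{{{APP}}}RequestId"),
        "body": env.find(f"{{{SOAP}}}Body"),
    }
    references = {ref.get("URI"): ref.findtext(f"{{{DS}}}DigestValue")
                  for ref in env.iter(f"{{{DS}}}Reference")}
    for part in REQUIRED[verify_option]:
        elem = located[part]
        if elem is None:
            return False
        wsu_id = elem.get(f"{{{WSU}}}Id")
        expected = references.get("#" + wsu_id) if wsu_id else None
        if expected is None or expected != digest_value(elem, digest_algo):
            return False
    return True


if __name__ == "__main__":
    signed = build_signed_request(["header", "body"], "SHA256")
    print("entire message:", verify_signed_parts(signed, "Entire message", "SHA256"))
    tampered = signed.replace(">100<", ">1000<")
    print("tampered body:", verify_signed_parts(tampered, "Message body", "SHA256"))
```

A request signed only over the header block fails the Entire message option, a body edited after signing fails the Message body option, and a digest computed with a different algorithm than the one configured also fails; those three outcomes are what the option on this tab buys you.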
Timestamp
A WS-Security timestamp records when a message was created and when it expires, so that the receiver can reject stale or replayed messages. The Timestamp tab has the following fields:

Field | Description
Verify Timestamp on Request | No additional configuration is required; the policy checks the timestamp carried in the request. Keep the server clock synchronized, because a skewed clock causes valid requests to be rejected or expired ones to be accepted.
Set Timestamp on Response | Specify the time-to-live in seconds, that is, how long after its Created time the response timestamp remains valid.
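The following Python example, added here and not part of TIBCO's product code, shows the two sides of this tab: producing a wsu:Timestamp whose Expires lies time-to-live seconds after Created, and verifying an incoming one. The sample timestamps are constructed, and the `clock_skew` tolerance and `max_ttl` cap are assumptions of the example rather than fields on the Timestamp tab; they are included because a receiver that only compares Expires to its own clock accepts any lifetime a client cares to declare.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
ET.register_namespace("wsu", WSU)

# wsu:Created and wsu:Expires are xsd:dateTime values; the WS-I Basic
# Security Profile requires them in UTC with a trailing "Z".
FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_wsu_time(text):
    """Parse a wsu:Created / wsu:Expires value. Returns None for anything
    that is not a plain UTC 'Z' timestamp, so malformed or offset-bearing
    values are rejected rather than guessed at."""
    if not text or not text.endswith("Z"):
        return None
    try:
        parsed = datetime.fromisoformat(text[:-1])
    except ValueError:
        return None
    if parsed.tzinfo is not None:  # e.g. "...+02:00Z": offset and Z together
        return None
    return parsed.replace(tzinfo=timezone.utc)


def set_timestamp(ttl_seconds, created=None):
    """'Set Timestamp on Response': emit a wsu:Timestamp whose Expires is
    ttl_seconds after Created. `created` is an optional 'Z' string so the
    example is reproducible; by default the current UTC time is used."""
    start = parse_wsu_time(created) if created else datetime.now(timezone.utc)
    if start is None:
        raise ValueError("created must be a UTC 'Z' timestamp")
    ts = ET.Element(f"{{{WSU}}}Timestamp", {f"{{{WSU}}}Id": "TS-1"})
    ET.SubElement(ts, f"{{{WSU}}}Created").text = start.strftime(FORMAT)
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = (
        start + timedelta(seconds=ttl_seconds)).strftime(FORMAT)
    return ET.tostring(ts, encoding="unicode")


def verify_timestamp(timestamp_xml, now=None, clock_skew=60, max_ttl=300):
    """'Verify Timestamp on Request' with the checks a receiver needs.
    clock_skew (seconds) tolerates clock differences between client and
    server; max_ttl (seconds) caps how long a client may declare its own
    message valid. Both are assumptions of this example. `now` is an
    optional 'Z' string for reproducibility. Returns (accepted, reason)."""
    current = parse_wsu_time(now) if now else datetime.now(timezone.utc)
    if current is None:
        raise ValueError("now must be a UTC 'Z' timestamp")
    try:
        ts = ET.fromstring(timestamp_xml)
    except ET.ParseError:
        return False, "timestamp is not well-formed XML"
    created = parse_wsu_time(ts.findtext(f"{{{WSU}}}Created"))
    expires = parse_wsu_time(ts.findtext(f"{{{WSU}}}Expires"))
    if created is None or expires is None:
        return False, "Created and Expires must both be present UTC times"
    skew = timedelta(seconds=clock_skew)
    if created > current + skew:
        return False, "Created lies in the future"
    if expires <= created:
        return False, "Expires is not after Created"
    if expires - created > timedelta(seconds=max_ttl):
        return False, "declared lifetime exceeds the server's maximum"
    if expires + skew <= current:
        return False, "timestamp has expired"
    return True, "ok"


if __name__ == "__main__":
    fresh = set_timestamp(60, created="2020-06-01T12:00:00Z")
    print(fresh)
    print(verify_timestamp(fresh, now="2020-06-01T12:00:30Z"))
    print(verify_timestamp(fresh, now="2020-06-01T12:05:00Z"))
```

Note that the timestamp is only useful against replay when it is also covered by the signature verified on the Integrity tab; an unsigned timestamp can be refreshed by whoever replays the message.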
Copyright © 2020. TIBCO Software Inc. All Rights Reserved.