Configure the WSS Consumer policy to enforce confidentiality, integrity, timestamping, and credential mapping.
  
 
General

The General section has the following fields.

| Field | Description |
| Package | The name to be displayed as the label of the policy resource package. |
| Name | The name of the policy resource. |
| Description | A description of the policy resource. |
 
		  
Shared Resource for WSS Processing

The Shared Resource for WSS Processing section has the following fields.

| Field | Description |
| WSS Authentication | The WSS Authentication shared resource that the WSS Consumer policy references. |
 
		  
Service Provider Details

The Service Provider Details section comprises the Confidentiality tab, the Integrity tab, the Timestamp tab, and the Credential Mapping tab.
 
Confidentiality

To maintain confidentiality, the policy can be configured for an outbound request to be encrypted and an inbound response to be decrypted at its endpoint. The Confidentiality tab has the following fields:

| Field | Description |
| Encrypt Request | Specify the following fields:
  - Trust Provider: Select a Trust Provider shared resource.
  - Key Alias: Specify a Key Alias.
  - Algorithm Suite: Specifies the algorithm suite required for performing cryptographic operations with symmetric or asymmetric key based security tokens. An algorithm suite specifies actual algorithms and allowed key lengths. The default selection is Basic128. You can select a different algorithm suite from the drop-down menu.
  - Encrypt: Specify whether to Encrypt Parts or Encrypt Elements of the message.
    - Encrypt Parts: Select this option to encrypt the Body, Header, or both parts of the message.
    - Encrypt Elements: Select this option to encrypt elements in the request message. When specifying the Element, ensure you also specify the Namespace of the element, and the Prefix of the element if it has one. |
| Decrypt Response | To decrypt the response, provide the Subject Provider or the Subject Provider (with Trust Credential) value in the WSS Authentication policy resource, and select the Enable Decryption check box in the Basic Configuration section of the WSS Authentication policy resource. |
 
		  
Integrity

To maintain integrity, the outbound request can be signed and the signature verified in the inbound response. The Integrity tab has the following fields:

| Field | Description |
| Sign Request | Specify the following fields:
  - Subject Provider: Select a Subject Provider shared resource.
  - Algorithm Suite: Specifies the algorithm suite required for performing cryptographic operations with symmetric or asymmetric key based security tokens. An algorithm suite specifies actual algorithms and allowed key lengths. The default type is Basic128. You can select a different algorithm suite from the drop-down menu.
  - Digest Algorithm for Signature: The algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. The default type is SHA-256. You can select a different type from the drop-down menu.
  - Sign: Specify whether to Sign Parts or Sign Elements.
    - Sign Parts: Select this option to sign the Body, Header, or both parts of the message.
    - Sign Elements: Select this option to sign elements in the request message. When specifying the Element, ensure you also specify the Namespace of the element, and the Prefix of the element if it has one. |
| Verify Signature on Response | Select the check box to enable the Verify parts that are Signed field. Select one of the following options from the drop-down menu:
  - Entire message
  - Message header
  - Message body |
 
		  
Timestamp

Under the Timestamp tab, configure the following fields to insert a timestamp in an outbound request and verify a timestamp in the inbound response.

| Field | Description |
| Set Timestamp on Request | Specify time-to-live in seconds. |
| Verify Timestamp on Response | No additional configuration required. |
 
		  
Credential Mapping

Under the Credential Mapping tab, select either Username Token credential mapping or SAML Token credential mapping to map credentials to the outbound request.

| Field | Description |
| No Credentials | Select this option to ensure credential mapping is not enforced. |
| Username Token based Credential Mapping | Select Fixed or Conditional:
  - If you select Fixed, specify an Identity Provider resource in the Identity Provider field.
  - If you select Conditional, specify the types of users your application maps credentials for. You can choose to map credentials for authenticated users with roles, authenticated users, and anonymous users.
  For configuration details, see Basic Credential Mapping. |
| SAML Token based Credential Mapping | Configure the following fields:
  - SAML Token Profile: Select a token type. Specify either SAML 1.1 Token 1.1 or SAML 2.0 Token 1.1.
  - Sign SAML Assertion: If you select this option, the following fields are enabled:
    - Subject Provider: Specify a Subject Provider shared resource.
    - Digest Algorithm for Signature: Select one of the following options from the drop-down menu:
      - SHA1
      - SHA256
      - SHA384
      - SHA512
    - Algorithm Suite: Select one of the following options from the drop-down menu:
      - Basic128
      - TripleDes
      - Basic256Rsa15
      - Basic192Rsa15
      - Basic128Rsa15
      - TripleDesRsa15
      - Basic256Sha256
      - Basic192Sha256
      - Basic128Sha256
      - TripleDesSha256
      - Basic256Sha256Rsa15
      - Basic192Sha256Rsa15
      - Basic128Sha256Rsa15
      - TripleDesSha256Rsa15
    - SAML Issuer Name: Type a SAML issuer name.
  - SAML Assertion Validity: Select SAML Assertion Validity (forever) to ensure that the SAML assertion is valid indefinitely. Optionally, you can select Specify Validity Period (sec) to specify the number of seconds the SAML assertion is valid. |
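
An added example, not part of the product documentation: a Python check that decodes the algorithm suite names listed on this page using the WS-SecurityPolicy naming scheme and flags legacy choices across the Confidentiality, Integrity, Timestamp, and Credential Mapping settings. The dictionary keys and sample values are hypothetical; the product's own storage format for these settings is not shown on this page.

```python
import re

# WS-SecurityPolicy suite names follow <cipher>[Sha256][Rsa15].
SUITE_RE = re.compile(r"^(Basic128|Basic192|Basic256|TripleDes)(Sha256)?(Rsa15)?$")

def decode_suite(name):
    """Map an algorithm suite name to the primitives WS-SecurityPolicy assigns it."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unknown algorithm suite: {name!r}")
    cipher, sha256, rsa15 = m.groups()
    return {
        "encryption": "3DES" if cipher == "TripleDes" else "AES-" + cipher[5:],
        "digest": "SHA-256" if sha256 else "SHA-1",
        "key_wrap": "RSA-1_5" if rsa15 else "RSA-OAEP",
    }

def audit(policy):
    """Return findings for a dict of WSS Consumer settings (hypothetical key names)."""
    findings = []
    for field in ("encrypt_suite", "sign_suite", "saml_suite"):
        if field not in policy:
            continue
        alg = decode_suite(policy[field])
        if alg["encryption"] == "3DES":
            findings.append(f"{field}: 3DES (64-bit block cipher)")
        if alg["key_wrap"] == "RSA-1_5":
            findings.append(f"{field}: RSA PKCS#1 v1.5 key transport")
    # The signature digest is a separate drop-down, so it is checked on its own.
    for field in ("sign_digest", "saml_digest"):
        if policy.get(field, "").replace("-", "").upper() == "SHA1":
            findings.append(f"{field}: SHA-1 digest")
    if policy.get("saml_validity") == "forever":
        findings.append("saml_validity: assertion never expires")
    if not policy.get("timestamp_ttl_sec"):
        findings.append("timestamp_ttl_sec: no timestamp set on request")
    for field in ("verify_signature", "verify_timestamp"):
        if not policy.get(field, False):
            findings.append(f"{field}: response check disabled")
    return findings

# Constructed sample settings, not exported from a real project.
WEAK = {"encrypt_suite": "TripleDesRsa15", "sign_suite": "Basic128",
        "sign_digest": "SHA1", "saml_suite": "Basic128Sha256Rsa15",
        "saml_digest": "SHA256", "saml_validity": "forever", "verify_signature": True}
STRICT = {"encrypt_suite": "Basic256Sha256", "sign_suite": "Basic256Sha256",
          "sign_digest": "SHA-256", "saml_suite": "Basic256Sha256",
          "saml_digest": "SHA512", "saml_validity": 300, "timestamp_ttl_sec": 300,
          "verify_signature": True, "verify_timestamp": True}
```

Calling `audit(WEAK)` returns one finding per legacy setting, while `audit(STRICT)` returns an empty list.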
 
			 
 
		  
Copyright © Cloud Software Group, Inc. All rights reserved.