For web services, you can complete decryption by using an X.509 certificate token.
X.509 certificate token decryption for incoming SOAP message Confidentiality is supported in the following configurations:
Capability
Policy Enforcement Point (PEP) and direction.
Configured with a policy set and binding defining the message Confidentiality.
Trust Store or Policy Decision Point (PDP).
Decryption is not supported with external PDPs such as TFIM or LDAP.