Specifies the algorithm uniform resource identifier (URI) of the
key encryption method.
The following algorithms are supported:
- http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.
  When running with IBM® Software Development Kit (SDK) Version 1.4, the list
  of supported key transport algorithms does not include this one. This
  algorithm appears in the list of supported key transport algorithms when
  running with JDK 1.5 or later.
  By default, the RSA-OAEP algorithm uses the SHA1 message digest algorithm to
  compute a message digest as part of the encryption operation. Optionally,
  you can use the SHA256 or SHA512 message digest algorithm by specifying a
  key encryption algorithm property. The property name is:
  com.ibm.wsspi.wssecurity.enc.rsaoaep.DigestMethod.
  The property value is one of the following URIs of the digest method:
  - http://www.w3.org/2001/04/xmlenc#sha256
  - http://www.w3.org/2001/04/xmlenc#sha512
  By default, the RSA-OAEP algorithm uses a null string for the optional
  encoding octet string for the OAEPParams. You can provide an explicit
  encoding octet string by specifying a key encryption algorithm property.
  For the property name, you can specify
  com.ibm.wsspi.wssecurity.enc.rsaoaep.OAEPparams.
  The property value is the base 64-encoded value of the octet string.
  Important: You can set these digest method and OAEPParams properties on the
  generator side only. On the consumer side, these properties are read from
  the incoming SOAP message.
- http://www.w3.org/2001/04/xmlenc#rsa-1_5.
- http://www.w3.org/2001/04/xmlenc#kw-tripledes.
- http://www.w3.org/2001/04/xmlenc#kw-aes128.
- http://www.w3.org/2001/04/xmlenc#kw-aes192. To use the 192-bit key
  encryption algorithm, you must download the unrestricted Java™ Cryptography
  Extension (JCE) policy file.
  Restriction: Do not use the 192-bit key encryption algorithm if you want
  your configured application to be in compliance with the Basic Security
  Profile (BSP).
- http://www.w3.org/2001/04/xmlenc#kw-aes256. To use the 256-bit key
  encryption algorithm, you must download the unrestricted JCE policy file.
Note: If an InvalidKeyException error occurs and you are using the 192xxx
or 256xxx encryption algorithm, the unrestricted policy files might not exist
in your configuration.
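The following added example illustrates why the consumer must take the RSA-OAEP digest method and OAEPParams from the incoming message rather than assume the defaults. It is generic JCE code, not IBM's implementation or code from this documentation; the class name, the "demo-label" octet string and the throwaway key pair are constructed for the illustration, and it needs Java 8 or later for java.util.Base64.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class OaepParamsDemo {
    // xmlenc#rsa-oaep-mgf1p fixes the mask function to MGF1 with SHA-1; only the
    // message digest and the encoding octet string (OAEPParams) can vary.
    static Cipher oaep(int mode, Key key, String digest, byte[] oaepParams)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPPadding");
        c.init(mode, key, new OAEPParameterSpec(digest, "MGF1",
                MGF1ParameterSpec.SHA1, new PSource.PSpecified(oaepParams)));
        return c;
    }

    // True only if decryption with the given digest and octet string yields the key.
    static boolean recovers(Key priv, String digest, byte[] oaepParams,
                            byte[] wrapped, byte[] cek) {
        try {
            Cipher c = oaep(Cipher.DECRYPT_MODE, priv, digest, oaepParams);
            return Arrays.equals(c.doFinal(wrapped), cek);
        } catch (GeneralSecurityException e) {
            return false; // wrong digest or octet string: OAEP decoding fails
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();   // throwaway demo key pair
        byte[] cek = new byte[16];            // stand-in for the transported key
        new SecureRandom().nextBytes(cek);
        byte[] octets = "demo-label".getBytes(StandardCharsets.UTF_8); // constructed
        System.out.println("OAEPparams value: " + Base64.getEncoder().encodeToString(octets));

        // Generator side: SHA256 digest method plus an explicit octet string.
        byte[] wrapped = oaep(Cipher.ENCRYPT_MODE, kp.getPublic(), "SHA-256", octets).doFinal(cek);

        // Consumer using the parameters carried in the message, then the defaults.
        System.out.println("message parameters: "
                + recovers(kp.getPrivate(), "SHA-256", octets, wrapped, cek));
        System.out.println("default parameters: "
                + recovers(kp.getPrivate(), "SHA-1", new byte[0], wrapped, cek));
    }
}
```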
Java Cryptography Extension
By default, the Java Cryptography Extension (JCE) is shipped with restricted
or limited strength ciphers. To use 192-bit and 256-bit Advanced Encryption
Standard (AES) encryption algorithms, you must apply unlimited jurisdiction
policy files.
Note: Before downloading these policy files, back up the existing policy
files (local_policy.jar and US_export_policy.jar in the
WAS_HOME/jre/lib/security/ directory) so that you can restore the original
files later if you overwrite them.
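One way to confirm which policy files a JVM is actually running with, before or after replacing them, is to ask the JCE directly. This is an added example using standard JCE calls, not code from the product documentation; the class and method names are hypothetical, and the all-zero keys are test values only.

```java
import java.security.InvalidKeyException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class JcePolicyCheck {
    // Returns true if a key-encryption key of the given size is accepted for
    // AES key wrap. Under the restricted policy files, Cipher.init rejects
    // 192-bit and 256-bit keys with InvalidKeyException.
    static boolean wrapAllowed(int bits) throws Exception {
        SecretKeySpec kek = new SecretKeySpec(new byte[bits / 8], "AES"); // all-zero test key
        SecretKeySpec cek = new SecretKeySpec(new byte[16], "AES");       // key to be wrapped
        Cipher c = Cipher.getInstance("AESWrap");
        try {
            c.init(Cipher.WRAP_MODE, kek);
            // AES key wrap output is the input length plus 8 bytes.
            return c.wrap(cek).length == 24;
        } catch (InvalidKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Integer.MAX_VALUE means no limit; a smaller value such as 128
        // means a restricted policy is in effect.
        System.out.println("max AES key length: " + Cipher.getMaxAllowedKeyLength("AES"));
        for (int bits : new int[] {128, 192, 256}) {
            System.out.println("kw-aes" + bits + ": "
                    + (wrapAllowed(bits) ? "usable" : "blocked by policy"));
        }
    }
}
```

Run it with the same JVM that the application server uses, because the policy files are read from that JVM's jre/lib/security/ directory.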
Application server platforms and IBM Developer Kit, Java Technology Edition Version 1.4.2
To download the policy files, complete one of the following sets of steps:
After following either of these sets of steps, two Java archive
(JAR) files are placed in the Java virtual machine (JVM)
jre/lib/security/ directory.
i5/OS operating system and IBM Software Development Kit 1.4
For the i5/OS operating system and IBM Software Development Kit Version 1.4,
the tuning of Web services security is not required. The unrestricted jurisdiction
policy files for the IBM Software Development Kit Version 1.4 are automatically
configured when the prerequisite software is installed.
For the i5/OS operating system V5R3 and IBM Software Development Kit
Version 1.4, the unrestricted jurisdiction policy files for the IBM Software
Development Kit Version 1.4 are automatically configured by installing product
5722AC3, Crypto Access Provider 128-bit.
For the i5/OS operating system V5R4 and IBM Software Development
Kit Version 1.4, the unrestricted jurisdiction policy files for the IBM Java Developer
Kit 1.4 are automatically configured by installing product 5722SS1 Option
3, Extended Base Directory Support.
i5/OS operating system and IBM Software Development Kit 1.5
For i5/OS (both V5R3 and V5R4) and IBM Software Development Kit 1.5, the
restricted JCE jurisdiction policy files are configured by default. You can
download the unrestricted JCE jurisdiction policy files from the following
Web site: Security information: IBM J2SE 5 SDKs
To configure the unrestricted jurisdiction policy files for the i5/OS
operating system and the IBM Software Development Kit Version 1.5:
- Make backup copies of these files:
    /QIBM/ProdData/Java400/jdk15/lib/security/local_policy.jar
    /QIBM/ProdData/Java400/jdk15/lib/security/US_export_policy.jar
- Download the unrestricted policy files from IBM developer kit: Security
  information to the /QIBM/ProdData/Java400/jdk15/lib/security directory.
  - Go to this Web site: IBM developer kit: Security information
  - Click J2SE 5.0.
  - Scroll down and click IBM SDK Policy files. The Unrestricted JCE Policy
    files for the SDK Web site is displayed.
  - Click Sign in and provide your IBM intranet ID and password.
  - Select the appropriate unrestricted JCE policy files, and then click
    Continue.
  - View the license agreement, and then click I Agree.
  - Click Download Now.
- Use the DSPAUT command to ensure that *PUBLIC is granted *RX data authority
  and that no object authority is provided, for both the local_policy.jar and
  the US_export_policy.jar files in the
  /QIBM/ProdData/Java400/jdk15/lib/security directory. For example:
    DSPAUT OBJ('/qibm/proddata/java400/jdk15/lib/security/local_policy.jar')
- Use the CHGAUT command to change authorization, if needed. For example:
    CHGAUT OBJ('/qibm/proddata/java400/jdk15/lib/security/local_policy.jar') USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*NONE)