TEC Workbook - IBM
Lab 3 Securing XML Message Content using WS-Security
Prerequisites: This lab requires the completion of labs 1 and 2.
IBM Software
In this lab, you'll be adding a few new processing rules to your multi-protocol gateway's processing policy to demonstrate various security features.
Upon completing this lab, you'll have a better understanding of:
● Private keys and public certs.
● How WebSphere DataPower handles digital keys and certificates.
● Support for WS-Security digital signatures, encryption, and decryption.
● Field-level encryption.
● The built-in authentication and authorization framework.
● Connecting to an LDAP server.
● Configuring SSL.
3.1 Public Key Infrastructure (PKI)
In the digital world, public and private keys are often employed to perform cryptographic operations, such as encryption of message data. The use of key pairs (public/private) is known as asymmetric encryption. It is vital that the private key is protected, while its public counterpart, the public key (often carried in a certificate), can be freely distributed. Certificates are typically validated by a Certificate Authority (CA). In the event that an authority needs to revoke a previously distributed certificate, it adds the revoked certificate to a globally published certificate revocation list (CRL).
On DataPower, public certificates and private keys are wrapped in crypto objects so that there is one level of indirection when using them. For example, when you upload a public certificate, it will be wrapped in a Crypto Certificate object. When a service object needs to use that public certificate, it will reference it using the crypto certificate instead of the actual certificate file. The following image shows a signing action that references a crypto key and crypto cert when digitally signing a message.
[Figure: a signing action referencing a Crypto Key (which wraps the private key) and a Crypto Certificate (which wraps the public certificate)]
This single level of indirection allows the underlying key or certificate to be replaced without the need to reconfigure any services that are using it.
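The same indirection expressed in the DataPower command-line `crypto` configuration mode, as an added illustration rather than part of the lab steps; the object names (lab3-signing-key, lab3-signing-cert) and the file names under cert:/// are constructed for this example, and the command forms are given from the DataPower CLI as the editor recalls them, not from this workbook:

```text
top
configure terminal
crypto
key lab3-signing-key cert:///lab3-privkey.pem
certificate lab3-signing-cert cert:///lab3-pubcert.pem
exit
write memory
```

A sign action is configured against the object names lab3-signing-key and lab3-signing-cert, never against the .pem files; when the key pair is later rotated, re-issuing the `key` and `certificate` commands with the same object names and the new file names (for example cert:///lab3-privkey-new.pem) repoints the objects while every service that references them stays untouched.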
Lab 3 - Securing XML Message Content using WS-Security Page 53