Configuring Policies 11-3 ■ Add the required public and private keys to the keystores of the clients and services. This step requires you to configure the keystore, as described in Configuring Keystores for Message Protection on page 10-8. Message Protection Basics Message protection encompasses two concepts, message confidentiality and message integrity . Message confidentiality involves keeping the data secret, as well as the identities of the sending and receiving parties. Confidentiality is achieved by encrypting the content of messages and obfuscating the identities of the sending and receiving parties. The sender uses the recipients public key to encrypt the message. Only the recipients private key can successfully decrypt the message, ensuring that it cannot be read by third parties while in transit. The Web services base64-encoded public certificate is published in the WSDL for use by the Web service client, as described in Using Service Identity Certification Extension on page 10-37. Message integrity is achieved by having an authority digitally sign the message. Digital signatures are used to authenticate the sender of the SOAP message and to ensure the integrity of the SOAP message that is, to ensure that the SOAP message is not altered while in transit. When a digital signature is applied to a SOAP message, a unique hash is produced from the message, and this hash is then encrypted with the senders private key. When the message is received, the recipient decrypts the hash using the senders public key. This serves to authenticate the sender, because only the sender could have encrypted the hash with the private key. It also serves to ensure that the SOAP message has not been tampered with while in transit, because the recipient can compare the hash sent with the message with a hash produced on the recipients end. The message-protection assertion templates and predefined policies can be used to protect request and response messages by doing the following: ■ Signing messages ■ Encrypting messages ■ Signing and encrypting messages ■ Decrypting messages ■ Verifying signatures ■ Decrypting messages and verifying signatures The Fusion Middleware Control user interface for the predefined message protection policies makes it easy to specify which message parts are signed, encrypted, or both. You can require that the entire body be signed, encrypted, or both, or identity specific header and body elements. The following is an example of partial encryption. Note: Generally, the recipient does not need to have the sender’s public key in its keystore to validate the certificate. It is sufficient to have the root certificate in the keystore to verify the certificate chain. However, if the senders public key is not present in the message, as in the case of the Thumbprint and SerialIssuer mechanisms, the sender’s public key must be in the recipient’s keystore. 11-4 Oracle Fusion Middleware Security and Administrators Guide for Web Services Example for Partial Encryption In this example, a part of the SOAP message is encrypted using Fusion Middleware Control:

1. Create a simple Web service that approves a credit card number cardNr. A

sample payload is shown in Example 11–1 . Example 11–1 Example of a Payload soapenv:Body wsu:Id=Body-2grW1pYwjwsoskbLuMJZzg22 xmlns:wsu=http:docs.oasis-open.orgwss200401oasis-200401-wss-ws security-utility-1.0.xsd aaav:validateTheCard xmlns:aaav=http:aaavalidatecred aaav:cardNrstringaaav:cardNr aaav:firstNamestringaaav:firstName aaav:lastNamestringaaav:lastName aaav:validUntilDatestringaaav:validUntilDate aaav:validateTheCard soapenv:Body 2. In Fusion Middleware Control, select a message protection policy and click Edit. 3. In the Settings tab, select the Request tab. 4. In the Message Encrypt Setting section, deselect Include Entire Body Figure 11–1 . 5. Expand Body Elements and click Add. 6. Enter the Namespace and the Element Name. In this example, only the card number is encrypted as follows: Namespace = http:aaavalidatecred Element Name = aaav:cardNr For more information on other fields in the Edit Policy page, see Table C–91 . Example 11–2 shows what the policy would look like. Example 11–2 Sample Policy with Partial Encryption orasp:encrypted-elements orasp:element orasp:namespace=http:aaavalidatecred orasp:name=cardNrnaorasp:element orasp:encrypted-elements 7. Click Yes to add the Body Elements and Save to save the modified policy.