Using the WS-Security Message Policy

Learn about the WS-Security Message Policy and policy configuration options.

About Policies Managing Policies About Operational Policies

For information about using policies in the context of the developer portal, see Business Policies.

Table of Contents

  1. About the WS-Security Message policy
  2. Creating a WS-Security Message policy
  3. Configuring a WS-Security Message policy
  4. Modify WS-Security Message Policy Signature Options
  5. Modify WS-Security Message Policy Encryption Options
  6. Modify WS-Security Message Policy Required Content Options
  7. View WS-Security Message Policy Details

About the WS-Security Message policy

The WS-Security Message Policy is used to configure message-level Confidentiality Assertions (EncryptParts and EncryptElements).

For more information about the function aspects of this policy, refer to the Protection Assertions > Confidentiality Assertions section of the applicable version of the WS-Security specification:

back to top

Creating a WS-Security Message policy

The first step in creating a policy is to define the basic policy information. Then, you can configure the policy details.

To add an operational policy
  1. Go to Workbench > Browse > Organization, and select Policies > Operational Policies. The Policies Summary is displayed.
  2. Click Add Policy.
  3. Choose the policy type and click Next.
  4. Specify a name (required) and description (optional) and click Finish. At the Completion Summary, Click Close. The Add Policy Wizard creates a draft policy instance that you can then configure on the Policy Details page.

For more information, see Add Policy.

back to top

Configuring a WS-Security Message policy

To configure a WS-Security Message policy
  1. Go to Workbench > Browse > Organization and select the Policies > Operational Policies folder. The Policies Summary is displayed.
  2. Find the policy on the list and double-click to go to the Details page for the policy.
  3. In the second panel, click Modify to access the Modify WS-Security Message Policy wizard.
  4. In the Modify WS-Security Message Policy Options page, choose the version of the WS-Security Message specification that the policy will use (1.1 or 1.2), as shown below, and then click Next.

    WS-Security Message Policy Options page

  5. In the Modify WS-Security Message Policy Signature Options page, specify signature settings and then click Next. For details about the options available, see Modify WS-Security Message Policy Signature Options below.
  6. In the Modify WS-Security Message Policy Encryption Options page, specify signature settings and then click Next. For details about the options available, see Modify WS-Security Message Policy Encryption Options below.
  7. In the Modify WS-Security Message Policy Required Content Options page, specify required elements and namespace prefixes. For details about the options available, see Modify WS-Security Message Policy Required Content Options below.
  8. Click Finish and then click Close.

back to top

Modify WS-Security Message Policy Signature Options

WS-Security Message Policy, Signature Options page

The Modify WS-Security Message Policy Signature Options page allows you to identify parts and/or elements of the message that should be signed.

Sign Parts
Indicates that there are specific parts of the message, outside of the security headers, that should be signed. Checked by default. For details, refer to the SignedParts Assertion section of the WS-Security specification (link is v1.2).
Include Body
Indicates whether the body of the message should be signed. Default: checked. You can also add or delete line items (Namespace and Local Part). The namespace must be a valid URI.
Sign Elements
Check the box if you want to define specific elements in the message that should be signed, and then specify one or more elements in the form of an XPath expression. If you need to modify an element, delete it and add another. For details, refer to the SignedElements Assertion section of the WS-Security specification (link is v1.2).
Namespace Prefixes
Check the box if you want to define specific namespace prefixes. Content from these namespaces will be signed. Click Add, and add a valid prefix, and then the full URL of the namespace. You can add or delete multiple namespace prefixes.

back to top

Modify WS-Security Message Policy Encryption Options

WS-Security Message Policy, Encryption Options page

The Modify WS-Security Message Policy Encryption Options page includes the options listed below.

Encrypt Parts
Indicates that there are specific parts that should be encrypted. Checked by default. For details, refer to the EncryptedParts Assertion section of the WS-Security specification (link is v1.2).
Include Body
Indicates whether the body of the message should be encrypted. Default: checked. You can also add or delete line items (Namespace and Local Part).
Encrypt Elements
A table that lists elements in the message that should be encrypted. Each value on the list is an XPath expression identifying message elements. Check the box if elements should be encrypted. You can add or delete one or more XPath expressions. For details, refer to the EncryptedElements Assertion section of the WS-Security specification (link is v1.2).
Namespace Prefixes
A list of elements in the message that should be encrypted. Each value on the list is an XPath expression identifying message elements. You can add or delete multiple namespace prefixes. Each line item includes two values, Prefix and Namespace.

back to top

Modify WS-Security Message Policy Required Content Options

WS-Security Message Policy, Required Content Options page

The Modify WS-Security Message Policy wizard, Modify WS-Security Message Policy Required Content Options page, includes the options listed below.

Required Parts (WS-Security Policy 1.2 only)
Check the box if you prefer to define one or more RequiredParts assertions, an alternative to the RequiredElements assertion based on QNames rather than XPath, to define header elements that are required to be present in the message. Click Add, and then define Namespace and Local Part. For more information, refer to the RequiredParts Assertion section of the WS-Security 1.2 specification.
Required Elements
Add information about elements in the message that are required. Each value on the list is an XPath expression identifying required content. You can add or delete one or more XPath expressions. For details, refer to the RequiredElements Assertion section of the WS-Security specification version 1.0 (section 4.3.1, page 23).
Namespace Prefixes
A list of elements in the message that should include the required content. Each value on the list is an XPath expression. You can add or delete multiple namespace prefixes. Each line item includes two values, Prefix and Namespace.

back to top

View WS-Security Message Policy Details

To view the WS-Security Service policy details
  1. Go to Workbench > Browse > Organization, and select Policies > Operational Policies. The Policies Summary is displayed.
  2. Find the policy on the list and double-click to go to the Details page for the policy.

Back to top