Require Encrypted UsernameToken Profile Credentials Assertion
The Require Encrypted UsernameToken Profile Credentials assertion requires an encrypted Username Token element to be present and that it be encrypted with the same key that was used to sign the timestamp or other parts of the message. This provides message level security without requiring a client certificate. The client creates a new symmetric key and encrypts it for the server. The encrypted symmetric key prevents the UsernameToken from being intercepted and attached to another message.
This assertion only ensures that the client credentials are encrypted with the same key that was used elsewhere in the message. To enforce the signing or encryption of other parts of the message, include one or more of the following assertions in the policy: Require SSL or TLS Transport, Sign Element, or Encrypt Element. If response security is configured, the response security will attempt to use (by reference) the session key used by the client in the request.
The Require Encrypted UsernameToken Profile Credentials assertion requires message security features contained in WS-Security version 1.1 or later.
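The key binding this assertion depends on, as an added example that is not part of the Gateway product or of this page: a structural check over a constructed WS-Security header (ciphertext and digests omitted) that confirms the EncryptedData carrying the UsernameToken is keyed by the same EncryptedKey as the Signature covering the Timestamp. The element ids EK-1, TS-1 and ED-1 are constructed, and only the Python standard library is used.

```python
"""Added example, not Gateway code: a structural check of the property this
assertion enforces.  The UsernameToken must arrive as EncryptedData bound to
the same EncryptedKey (client session key) that keys the Signature over the
Timestamp.  The header below is constructed; ciphertext and digests are omitted."""
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
XENC = "{http://www.w3.org/2001/04/xmlenc#}"
WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"

# Constructed WS-Security header: EncryptedKey EK-1 keys both the EncryptedData
# (the encrypted UsernameToken) and the Signature that covers the Timestamp.
SECURITY_HEADER = f"""<wsse:Security xmlns:wsse="{WSSE[1:-1]}" xmlns:wsu="{WSU[1:-1]}"
    xmlns:ds="{DS[1:-1]}" xmlns:xenc="{XENC[1:-1]}">
  <xenc:EncryptedKey Id="EK-1"><xenc:ReferenceList>
    <xenc:DataReference URI="#ED-1"/></xenc:ReferenceList></xenc:EncryptedKey>
  <wsu:Timestamp wsu:Id="TS-1"/>
  <xenc:EncryptedData Id="ED-1"><ds:KeyInfo><wsse:SecurityTokenReference>
    <wsse:Reference URI="#EK-1"/></wsse:SecurityTokenReference></ds:KeyInfo></xenc:EncryptedData>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#TS-1"/></ds:SignedInfo>
    <ds:KeyInfo><wsse:SecurityTokenReference>
    <wsse:Reference URI="#EK-1"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
</wsse:Security>"""

def _str_key_id(key_info):
    """Id named by KeyInfo/SecurityTokenReference/Reference (without '#'), or None."""
    if key_info is None:
        return None
    ref = key_info.find(f"{WSSE}SecurityTokenReference/{WSSE}Reference")
    return None if ref is None else (ref.get("URI", "").lstrip("#") or None)

def check_encrypted_username_token(header_xml):
    """Return (ok, reason); ok only when every condition the assertion needs holds."""
    sec = ET.fromstring(header_xml)
    if sec.find(f".//{WSSE}UsernameToken") is not None:
        return False, "UsernameToken is present in cleartext"
    sig = sec.find(f"{DS}Signature")
    if sig is None:
        return False, "no Signature in the Security header"
    signed = {r.get("URI", "").lstrip("#") for r in sig.iter(f"{DS}Reference")}
    ts = sec.find(f"{WSU}Timestamp")
    if ts is None or ts.get(f"{WSU}Id") not in signed:
        return False, "Timestamp missing or not covered by the Signature"
    key_id = _str_key_id(sig.find(f"{DS}KeyInfo"))
    if key_id is None or not any(ek.get("Id") == key_id for ek in sec.iter(f"{XENC}EncryptedKey")):
        return False, "Signature is not keyed by an EncryptedKey in this header"
    # Key binding only: that the plaintext really is a UsernameToken can only be
    # confirmed after decrypting with the session key, which is not done here.
    for ed in sec.iter(f"{XENC}EncryptedData"):
        if _str_key_id(ed.find(f"{DS}KeyInfo")) == key_id:
            return True, f"{ed.get('Id')} is encrypted under signing key {key_id}"
    return False, "no EncryptedData is encrypted under the signing session key"
```

A token encrypted under a different key than the one that signed the Timestamp, or a Timestamp left out of the signature, fails the check, which is the rebinding the assertion is meant to reject.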
To learn about selecting the target message for this assertion, see Selecting a Target Message.
To learn more about changing the WSS Recipient for this assertion, see Changing the WSS Assertion Recipient.
Using the Assertion
1. Do one of the following:
   - To add the assertion to the Policy Development window, see Adding an Assertion.
   - To change the configuration of an existing assertion, proceed to step 2 below.
2. Right-click "<target>: Require Encrypted UsernameToken Profile Credentials" in the policy window and select "Require Encrypted UsernameToken Profile Credentials Properties", or double-click the assertion in the policy window. The assertion properties are displayed.
3. By default, all encryption methods are permitted. To choose specific methods to permit in the target message, select the "Specify permitted encryption methods" check box and then select the appropriate check boxes next to: AES 128 CBC, AES 192 CBC, AES 256 CBC, Triple DES, AES 128 GCM, AES 256 GCM. If your security provider does not support the "AES-GCM" encryption options, encryption/decryption attempts may fail at runtime if these options are selected.
4. Click [OK].