How to Encrypt and Decrypt Specific Fields of Messages

Note:

  • You must decrypt PIIs when an encrypted message leaves the composite. If you attach a PII policy to a service binding component and do not attach a PII policy to a reference binding component, PIIs in the outbound message are not decrypted. This is not a recommended practice, and you receive a runtime error.

  • PIIs encrypted in one SOA composite application cannot be decrypted in another SOA composite application.

To encrypt and decrypt specific fields of messages:

  1. Right-click a service binding component, and select Protect Sensitive Data > Encrypt Request Data.

    The PII Configuration dialog is displayed, as shown in Figure 47-12.

    You must now perform the initial encryption on the incoming message.

    Figure 47-12 PII Configuration Dialog for Encryption

  2. Click the Edit icon to identify the elements in the schema to encrypt.

    The Input tab of the Select fields to encrypt dialog is displayed.

  3. Click the Add icon to create an XPath expression that identifies the fields of the request message to encrypt (for example, a user's name, credit card number, or social security number).
  4. Click the CSF tab.
  5. Select the credential store framework (CSF) key to use. The credential store is used for the secure storage of credential keys.

    After encryption is complete, the message proceeds through the service components of the SOA composite application.

    When the message reaches a reference binding component and is ready to exit the SOA composite application, you must decrypt the encrypted message.

  6. Right-click the reference binding component, and select Decrypt Sensitive Data. Figure 47-13 provides details.

    Figure 47-13 PII Configuration Dialog for Decryption

  7. Click the Edit icon.

    The Input tab of the Select fields to decrypt dialog is displayed. For asynchronous processes, there are two steps: one for the input message and one for the output message.

  8. Click the Add icon to invoke the Expression Builder dialog for creating an XPath expression that identifies the fields to decrypt (for example, a credit card number or driver's license field).
  9. Click OK when complete.

    After configuring composites with oracle/pii_security_policy, you must add keys and user credentials to the credential store.

  10. Use the createCred WLST command to create entries in the oracle.wsm.security credential map for any csf-key user credentials.
    connect("weblogic", "password", "t3://myAdminServer.example.com:7001")

    createCred(map="oracle.wsm.security", key="pii-csf-key", user="weblogic",
               password="password", desc="Key for pii_security_policy")


    If you do not perform this task, the following error occurs:

    oracle.wsm.security.SecurityException: WSM-00016 : The username/password credentials or certificates pii-csf-key are missing.
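The following WLST script is an added example, not part of the Oracle documentation: it performs step 10 in a re-runnable way by creating the csf-key credential if it is absent, updating it if it already exists, and then listing the entry so you can confirm the key the PII policy references is in place before deploying. The admin server URL, the weblogic account and the script file name are assumptions; the map name and key name are the ones used on this page.

```wlst
# add_pii_csf_key.py (hypothetical name) - run with: wlst.sh add_pii_csf_key.py
# Added example for creating the credential that oracle/pii_security_policy looks up.
# Replace the placeholder account and URL with values for your domain.

MAP_NAME  = "oracle.wsm.security"                 # OWSM credential map (from the page)
CSF_KEY   = "pii-csf-key"                         # csf-key chosen on the CSF tab (from the page)
ADMIN_URL = "t3://myAdminServer.example.com:7001" # assumed admin server URL
USER      = "weblogic"                            # placeholder credential owner
PASSWORD  = "password"                            # placeholder; do not ship real secrets in scripts

connect(USER, PASSWORD, ADMIN_URL)

# Assumption: createCred raises an exception when the key already exists in the map,
# so fall back to updateCred to keep the script idempotent across re-runs.
try:
    createCred(map=MAP_NAME, key=CSF_KEY, user=USER, password=PASSWORD,
               desc="Key for pii_security_policy")
    print "Created credential %s/%s" % (MAP_NAME, CSF_KEY)
except:
    updateCred(map=MAP_NAME, key=CSF_KEY, user=USER, password=PASSWORD,
               desc="Key for pii_security_policy")
    print "Updated existing credential %s/%s" % (MAP_NAME, CSF_KEY)

# listCred prints the stored entry (without the password). If no entry is shown,
# composites using the policy fail at runtime with WSM-00016 as described above.
listCred(map=MAP_NAME, key=CSF_KEY)

disconnect()
```

Because PIIs encrypted in one composite cannot be decrypted in another, keep the same csf-key and credential entry for every composite that is expected to exchange such messages within a domain.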