Require Encrypted UsernameToken Profile Credentials Assertion

The Require Encrypted UsernameToken Profile Credentials assertion requires an encrypted Username Token element to be present and that it be encrypted with the same key that was used to sign the timestamp or other parts of the message. This provides message level security without requiring a client certificate. The client creates a new symmetric key and encrypts it for the server. The encrypted symmetric key prevents the UsernameToken from being intercepted and attached to another message.
This assertion only ensures that client credentials are encrypted using the same key that was used elsewhere in the message. To enforce the signing or encryption of other parts of a message, you need to include one or more of the following assertions in the policy: Require SSL or TLS Transport, Sign Element, or Encrypt Element. If response security is configured, the response security will attempt to use (by reference) the session key used by the client in the request.
The Require Encrypted UsernameToken Profile Credentials assertion requires message security features contained in WS-Security version 1.1 or later.
To learn about selecting the target message for this assertion, see Selecting a Target Message.
To learn more about changing the WSS Recipient for this assertion, see Changing the WSS Assertion Recipient.
Using the Assertion
  1. Do one of the following:
    • To add the assertion to the Policy Development window, see Adding an Assertion.
    • To change the configuration of an existing assertion, proceed to step 2 below.
  2. Right-click the <target>: Require Encrypted UsernameToken Profile Credentials in the policy window and select Require Encrypted UsernameToken Profile Credentials Properties, or double-click the assertion in the policy window. The assertion properties are displayed.
  3. By default, all encryption methods are permitted. To choose specific methods to permit in the target message, select the Specify permitted encryption methods check box and select the appropriate check boxes next to:
    • AES 128 CBC
    • AES 192 CBC
    • AES 256 CBC
    • Triple DES
    • AES 128 GCM
    • AES 256 GCM
    If your security provider does not support the AES-GCM encryption options, encryption or decryption attempts may fail at runtime when those options are selected.
  4. Click [OK].
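As an added illustration of what the assertion checks (this is not the gateway's own code), the following Python script performs the structural part of the check over a constructed WS-Security header: the signature must be keyed by an EncryptedKey carried in the header, that signature must cover the Timestamp, the same EncryptedKey must be the one that encrypted the token, and the data-encryption algorithm must be one of the methods listed in step 3. It assumes the encrypted UsernameToken appears as an element-level EncryptedData directly under the Security header, and it does no decryption or signature verification.

```python
import xml.etree.ElementTree as ET

NS = {"wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "xenc": "http://www.w3.org/2001/04/xmlenc#", "ds": "http://www.w3.org/2000/09/xmldsig#"}
XENC, XENC11 = "http://www.w3.org/2001/04/xmlenc#", "http://www.w3.org/2009/xmlenc11#"
# Algorithm URIs behind the six check boxes in step 3; all are permitted by default.
PERMITTED = {XENC + "aes128-cbc", XENC + "aes192-cbc", XENC + "aes256-cbc",
             XENC + "tripledes-cbc", XENC11 + "aes128-gcm", XENC11 + "aes256-gcm"}

def check_header(security_xml, permitted=PERMITTED):
    """Structural pre-check of a wsse:Security header; returns (ok, reason).
    Decryption and signature verification are assumed to follow separately."""
    sec = ET.fromstring(security_xml)
    # The signing key must be an EncryptedKey carried in this same header.
    ref = sec.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    ek_id = (ref.get("URI", "") if ref is not None else "").lstrip("#")
    ek = next((e for e in sec.findall("xenc:EncryptedKey", NS) if e.get("Id") == ek_id), None)
    if ek is None:
        return False, "signature is not keyed by an EncryptedKey in this header"
    # The signature must cover the Timestamp.
    ts = sec.find("wsu:Timestamp", NS)
    signed = {r.get("URI", "").lstrip("#") for r in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    if ts is None or ts.get("{%s}Id" % NS["wsu"]) not in signed:
        return False, "timestamp is missing or not signed"
    # Assumption: before decryption the UsernameToken is an element-level EncryptedData in the
    # header. Each one must be covered by the same EncryptedKey and use a permitted algorithm.
    covered = {r.get("URI", "").lstrip("#") for r in ek.findall("xenc:ReferenceList/xenc:DataReference", NS)}
    tokens = sec.findall("xenc:EncryptedData", NS)
    if not tokens:
        return False, "no encrypted token in header"
    for ed in tokens:
        if ed.get("Id") not in covered:
            return False, "%s was not encrypted with the signing key" % ed.get("Id")
        alg = ed.find("xenc:EncryptionMethod", NS).get("Algorithm")
        if alg not in permitted:
            return False, "encryption method %s is not permitted" % alg
    return True, "ok"

# Constructed sample header; cipher values are placeholders, not real ciphertext.
SAMPLE = """<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s" xmlns:xenc="%s" xmlns:ds="%s">
 <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2024-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
 <xenc:EncryptedKey Id="EK-1"><xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>
  <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList></xenc:EncryptedKey>
 <xenc:EncryptedData Id="ED-1" Type="%sElement"><xenc:EncryptionMethod Algorithm="%saes128-cbc"/>
  <xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#TS-1"/></ds:SignedInfo><ds:KeyInfo>
  <wsse:SecurityTokenReference><wsse:Reference URI="#EK-1"/></wsse:SecurityTokenReference>
 </ds:KeyInfo></ds:Signature></wsse:Security>""" % (NS["wsse"], NS["wsu"], XENC, NS["ds"], XENC, XENC)
```

Passing only the GCM URIs as `permitted` reproduces the effect of ticking just the AES-GCM boxes in step 3: the sample, which uses AES 128 CBC, is then rejected.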