4.8.4.1: Running the security samples

The process for running the SOAP signed samples is identical to the process for running the non-signed samples. The soapsamples.ear must be installed, and the server must be started before these samples are invoked.

See article SOAP samples for information on installing the SOAP samples.

SOAP Signature

The client samples are included in the soapsamples.ear file. Do the following to locate and execute the samples:

  1. Change your directory (cd) to
    product_installation_root/installedApps/soapsamples.ear/ClientCode
    

    A set of batch files (or script files on UNIX platforms) has been included to facilitate running the client samples. These batch or script files are located in the nt_bat subdirectory on Windows NT, or in the unix_scripts subdirectory on UNIX platforms. These scripts set the classpath and supply parameters.

  2. Invoke the samples using the following scripts:
    DSigAddressSample localhost "c:\WebSphere\AppServer\installedApps\soapsamples.ear" "John B. Good"
    DSigMessageSample localhost "c:\WebSphere\AppServer\installedApps\soapsamples.ear" ..\data\msg1.xml

    If you run a script with no arguments (for example, DSigAddressSample), it prints help on how to use the sample and a description of the command line arguments that the script requires.
  3. View the output.

    For each sample, at the server, you should see that the signature of the request is validated. At the client, you should see that the signature of the response is validated.

    The validation results for both the client and server are logged to the following files, which are created in the product_installation_root/InstalledApps/soapsamples.ear/soapsec.war/logs directory:

    • SOAPVHH-all-cl.log
    • SOAPVHH-fail-cl.log
    • SOAPVHH-all-sv.log
    • SOAPVHH-fail-sv.log
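
A quick way to check the four logs after a run, as an added example that is not part of the original article. It assumes the SOAPVHH-fail-*.log files receive entries only when a signature fails validation (the page does not show the log format); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise the SOAP signature validation logs named above.
# Assumption: any content in a SOAPVHH-fail-*.log file means a failed validation.

# check_side LOGDIR SIDE   (SIDE is "cl" for the client, "sv" for the server)
# Returns 0 = validations logged and none failed, 1 = failures logged,
#         2 = nothing logged for that side.
check_side() {
    all="$1/SOAPVHH-all-$2.log"
    fail="$1/SOAPVHH-fail-$2.log"
    if [ -s "$fail" ]; then
        echo "$2: failed validations logged in $fail ($(wc -l < "$fail" | tr -d ' ') lines)"
        return 1
    fi
    if [ ! -s "$all" ]; then
        echo "$2: nothing in $all (sample not run, or wrong log directory)"
        return 2
    fi
    echo "$2: validations logged, no failures"
    return 0
}

# check_soap_logs LOGDIR
# Returns 1 if either side logged a failure, else 2 if either side logged
# nothing, else 0.
check_soap_logs() {
    failed=0
    missing=0
    for side in cl sv; do
        rc=0
        check_side "$1" "$side" || rc=$?
        case "$rc" in
            1) failed=1 ;;
            2) missing=1 ;;
        esac
    done
    if [ "$failed" -eq 1 ]; then return 1; fi
    if [ "$missing" -eq 1 ]; then return 2; fi
    return 0
}

# Demo on constructed logs; the entry text is made up for illustration.
demo=$(mktemp -d)
echo "constructed entry: request signature validated" > "$demo/SOAPVHH-all-sv.log"
echo "constructed entry: response signature validated" > "$demo/SOAPVHH-all-cl.log"
echo "constructed entry: response signature rejected" > "$demo/SOAPVHH-fail-cl.log"
check_soap_logs "$demo" || echo "exit status: $?"
rm -rf "$demo"
```

Against a real installation, pass the soapsec.war/logs directory given above as the argument to check_soap_logs.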

SOAP signature with SSL connection

Ensuring that a connection is over SSL is not specific to Web services. You must configure the Web server to ensure that the client to Web server connection is over SSL. You must also configure WebSphere Application Server to ensure that the Web server to WebSphere Application Server connection is over SSL.

Article Configuring SSL in WebSphere Application Server discusses how to configure SSL in WebSphere. See your Web server documentation for information on configuring the SSL server.

For testing purposes, sample client and server keystore databases are shipped with the SOAP samples. You must use the IBM Key Management Tool to extract the certificates located in files:

  • test
  • keystore
  • databases

Import the certificates into your key databases. See article, Tools for managing certificates and keys for more information on the IBM Key Management tool.

The test keystores are described in article Keystore files.

Export the client certificates from the test keystore file

Perform the following steps to export the client certificates:

  1. Invoke the Key Management Tool (IKeyman)
  2. From the file menu, select open
  3. Change directory (CD) to
    product_installation_root/InstalledApps/soapsamples.ear/soapsec.war/key/
  4. Select the SOAPClient keystore file.
    (The keystore password is "client".)
  5. Change the key database content type to "Signer Certificates".
  6. Highlight the soapca certificate.
  7. Click the Export button.
  8. Change the exported file name to "soapca.arm".
  9. Highlight the "intca1" certificate
  10. Click the Export button.
  11. Change the exported file name to "intca1.arm".

Import the certificates into the web server key database

  1. Invoke the Key Management Tool (IKeyman)
  2. From the file menu, select open (or new if you are creating a new keystore)
  3. Change directory (CD) to the directory where the keystore file is located.
  4. Select the file.
  5. For Signer Certificates, add the "intca1.arm" and the "soapca.arm" you exported in the previous section.
  6. For Personal Certificates, click Import.
  7. Specify a key type of PKCS12
  8. Browse to the sslserver.p12 file located in:
    product_installation_root/InstalledApps/soapsamples.ear/soapsec.war/key/
  9. Click OK
  10. .
  11. Enter "server" when prompted for a password.
  12. Select "sslserver" from the key list and press OK.
  13. Save the updated keystore file