You can configure the key information for the server-side and client-side
bindings by using an assembly tool. The key information on the consumer side
is used for specifying the information about the key that is used for validating
the digital signature in the received message or for decrypting the encrypted
parts of the message. The response consumer is configured for the client,
and the request consumer is configured for the server.
About this task
Complete the following steps. You must configure either the client-side
bindings in step 2 or the server-side bindings in step 3.
Procedure
- Start the assembly tool and click Window > Open Perspective > J2EE.
- Optional: Locate the client-side bindings using the
Project Explorer window. The Client Deployment Descriptor window
is displayed. This Web service contains the bindings that you must configure.
Complete the following steps to locate the client-side bindings:
- Expand the Web Services > Client section and double-click
the name of the Web service.
- Click the WS Binding tab and expand the Security Response
Consumer Binding Configuration section.
- Optional: Locate the server-side bindings using the
Project Explorer window. The Web Services Editor window is displayed.
This Web service contains the bindings that you must configure. Complete the
following steps to locate the server-side bindings:
- Expand the Web Services > Services section and double-click
the name of the Web service.
- Click the Binding Configurations tab and expand the Request
Consumer Binding Configuration Details section.
- Expand the Key Information section and click Add to add
a new entry or click Edit to edit a selected entry.
- Specify a name for this configuration in the Key information name
field. This configuration name is referenced by the Key information
element within the Signing Information and Encryption Information Dialog windows.
For more information, see Configuring signing information for the consumer binding with an assembly tool and Configuring encryption information for the consumer binding with an assembly tool.
- Select a key information type from the Key information type field.
The key information types specify different mechanisms for referencing
security tokens. The assembly tools support the following key information
types:
- STRREF: This type is the security token reference. The security token is directly
referenced using Uniform Resource Identifiers (URIs). The following <KeyInfo> element
is generated in the SOAP message for this key information type:
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="#mytoken" />
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
- EMB: This type is the embedded token. The security token is directly embedded
within the <SecurityTokenReference> element. The following <KeyInfo>
element is generated in the SOAP message for this key information type:
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Embedded wsu:Id="tok1">
          …
        </wsse:Embedded>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
- KEYID: This type is a key identifier. The security token is referenced using
an opaque value that uniquely identifies the token. The algorithm that is
used for generating the key identifier value depends upon the token type.
For example, a hash of the important elements of the security token is used
for generating the KeyIdentifier value. The following <KeyInfo> element
is generated in the SOAP message for this key information type:
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <wsse:SecurityTokenReference>
        <wsse:KeyIdentifier ValueType="wsse:X509v3">/62wXO...</wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
- KEYNAME: This type is the key name. The security token is referenced using a name
that matches an asserted identity within the token.
Note: To be compliant with the Basic Security Profile (BSP), do not use the KEYNAME
information type. A SECURITY_TOKEN_REFERENCE must not use a KEYNAME to reference
a SECURITY_TOKEN.
- X509ISSUER: This type is the X.509 certificate issuer name and serial number. The
security token is referenced by an issuer name and issuer serial number of
an X.509 certificate. The following <KeyInfo> element is generated in the
SOAP message for this key information type:
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <ds:X509Data>
          <ds:X509IssuerSerial>
            <ds:X509IssuerName>CN=Jones, O=IBM, C=US</ds:X509IssuerName>
            <ds:X509SerialNumber>1040152879</ds:X509SerialNumber>
          </ds:X509IssuerSerial>
        </ds:X509Data>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
- Select the Use key locator option. Complete the
following steps:
- Select the name of a key locator configuration from the Key
locator field. The value of this field is a reference to a key
locator that specifies how to find keys or certificates. For more information,
see Configuring the key locator for the consumer binding with an assembly tool.
- Optional: Specify a key name in the Key name field.
You do not need to specify the key name when you configure the key information
for the consumer.
- Optional: Select the Use token option and a
token consumer configuration in the Token field if a token consumer is required
for the key information configuration. The token that you select
specifies a reference to a token consumer that is used for processing the
security token within the message. A token consumer is required for all key
information types except the KEYNAME type. Before you specify a token reference,
you must configure a token consumer. For more information on token consumer
configurations, see Configuring token consumers with an assembly tool.
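As an added example (not IBM's code and not part of the assembly tool), the following Python shows what a consumer binding has to do with the key information types listed above before it can validate a signature or decrypt: classify the <ds:KeyInfo> reference form, resolve STRREF by wsu:Id within the same Security header, take EMB tokens from the reference itself, look KEYID and X509ISSUER up through a key locator, and reject KEYNAME when BSP compliance is enforced. The keystore dictionary, the resolve_* function names and the sample header are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET
NS = {  # standard XML-DSig and WS-Security 1.0 namespace URIs
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
def classify_keyinfo(keyinfo):
    """Map a <ds:KeyInfo> element to the assembly tool's key information type name."""
    ref = keyinfo.find("wsse:SecurityTokenReference", NS)
    if ref is None:
        raise ValueError("KeyInfo carries no SecurityTokenReference")
    for child, kind in (("wsse:Reference", "STRREF"), ("wsse:Embedded", "EMB"),
                        ("wsse:KeyIdentifier", "KEYID"), ("ds:KeyName", "KEYNAME"),
                        ("ds:X509Data/ds:X509IssuerSerial", "X509ISSUER")):
        if ref.find(child, NS) is not None:
            return kind
    raise ValueError("unsupported SecurityTokenReference form")

def resolve_token(security, keyinfo, keystore, bsp_strict=True):
    """Return (type, token-or-key); keystore is a hypothetical key locator with "keyid", "issuer_serial" and "keyname" maps."""
    kind = classify_keyinfo(keyinfo)
    ref = keyinfo.find("wsse:SecurityTokenReference", NS)
    if kind == "STRREF":  # URI points at a wsu:Id carried elsewhere in the Security header
        uri = ref.find("wsse:Reference", NS).get("URI", "")
        if not uri.startswith("#"):
            raise ValueError("only same-document (#id) references are resolved here")
        hits = [e for e in security.iter() if e.get(f"{{{NS['wsu']}}}Id") == uri[1:]]
        if len(hits) != 1:  # an ambiguous id must be rejected, never resolved to the first match
            raise LookupError(f"expected exactly one element with wsu:Id={uri[1:]}, found {len(hits)}")
        return kind, hits[0]
    if kind == "EMB":  # the token travels inside the reference itself
        return kind, ref.find("wsse:Embedded/*", NS)
    if kind == "KEYID":  # opaque identifier, resolved through the key locator
        return kind, keystore["keyid"][ref.findtext("wsse:KeyIdentifier", namespaces=NS).strip()]
    if kind == "X509ISSUER":  # issuer name plus serial number, also resolved through the key locator
        iss = ref.find("ds:X509Data/ds:X509IssuerSerial", NS)
        return kind, keystore["issuer_serial"][(iss.findtext("ds:X509IssuerName", namespaces=NS), iss.findtext("ds:X509SerialNumber", namespaces=NS))]
    if bsp_strict:  # KEYNAME is disallowed by the Basic Security Profile
        raise ValueError("KEYNAME reference rejected: not BSP-compliant")
    return kind, keystore["keyname"][ref.findtext("ds:KeyName", namespaces=NS)]

def resolve_from_xml(security_xml, keystore=None, bsp_strict=True):
    security = ET.fromstring(security_xml)  # parse a <wsse:Security> header, resolve its first KeyInfo
    return resolve_token(security, security.find(".//ds:KeyInfo", NS), keystore or {}, bsp_strict)

# Constructed sample: an STRREF KeyInfo pointing at a BinarySecurityToken in the same header.
SAMPLE_STRREF = f"""<wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
 <wsse:BinarySecurityToken wsu:Id="mytoken" ValueType="wsse:X509v3">BASE64-CERT-PLACEHOLDER</wsse:BinarySecurityToken>
 <ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#mytoken"/>
 </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security>"""
```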