You can configure the signing information for the server-side request
consumer and the client-side response consumer bindings at the application
level.
Before you begin
Best practice: The WebSphere® Application Server Version 6.1
Feature Pack for Web Services extends the capabilities of this product
to introduce support for the Java API for XML-Based Web Services (JAX-WS) 2.0 programming model.
JAX-WS is the next-generation Web services programming model, complementing
the foundation provided by the Java API for XML-based RPC (JAX-RPC) programming model. With the strategic
JAX-WS programming model, development of Web services and clients
is simplified through support of a standards-based annotations model.
Although the JAX-RPC programming model and applications are still
supported, take advantage of the easy-to-implement JAX-WS programming
model to develop new Web services applications and clients.
In
the server-side extensions file and the client-side deployment descriptor
extensions file, you must specify which parts of the message are signed. Also,
you must configure the key information that is referenced by the key information
references on the signing information panel within the administrative console.
About this task
WebSphere Application Server uses the signing information on the
consumer side to verify the integrity of the received SOAP message by validating
that the message parts are signed. Complete the following steps to configure
the signing information for the server-side request consumer and client-side
response consumer sections of the bindings files on the application level:
Procedure
- Access the administrative console.
To
access the administrative console, enter http://server_name:port_number/ibm/console in
your Web browser (or http://localhost:port_number/ibm/console when the browser
runs on the server itself), unless you have changed the port number.
- Click Applications > Enterprise applications > application_name.
- Under Manage modules, click URI_name.
- Under Web Services Security Properties, you can
access the signing information for the request consumer and response consumer
bindings.
- To configure the request consumer signing information, click Web services:
Server security bindings. Under Request consumer (receiver) binding, click Edit
custom.
- To configure the response consumer signing information, click Web services:
Client security bindings. Under Response consumer (receiver) binding,
click Edit custom.
- Under Required properties, click Signing information.
- Click New to create a signing information configuration,
click Delete to delete an existing configuration, or click the name
of an existing signing information configuration to edit its settings.
If you are creating a new configuration, enter a name in the Signing
information name field.
- Select a signature method algorithm from the Signature method field.
The signature method is the algorithm that is used to sign the canonicalized <SignedInfo>
element of the SOAP message, producing the <SignatureValue> element. The algorithm
that is specified for the consumer, which is either the request consumer or
the response consumer configuration, must match the algorithm specified for
the generator, which is either the request generator or response generator
configuration; a message signed with a different algorithm fails signature
verification on the consumer. WebSphere Application Server supports the following pre-configured
algorithms:
- Select a canonicalization method from the Canonicalization method
field. The canonicalization method algorithm is used to canonicalize
the <SignedInfo> element before it is incorporated as part of the digital
signature operation. The canonicalization algorithm that you specify for the
generator must match the algorithm for the consumer. WebSphere Application
Server supports the following pre-configured algorithms:
- Select a key information signature type from the Key information
signature type field. The key information signature type specifies
how the <KeyInfo> element in the SOAP message is digitally signed. WebSphere
Application Server supports the following signature types:
- None
- Specifies that the key is not signed.
- Keyinfo
- Specifies that the entire KeyInfo element is signed.
- Keyinfochildelements
- Specifies that the child elements of the KeyInfo element are signed.
If you do not specify one of the previous signature types,
WebSphere Application Server uses keyinfo by default. The key information
signature type for the consumer must match the signature type for the generator.
- Under Additional properties, click Key information references.
- Click New to create a key information reference or click
the name of an existing entry to edit its configuration. The Key
information references panel is displayed.
- Enter a name in the Name field.
- Select a key information reference in the Key information reference
field. This reference is the key information configuration name
that specifies the key information that is used by this signing information
configuration.
- Return to the Signing information panel. Under Additional properties,
click Part references. On the Part references panel, you
can specify references to the message parts that are defined in the deployment
descriptor extensions file.
- Click New to create a new Part reference or click the
name of an existing part reference to edit its configuration. The
Part reference panel is displayed.
- Enter a name in the Part name field. This name is
the name of the required integrity configuration in the deployment descriptor
extensions file and specifies the message parts that must be digitally signed.
- Select a digest method algorithm from the Digest method algorithm
field. The digest method is the hash that is computed over each referenced
message part and carried in the <DigestValue> element; it must match the
digest method used by the generator.
WebSphere Application Server supports the following pre-configured
algorithms:
- http://www.w3.org/2000/09/xmldsig#sha1
- http://www.w3.org/2001/04/xmlenc#sha256
- http://www.w3.org/2001/04/xmlenc#sha512
SHA-1 is no longer considered collision resistant; prefer the SHA-256 or
SHA-512 digest method for new configurations, provided the generator is
configured to use the same one.
If you want to specify a custom algorithm, you must configure
the custom algorithm in the Algorithm URI panel before setting the digest
method algorithm.
- Under Additional properties, click Transforms.
- Click New to create a new transform or click the name
of an existing transform to edit its configuration.
- Enter a name in the Transform name field.
- Select a transform algorithm from the Transform algorithm field.
WebSphere Application Server supports the following pre-configured algorithms:
The transform algorithm that you select for the consumer must match
the transform algorithm that you select for the generator. For each part reference
in the signing information, specify both a digest method algorithm and a transform
algorithm.
- Click OK.
- Click Save at the top of the panel to save your configuration.
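The checks that the signing information configured above drives on the consumer side, as an added example that is not WebSphere code: an allow-list for the canonicalization method, signature method, transforms and digest method, digest verification of each referenced part, verification of the <SignatureValue> over the canonicalized <SignedInfo>, and a final check that the parts the binding requires were actually covered. The example assumes HMAC-SHA256 in place of the RSA or DSA signature methods WebSphere would use and Python's built-in C14N 2.0 (Python 3.8 or later) in place of exclusive C14N; the SOAP message, the wsu:Id value "body" and the pre-shared key are constructed for the demonstration. A minimal generator is included so that the consumer has something to verify.

```python
# Added example, not WebSphere code: HMAC-SHA256 stands in for the RSA/DSA signature
# methods, stdlib C14N 2.0 for exclusive C14N; key, message and Ids are constructed.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
for _prefix, _uri in (("soapenv", SOAP), ("ds", DS), ("wsu", WSU)):
    ET.register_namespace(_prefix, _uri)  # same prefixes on both sides

HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
C14N2 = "http://www.w3.org/2010/xml-c14n2"

CONSUMER_BINDING = {  # must match the generator; required parts must be covered
    "signature_methods": {HMAC_SHA256},
    "c14n_methods": {C14N2},
    "transforms": {C14N2},
    "digest_methods": {SHA256},
    "required_parts": {"body"},  # wsu:Id values that must be signed
}

def require(cond, reason):
    if not cond:
        raise ValueError(reason)
def tag(local):
    return f"{{{DS}}}{local}"
def c14n(elem):
    # Canonical bytes of one subtree; serves as both transform and c14n method here.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()
def b64(elem, local):
    return base64.b64decode(elem.findtext(tag(local)))

def find_by_id(root, ref_id):
    # Exactly one match: a duplicate Id is the classic signature wrapping vector.
    hits = [el for el in root.iter() if el.get(f"{{{WSU}}}Id") == ref_id]
    require(len(hits) == 1, f"{len(hits)} elements carry wsu:Id={ref_id!r}")
    return hits[0]

def sign(envelope_xml, key, part_id="body"):
    # Generator side: one Reference to the part, ds:Signature placed in the Header.
    root = ET.fromstring(envelope_xml)
    sig = ET.Element(tag("Signature"))
    si = ET.SubElement(sig, tag("SignedInfo"))
    ET.SubElement(si, tag("CanonicalizationMethod"), Algorithm=C14N2)
    ET.SubElement(si, tag("SignatureMethod"), Algorithm=HMAC_SHA256)
    ref = ET.SubElement(si, tag("Reference"), URI="#" + part_id)
    ET.SubElement(ET.SubElement(ref, tag("Transforms")), tag("Transform"), Algorithm=C14N2)
    ET.SubElement(ref, tag("DigestMethod"), Algorithm=SHA256)
    digest = hashlib.sha256(c14n(find_by_id(root, part_id))).digest()
    ET.SubElement(ref, tag("DigestValue")).text = base64.b64encode(digest).decode()
    mac = hmac.new(key, c14n(si), "sha256").digest()
    ET.SubElement(sig, tag("SignatureValue")).text = base64.b64encode(mac).decode()
    root.find(f"{{{SOAP}}}Header").append(sig)
    return ET.tostring(root, encoding="unicode")

def verify(signed_xml, key, binding=CONSUMER_BINDING):
    # Consumer side: returns the set of signed part Ids, raises ValueError otherwise.
    root = ET.fromstring(signed_xml)
    sig = root.find(f"{{{SOAP}}}Header/" + tag("Signature"))
    require(sig is not None, "message is not signed")
    si = sig.find(tag("SignedInfo"))
    for field, allowed in (("CanonicalizationMethod", "c14n_methods"),
                           ("SignatureMethod", "signature_methods")):
        alg = si.find(tag(field)).get("Algorithm")
        require(alg in binding[allowed], f"{field} not allowed: {alg}")
    # SignatureValue over the canonical SignedInfo, compared in constant time.
    mac = hmac.new(key, c14n(si), "sha256").digest()
    require(hmac.compare_digest(mac, b64(sig, "SignatureValue")), "SignatureValue mismatch")
    signed_parts = set()
    for ref in si.findall(tag("Reference")):
        uri = ref.get("URI", "")
        require(uri.startswith("#"), f"only same-document references accepted: {uri!r}")
        used = {t.get("Algorithm") for t in ref.iter(tag("Transform"))}
        require(used <= binding["transforms"], f"transform not allowed: {used}")
        alg = ref.find(tag("DigestMethod")).get("Algorithm")
        require(alg in binding["digest_methods"], f"digest method not allowed: {alg}")
        digest = hashlib.sha256(c14n(find_by_id(root, uri[1:]))).digest()
        require(hmac.compare_digest(digest, b64(ref, "DigestValue")), f"digest mismatch {uri}")
        signed_parts.add(uri[1:])
    # A valid signature that does not cover the required parts is still a failure.
    missing = binding["required_parts"] - signed_parts
    require(not missing, f"required parts not signed: {sorted(missing)}")
    return signed_parts

def outcome(signed_xml, key):
    try:
        verify(signed_xml, key)
    except ValueError as e:
        return str(e)
    return "ok"

ENVELOPE = (f'<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsu="{WSU}"><soapenv:Header/>'
            '<soapenv:Body wsu:Id="body"><transfer><amount>100</amount></transfer>'
            '</soapenv:Body></soapenv:Envelope>')
KEY = b"constructed-shared-secret"  # constructed, as is ENVELOPE above
```

verify(sign(ENVELOPE, KEY), KEY) returns {"body"}; outcome() on a copy whose amount was edited, a copy whose SignatureMethod URI was swapped for hmac-sha1, or a copy with a second element carrying wsu:Id="body" returns the rejection reason instead of "ok". The coverage check at the end is the one most often missing in hand-written verifiers: a message carrying a valid signature over some other element must still be rejected when the binding requires the Body to be signed, which is what the Part references configured above express.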
Results
After completing these steps, you have configured the signing information
for the consumer.
What to do next
You must specify a similar signing information configuration for
the generator.