XML digital signature is one of the methods WebSphere Application
Server provides to secure your Web services. It provides message integrity
and authentication capabilities when used with SOAP messages.
Before you begin
Important: There is an important distinction between Version 5.x applications
and Version 6.0.x and later applications. The information in this article
applies only to Version 5.x applications that run on WebSphere Application
Server Version 6.0.x and later. It does not apply to Version 6.0.x and later
applications.
WebSphere Application Server provides
several different methods to secure your Web services; XML digital
signature is one of these methods. You can secure your Web services
by using any of the following methods:
- XML digital signature
- XML encryption
- BasicAuth authentication
- Identity assertion authentication
- Signature authentication
- Pluggable token
About this task
XML digital signature provides both message integrity and
authentication capabilities when it is used with SOAP messages. A
message receiver can verify that attackers or accidents have not altered
parts of the message after the message was signed by a key. If a message
has a digital certificate issued by a certificate authority (CA) and
a signature in the message is validated successfully by a public key
in the certificate, it is proof that the signer has the corresponding
private key. To use XML digital signature to secure Web services,
complete the following steps:
Procedure
- Define the security constraints or extensions. To configure the security
constraints, you must use an assembly tool. For more information, see Assembly
tools.
- Configure the client to digitally sign a message request. To configure the
client, complete the following steps to specify which parts of the SOAP
message to digitally sign and to define the method used to digitally sign the
message. The client in these steps is the request sender.
  - Specify the message parts by following the steps in Configuring the client
  for request signing: digitally signing message parts.
  - Select the method used to digitally sign the request message. You can
  select the digital signature method by following the steps in Configuring
  the client for request signing: choosing the digital signature method.
- Configure the server to verify the digital signature that is used in the
message request. To configure the server, you must specify which parts of the
SOAP message sent by the request sender contain digitally signed information
and which method was used to digitally sign the message. The settings chosen
for the request receiver (the server in this step) must match the settings
chosen for the request sender in the previous step.
  - Define the message parts by following the steps in Configuring the server
  for request digital signature verification: verifying message parts.
  - Select the same method that the request sender used to digitally sign the
  message. You can select the digital signature method by following the steps
  in Configuring the server for request digital signature verification:
  choosing the verification method.
- Configure the server to digitally sign a message response. To configure the
server, complete the following steps to specify which parts of the SOAP
message to digitally sign and to define the method used to digitally sign the
message. The sender in these steps is the response sender.
  - Specify which message parts to digitally sign by following the steps in
  Configuring the server for response signing: digitally signing message
  parts.
  - Select the method used to digitally sign the response message. You can
  select the digital signature method by following the steps in Configuring
  the server for response signing: choosing the digital signature method.
- Configure the client to verify the digital signature that is used in the
message response. To configure the client, you must specify which parts of the
SOAP message sent by the response sender contain digitally signed information
and which method was used to digitally sign the message. The settings chosen
for the response receiver (the client in this step) must match the settings
chosen for the response sender in the previous step.
  - Define the message parts by following the steps in Configuring the client
  for response digital signature verification: verifying message parts.
  - Select the same method that the response sender used to digitally sign
  the message. You can select the digital signature method by following the
  steps in Configuring the client for response digital signature
  verification: choosing the verification method.
- Define the client security bindings. To configure the client security
bindings, complete the steps in either of the following topics:
- Define the server security bindings. To configure the server security
bindings, complete the steps in either of the following topics:
Results
After completing these steps, you have secured your Web services
using XML digital signature.
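The sender/receiver pairing that the procedure configures declaratively is shown below in code, as an added example that is not part of this article and not WebSphere's own WS-Security implementation. It uses the standard Java XML Digital Signature API (JSR 105) to sign the SOAP Body of a constructed request with a reference to its wsu:Id, verify it with the sender's public key, and show verification failing once a signed part is altered; the generated RSA key pair stands in for the keystore certificate that the security bindings would reference.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
public class SoapBodySignatureDemo {
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    // Constructed sample request; the wsu:Id on the Body is the part the signature Reference points at.
    static final String REQUEST = "<soapenv:Envelope xmlns:soapenv=\"" + SOAP_NS + "\" xmlns:wsu=\"" + WSU_NS + "\">"
        + "<soapenv:Header/><soapenv:Body wsu:Id=\"body\"><getBalance><account>12345</account></getBalance></soapenv:Body></soapenv:Envelope>";
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // SOAP never needs a DTD
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }
    static Element body(Document doc) { return (Element) doc.getElementsByTagNameNS(SOAP_NS, "Body").item(0); }
    // Request sender: digest and sign the Body part, placing the ds:Signature in the SOAP Header.
    static void signBody(Document doc, PrivateKey key) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        body(doc).setIdAttributeNS(WSU_NS, "Id", true);          // so URI="#body" resolves
        Reference ref = fac.newReference("#body", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        fac.newXMLSignature(si, null).sign(new DOMSignContext(key, doc.getElementsByTagNameNS(SOAP_NS, "Header").item(0)));
    }
    // Request receiver: validate with the sender's public key; any change to a signed part breaks the Body digest.
    static boolean verifyBody(Document doc, PublicKey pub) throws Exception {
        Element sig = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(pub, sig);
        ctx.setIdAttributeNS(body(doc), WSU_NS, "Id");            // the receiver registers the Id as well
        return XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx).validate(ctx);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA"); g.initialize(2048);
        KeyPair kp = g.generateKeyPair();                         // stands in for the keystore certificate
        Document doc = parse(REQUEST); signBody(doc, kp.getPrivate());
        System.out.println("untouched request valid: " + verifyBody(doc, kp.getPublic()));
        doc.getElementsByTagName("account").item(0).setTextContent("99999"); // alter a signed part
        System.out.println("altered request valid:   " + verifyBody(doc, kp.getPublic()));
    }
}
```

The first validation passes and the second fails, which is the integrity guarantee the receiver-side steps above rely on; in a deployment the public key would come from the certificate in the configured trust anchor rather than from an in-memory key pair.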