The key information is used to specify the configuration
needed to generate the key for digital signature and encryption. The
signing information and the encryption information configurations
can share the key information, so they are both defined at the same
level.
Before you begin
Before you begin this task, configure the key locators and
the token consumers that are referenced by the Key locator reference
and Token reference fields within the key information panel.
About this task
This task provides the steps needed for configuring the
key information for the request generator (client side) and the response
generator (server side) bindings at the application level.
Complete
the following information to configure the key information for the
generator binding on the application level:
Procedure
- Locate the key information configuration panel in the administrative
console.
- Click .
- Under Manage modules, click URI_name.
- Under Web Services Security Properties you can access
the key information for the request generator and response generator
bindings.
- For the request generator (sender) binding, click Web
services: Client security bindings. Under Request generator
(sender) binding, click Edit custom.
- For the response generator (sender) binding, click Web
services: Server security bindings. Under Response generator
(sender) binding, click Edit custom.
- Under Required properties, click Key information.
- Click New to create a key information
configuration, select the box next to an existing configuration and
click Delete to delete the configuration, or
click the name of an existing key information configuration to
edit its settings. If you are creating a new configuration,
enter a name in the Key information name field. For example, you might
specify gen_signkeyinfo.
- Select a key information type from the Key information
type field. The key information type specifies how to reference
the security tokens. WebSphere® Application Server
supports the following key information types:
- Key identifier
- The security token is referenced using an opaque value that uniquely
identifies the token. The algorithm that is used for generating the <KeyIdentifier>
element value depends upon the token type. For example, a hash of
the important elements of the security token is used for generating
the <KeyIdentifier> element value. The following <KeyInfo>
element is generated in the SOAP message for this key information
type:
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier ValueType="wsse:X509v3">/62wXO...
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
- Key name
- The security token is referenced using a name that matches an
identity assertion within the token. It is recommended that you do
not use this key type as it might result in multiple security tokens
that match the specified name. The following <KeyInfo> element
is generated in the SOAP message for this key information type:
<ds:KeyInfo>
<ds:KeyName>CN=Group1</ds:KeyName>
</ds:KeyInfo>
- Security token reference
- The security token is directly referenced using Universal Resource
Identifiers (URIs). The following <KeyInfo> element is generated
in the SOAP message for this key information type:
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#mytoken" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
- Embedded token
- The security token is directly embedded within the <SecurityTokenReference>
element. The following <KeyInfo> element is generated in the
SOAP message for this key information type:
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Embedded wsu:Id="tok1">
...
</wsse:Embedded>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
- X509 issuer name and issuer serial
- The security token is referenced by an issuer name and an issuer
serial number of an X.509 certificate. The following <KeyInfo>
element is generated in the SOAP message for this key information
type:
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=Jones, O=IBM, C=US
</ds:X509IssuerName>
<ds:X509SerialNumber>1040152879
</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
Each type of key information is described in the Web
Services Security: SOAP Message Security 1.0 (WS-Security 2004) OASIS
standard, which is located at: http://www.oasis-open.org/home/index.php under
Web Services Security.
- Select a key locator reference from the Key locator reference
field. This reference specifies a key locator that WebSphere Application Server uses to locate
the keys that are used for digital signature and encryption. Before
you can select a key locator, you must have configured a key locator.
For more information on configuring a key locator, see the following
articles:
- Click Get keys to view a list of
key name references. After you click Get keys,
the key names that are defined in the <sig_klocator> element
are shown in the key name reference menu. If you change the key locator
reference, you must click Get keys again to
display the list of key names associated with the new key locator.
- Select a key name reference from the Key name reference
field. This reference specifies the name of a key that
is used for generating a digital signature and for encryption. The
list of key names provided comes from the key locator specified with
the key locator reference.
- Select a token reference from the Token reference field. This token reference specifies the name of the token generator that
is used for processing the security token. However, WebSphere Application
Server requires this field only when you select Security token reference
or Embedded token in the Key information type field. Before specifying
a token reference, you must configure a token generator. For more
information on configuring a token generator, see Configuring token generators using JAX-RPC to protect message authenticity at the application level.
- Optional: If you select Key identifier as the
key information type on this panel, you must specify an encoding method,
calculation method, value type namespace URI, and a value type local
name.
- Select an encoding method from the Encoding method field. The encoding method specifies the encoding format for the key
identifier. WebSphere Application Server supports the
following encoding methods:
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
- Select a calculation method from the Calculation method
field. WebSphere Application Server
supports the following calculation methods:
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#ITSHA1
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#IT60SHA1
- Specify a value type namespace Uniform Resource Identifier
(URI) in the Namespace URI field. In this field, specify
the namespace URI of the value type for a security token that is referenced
by the key identifier. When you specify the X.509 certificate token,
you do not need to specify this option. If you want to specify another
token, you must specify the URI of the qualified name (QName) for
value type.
- Specify a value type local name. This name
is the local name of the value type for a security token that is referenced
by the key identifier. When this local name is used in conjunction
with the corresponding namespace URI, the information is called the
value type qualified name or QName.
When you specify the X.509 certificate
token, it is recommended that you use the predefined local names.
When you specify the predefined local names, you do not need to specify
the namespace URI of the value type. However, if you do not use one
of the predefined local names, you must specify both the uniform resource
identifier (URI) and the local name. WebSphere Application
Server provides the following predefined local names:
- X.509 certificate token
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
- X.509 certificates in a PKIPath
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1
- A list of X509 certificates and CRLs in a PKCS#7
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7
- LTPA
- Lightweight Third-Party Authentication token. When you specify
a value type local name of LTPA, you must also specify a namespace
URI of http://www.ibm.com/websphere/appserver/tokentype/5.0.2.
- LTPA_PROPAGATION
- Lightweight Third-Party Authentication propagation token. When
you specify a value type local name of LTPA_PROPAGATION, you must
also specify a namespace URI of http://www.ibm.com/websphere/appserver/tokentype.
- Click OK and then click Save to
save the configuration.
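The following added example (not WebSphere code) shows how the Key identifier settings from the optional step above combine into the generated <ds:KeyInfo> element: the encoding method selects Base64Binary or HexBinary output, the value type QName is resolved from the local name and namespace URI using the rules given for the predefined names, and the result is serialized. It assumes the ITSHA1 calculation method can be modeled as a SHA-1 digest over the raw token bytes; the token bytes are a constructed placeholder, not a certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0"
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# Predefined X.509 local names: the value type namespace URI is implied.
X509_LOCAL_NAMES = {"X509v3", "X509PKIPathv1", "PKCS7"}
# Other predefined local names require an explicit, matching namespace URI.
REQUIRED_NAMESPACE = {
    "LTPA": "http://www.ibm.com/websphere/appserver/tokentype/5.0.2",
    "LTPA_PROPAGATION": "http://www.ibm.com/websphere/appserver/tokentype",
}
def value_type_qname(local_name, namespace_uri=None):
    """Resolve (namespace URI, local name) into the ValueType URI, applying the page's rules."""
    if local_name in X509_LOCAL_NAMES:
        namespace_uri = namespace_uri or X509_PROFILE
    elif local_name in REQUIRED_NAMESPACE:
        if namespace_uri != REQUIRED_NAMESPACE[local_name]:
            raise ValueError("%s requires namespace URI %s" % (local_name, REQUIRED_NAMESPACE[local_name]))
    elif not namespace_uri:
        raise ValueError("non-predefined local name %r needs a namespace URI" % local_name)
    return namespace_uri + "#" + local_name

def key_identifier_value(token_bytes, encoding_method, calculation_method):
    """Derive the <wsse:KeyIdentifier> text from the raw token bytes."""
    # Assumption: ITSHA1 is modeled here as a SHA-1 digest over the token bytes.
    if calculation_method != WSS + "#ITSHA1":
        raise ValueError("calculation method not modeled: " + calculation_method)
    digest = hashlib.sha1(token_bytes).digest()
    if encoding_method == WSS + "#Base64Binary":
        return base64.b64encode(digest).decode("ascii")
    if encoding_method == WSS + "#HexBinary":
        return digest.hex().upper()
    raise ValueError("unknown encoding method: " + encoding_method)

def build_key_info(token_bytes, encoding_method, calculation_method, local_name, namespace_uri=None):
    """Build the <ds:KeyInfo> element generated for the Key identifier type."""
    ET.register_namespace("ds", DS_NS)
    ET.register_namespace("wsse", WSSE_NS)
    key_info = ET.Element("{%s}KeyInfo" % DS_NS)
    str_el = ET.SubElement(key_info, "{%s}SecurityTokenReference" % WSSE_NS)
    kid = ET.SubElement(str_el, "{%s}KeyIdentifier" % WSSE_NS)
    kid.set("ValueType", value_type_qname(local_name, namespace_uri))
    kid.set("EncodingType", encoding_method)
    kid.text = key_identifier_value(token_bytes, encoding_method, calculation_method)
    return ET.tostring(key_info, encoding="unicode")
# Constructed placeholder token bytes (not a real certificate).
SAMPLE_TOKEN = b"abc"
```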
Results
You have configured the key information for the generator
binding at the application level.
What to do next
You must specify a similar key information configuration
for the consumer.
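On the consumer side, the first thing a receiver must do is work out which of the five key information types described above a <ds:KeyInfo> element carries. The following added example (not WebSphere code) classifies an incoming <ds:KeyInfo> into one of those types, extracts the reference value, and flags the Key name type as ambiguous, since the text above notes that a name may match several tokens. The samples are constructed from the element shapes shown on this page, with the standard WS-Security namespace declarations added and placeholder values.

```python
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
DECL = 'xmlns:ds="%(ds)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s"' % NS
def ki(body):  # wrap a reference in a <ds:KeyInfo> carrying the namespace declarations
    return "<ds:KeyInfo %s>%s</ds:KeyInfo>" % (DECL, body)

SAMPLES = {  # constructed samples, one per key information type (values are placeholders)
    "identifier": ki('<wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="wsse:X509v3">'
                     'c29tZUtleUlk</wsse:KeyIdentifier></wsse:SecurityTokenReference>'),
    "name": ki("<ds:KeyName>CN=Group1</ds:KeyName>"),
    "reference": ki('<wsse:SecurityTokenReference><wsse:Reference URI="#mytoken"/>'
                    "</wsse:SecurityTokenReference>"),
    "embedded": ki('<wsse:SecurityTokenReference><wsse:Embedded wsu:Id="tok1">...'
                   "</wsse:Embedded></wsse:SecurityTokenReference>"),
    "serial": ki("<wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial>"
                 "<ds:X509IssuerName>CN=Jones, O=IBM, C=US</ds:X509IssuerName>"
                 "<ds:X509SerialNumber>1040152879</ds:X509SerialNumber>"
                 "</ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference>"),
}
def classify_keyinfo(xml_text):
    """Return (key information type, reference value, ambiguous) for one <ds:KeyInfo>."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}KeyInfo" % NS["ds"]:
        raise ValueError("not a ds:KeyInfo element")
    key_name = root.find("ds:KeyName", NS)
    if key_name is not None:
        # A name can match several tokens, so the consumer should treat it as ambiguous.
        return ("Key name", key_name.text.strip(), True)
    str_el = root.find("wsse:SecurityTokenReference", NS)
    if str_el is None:
        raise ValueError("KeyInfo carries neither KeyName nor SecurityTokenReference")
    kid = str_el.find("wsse:KeyIdentifier", NS)
    if kid is not None:
        return ("Key identifier", kid.text.strip(), False)
    ref = str_el.find("wsse:Reference", NS)
    if ref is not None:
        return ("Security token reference", ref.get("URI"), False)
    emb = str_el.find("wsse:Embedded", NS)
    if emb is not None:
        return ("Embedded token", emb.get("{%s}Id" % NS["wsu"]), False)
    serial = str_el.find("ds:X509Data/ds:X509IssuerSerial", NS)
    if serial is not None:
        fields = ("ds:X509IssuerName", "ds:X509SerialNumber")
        return ("X509 issuer name and issuer serial",
                tuple(serial.findtext(f, namespaces=NS).strip() for f in fields), False)
    raise ValueError("unsupported SecurityTokenReference layout")
```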