Why and when to perform this task
In UDDI Version 3, publishers can digitally sign UDDI elements while they are publishing them. The UDDI Version 3 schema supports signing of the businessEntity, businessService, bindingTemplate, tModel, and publisherAssertion elements.
You can validate UDDI elements that have been digitally signed to prove that they have not been modified or tampered with and that their integrity is intact.
For full details about signing UDDI entities and verifying signatures, see Appendix I: Support for XML Digital Signatures in the UDDI Version 3.0.2 specification.
The UDDI registry does not validate signatures when signed elements are published. When signed elements are retrieved, the retrieving client is responsible for validating the signature and for providing its own mechanism to ensure that the signer's certificate is issued by a Certification Authority (CA) that the client approves and trusts. If the signature verifies successfully with the signer's public key, only the holder of the corresponding private key could have signed the element. The certificate check is what ties that key to a publisher the client actually trusts; a signature that verifies under a key the client has not validated proves integrity of the element but nothing about who published it.
Generating a signature
Because an element's attributes are included in the generation of its signature, all entity keys must be present at the time the signature is generated. Publishers should therefore generate publisher-assigned keys for all of an element's keys before signing. Alternatively, publishers can first publish the element without keys so that the registry node generates the required entity keys, then retrieve the element, sign it, and republish the signed version. With the second approach the element exists in the registry unsigned until the republish completes.
Validating a signature
The signature element to validate is the one in the top-level element returned by a call to the get_xxxDetail inquiry API (for example get_businessDetail or get_serviceDetail). It is the client's responsibility to perform the validation. The client must have previously imported the publisher's X.509 v3 certificate and validated it against a CA it trusts; this gives the client the publisher's public verification key, which corresponds to the private signing key that the publisher used to sign the entity before publishing it. Because a retrieved element can also carry signatures on nested elements, validate the signature that is a direct child of the top-level element, and take the verification key from the certificate you already validated rather than from the signature's own KeyInfo, which arrives with the document and could be supplied by whoever forged it.
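The following Java program is an added example that is not part of this page or of the IBM UDDI client: it shows both sides described above (generating a signature and validating it) using the JDK's standard XML Digital Signature API (javax.xml.crypto.dsig, JSR 105) instead of the SignatureUtilities helper. The publisher signs a constructed businessEntity whose businessKey is already assigned, and the retrieving client verifies only the top-level signature, with a public key it is assumed to have obtained from the publisher's previously validated certificate. The sample entity, the key pairs, and the method names are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

public class UddiSignatureDemo {

    // Constructed sample entity (not taken from a real registry). The businessKey is already
    // assigned because the enveloped signature covers the element's attributes.
    static final String BUSINESS_ENTITY =
        "<businessEntity xmlns=\"urn:uddi-org:api_v3\" businessKey=\"uddi:example.com:sample-business\">"
      + "<name>Sample Business</name>"
      + "</businessEntity>";

    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // ds: and UDDI namespaces must be real namespaces for dsig to work
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD tricks in a registry response
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static String serialize(Document doc) throws Exception {
        StringWriter sw = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(sw));
        return sw.toString();
    }

    // Publisher side: append an enveloped ds:Signature to the entity before publishing it.
    static Document sign(Document doc, KeyPair publisherKeys) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // URI="" means "the whole document"; the enveloped transform excludes the Signature itself.
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        // KeyInfo is a hint for the reader only; verify() below deliberately ignores it.
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(publisherKeys.getPublic())));
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(publisherKeys.getPrivate(), doc.getDocumentElement()));
        return doc;
    }

    // Find the ds:Signature that is a direct child of the top-level entity, not one on a nested element.
    static Element topLevelSignature(Document doc) {
        NodeList kids = doc.getDocumentElement().getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            Node n = kids.item(i);
            if (n instanceof Element && XMLSignature.XMLNS.equals(n.getNamespaceURI())
                    && "Signature".equals(n.getLocalName())) {
                return (Element) n;
            }
        }
        return null;
    }

    // Retrieving-client side. trustedKey is assumed to come from the publisher's certificate that the
    // client imported and chain-validated earlier; the key inside the document's KeyInfo is never used.
    static boolean verify(Document doc, PublicKey trustedKey) throws Exception {
        Element sigElem = topLevelSignature(doc);
        if (sigElem == null) return false; // unsigned entity: treat as not verified
        DOMValidateContext ctx = new DOMValidateContext(trustedKey, sigElem);
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // rejects weak algorithms, XSLT transforms, etc.
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return sig.validate(ctx); // checks SignatureValue against trustedKey and every Reference digest
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair publisher = kpg.generateKeyPair(); // stands in for the publisher's CA-certified key pair
        KeyPair impostor = kpg.generateKeyPair();  // an unrelated key, to show that the wrong key does not verify

        String published = serialize(sign(parse(BUSINESS_ENTITY), publisher));
        String tampered = published.replace("Sample Business", "Evil Business"); // modified after signing

        System.out.println("intact, publisher key:   " + verify(parse(published), publisher.getPublic()));
        System.out.println("intact, impostor key:    " + verify(parse(published), impostor.getPublic()));
        System.out.println("tampered, publisher key: " + verify(parse(tampered), publisher.getPublic()));
    }
}
```

The three calls at the end correspond to the three outcomes a client has to distinguish: an intact element checked with the trusted publisher key verifies; the same element checked with an unrelated key does not, because only the holder of the matching private key could have produced the SignatureValue; and an element whose name was changed after signing does not, because the Reference digest no longer matches. The program serializes and re-parses the signed entity between the two sides to mimic the publish-then-retrieve round trip through the registry.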
The IBM UDDI Version 3 Client can be used to construct JAX-RPC objects and to invoke the UDDI Version 3 Web service. This client includes a helper class, com.ibm.uddi.v3.client.apilayer.xmldig.SignatureUtilities, that can be used to create and validate digital signatures on the UDDI Version 3 entities that support them. See the Javadoc welcome page for details of the API of this class and its exception, SignatureUtilitiesException.
An example of how to use this class, UDDIv3ClientSignedBusinessSample.java, can be found in the Samples for WebSphere Application Server.
See Securing Web services using XML digital signature for a full explanation about Digital Signatures.