Before you begin
In the server-side extensions file (ibm-webservices-ext.xmi) and the
client-side deployment descriptor extensions file (ibm-webservicesclient-ext.xmi),
you must specify which parts of the message are signed. You also need to
configure the key information that the key information references on the
signing information panel of the administrative console point to.
Why and when to perform this task
This task explains the required steps to configure the signing
information for the client-side request generator and the server-side response
generator bindings at the application level. WebSphere Application Server
uses the signing information for the default generator to sign parts of the
message including the body, time stamp, and user name token. The Application
Server provides default values for bindings. However, an administrator must
modify the defaults for a production environment. Complete the following steps
to configure the signing information for the generator sections of the bindings
files on the application level:
Steps for this task
- Locate the signing information configuration panel in the administrative
  console.
  - Click Applications > Enterprise applications > application_name.
  - Under Related Items, click EJB Modules or Web Modules > URI_name.
  - Under Additional properties, you can access the signing information
    for the request generator and the response generator bindings.
    - For the request generator (sender) binding, click Web services: Client
      security bindings. Under Request generator (sender) binding, click Edit
      custom.
    - For the response generator (sender) binding, click Web services: Server
      security bindings. Under Response generator (sender) binding, click Edit
      custom.
  - Under Required properties, click Signing information.
- Click New to create a signing information configuration,
  select the box next to the configuration and click Delete to delete
  an existing configuration, or click the name of an existing signing information
  configuration to edit its settings. If you are creating a new configuration,
  enter a name in the Signing information name field. For example, you might
  specify gen_signinfo.
- Select a signature method algorithm from the Signature method field.
  The algorithm that is specified for the generator, which is either the
  request generator or the response generator configuration, must match the
  algorithm that is specified for the consumer, which is either the request
  consumer or response consumer configuration. WebSphere Application Server
  supports the following pre-configured algorithms:
  - http://www.w3.org/2000/09/xmldsig#rsa-sha1
  - http://www.w3.org/2000/09/xmldsig#dsa-sha1
  - http://www.w3.org/2000/09/xmldsig#hmac-sha1
- Select a canonicalization method from the Canonicalization method
  field. The canonicalization algorithm that you specify for the
  generator must match the algorithm for the consumer. WebSphere Application
  Server supports the following pre-configured algorithms:
  - http://www.w3.org/2001/10/xml-exc-c14n#
  - http://www.w3.org/2001/10/xml-exc-c14n#WithComments
  - http://www.w3.org/TR/2001/REC-xml-c14n-20010315
  - http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- Select a key information signature type from the Key information
  signature type field. WebSphere Application Server supports the
  following signature types:
  - None: Specifies that the KeyInfo element is not signed.
  - Keyinfo: Specifies that the entire KeyInfo element is signed.
  - Keyinfochildelements: Specifies that the child elements of the KeyInfo
    element are signed.
  The key information signature type for the generator must
  match the signature type for the consumer. You might encounter the following
  situations:
  - If you do not specify one of the previous signature types, WebSphere
    Application Server uses keyinfo by default.
  - If you select Keyinfo or Keyinfochildelements and you select
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
    as the transform algorithm in a subsequent step, WebSphere Application Server
    also signs the referenced token.
- Select a signing key information reference from the Signing key
  information field. This selection is a reference to the signing
  key that the Application Server uses to generate digital signatures.
- Click OK and Save to save the configuration.
- Click the name of the new signing information configuration.
  This configuration is the one that you specified in a previous step.
- Specify the part reference, digest algorithm, and transform algorithm.
  The part reference specifies which parts of the message to digitally
  sign.
  - Under Additional properties, click Part references > New to
    create a new part reference, click Part references > Delete to delete
    an existing part reference, or click a part name to edit an existing part
    reference.
  - Specify a unique part name for this part reference. For
    example, you might specify reqint.
  - Select a part reference from the Part reference field.
    The part reference refers to the message part that is digitally signed.
    The part attribute refers to the name of the <Integrity> element in the
    deployment descriptor when the <PartReference> element is specified for
    the signature. You can specify multiple <PartReference> elements within
    the <SigningInfo> element. The <PartReference> element has two child
    elements when it is specified for the signature: <DigestTransform> and <Transform>.
  - Select a digest method algorithm from the menu. The
    digest method algorithm specified within the <DigestMethod> element is
    used in the <SigningInfo> element. WebSphere Application Server supports
    the http://www.w3.org/2000/09/xmldsig#sha1 algorithm.
  - Click OK to save the configuration.
  - Click the name of the new part reference configuration.
    This configuration is the one that you specified in a previous step.
  - Under Additional Properties, click Transforms > New to
    create a new transform, click Transforms > Delete to delete a transform,
    or click a transform name to edit an existing transform. If you
    create a new transform configuration, specify a unique name. For example,
    you might specify reqint_body_transform1.
  - Select a transform algorithm from the menu. The transform
    algorithm is specified within the <Transform> element and sets
    the transform algorithm for the signature. WebSphere Application Server supports
    the following algorithms:
    - http://www.w3.org/2001/10/xml-exc-c14n#
    - http://www.w3.org/TR/1999/REC-xpath-19991116
    - http://www.w3.org/2002/06/xmldsig-filter2
    - http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
    - http://www.w3.org/2002/07/decrypt#XML
    - http://www.w3.org/2000/09/xmldsig#enveloped-signature
    The transform algorithm that you select for the generator must match
    the transform algorithm that you select for the consumer.
    Important: If both of the following conditions are true, WebSphere
    Application Server signs the referenced token:
    - You previously selected the Keyinfo or the Keyinfochildelements option
      from the Key information signature type field on the signing information panel.
    - You select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
      as the transform algorithm.
  - Click OK.
- Click Save at the top of the panel to save your configuration.
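The "must match" rules in the steps above, the keyinfo default, and the Keyinfo plus STR-Transform case can be checked mechanically before a generator and consumer binding are deployed. The following Python script is an added example, not IBM's code or part of WebSphere: it models each side's settings as a dictionary (an assumed layout; the URIs and rules are the ones this task lists) and reports unsupported values and generator/consumer mismatches.

```python
# Added example, not IBM's code: the dict layout is assumed; the URIs and match rules are this task's.
STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")
SUPPORTED = {  # pre-configured values listed on this page, per field
    "signature_method": {
        "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
        "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
        "http://www.w3.org/2000/09/xmldsig#hmac-sha1",
    },
    "canonicalization": {
        "http://www.w3.org/2001/10/xml-exc-c14n#",
        "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
        "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
        "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
    },
    "keyinfo_signature_type": {"none", "keyinfo", "keyinfochildelements"},
    "transform": {
        "http://www.w3.org/2001/10/xml-exc-c14n#",
        "http://www.w3.org/TR/1999/REC-xpath-19991116",
        "http://www.w3.org/2002/06/xmldsig-filter2",
        STR_TRANSFORM,
        "http://www.w3.org/2002/07/decrypt#XML",
        "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    },
}

def normalize(cfg):
    """Documented default: an unset key information signature type is keyinfo."""
    out = dict(cfg)
    out["keyinfo_signature_type"] = (cfg.get("keyinfo_signature_type") or "keyinfo").lower()
    return out

def check_signing_pair(generator, consumer):
    """List the problems in a generator/consumer pair; [] means consistent."""
    gen, con = normalize(generator), normalize(consumer)
    problems = []
    for field, allowed in SUPPORTED.items():
        g, c = gen.get(field), con.get(field)
        for side, value in (("generator", g), ("consumer", c)):
            if value not in allowed:
                problems.append(f"{side} {field} not supported: {value}")
        if g != c:  # each of these fields must match on both sides
            problems.append(f"{field} mismatch: generator={g} consumer={c}")
    return problems

def signs_referenced_token(cfg):
    """True when Keyinfo/Keyinfochildelements meets STR-Transform: the token is signed too."""
    n = normalize(cfg)
    return (n["keyinfo_signature_type"] in {"keyinfo", "keyinfochildelements"}
            and n.get("transform") == STR_TRANSFORM)
```

Run check_signing_pair on the request generator settings and the matching request consumer settings; any non-empty result is a configuration that will fail signature verification at the other side.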
Result
After completing these steps, the signing information is configured
for the generator on the application level.
What to do next
You must specify a similar signing information configuration for
the consumer.