You can secure the integrity of your Web service, protecting your
information against unauthorized alteration, by adding a digital signature
to your Web services.
Prerequisite: Create or import a project containing a Web service.
Both the client and server can be protected using an XML digital
signature. In order for an XML digital signature to be accepted for a transmission
between a client and server, the signature information must be set for both.
To add an XML digital signature to a Web service:
- Change to the J2EE perspective.
- Click .
- Select J2EE from the list and click OK.
- Expand the Web Services tab in the Project
Explorer view.
- Expand the Services tab.
- Right-click your service and select .
- In the Integrity Message Parts section, one Message Part is added by
default. You can modify the default by changing its Dialect or Keyword, and
you can add more Message Parts from the menu of available message parts
settings. The default setting is recommended; for more information about
message parts settings, see message parts settings.
- To accept the rest of the defaults and continue to the Token Consumer
page, click Next.
Note: The other available
menu allows you to select your preferred signature method algorithm. The
signature method is the algorithm applied to the canonicalized <SignedInfo>
element to produce the <SignatureValue> element; the choice is recorded in
the binding file. The algorithm specified for the consumer, which is either the
request consumer or the response consumer configuration, must match the
algorithm specified for the generator, which is either the request generator or
the response generator configuration, or the consumer cannot verify the signature.
WebSphere
® Application Server supports the following
pre-configured algorithms:
- http://www.w3.org/2000/09/xmldsig#rsa-sha1
- http://www.w3.org/2000/09/xmldsig#hmac-sha1
- http://www.w3.org/2000/09/xmldsig#dsa-sha1
Note that hmac-sha1 is a keyed MAC rather than a public-key signature: the
generator and consumer must share the same secret key, and there is no
certificate for the consumer to check and no non-repudiation. All three methods
are built on SHA-1, which is no longer recommended for new signature deployments;
take this into account when choosing an algorithm.
- Choose the type of the Token Consumer used from the drop-down list.
- Select Only trust Certificates with the following reference. If the Trust any certificate option is selected,
a request signed with any X509 certificate is accepted. A valid signature then
proves only that the message was not altered after its holder signed it, not
that the signer is one you trust, so any client with any certificate has access
to your server. Without this certificate reference, your server's security
is still at risk.
- Fill out the required information within the Certificate Information
group.
- In the Key store path field, browse to
the key store file that holds the certificates the consumer should trust.
- In the Key store storepass field, enter
the password of the key store itself (the storepass), not the password of an
individual key.
- To specify a specific X509 certificate, select the Use
a certificate check box. If this check box is not selected, a
client request with any X509 certificate will be accepted.
- Accept the rest of the defaults and select OK to
continue to the Server Side Response Generator Digital Signature window.
- In the Integrity Message Parts section, there is one Message Part
added by default. You can modify the existing default by modifying the Dialect
or Key word. You may also add more Message Parts.
- To accept the rest of the defaults and continue to the Token Generator
page, click Next .
- Choose the type of the Token Generator from the drop-down list.
- Fill out the required information within the Key Store Information
section.
- In the Key store Path field, type or
browse to the path of the key store in which the digital signature key is located.
- In the Key Store Password field, type
the password of the key store itself; the signing key's own password is set
separately with the Use a key option.
The Use a key check box lets you select which key in the key store
signs the message. With this option selected, you specify the alias and the
key password of the private key to use, so the signature is produced with that
specific key rather than whichever key the runtime would otherwise pick. To
specify a specific X509 certificate, select the Use a certificate check box.
- Click Finish. An XML digital
signature now secures your server.
- In order for the client to access the server, you must create a
corresponding XML digital signature for the client using one of the following
methods:
- To create a corresponding digital signature using the XML digital
signature wizard:
- Right-click on the client and select
- Follow steps 5 - 14 above, using the same key store, algorithm and certificate
settings as were used to secure the server, so that the client's generator matches
the server's consumer and the client's consumer matches the server's generator.
- If you have finished setting up all types of security for your server
you can create a corresponding digital signature for the client using the
Based on a Secured Web Service wizard:
- Right-click on the client and select .
- Verify that the corresponding server is selected from the drop-down menu,
click Next.
- Fill out the required information within the Client Side Request Generator:
- In the Key store Path field, type or browse, to
the path in which the digital signature key is located.
- In the Key Store Password field, type the password
corresponding to the selected signature key.
- Click Next.
- Fill out the required information within the Client Side Response Consumer:
- Select Only trust Certificates with the following reference.
If the Trust any certificate option is selected, the client
accepts a response signed with any certificate, so a forged response from
any party holding an X509 certificate would pass the client's integrity check.
- Click Finish.
XML digital signature security will now protect your Web service
against integrity threatening attacks. You can see the changes in your XML
source by switching to the Resource perspective and opening your Web service
.xmi file. To open this file, click ,
select Resource, and click OK. Then find the corresponding
.xmi file under the yourProjectName/WebContent/WEB-INF/ directory.
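To make concrete what the generator and consumer steps above configure, here is the signature exchange done by hand. This is an added example using Python's standard library, not code from the page or from WebSphere: it builds a constructed SOAP request, signs the Body message part with the hmac-sha1 signature method from the list above (chosen because it is keyed and needs no certificate handling), and verifies it the way a consumer does. The message, the wsu:Id value and the shared key are constructed; ElementTree's C14N 2.0 stands in for the XML-DSig canonicalization algorithm, which is an assumption. With rsa-sha1 or dsa-sha1 the SignatureValue would be an asymmetric signature over the same canonicalized SignedInfo bytes, and the consumer would additionally compare the signer's certificate against its trusted reference.

```python
"""Constructed XML digital signature generator/consumer exchange (added example)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
HMAC_SHA1 = DSIG + "hmac-sha1"   # pre-configured signature methods from the Note above
RSA_SHA1 = DSIG + "rsa-sha1"
for prefix, uri in (("ds", DSIG), ("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)

# Constructed request; the Body is the integrity message part, addressed by wsu:Id.
REQUEST = (
    '<soapenv:Envelope xmlns:soapenv="%s" xmlns:wsse="%s" xmlns:wsu="%s">'
    '<soapenv:Header><wsse:Security/></soapenv:Header>'
    '<soapenv:Body wsu:Id="body"><transfer><amount>10</amount></transfer></soapenv:Body>'
    '</soapenv:Envelope>' % (SOAP, WSSE, WSU))
KEY = b"constructed-shared-hmac-key"   # hmac-sha1 is keyed: generator and consumer share it


def c14n(elem):
    # Assumption: ElementTree's C14N 2.0 stands in for the xmldsig C14N algorithm.
    # Generator and consumer must canonicalize identically or nothing verifies.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()


def find_by_id(root, ref_id):
    for el in root.iter():
        if el.get("{%s}Id" % WSU) == ref_id:
            return el
    raise ValueError("no element with wsu:Id=%r" % ref_id)


def sign(xml_text, key, algorithm=HMAC_SHA1):
    """Generator side: digest the Body, then sign the canonicalized SignedInfo."""
    root = ET.fromstring(xml_text)
    digest = base64.b64encode(hashlib.sha1(c14n(find_by_id(root, "body"))).digest())
    signed_info = ET.fromstring(
        '<ds:SignedInfo xmlns:ds="%s">'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<ds:SignatureMethod Algorithm="%s"/>'
        '<ds:Reference URI="#body"><ds:DigestMethod Algorithm="%ssha1"/>'
        '<ds:DigestValue>%s</ds:DigestValue></ds:Reference>'
        '</ds:SignedInfo>' % (DSIG, algorithm, DSIG, digest.decode()))
    # SignatureValue = SignatureMethod(key, c14n(SignedInfo)); here HMAC-SHA1.
    sig_value = base64.b64encode(hmac.new(key, c14n(signed_info), hashlib.sha1).digest())
    signature = ET.SubElement(root.find(".//{%s}Security" % WSSE), "{%s}Signature" % DSIG)
    signature.append(signed_info)
    ET.SubElement(signature, "{%s}SignatureValue" % DSIG).text = sig_value.decode()
    return ET.tostring(root, encoding="unicode")


def verify(xml_text, key, expected_algorithm=HMAC_SHA1):
    """Consumer side: True only if the method matches, the SignatureValue checks out,
    and every referenced message part still has the digest that was signed."""
    root = ET.fromstring(xml_text)
    signature = root.find(".//{%s}Signature" % DSIG)
    if signature is None:
        return False
    signed_info = signature.find("{%s}SignedInfo" % DSIG)
    method = signed_info.find("{%s}SignatureMethod" % DSIG).get("Algorithm")
    if method != expected_algorithm:    # consumer configuration must match the generator
        return False
    expected = hmac.new(key, c14n(signed_info), hashlib.sha1).digest()
    actual = base64.b64decode(signature.findtext("{%s}SignatureValue" % DSIG))
    if not hmac.compare_digest(expected, actual):
        return False
    for ref in signed_info.iter("{%s}Reference" % DSIG):
        target = find_by_id(root, ref.get("URI").lstrip("#"))
        digest = base64.b64decode(ref.findtext("{%s}DigestValue" % DSIG))
        if not hmac.compare_digest(hashlib.sha1(c14n(target)).digest(), digest):
            return False                # the signed part was altered in transit
    return True


if __name__ == "__main__":
    signed = sign(REQUEST, KEY)
    print("intact:", verify(signed, KEY))
    tampered = signed.replace("<amount>10</amount>", "<amount>9999</amount>")
    print("tampered:", verify(tampered, KEY))
    print("algorithm mismatch:", verify(signed, KEY, expected_algorithm=RSA_SHA1))
```

The three checks in `verify` map onto the wizard pages: the algorithm comparison is the generator/consumer match the Note requires, the SignatureValue comparison is the signature method applied to the canonicalized SignedInfo, and the per-Reference digest comparison is what makes the Integrity Message Parts setting effective. Changing the amount after signing fails the digest check even though the SignatureValue itself is untouched.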