[5.0 only] Securing Apache SOAP services on Secure Sockets Layer with SOAP Signature

Why and when to perform this task

Applications might need non-repudiable proof of exchanged messages. One example is a Web service that accepts part orders. The business partners establish a form of trust relationship based on public keys. This can be done using the public key infrastructure (PKI) through a third-party certificate authority (CA), or by exchanging public keys over a secure channel. The following service is deployed with a signature verification function:

  https://foo.com/partorder

Configure signature verification with the following information:

If the signature is missing or if signature verification fails, the signature verification function can be configured so that the servlet returns a SOAP fault.

To send part orders to the https://foo.com/partorder service, the service requester signs its SOAP messages with a signature component. The signature component is initialized using two templates:

  1. <ds:SignedInfo> template
  2. <ds:KeyInfo> template

The <ds:SignedInfo> template controls the following:

The <ds:KeyInfo> template controls the following:

You can combine the service request with HTTP basic authentication, if necessary.


Related concepts
Apache SOAP signature architecture



Searchable topic ID:   twbs_soapsignature
Last updated: Jun 21, 2007 8:07:48 PM CDT    WebSphere Business Integration Server Foundation, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.wasee.doc/info/ee/ae/twbs_soapsignature.html
