You can configure the signing information for the server-side and
client-side bindings using an assembly tool. The signing information on the
consumer side is used to verify the integrity of the received SOAP message
by validating the message parts that are signed. The response consumer is
configured for the client and the request consumer is configured for the server.
About this task
Complete the following steps. You must configure either the client-side
bindings in step 2 or the server-side bindings in step 3.
Procedure
- Start the assembly tool.
- Switch to the Java 2 Platform, Enterprise Edition (J2EE) perspective.
Click Window > Open Perspective > J2EE.
- Optional: Locate the client-side bindings using the
Project Explorer window. The Client Deployment Descriptor window
is displayed. This Web service contains the bindings that you must configure.
Complete the following steps to locate the client-side bindings:
- Expand the Web Services > Client section and double-click the
name of the Web service.
- Click the WS Binding tab and expand the Security Response
Consumer Binding Configuration section.
- Optional: Locate the server-side bindings using the
Project Explorer window. The Web Services Editor window is displayed.
This Web service contains the bindings that you must configure. Complete the
following steps to locate the server-side bindings:
- Expand the Web Services > Services section and double-click
the name of the Web service.
- Click the Binding Configurations tab and expand the Request
Consumer Binding Configuration Details section.
- Expand the Signing Information section and click Add to
add a new entry or select an existing entry and click Edit. The
Signing Information Dialog window is displayed. Complete the following steps
to specify the signing information:
- Specify a name for the signing information configuration in
the Signing information name field.
- Select a canonicalization method from the Canonicalization method
algorithm field. The canonicalization method algorithm is used
to canonicalize the signing information before it is integrated as part of
the signature operation. The following pre-configured algorithms are supported:
- http://www.w3.org/2001/10/xml-exc-c14n#
- http://www.w3.org/2001/10/xml-exc-c14n#WithComments
- http://www.w3.org/TR/2001/REC-xml-c14n-20010315
- http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
You must specify the same canonicalization algorithm for both the
generator and the consumer. For more information on configuring the signing
information for the generator, see Configuring signing information for the generator binding with an assembly
tool
.
- Optional: Select Show only
FIPS Compliant Algorithms if you want only the FIPS compliant algorithms
to show in the Digest method algorithm drop-down list. Use this option
if you expect this application to run on a WebSphere Application Server that
has set the Use the Federal Information Processing Standard (FIPS) option
in the Global security panel of the administrative console for WebSphere Application
Server.
- Select a signature method algorithm from the Signature method
algorithm field. The following pre-configured algorithms are supported:
You must specify the same signature algorithm for both the generator
and the consumer. For more information on configuring the signing information
for the generator, see Configuring signing information for the generator binding with an assembly
tool
.
- Click Add in the Signing Key Information section to add
a new key information entry or click Remove to delete a selected entry.
Complete the following substeps if you are adding a new key information
entry.
- Specify a name in the Key information name field.
- Select a key information reference from the list under the Key
information element field. The value in this field references the
key information configuration that you specified previously. If you have a
key information configuration called con_signkeyinfo that you want
to use with this signing information configuration, specify con_signkeyinfo in
the Key information element field. For more information, see Configuring key information for the consumer binding with an assembly
tool
.
- Optional: Select the Use key information signature option
if you want to sign the key information within the SOAP message.
- Optional: Select a key information signature type from
the Type field if you select the Use key information signature option.
Select the keyinfo value to specify that the entire KeyInfo element
must be signed within the SOAP message. Select the keyinfochildelements value
to specify that the child elements within the KeyInfo element must be signed.
However, the KeyInfo element itself does not need to be signed.
- Click OK to save your signing information configuration.
- Expand the Part References subsection and select the signing information
configuration from the Signing Information section.
- Click Add in the Part References subsection to add a new
entry or select an existing entry and click Edit. The Part
References Dialog window is displayed. Complete the following steps to configure
a part reference:
- Specify a name for the part reference configuration in the Part
reference name field.
- Select a required integrity part configuration in the RequiredIntegrity
part field. The required integrity part configuration specifies
the message parts that are required to be signed. For more information on
how to configure the required integrity, see Signing message elements in consumer security constraints with keywords
or Signing message elements in consumer security constraints with an XPath
expression
.
- Optional: Select Show only
FIPS Compliant Algorithms if you want only the FIPS compliant algorithms
to show in the Digest method algorithm drop-down list. Use this option
if you expect this application to run on a WebSphere Application Server that
has set the Use the Federal Information Processing Standard (FIPS) option
in the Global security panel of the administrative console for WebSphere Application
Server.
- Select the http://www.w3.org/2000/09/xmldsig#sha1
digest method algorithm in the Digest method algorithm field. This
digest method algorithm is used to create the digest for each message part
that is specified by this part reference.
- Click OK to save your part reference configuration.
- Expand the Transforms subsection and the part reference configuration
from the Part reference subsection.
- Click Add in the Transforms subsection to add a new entry
or select an existing entry and click Edit. The Transform
dialog window is displayed.
- Specify a transform name in the Name field.
- Select a transform algorithm from the Algorithm field.
The following transform algorithms are supported:
- http://www.w3.org/2001/10/xml-exc-c14n#
- This algorithm specifies the World Wide Web Consortium (W3C) Exclusive
Canonicalization recommendation.
- http://www.w3.org/TR/1999/REC-xpath-19991116
- This algorithm specifies the W3C XML path language recommendation. If
you specify this algorithm, you must click Add to specify the property
name and value, which is displayed under Transform properties. For example,
you might specify the following information:
- Name
- com.ibm.wsspi.wssecurity.dsig.XPathExpression
- Value
- not(ancestor-or-self::*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#'
and local-name()='Signature'])
- http://www.w3.org/2002/06/xmldsig-filter2
- This algorithm specifies the XML-Signature XPath Filter Version 2.0 proposed
recommendation.
When you use this algorithm, you must specify a set of properties
in the Transform property fields. You can use multiple property sets for the
XPath Filter Version 2.
Note: End your property
names with the number of the property set, which is denoted by an asterisk
in the following examples:
- To specify an XPath expression for the XPath filter2, you might use:
name com.ibm.wsspi.wssecurity.dsig.XPath2Expression_*
- To specify a filter type for each XPath, you might use:
name com.ibm.wsspi.wssecurity.dsig.XPath2Filter_*
Following
this expression, you can have a value, [intersect], [subtract],
or [union].
- To specify the processing order for each XPath, you might use:
name com.ibm.wsspi.wssecurity.dsig.XPath2Order_*
Following
this expression, indicate the processing order of the XPath.
The following is a list of complete examples:
com.ibm.wsspi.wssecurity.dsign.XPath2Filter_1 = [intersect]
com.ibm.wsspi.wssecurity.dsign.XPath2Order_1 = [1]
com.ibm.wsspi.wssecurity.dsign.XPath2Expression_2 = [XPath expression#2]
com.ibm.wsspi.wssecurity.dsign.XPath2Filter_2 = [subtract]
com.ibm.wsspi.wssecurity.dsign.XPath2Filter_2 = [1]
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
- http://www.w3.org/2002/07/decrypt#XML
- This algorithm specifies the W3C decryption transform for XML Signature
recommendation.
- http://www.w3.org/2000/09/xmldsig#enveloped-signature
- This algorithm specifies the W3C recommendation for XML digital signatures.
- Click OK to save your transforms configuration.
What to do next
After you complete this task for the consumer binding, you must configure
the signing information for generator binding if this task was not previously
completed.