You can configure the signing information for the server-side and
client-side generator bindings by using an assembly tool. The request generator
is configured for the client and the response generator is configured for
the server.
About this task
Complete the following steps. You must configure either the client-side
bindings in step 2 or the server-side bindings in step 3.
Procedure
- Start the assembly tool.
- Switch to the Java 2 Platform, Enterprise Edition (J2EE) perspective.
Click Window > Open Perspective > J2EE.
- Optional: Locate the client-side bindings using the
Project Explorer window. The Client Deployment Descriptor window
is displayed. This Web service contains the bindings that you must configure.
- Expand the Web Services > Client section and double-click
the name of the Web service.
- Click the WS Binding tab and expand the Security Request
Generator Binding Configuration section.
- Optional: Locate the server-side bindings using the
Project Explorer window. The Web Services Editor window is displayed.
This Web service contains the bindings that you must configure.
- Expand the Web Services > Services section and double-click
the name of the Web service.
- Click the Binding Configurations tab and expand the Response
Generator Binding Configuration Details section.
- Expand the Signing Information section and click Add to
add a new entry or select an existing entry and click Edit. The
Signing Information dialog window is displayed.
- Specify a name for the signing information configuration in
the Signing information name field. For example, you might specify gen_signinfo.
- Select a canonicalization method from the Canonicalization
method algorithm field. The canonicalization method algorithm
is used to canonicalize the signing information before it is digested as part
of the signature operation. The following pre-configured algorithms are supported:
- http://www.w3.org/2001/10/xml-exc-c14n#
- http://www.w3.org/2001/10/xml-exc-c14n#WithComments
- http://www.w3.org/TR/2001/REC-xml-c14n-20010315
- http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
You must specify the same canonicalization algorithm for both the
generator and the consumer. For more information on configuring the signing
information for the consumer, see Configuring signing information for the consumer binding with an assembly tool.
- Optional: Select Show only
FIPS Compliant Algorithms if you want only the FIPS compliant algorithms
to show in the encryption method algorithm drop-down lists. Use this option
if you expect this application to run on a WebSphere Application Server that
has set the Use the Federal Information Processing Standard (FIPS) option
in the Global security panel of the administrative console for WebSphere Application
Server.
- Select a signature method algorithm from the Signature method
algorithm field. The following pre-configured algorithms are supported:
You must specify the same canonicalization algorithm for both the
generator and the consumer. For more information on configuring the signing
information for the consumer, see Configuring signing information for the consumer binding with an assembly tool.
- Click Add in the Signing Key Information section to add
a new key information entry or click Remove to delete a selected entry.
Complete the following substeps if you are adding a new key information
entry.
- Specify a name in the Key information name field. For
example, you might specify gen_skeyinfo.
- Select a key information reference from the list under the Key
information element field. The value in this field references the
key information configuration that you specified previously. If you have a
key information configuration called gen_signkeyinfo that you want
to use with this signing information configuration, specify gen_signkeyinfo in
the Key information element field. For more information, see Configuring key information for the generator binding with an assembly tool.
- Optional: Select the Use key information signature option
if you want to sign the key information within the SOAP message.
- Optional: Select a key information signature type
from the Type field if you select the Use key information signature option.
Select the keyinfo value to specify that the entire KeyInfo element
must be signed within the SOAP message. Select the keyinfochildelements value
to specify that the child elements within the KeyInfo element must be signed,
but the KeyInfo element itself does not need to be signed.
- Optional: Determine whether to disable
the Inclusive namespace prefix list. The Exclusive XML Canonicalization Version 1.0 specification
recommends that you include all of the namespace declarations that correspond
to the namespace prefix in the canonicalization form. For security reasons,
WebSphere Application Server, by default, includes the prefix in the digital
signature for Web services security. However, some implementations of Web
services security cannot handle this prefix list. WebSphere Application Server
can handle digitally signed messages that either contain or do not contain
the prefix list. If you experience a signature validation failure when a signed
SOAP message is sent and you are using another vendor in your environment,
it is highly recommended that you check with their Web site for a possible
fix to their implementation before you disable this property. To disable this
property, complete the following steps:
- Under Properties, click Add.
- In the Name field, enter the com.ibm.wsspi.wssecurity.dsig.inclusiveNamespaces property.
- In the Value field, enter the false value.
- Click OK.
- Click OK to save your signing information configuration.
- Expand the Part References subsection and select the signing information
configuration from the Signing Information section.
- Click Add in the Part References subsection to add a new
entry or select an existing entry and click Edit. The Part
References dialog window is displayed.
- Specify a name for the part reference configuration in the Part
reference name field.
- Select an integrity part configuration in the Integrity part
field. For more information on how to configure the integrity
part, see Signing message elements in generator security constraints with keywords
or Signing message elements in generator security constraints with an XPath expression.
- Optional: Select Show only
FIPS Compliant Algorithms if you want only the FIPS compliant algorithms
to show in the encryption method algorithm drop-down lists. Use this option
if you expect this application to run on a WebSphere Application Server that
has set the Use the Federal Information Processing Standard (FIPS) option
in the Global security panel of the administrative console for WebSphere Application
Server.
- Select the http://www.w3.org/2000/09/xmldsig#sha1
digest method algorithm in the Digest method algorithm field. This
digest method algorithm is used to create the digest for each message part
that is specified by this part reference.
- Expand the Transforms subsection and select the part reference configuration
from the Part References subsection.
- Click Add in the Transforms subsection to add a new entry
or select an existing entry and click Edit. The Transform
dialog window is displayed.
- Specify a transform name in the Name field. For example,
you might specify reqint_body_transform1.
- Select a transform algorithm from the Algorithm field.
The following transform algorithms are supported:
- http://www.w3.org/2001/10/xml-exc-c14n#
- This algorithm specifies the World Wide Web Consortium (W3C) Exclusive
Canonicalization recommendation.
- http://www.w3.org/TR/1999/REC-xpath-19991116
- This algorithm specifies the W3C XML path language recommendation. If
you specify this algorithm, you must specify the property name and value by
clicking Properties, which is displayed under Additional properties.
For example, you might specify the following information:
- Property: com.ibm.wsspi.wssecurity.dsig.XPathExpression
- Value: not(ancestor-or-self::*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#' and local-name()='Signature'])
- http://www.w3.org/2002/06/xmldsig-filter2
- This algorithm specifies the XML-Signature XPath Filter Version 2.0 proposed
recommendation.
When you use this algorithm, you must specify a set of properties
in the Transform property fields. You can use multiple property sets for the
XPath Filter Version 2. Thus, it is recommended that your property names end
with the number of the property set, which is denoted by an asterisk in the
following examples:
- To specify an XPath expression for the XPath filter2, you might use:
name com.ibm.wsspi.wssecurity.dsig.XPath2Expression_*
- To specify a filter type for each XPath, you might use:
name com.ibm.wsspi.wssecurity.dsig.XPath2Filter_*
Following this expression, you can have a value, [intersect], [subtract],
or [union].
- To specify the processing order for each XPath, you might use:
name com.ibm.wsspi.wssecurity.dsig.XPath2Order_*
Following this expression, indicate the processing order of the XPath.
The following is a list of complete examples:
com.ibm.wsspi.wssecurity.dsig.XPath2Filter_1 = [intersect]
com.ibm.wsspi.wssecurity.dsig.XPath2Order_1 = [1]
com.ibm.wsspi.wssecurity.dsig.XPath2Expression_2 = [XPath expression#2]
com.ibm.wsspi.wssecurity.dsig.XPath2Filter_2 = [subtract]
com.ibm.wsspi.wssecurity.dsig.XPath2Order_2 = [1]
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
- http://www.w3.org/2002/07/decrypt#XML
- This algorithm specifies the W3C decryption transform for XML Signature
recommendation.
- http://www.w3.org/2000/09/xmldsig#enveloped-signature
- This algorithm specifies the W3C recommendation for XML digital signatures.
The transform algorithm that you select for the generator
must match the transform algorithm for the consumer.
- Click OK.
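To see which message parts the two XPath transforms above actually place under the digest, the following added example (not IBM's or the assembly tool's code, standard library only) models them over a constructed SOAP message: xpath_1999_filter implements the enveloped-signature exclusion expression given for the REC-xpath-19991116 transform, and xpath_filter2 is a simplified, element-node-only model of an ordered XPath Filter 2 property set ([intersect], [subtract], [union]); the SOAP message, the wsse/quote namespaces and the two-step property set are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample message: an enveloped signature inside the WS-Security header.
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:ds="{DSIG}">
  <soapenv:Header><wsse:Security xmlns:wsse="urn:constructed:wsse">
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c29tZQ==</ds:SignatureValue></ds:Signature>
  </wsse:Security></soapenv:Header>
  <soapenv:Body><q:getQuote xmlns:q="urn:constructed:quote"><q:symbol>IBM</q:symbol></q:getQuote></soapenv:Body>
</soapenv:Envelope>"""

def load(xml_text=SAMPLE):
    return ET.fromstring(xml_text)

def subtree(el):
    """Element plus all descendants: the XPath Filter 2 'subtree expansion'."""
    return set(el.iter())

def xpath_1999_filter(root):
    """Element node-set kept by the page's REC-xpath-19991116 expression
    not(ancestor-or-self::*[namespace-uri()=DSIG and local-name()='Signature']):
    everything except each ds:Signature element and its descendants."""
    excluded = set()
    for sig in root.iter(f"{{{DSIG}}}Signature"):
        excluded |= subtree(sig)
    return set(root.iter()) - excluded

def xpath_filter2(root, steps):
    """Apply ordered XPath Filter 2 steps [(filter_type, selected_elements), ...].
    Simplified model of the spec (assumption, element nodes only): each selection
    is subtree-expanded, intersect/subtract start from the whole document and
    union starts from an empty set."""
    result = set() if steps[0][0] == "union" else set(root.iter())
    for kind, selected in steps:
        expanded = set().union(*(subtree(e) for e in selected))
        if kind == "intersect":
            result &= expanded
        elif kind == "subtract":
            result -= expanded
        elif kind == "union":
            result |= expanded
        else:
            raise ValueError(f"unknown XPath2Filter value {kind!r}")
    return result

def local_names(nodes):
    """Sorted local names of the selected elements, for readable comparison."""
    return sorted(n.tag.split("}")[-1] for n in nodes)
```

Running the property set XPath2Filter_1 = [intersect] on the Envelope followed by XPath2Filter_2 = [subtract] on ds:Signature selects the same elements as the single XPath expression, which is what the consumer side must also compute for the digests to match.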
What to do next
After you complete this task for the generator binding, you must
configure the signing information for consumer binding.