You can specify that the parent element of the timestamp be expected
in the element. Also, the timestamp is included in the signature for the message
parts. Configure the consumer security constraints for either the response
consumer or the request consumer. The response consumer is configured for
the client, and the request consumer is configured for the server.
Before you begin
Prior to completing this task, you must import your application into
an assembly tool.
For information on how to import your application, see Importing
enterprise applications.
About this task
Complete the following steps. You must configure either the client-side
extensions in step 2 or the server-side extensions in step 3.
Procedure
- Start the assembly tool.
- Switch to the Java 2 Platform, Enterprise Edition (J2EE) perspective.
Click Window > Open Perspective > J2EE.
- Optional: Locate the client-side extensions using the
Project Explorer window. The Client Deployment Descriptor window
is displayed. This Web service contains the extensions that you need to configure.
Complete the following steps to locate the client-side extensions:
- Expand the Web Services > Client section and double-click
the name of the Web service.
- Click the WS Extension tab and expand the Response Consumer
Configuration section.
- Optional: Locate the server-side extensions using the
Project Explorer window. The Web Services Editor window is displayed.
This Web service contains the extensions that you need to configure. Complete
the following steps to locate the server-side extensions:
- Expand the Web Services > Services section and double-click
the name of the Web service.
- Click the Extensions tab and expand the Request Consumer
Service Configuration Details section.
- Expand the Required Integrity section. Integrity refers
to digital signature while confidentiality refers to encryption. Integrity
decreases the risk of data modification when you transmit data across a network.
For more information on digitally signing SOAP messages, see XML digital signature.
- Click Add to specify a timestamp that is expected in the
parent element of the keyword. The parent element of the timestamp is also
expected to be included in the signature for the message part. The
Required Integrity Dialog window is displayed. Before you configure the timestamp
in the Required Integrity, you must configure at least one message part or
element that is expected to be signed. Complete the following steps to specify
a configuration:
- Specify a name for the integrity element in the Required Integrity
Name field.
- Specify a usage type in the Usage type field. This
field specifies the requirement for the integrity element. The value of this
attribute is either Required or Optional. The following options are available:
- Required
- If you select Required and the required message parts or elements
are not signed, then the message is rejected with a SOAP fault.
- Optional
- If you select Optional, then the digital signature of the selected
message parts or elements is verified if they are signed. However, the consumer
does not reject the message if the selected message parts or elements are
not signed.
- In the Timestamp section, click Add and select the Timestamp
dialect. The http://www.ibm.com/websphere/webservices/wssecurity/dialect-was dialect
specifies the parent element of the expected timestamp. If you select this
dialect, you can select one of the following keywords under the Timestamp
keyword heading:
- body
- Specifies the user data portion of the message. If you select the body
option, a timestamp is embedded in the SOAP body. Also, the parent of the timestamp
(SOAP body) is expected to be signed with the message parts in the Required
Integrity.
- securitytoken
- Specifies that a timestamp is expected to be embedded in the security
token element. Also, the parent of the timestamp (security token) is expected
to be signed with the message parts in the Required Integrity.
- dsigkey
- Specifies that the timestamp is inserted into the key information element,
which is used for digital signature, and the key information element is signed.
- enckey
- Specifies that the timestamp is inserted into the key information element,
which is used for encryption, and the key information element is signed.
- messageid
- Specifies that the timestamp is inserted into the <wsa:MessageID> element
and the <wsa:MessageID> element is signed.
- to
- Specifies that the timestamp is inserted into the <wsa:To> element
within the message and that the <wsa:To> element is signed.
- action
- Specifies that the <wsa:Action> element is signed.
- relatesto
- Specifies that the timestamp is inserted into the <wsa:RelatesTo>
element within the message and the <wsa:RelatesTo> element is signed.
- If you have not defined a message part for Required Integrity,
you must define at least one message part to add a timestamp for Required
Integrity. Complete the following steps to define a message part:
- In the Message Parts section, click Add and select http://www.ibm.com/websphere/webservices/wssecurity/dialect-was in
the Message parts dialect field.
- In the Message Parts section, select the message parts keyword.
- Click OK to save the configuration changes.
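The following added example, which is not part of the product or its documentation, models what a consumer configured with the body keyword expects: the SOAP body is covered by a signature reference and carries the timestamp, with the Required and Optional usage types deciding whether an unsigned body is rejected. The message layout, the wsu:Timestamp child element, and the function names are assumptions made for illustration; cryptographic verification of the signature is out of scope.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
WSU_ID = "{%s}Id" % NS["wsu"]


def make_message(sign_body, with_timestamp):
    """Build a constructed sample message (simplified header, no real signature)."""
    ts = ("<wsu:Timestamp><wsu:Created>2024-01-01T00:00:00Z</wsu:Created>"
          "</wsu:Timestamp>") if with_timestamp else ""
    ref = '<ds:Reference URI="#body-1"/>' if sign_body else ""
    return (
        '<soap:Envelope xmlns:soap="%(soap)s" xmlns:ds="%(ds)s" xmlns:wsu="%(wsu)s">'
        '<soap:Header><ds:Signature><ds:SignedInfo>' % NS + ref +
        '</ds:SignedInfo></ds:Signature></soap:Header>'
        '<soap:Body wsu:Id="body-1">' + ts + '<order>42</order></soap:Body>'
        '</soap:Envelope>'
    )


def check_required_integrity(xml_text, usage="Required"):
    """Structural check only: is the timestamp's parent (the body) signed?

    Assumption: a signed body that lacks the expected timestamp is rejected.
    Real input is untrusted; use a hardened XML parser outside of this demo.
    """
    root = ET.fromstring(xml_text)
    body = root.find("soap:Body", NS)
    # Collect the IDs that the signature's references actually cover.
    signed_ids = {r.get("URI", "").lstrip("#")
                  for r in root.iterfind(".//ds:Reference", NS)}
    if body.get(WSU_ID) not in signed_ids:
        if usage == "Required":
            return "fault: body not signed"
        return "accept: unsigned, usage Optional"
    # The timestamp must sit inside the signed parent so that it cannot be
    # replaced without invalidating the signature.
    if body.find("wsu:Timestamp", NS) is None:
        return "fault: no timestamp in signed body"
    return "accept"


if __name__ == "__main__":
    for signed, ts in [(True, True), (False, True), (True, False)]:
        print(signed, ts, check_required_integrity(make_message(signed, ts)))
```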
Note: These configurations for the consumer and the generator must match.
In addition to the timestamp, you can specify that the nonce is signed. For more
information, see the following articles: