
4.8.4.2.4: Verification Header Handler

The Verification Header Handler (VHH) validates a digital signature header in a SOAP envelope. Its behavior is customized through a configuration file in which you specify the following:

  • a verification policy
  • the certificate path
  • logging files to record verified messages

There are two signature configuration files:

Samples of these configuration files are provided in the soapsamples.ear file.

An explanation of each configuration element in the Verification Header follows:
  • AllowedAlgorithms

    All the algorithms supported by this VHH must be listed in this element. Algorithms other than these cannot be used in the SOAP-SEC:Signature header. The current implementation supports all algorithms that the XML Signature specification requires, except for SHA1-MAC.

  • RequiredAuthenticatedParts

    This section specifies which parts of the SOAP message must be authenticated through the SOAP-SEC:Signature header. Currently two values are supported for the part attribute:

      1. When part="root", the whole envelope must be signed through the enveloped-signature transform.
      2. When part="body", the SOAP-ENV:Body element in the SOAP envelope must be referenced by one of the Reference elements in the signature.

    Part="" allows an attachment to be specified.

    If the specified parts are not authenticated through the signature header entry, verification fails.

  • DefaultVerificationKeys

    When KeyInfo is missing from the signature, the content of this element is used as the KeyInfo part of the signature. When the communicating parties already know each other's identity, the default KeyInfo can be used to reduce the volume of data transmitted.

  • Log

    Specifies the logging behavior. The target attribute of a LogFile element selects which verification attempts are logged:

    • When target="all", all verification attempts are logged.
    • When target="success", only successful verifications are logged.
    • When target="fail", only unsuccessful verifications are logged.

    Multiple LogFile elements can be specified.

    The following example illustrates how to specify logging:

    <Log>
      <SOAPDSigLogger class="com.ibm.xml.soap.security.dsig.SOAPDSigLoggerImpl">
        <LogFile target="all" path="SOAPVHH-all.log" append="yes"/>
      </SOAPDSigLogger>
      <SOAPDSigLogger class="com.ibm.xml.soap.security.dsig.SOAPDSigLoggerImpl">
        <LogFile target="fail" path="SOAPVHH-fail.log" append="yes"/>
      </SOAPDSigLogger>
    </Log>
    
  • PKIXParameters

    Currently, VHH supports X.509/PKIX certificates only (no HMAC, no PGP, and so on). The policies for PKIX certificate verification are specified in this element, which is a straightforward mapping of the Java CertPath API. Not all of the entries are meaningful in this initial release.

    The current implementation allows only a keystore as the means of specifying the trusted roots.
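As an added example (not code from the InfoCenter or from the IBM handler), the following Python applies the AllowedAlgorithms and RequiredAuthenticatedParts policies described above to a constructed SOAP envelope. It assumes the standard SOAP 1.1, SOAP-SEC and XML-DSig namespace URIs and a SOAP-SEC:id attribute on the Body; it performs only the policy pre-check, not cryptographic signature or PKIX verification.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SOAP 1.1, the SOAP-SEC signature header and XML-DSig.
NS = {"env": "http://schemas.xmlsoap.org/soap/envelope/",
      "sec": "http://schemas.xmlsoap.org/soap/security/2000-12",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

# Constructed sample: a signed envelope whose signature references the Body only.
# Digest and signature values are placeholders; no cryptography is checked here.
SAMPLE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="%(env)s" xmlns:SOAP-SEC="%(sec)s">
 <SOAP-ENV:Header><SOAP-SEC:Signature SOAP-ENV:mustUnderstand="1">
  <ds:Signature xmlns:ds="%(ds)s"><ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
   <ds:SignatureMethod Algorithm="%(ds)srsa-sha1"/>
   <ds:Reference URI="#Body"><ds:DigestMethod Algorithm="%(ds)ssha1"/>
    <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
 </SOAP-SEC:Signature></SOAP-ENV:Header>
 <SOAP-ENV:Body SOAP-SEC:id="Body"><m:GetPrice xmlns:m="urn:example"/></SOAP-ENV:Body>
</SOAP-ENV:Envelope>""" % NS

# Stand-in for the AllowedAlgorithms element: every algorithm URI the handler accepts.
ALLOWED = {"http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
           NS["ds"] + "rsa-sha1", NS["ds"] + "sha1", ENVELOPED}

def check_policy(envelope_xml, required_parts, allowed=ALLOWED):
    """Apply the AllowedAlgorithms and RequiredAuthenticatedParts policy to an
    envelope. Returns (ok, reasons), where reasons lists every violation found.
    Pre-check only: signature and certificate verification are not performed."""
    root = ET.fromstring(envelope_xml)
    sig = root.find("env:Header/sec:Signature/ds:Signature", NS)
    if sig is None:
        return False, ["no SOAP-SEC:Signature header entry"]
    reasons = []
    # AllowedAlgorithms: every algorithm URI the signature uses must be listed.
    used = {e.get("Algorithm") for e in sig.iter() if e.get("Algorithm")}
    reasons += ["algorithm not allowed: " + a for a in sorted(used - allowed)]
    # RequiredAuthenticatedParts: "root" needs an enveloped-signature reference to
    # the whole document (URI=""); "body" needs a reference to the Body's id.
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    body = root.find("env:Body", NS)
    body_id = body.get("{%s}id" % NS["sec"]) if body is not None else None
    for part in required_parts:
        if part == "root":
            ok = any(r.get("URI", "") == "" and ENVELOPED in {
                t.get("Algorithm") for t in r.findall("ds:Transforms/ds:Transform", NS)}
                for r in refs)
        elif part == "body":
            ok = body_id is not None and any(r.get("URI") == "#" + body_id for r in refs)
        else:
            ok = False  # unknown part value: fail closed
        if not ok:
            reasons.append("required part not authenticated: " + part)
    return not reasons, reasons
```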
