InfoCenter Home >
4: Developing applications >
4.8: Web services - an overview >
4.8.4: Securing SOAP services >
4.8.4.2: SOAP signature components >
4.8.4.2.4: Verification Header Handler
4.8.4.2.4: Verification Header Handler
The Verification Header Handler (VHH) validates
a digital signaure header in a SOAP envelope.
Its configuration can be customized using
a configuration file where you specify the following:
- a verification policy
- the certificate path
- logging files to record verified messages
There are two signature configuration files:
product_installation_root\installedApps\<ear_file_name>\soapsec.war\conf\sv-ver-config.xml
product_installation_root\installedApps\<ear_file_name>\soapsec.war\conf\cl-ver-config.xml
Samples of these configuration files are
provided in the soapsamples.ear file.
An explanation of each configuration element in the Verification Header follows:
AllowedAlgorithms
All the algorithms supported by this VHH must be listed in this element.
Algorithms other than these cannot be used in SOAP-SEC:Signature header.
The current implementation supports all required algorithms in the
XML Signature specification, except for SHA1-MAC.
RequiredAuthenticatedParts
This section specifies what parts of SOAP message need to be authenticated
through the SOAP-SEC:Signature header. Currently two values are supported
for the part attribute:
-
When part="root," the whole evelope must be signed through the
enveloped-signature transform.
-
When part="body," the SOAP-ENV:Body element in the SOAP envelope must be
referenced by one of the reference elements in the signature.
Part="" allows an attachment to be specified.
If the specified parts are not authenticated through the signature
header entry, verification fails.
DefaultVerificationKeys
When KeyInfo is missing in the signature, the content of this element
is used as a part of the signature. When communicating
parties know the identity of each other, the default KeyInfo can be
used to reduce the communication data volume.
Log
Specifies the logging behavior. The following versions of logging exist:
- When target="all," all verification attempts are logged.
- When target="success," only successful verification are logged.
- When target="fail," only unsuccessful verification are logged.
Multiple LogFile elements can be specified.
The following example illustrates how to specify logging:
<Log>
<SOAPDSigLogger
class="com.ibm.xml.soap.security.dsig.SOAPDSigLoggerImpl">
<LogFile target="all" path="SOAPVHH-all.log" append="yes"/>
</SOAPDSigLogger>
<SOAPDSigLogger
class="com.ibm.xml.soap.security.dsig.SOAPDSigLoggerImpl">
<LogFile target="fail" path="SOAPVHH-fail.log" append="yes"/>
</SOAPDSigLogger>
</Log>
PKIXParameters
Currently VHH supports X.509/PKIX certificates only (no HMAC, no
PGP, and so forth). The policies for PKIX certificate verification are
specified in this element. This is a straightforward mapping
of Java CertPath API. Not all of the entries are meaningful
in this initial release.
Current implementation only allows the use
of keystore as the means of specifying trusted
root.
|
|