You can configure the signing information for the client-side request
generator and server-side response generator bindings at the server or
cell level.
Before you begin
In the server-side extensions file (ibm-webservices-ext.xmi) and the client-side deployment descriptor extensions file (ibm-webservicesclient-ext.xmi), you must specify which parts of the message are signed. Also, you need to configure the key information that is referenced by the key information references on the signing information panel within the administrative console.
About this task
This task explains the steps needed to configure the signing information for the client-side request generator and server-side response generator bindings at the server or cell level. WebSphere Application Server uses the signing information for the default generator to sign parts of the message, including the body, time stamp, and user name token, if these bindings are not defined at the application level. The Application Server provides default values for bindings. However, an administrator must modify the defaults for a production environment.
You can configure the signing information for the consumer binding on the server level and the cell level. In the following steps, use the first step to access the server-level default bindings and use the second step to access the cell-level bindings.
Procedure
- Access the default bindings for the server level.
  - Click Servers > Application servers > server_name.
  - Under Security, click Web services: Default bindings for Web services security.
- Click Security > Web services to access the default bindings on the cell level.
- Under Default consumer bindings, click Signing information.
- Click New to create a signing information configuration, click Delete to delete an existing configuration, or click the name of an existing signing information configuration to edit the settings. If you are creating a new configuration, enter a unique name for the signing configuration in the Signing information name field. For example, you might specify gen_signinfo.
- Select a signature method algorithm from the Signature method field. The algorithm that is specified for the default consumer must match the algorithm that is specified for the default generator. WebSphere Application Server supports the following pre-configured algorithms:
- Select a canonicalization method from the Canonicalization method field. The canonicalization algorithm that you specify for the generator must match the algorithm for the consumer. WebSphere Application Server supports the following pre-configured canonical XML and exclusive XML canonicalization algorithms:
  - http://www.w3.org/2001/10/xml-exc-c14n#
  - http://www.w3.org/2001/10/xml-exc-c14n#WithComments
  - http://www.w3.org/TR/2001/REC-xml-c14n-20010315
  - http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- Select a key information signature type from the Key information signature type field. The key information signature type determines how to digitally sign the key. WebSphere Application Server supports the following signature types:
  - None: Specifies that the KeyInfo element is not signed.
  - Keyinfo: Specifies that the entire KeyInfo element is signed.
  - Keyinfochildelements: Specifies that the child elements of the KeyInfo element are signed.
  The key information signature type for the consumer must match the signature type for the generator. You might encounter the following situations:
  - If you do not specify one of the previous signature types, WebSphere Application Server uses Keyinfo by default.
  - If you select Keyinfo or Keyinfochildelements and you select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform as the transform algorithm in a subsequent step, WebSphere Application Server also signs the referenced token.
- Click OK to save the configuration.
- Click the name of the new signing information configuration. This configuration is the one that you specified in the previous steps.
- Specify the key information reference, part reference, digest algorithm, and transform algorithm.
  - Under Additional properties, click Key information references > New to create a new reference, click Key information references > Delete to delete an existing reference, or click a reference name to edit an existing key information reference.
  - Enter a name for the configuration in the Name field. For example, enter con_skeyinfo.
  - Select a key information reference from the Key information reference field. The key information reference points to the key that WebSphere Application Server uses for digital signing. In the binding files, the reference is specified within the <signingKeyInfo> element. The key that is used for signing is specified by the Key information element, which is defined at the same level as the signing information. For more information, see Configuring the key information for the consumer binding on the application level.
  - Click OK and Save to save the configuration.
  - Under Additional Properties, click Part references > New to create a new part reference, click Part references > Delete to delete an existing part reference, or click a part name to edit an existing part reference. The part reference specifies which parts of the message to digitally sign. The part attribute refers to the name of the <RequiredIntegrity> element in the deployment descriptor when <PartReference> is specified for the digital signature. WebSphere Application Server enables you to specify multiple <PartReference> elements for the <SigningInfo> element. The <PartReference> element has two child elements: <DigestMethod> and <Transform>.
  - Specify a unique part name for this part reference. For example, you might specify reqint.
  Important: You do not need to specify a value for the Part Reference field like you specify on the application level because the part reference on the application level points to a particular part of the message that is signed. Because the default bindings for the server and cell levels are applicable to all of the services defined on a particular server, you cannot specify this value.
  - Select a digest method algorithm in the Digest method algorithm field. The digest method algorithm is specified within the <DigestMethod> element, which is used in the <SigningInfo> element. WebSphere Application Server supports the http://www.w3.org/2000/09/xmldsig#sha1 algorithm.
  - Click OK and Save to save the configuration.
  - Click the name of the new part reference configuration. This configuration is the one that you specified in the previous steps.
  - Under Additional properties, click Transforms > New to create a new transform, click Transforms > Delete to delete a transform, or click a transform name to edit an existing transform. If you create a new transform configuration, specify a unique name. For example, you might specify reqint_body_transform1.
  - Select a transform algorithm from the menu. The transform algorithm is specified within the <Transform> element. It specifies the transform algorithm for the signature. WebSphere Application Server supports the following algorithms:
    - http://www.w3.org/2001/10/xml-exc-c14n#
    - http://www.w3.org/TR/1999/REC-xpath-19991116
    - http://www.w3.org/2002/06/xmldsig-filter2
    - http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
    - http://www.w3.org/2002/07/decrypt#XML
    - http://www.w3.org/2000/09/xmldsig#enveloped-signature
  The transform algorithm that you select for the consumer must match the transform algorithm that you select for the generator.
  Important: If both of the following conditions are true, WebSphere Application Server signs the referenced token:
    - You previously selected the Keyinfo or the Keyinfochildelements option from the Key information signature type field on the signing information panel.
    - You select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform as the transform algorithm.
  - Click OK.
- Click Save at the top of the panel to save your configuration.
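The canonicalization method and digest method steps above, as an added example that is not part of the original page or of WebSphere: it recomputes the SHA-1 DigestValue of a constructed SOAP Body under different canonicalization settings and shows why the consumer only verifies when it uses the same choice as the generator. Python's standard-library canonicalize implements C14N 2.0, not the 1.0 and exclusive algorithms listed above, so it stands in for them here only to show the with-comments versus without-comments effect.

```python
import base64
import hashlib
import hmac
from xml.etree import ElementTree as ET

# Constructed sample SOAP Body (not a captured message). The comment is
# deliberate: it is the part that a "#WithComments" canonicalization keeps
# and a plain canonicalization drops, so the two digests diverge.
SOAP_BODY = (
    '<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/'
    'oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="body-1">'
    '<!-- audit note --><ns:getBalance xmlns:ns="urn:example:bank">'
    '<ns:account>  42 </ns:account></ns:getBalance></soapenv:Body>'
)

SHA1_DIGEST_METHOD = "http://www.w3.org/2000/09/xmldsig#sha1"


def canonical_form(xml_text: str, with_comments: bool) -> str:
    """Canonicalize the signed part; the flag models choosing a
    '#WithComments' canonicalization URI versus the plain one."""
    return ET.canonicalize(xml_text, with_comments=with_comments)


def digest_value(xml_text: str, with_comments: bool) -> str:
    """Base64 SHA-1 over the canonical bytes, as the xmldsig#sha1
    DigestMethod listed on the page produces for a <Reference>."""
    canonical = canonical_form(xml_text, with_comments).encode("utf-8")
    return base64.b64encode(hashlib.sha1(canonical).digest()).decode("ascii")


def consumer_verifies(xml_text: str, reference_digest: str,
                      consumer_with_comments: bool) -> bool:
    """Consumer side: recompute under its own configured canonicalization
    and compare in constant time against the generator's DigestValue."""
    recomputed = digest_value(xml_text, consumer_with_comments)
    return hmac.compare_digest(recomputed, reference_digest)


if __name__ == "__main__":
    generated = digest_value(SOAP_BODY, with_comments=False)
    print("matching c14n   ->", consumer_verifies(SOAP_BODY, generated, False))
    print("mismatched c14n ->", consumer_verifies(SOAP_BODY, generated, True))
```

A mismatch shows up on the consumer as a digest verification failure rather than a configuration error, which is why the two panels must be checked against each other when a signature suddenly stops validating.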
Results
After completing these steps, you have configured the signing information for the consumer on the server or cell level.
What to do next
You must specify a similar signing information configuration for the generator.