You can configure the signing information for the client-side
request generator and the server-side response generator bindings
at the server or cell level.
Before you begin
In the server-side extensions file (ibm-webservices-ext.xmi) and the client-side deployment descriptor extensions file (ibm-webservicesclient-ext.xmi), you must specify which parts of the message are signed. Also, you need to configure the key information that is referenced by the key information references on the Signing information panel within the administrative console.
About this task
This task explains the steps that are needed for you to
configure the signing information for the client-side request generator
and the server-side response generator bindings at the server or cell level.
WebSphere Application Server uses the signing information for the
default generator to sign parts of the message that include the body,
time stamp, and user name token if these bindings are not defined
at the application level. The Application Server provides default
values for bindings. However, an administrator must modify the defaults
for a production environment.
You can configure the signing information for the generator binding on the server level and the cell level. In the following steps, use the first step to configure the signing information for the server level and use the second step to configure the signing information on the cell level:
Complete the following steps to configure the signing information for the generator sections of the bindings files on the server level:
Procedure
- Access the default bindings for the server level.
  - Click Servers > Application servers > server_name.
  - Under Security, click Web services: Default bindings for Web services security.
- Click Security > Web services to access the default bindings on the cell level.
- Under Default generator bindings, click Signing information.
- Click New to create a signing information configuration, click Delete to delete an existing configuration, or click the name of an existing signing information configuration to edit the settings. If you are creating a new configuration, enter a unique name for the signing configuration in the Signing information name field. For example, you might specify gen_signinfo.
  Avoid trouble: If you create more than one signing information configuration, the WS-Security runtime environment only honors the first configuration listed in the bindings file.
- Select a signature method algorithm from the Signature method field. The algorithm that is specified for the default generator must match the algorithm that is specified for the default consumer. WebSphere Application Server supports the following pre-configured algorithms:
- Select a canonicalization method from the Canonicalization method field. The canonicalization algorithm that you specify for the generator must match the algorithm for the consumer. WebSphere Application Server supports the following pre-configured canonical XML and exclusive XML canonicalization algorithms:
  - http://www.w3.org/2001/10/xml-exc-c14n#
  - http://www.w3.org/2001/10/xml-exc-c14n#WithComments
  - http://www.w3.org/TR/2001/REC-xml-c14n-20010315
  - http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- Select a key information signature type from the Key information signature type field. The key information signature type determines how to digitally sign the key. WebSphere Application Server supports the following signature types:
  - None: Specifies that the KeyInfo element is not signed.
  - Keyinfo: Specifies that the entire KeyInfo element is signed.
  - Keyinfochildelements: Specifies that the child elements of the KeyInfo element are signed.
  The key information signature type for the generator must match the signature type for the consumer. You might encounter the following situations:
  - If you do not specify one of the previous signature types, WebSphere Application Server uses keyinfo, by default.
  - If you select Keyinfo or Keyinfochildelements and you select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform as the transform algorithm in a subsequent step, WebSphere Application Server also signs the referenced token.
- Select a signing key information reference from the Signing
key information field. This selection is a reference to
the signing key that the Application Server uses to generate digital
signatures. In the binding files, this information is specified within
the <signingKeyInfo> tag. The key that is used for signing is specified
by the key information element, which is defined at the same level
as the signing information. For more information, see Configuring the key information for the generator binding on the server or cell level.
- Click OK to save the configuration.
- Click the name of the new signing information configuration.
This configuration is the one that you specified in the previous
steps.
- Specify the part reference, digest algorithm, and transform algorithm. The part reference specifies which parts of the message to digitally sign.
  - Under Additional Properties, click Part references > New to create a new part reference, click Part references > Delete to delete an existing part reference, or click a part name to edit an existing part reference.
  - Specify a unique part name for the message part that needs signing. This message part is specified on both the server side and the client side. You must specify an identical part name for both the server side and the client side. For example, you might specify reqint for both the generator and the consumer.
    Important: You do not need to specify a value for the Part reference in the default bindings like you specify on the application level because the part reference on the application level points to a particular part of the message that is signed. Because the default bindings for the server and cell levels are applicable to all of the services that are defined on a particular server, you cannot specify this value.
  - Select a digest method algorithm in the Digest method algorithm field. The digest method algorithm that is specified in the binding files within the <DigestMethod> element is used in the <SigningInfo> element. WebSphere Application Server supports the following algorithms:
    - http://www.w3.org/2000/09/xmldsig#sha1
    - http://www.w3.org/2001/04/xmlenc#sha256
    - http://www.w3.org/2001/04/xmlenc#sha512
  - Click OK and Save to save the configuration.
- Click the name of the new part reference configuration. This configuration is the one that you specified in the previous steps.
- Under Additional properties, click Transforms > New to create a new transform, click Transforms > Delete to delete a transform, or click a transform name to edit an existing transform. If you create a new transform configuration, specify a unique name. For example, you might specify reqint_body_transform1.
- Select a transform algorithm from the menu. The transform algorithm is specified within the <Transform> element. This algorithm element specifies the transform algorithm for the digital signature. WebSphere Application Server supports the following algorithms:
  The transform algorithm that you select for the generator must match the transform algorithm that you select for the consumer.
  Important: If both of the following conditions are true, WebSphere Application Server signs the referenced token:
  - You previously selected the Keyinfo or the Keyinfochildelements option from the Key information signature type field on the signing information panel.
  - You select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform as the transform algorithm.
- Click Apply.
- Optional: Determine whether to disable the Inclusive namespace prefix list. The Exclusive XML Canonicalization Version 1.0 specification recommends that you include all of the namespace declarations that correspond to the namespace prefix in the canonicalization form. For security reasons, WebSphere Application Server, by default, includes the prefix in the digital signature for Web services security. However, some implementations of Web services security cannot handle this prefix list. WebSphere Application Server can handle digitally signed messages that either contain or do not contain the prefix list. If you experience a signature validation failure when a signed Simple Object Access Protocol (SOAP) message is sent and you are using another vendor in your environment, it is highly recommended that you check with their Web site for a possible fix to their implementation before you disable this property. To disable this property, complete the following steps:
  - Under Additional properties, click Properties > New.
  - In the Property name field, enter the com.ibm.wsspi.wssecurity.dsig.inclusiveNamespaces property.
  - In the Property value field, enter the false value.
  - Click OK.
- Click Save at the top of the panel to save your configuration.
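The following program is an added example, not IBM's code and not taken from the WebSphere bindings files. It shows where the settings chosen in the procedure above end up inside a ds:Signature, using the JDK's own XML Digital Signature API (javax.xml.crypto.dsig): the canonicalization method and signature method sit on SignedInfo, the digest method and transform sit on the part reference for the Body, the InclusiveNamespaces PrefixList is the element that the com.ibm.wsspi.wssecurity.dsig.inclusiveNamespaces property controls, and an unsigned KeyInfo corresponds to the None key information signature type. The consumer side verifies against a key it already trusts and rejects the message once a signed part is modified. Assumptions: the SOAP message, the part id reqint, the prefix list entry soapenv and the RSA with SHA-256 signature method are constructed for this example (the page lists no signature algorithms); everything else uses algorithm identifiers that appear on the page.

```java
// Added example (not IBM's code): how the generator settings map onto a ds:Signature,
// using the JDK XML Digital Signature API. Requires Java 11 or later.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SoapBodySigningExample {
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU_NS  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    // Constructed sample request. The wsu:Id "reqint" stands in for the part name used
    // in the procedure; the signature's Reference URI points at it.
    static final String MESSAGE =
          "<soapenv:Envelope xmlns:soapenv=\"" + SOAP_NS + "\" xmlns:wsu=\"" + WSU_NS + "\">"
        + "<soapenv:Header><wsse:Security xmlns:wsse=\"" + WSSE_NS + "\"/></soapenv:Header>"
        + "<soapenv:Body wsu:Id=\"reqint\"><getBalance xmlns=\"urn:example:bank\">"
        + "<account>42</account></getBalance></soapenv:Body></soapenv:Envelope>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        // Register wsu:Id as an ID attribute so that "#reqint" resolves to the Body.
        Element body = (Element) doc.getElementsByTagNameNS(SOAP_NS, "Body").item(0);
        body.setIdAttributeNS(WSU_NS, "Id", true);
        return doc;
    }

    /** Generator side: sign the Body and place ds:Signature inside wsse:Security. */
    static void sign(Document doc, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");

        // Part-reference transform: exclusive C14N carrying an InclusiveNamespaces
        // PrefixList. Passing null instead of the spec omits the PrefixList, which is
        // the effect of setting the inclusiveNamespaces property to false.
        Transform bodyTransform = fac.newTransform(CanonicalizationMethod.EXCLUSIVE,
                new ExcC14NParameterSpec(List.of("soapenv")));
        // Part-reference digest method: one of the three algorithms listed on the page.
        DigestMethod digest = fac.newDigestMethod(DigestMethod.SHA256, null);
        Reference bodyRef = fac.newReference("#reqint", digest,
                Collections.singletonList(bodyTransform), null, null);

        // Canonicalization method and signature method live on SignedInfo.
        // RSA with SHA-256 is this example's assumption.
        CanonicalizationMethod c14n = fac.newCanonicalizationMethod(
                CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null);
        SignatureMethod sigMethod = fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null);
        SignedInfo signedInfo = fac.newSignedInfo(c14n, sigMethod,
                Collections.singletonList(bodyRef));

        // KeyInfo carries the verification key and is not itself referenced by the
        // signature, which corresponds to the "None" key information signature type.
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo keyInfo = kif.newKeyInfo(
                Collections.singletonList(kif.newKeyValue(kp.getPublic())));

        Element security = (Element) doc.getElementsByTagNameNS(WSSE_NS, "Security").item(0);
        DOMSignContext ctx = new DOMSignContext(kp.getPrivate(), security);
        ctx.setDefaultNamespacePrefix("ds");
        fac.newXMLSignature(signedInfo, keyInfo).sign(ctx);
    }

    /** Consumer side: verify with a key the consumer already trusts, never with a key
     *  taken from the message's own KeyInfo. */
    static boolean verify(Document doc, PublicKey trusted) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            return false;
        }
        DOMValidateContext ctx = new DOMValidateContext(trusted, sigs.item(0));
        return fac.unmarshalXMLSignature(ctx).validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        Document doc = parse(MESSAGE);
        sign(doc, kp);
        System.out.println("valid as generated: " + verify(doc, kp.getPublic()));

        // Modify a signed part: the Body digest no longer matches, so validation fails.
        Element account = (Element) doc.getElementsByTagNameNS("urn:example:bank", "account").item(0);
        account.setTextContent("43");
        System.out.println("valid after modification: " + verify(doc, kp.getPublic()));
    }
}
```

Compile and run it with `javac SoapBodySigningExample.java && java SoapBodySigningExample`. The generator and consumer in this program agree on every algorithm because they share one process; between a WebSphere generator and a consumer configured separately, the same agreement is what the "must match" requirements in the steps above enforce, and a consumer that cannot process the InclusiveNamespaces PrefixList fails at exactly the point where this program's verify call canonicalizes the Body.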
Results
After completing these steps, you have configured the signing
information for the generator on the server or cell level.
What to do next
You must specify a similar signing information configuration
for the consumer.