Use the WSSSignature and WSSSignPart APIs to choose the signing methods. The request signing methods include the signature, canonicalization, digest, and transform methods.
First, you must have specified which parts of the message sent by the client must be digitally signed using the WSS APIs or configuring policy sets using the administrative console.
The following table describes the purpose of this information. Some of these definitions are based on the XML-Signature specification, which is located at the following Web site http://www.w3.org/TR/xmldsig-core.
| Name of method | Description |
|---|---|
| Canonicalization algorithm | Canonicalizes the `<SignedInfo>` element before the information is digested as part of the signature operation. |
| Signature algorithm | Calculates the signature value of the canonicalized `<SignedInfo>` element. The algorithm selected for the client request sender configuration must match the algorithm selected in the server request receiver configuration. |
| Transform method | Transforms the parts to be signed before the information is digested as part of the signature operation. |
| Digest method | Calculates the digest value of the transformed parts. The algorithm selected for the client request sender configuration must match the algorithms selected in the server request receiver configuration. |
You can use the WSS APIs or configure policy sets using the administrative console to configure the signing algorithm methods. If using the WSS APIs, use the WSSSignature and WSSSignPart APIs to specify which message parts to digitally sign when configuring the client for request signing.
The WSSSignature and WSSSignPart APIs complete the following steps to configure the signature and signed part algorithm methods:
The following example is sample code for specifying the signature information, with HMAC_SHA1 as the signature method, C14N as the canonicalization method, SHA256 as the digest method, and EXC_C14N and TRANSFORM_STRT10 as the transform methods:

```java
import com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext;
import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignPart;
import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignature;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;

// get the message context (getMessageContext() is the caller's own helper)
Object msgcontext = getMessageContext();

// generate WSSFactory instance
WSSFactory factory = WSSFactory.getInstance();

// generate WSSGenerationContext instance
WSSGenerationContext gencont = factory.newWSSGenerationContext();

// generate callback handler that supplies the signing key from the keystore
X509GenerateCallbackHandler callbackHandler = new X509GenerateCallbackHandler(
        "",
        "dsig-sender.ks",
        "jks",
        "client".toCharArray(),
        "soaprequester",
        "client".toCharArray(),
        "CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP",
        null);

// generate the security token used for the signature
SecurityToken token = factory.newSecurityToken(X509Token.class, callbackHandler);

// generate WSSSignature instance
WSSSignature sig = factory.newWSSSignature(token);

// set the canonicalization method
// DEFAULT: WSSSignature.EXC_C14N
sig.setCanonicalizationMethod(WSSSignature.C14N);

// set the signature method
// DEFAULT: WSSSignature.RSA_SHA1
sig.setSignatureMethod(WSSSignature.HMAC_SHA1);

// set the part specified by WSSSignPart
WSSSignPart sigPart = factory.newWSSSignPart();

// set the digest method
// DEFAULT: WSSSignPart.SHA1
sigPart.setDigestMethod(WSSSignPart.SHA256);

// add the transform methods
// DEFAULT: WSSSignPart.TRANSFORM_EXC_C14N
sigPart.addTransformMethod(WSSSignPart.TRANSFORM_EXC_C14N);
sigPart.addTransformMethod(WSSSignPart.TRANSFORM_STRT10);

// add the WSSSignPart to the WSSSignature
sig.addSignPart(sigPart);

// add the WSSSignature to the WSSGenerationContext
gencont.add(sig);

// generate the WS-Security header
gencont.process(msgcontext);
```
After you configure the client to digitally sign the message and to choose the algorithm methods, you must configure the server to verify the digital signature for request signing and to choose the algorithm methods.
Configure policy sets using the administrative console to configure the signature verification information and methods on the server.
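As an added example that is not part of the original page, the following shows the matching consumer-side configuration written with the WSSVerification and WSSVerifyPart APIs, so that the server accepts only the canonicalization, signature, digest and transform methods the client above signs with, as the table requires. The keystore name, password and certificate list are assumed values, and the `addAllowed*` method names are assumed to match the WSS API Javadoc for your WebSphere version.

```java
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSConsumingContext;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;
import com.ibm.websphere.wssecurity.wssapi.verification.WSSVerification;
import com.ibm.websphere.wssecurity.wssapi.verification.WSSVerifyPart;

// message context of the inbound request (caller's own helper, assumed)
Object msgcontext = getMessageContext();

WSSFactory factory = WSSFactory.getInstance();
WSSConsumingContext concont = factory.newWSSConsumingContext();

// trusted certificates used to build the certificate path (assumed: empty
// list means only the keystore contents are trusted)
List<X509Certificate> certList = new ArrayList<X509Certificate>();

// assumed keystore name and password for the receiver side
X509ConsumeCallbackHandler callbackHandler = new X509ConsumeCallbackHandler(
        "dsig-receiver.ks",
        "jks",
        "server".toCharArray(),
        certList,
        Security.getProvider("IBMCertPath"));

// signature verification bound to the X.509 token type
WSSVerification ver = factory.newWSSVerification(X509Token.class, callbackHandler);

// accept only the canonicalization and signature methods the client uses;
// anything else in the inbound <SignedInfo> causes verification to fail
ver.addAllowedCanonicalizationMethod(WSSVerification.C14N);
ver.addAllowedSignatureMethod(WSSVerification.HMAC_SHA1);

// the signed part must use the same digest and transform methods
WSSVerifyPart verPart = factory.newWSSVerifyPart();
verPart.addAllowedDigestMethod(WSSVerifyPart.SHA256);
verPart.addAllowedTransform(WSSVerifyPart.TRANSFORM_EXC_C14N);
verPart.addAllowedTransform(WSSVerifyPart.TRANSFORM_STRT10);

// the part is required: a request that lacks it is rejected
ver.addRequiredVerifyPart(verPart);

concont.add(ver);
// verify the WS-Security header of the inbound request
concont.process(msgcontext);
```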