You can configure the key information for the request consumer
(server side) and the response consumer (client side) bindings at the application
level.
Before you begin
Configure the key locators and the token consumers that are referenced
by the Key locator reference and the Token reference fields within the key
information panel.
About this task
This task provides the steps that are needed for configuring the
key information for the request consumer (server side) and the response consumer
(client side) bindings at the application level. The key information on the
consumer side is used for specifying the information about the key, which
is used for validating the digital signature in the received message or for
decrypting the encrypted parts of the message. Complete the following steps
to configure the key information for consumer binding on the application level.
Procedure
- Locate the key information configuration panel in the administrative
console.
- Click Applications > Enterprise applications > application_name.
- Under Manage modules, click URI_name.
- Under Web Services Security Properties, you
can access the key information for the request consumer and response consumer
bindings.
- For the request consumer (receiver) binding, click Web services: Server
security bindings. Under request consumer (receiver) binding, click Edit
custom.
- For the response consumer (receiver) binding, click Web services: Client
security bindings. Under response consumer (receiver) binding, click Edit
custom.
- Under Required properties, click Key information.
- Click one of the following to work with key information configuration:
- New
- To create a key information configuration. Enter a name in the Key information
name field. For example, you might specify con_signkeyinfo.
- Delete
- To delete a configuration (selected in the box next to that configuration).
- an existing key information configuration
- To edit the settings of a key information configuration.
- Select a key information type from the Key information type field.
The key information types specify different mechanisms for referencing
security tokens using the <wsse:SecurityTokenReference> element within
the <ds:KeyInfo> element. WebSphere Application Server supports the following
key information types:
- Key identifier
- The security token is referenced using an opaque value that uniquely identifies
the token. The algorithm that is used for generating the <KeyIdentifier>
element value depends upon the token type. For example, you can use the identifier
for the public keys that are defined in the Internet Engineering Task Force (IETF) Request for Comments
(RFC) 3280. The following <KeyInfo> element is generated in the
Simple Object Access Protocol (SOAP) message for this key information type:
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <wsse:SecurityTokenReference>
    <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3SubjectKeyIdentifier">
      /62wXO...
    </wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>
- Key name
- The security token is referenced using a name that matches an identity
assertion within the token. It is recommended that you do not use this key
type as it might result in multiple security tokens that match the specified
name. The following <KeyInfo> element is generated in the SOAP message
for this key information type:
<ds:KeyInfo>
  <ds:KeyName>CN=Group1</ds:KeyName>
</ds:KeyInfo>
In general, use a key name when you use a Key-Hashing Message
Authentication Code (HMAC) digital signature algorithm, such as http://www.w3.org/2000/09/xmldsig#hmac-sha1.
- Security token reference
- The security token is directly referenced using Universal Resource Identifiers
(URIs). The following <KeyInfo> element is generated in the SOAP message
for this key information type:
<ds:KeyInfo>
  <wsse:SecurityTokenReference>
    <wsse:Reference URI="#SomeCert"
      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
  </wsse:SecurityTokenReference>
</ds:KeyInfo>
- Embedded token
- The security token is directly embedded within the <SecurityTokenReference>
element. The following <KeyInfo> element is generated in the SOAP message
for this key information type:
<ds:KeyInfo>
  <wsse:SecurityTokenReference>
    <wsse:Embedded wsu:Id="tok1">
      …
    </wsse:Embedded>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>
- X509 issuer name and issuer serial
- The security token is referenced by an issuer name and an issuer serial
number of an X.509 certificate. The following <KeyInfo> element is generated
in the SOAP message for this key information type:
<ds:KeyInfo>
  <wsse:SecurityTokenReference>
    <ds:X509Data>
      <ds:X509IssuerSerial>
        <ds:X509IssuerName>CN=Jones, O=IBM, C=US</ds:X509IssuerName>
        <ds:X509SerialNumber>1040152879</ds:X509SerialNumber>
      </ds:X509IssuerSerial>
    </ds:X509Data>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>
Each type of key information is described in the Web Services
Security: SOAP Message Security 1.0 (WS-Security 2004) OASIS standard, which
is located at: http://www.oasis-open.org/home/index.php under Web
services security.
- Select a key locator reference from the Key locator reference
field. The value of this field is a reference to a key locator
that WebSphere Application Server uses to locate the keys that are used for
digital signature and encryption. Before you can select a key locator, you
must configure a key locator. For more information on configuring a key locator,
see Configuring the key locator using JAX-RPC for the consumer binding on the application level.
- Select a token reference from the Token reference field.
The token reference specifies a reference to a token consumer that is
used for processing the security token in the message. However, WebSphere
Application Server requires this field only when you select Security token
reference or Embedded token in the Key information type field. Before specifying
a token reference, you must configure a token consumer. For more information
on configuring a token consumer, see Configuring token consumers using JAX-RPC to protect message authenticity at the application level.
Select (none) if
a token consumer is not required for this key information configuration.
- Click OK and Save to save this configuration.
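The five <ds:KeyInfo> forms listed in the procedure, parsed and classified by a short Python script. This is an added example written for this page, not WebSphere Application Server code: the fragments it parses are constructed from the shapes shown above, the base64 KeyIdentifier value is a made-up 20-byte subject key identifier rather than one from a real certificate, the contents of the Embedded token are a placeholder, and the two rules in check_binding are the ones the procedure states (Security token reference and Embedded token require a token consumer; Key name may match more than one token and is not recommended).

```python
# Added example (not WebSphere code): classify the <ds:KeyInfo> reference
# types described above and apply the page's two configuration rules.
# All sample fragments below are constructed for this example.
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
X509_PROFILE = ("http://docs.oasis-open.org/wss/2004/01/"
                "oasis-200401-wss-x509-token-profile-1.0")
NS = {"ds": DS, "wsse": WSSE, "wsu": WSU}

# The procedure states that only these two types need a token consumer.
NEEDS_TOKEN_CONSUMER = {"Security token reference", "Embedded token"}

HEAD = f'<ds:KeyInfo xmlns:ds="{DS}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'

# Constructed sample: base64 of bytes 0x00..0x13, a made-up SKI value.
SAMPLE_KEY_IDENTIFIER = HEAD + f"""
  <wsse:SecurityTokenReference>
    <wsse:KeyIdentifier ValueType="{X509_PROFILE}#X509v3SubjectKeyIdentifier">
      AAECAwQFBgcICQoLDA0ODxAREhM=
    </wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>"""

SAMPLE_KEY_NAME = HEAD + """
  <ds:KeyName>CN=Group1</ds:KeyName>
</ds:KeyInfo>"""

SAMPLE_STR_REFERENCE = HEAD + f"""
  <wsse:SecurityTokenReference>
    <wsse:Reference URI="#SomeCert" ValueType="{X509_PROFILE}#X509v3" />
  </wsse:SecurityTokenReference>
</ds:KeyInfo>"""

# The token body is a placeholder, not a real certificate.
SAMPLE_EMBEDDED = HEAD + """
  <wsse:SecurityTokenReference>
    <wsse:Embedded wsu:Id="tok1">
      <wsse:BinarySecurityToken>PLACEHOLDER</wsse:BinarySecurityToken>
    </wsse:Embedded>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>"""

SAMPLE_ISSUER_SERIAL = HEAD + """
  <wsse:SecurityTokenReference>
    <ds:X509Data>
      <ds:X509IssuerSerial>
        <ds:X509IssuerName>CN=Jones, O=IBM, C=US</ds:X509IssuerName>
        <ds:X509SerialNumber>1040152879</ds:X509SerialNumber>
      </ds:X509IssuerSerial>
    </ds:X509Data>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>"""

SAMPLES = {
    "key-identifier": SAMPLE_KEY_IDENTIFIER,
    "key-name": SAMPLE_KEY_NAME,
    "str-reference": SAMPLE_STR_REFERENCE,
    "embedded": SAMPLE_EMBEDDED,
    "issuer-serial": SAMPLE_ISSUER_SERIAL,
}


def classify_keyinfo(xml_text):
    """Return (key_information_type, details) for one ds:KeyInfo element."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{DS}}}KeyInfo":
        raise ValueError("expected a ds:KeyInfo root element")

    key_name = root.find("ds:KeyName", NS)
    if key_name is not None:
        return "Key name", {"name": key_name.text.strip()}

    str_el = root.find("wsse:SecurityTokenReference", NS)
    if str_el is None:
        raise ValueError("neither ds:KeyName nor wsse:SecurityTokenReference")

    kid = str_el.find("wsse:KeyIdentifier", NS)
    if kid is not None:
        ski = base64.b64decode(kid.text.strip())  # opaque identifier bytes
        return "Key identifier", {"value_type": kid.get("ValueType"),
                                  "ski_hex": ski.hex()}

    ref = str_el.find("wsse:Reference", NS)
    if ref is not None:
        return "Security token reference", {"uri": ref.get("URI"),
                                            "value_type": ref.get("ValueType")}

    emb = str_el.find("wsse:Embedded", NS)
    if emb is not None:
        return "Embedded token", {"id": emb.get(f"{{{WSU}}}Id")}

    ser = str_el.find("ds:X509Data/ds:X509IssuerSerial", NS)
    if ser is not None:
        issuer = ser.findtext("ds:X509IssuerName", namespaces=NS).strip()
        serial = int(ser.findtext("ds:X509SerialNumber", namespaces=NS).strip())
        return "X509 issuer name and issuer serial", {"issuer": issuer,
                                                      "serial": serial}
    raise ValueError("unrecognised SecurityTokenReference content")


def check_binding(key_type, token_reference):
    """Apply the procedure's rules to a (key type, Token reference) pair."""
    findings = []
    if key_type in NEEDS_TOKEN_CONSUMER and token_reference in (None, "(none)"):
        findings.append(f"{key_type} requires a token consumer, "
                        f"but Token reference is (none)")
    if key_type == "Key name":
        findings.append("Key name can match more than one security token; "
                        "not recommended")
    return findings


if __name__ == "__main__":
    for label, fragment in SAMPLES.items():
        kind, details = classify_keyinfo(fragment)
        print(f"{label:15s} -> {kind}: {details}")
        for finding in check_binding(kind, "(none)"):
            print("    finding:", finding)
```

Running the script classifies each fragment and, with Token reference left at (none), reports findings only for the Security token reference, Embedded token and Key name cases, which matches the rules the procedure gives for the Token reference field.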
Results
You have configured the key information for the request or response
(or both) consumer binding at the application level.
What to do next
If you have not configured the key information for the generator
binding, you must specify a similar key information configuration for the
generator. After you configure the key information for both the consumer and
the generator, configure the signing information or encryption information,
which references the key information that is specified in this key information
task.