Configuring request signing methods for the client

Use the WSSSignature and WSSSignPart APIs to choose the signing methods. The request signing methods include the signature, canonicalization, digest, and transform methods.

Before you begin

Before you choose the signing methods, you must have specified which parts of the message sent by the client are to be digitally signed, either with the WSS APIs or by configuring policy sets in the administrative console.

About this task

The following table describes each of the signing methods. Some of these definitions are based on the XML-Signature specification, which is available at http://www.w3.org/TR/xmldsig-core.

Table 1. Signing methods. Use the signing methods to secure messages.

  Name of method              Description
  --------------------------  --------------------------------------------------------------
  Canonicalization algorithm  Canonicalizes the <SignedInfo> element before the information is digested as part of the signature operation.
  Signature algorithm         Calculates the signature value of the canonicalized <SignedInfo> element. The algorithm selected for the client request sender configuration must match the algorithm selected in the server request receiver configuration.
  Transform method            Transforms the parts to be signed before the information is digested as part of the signature operation.
  Digest method               Calculates the digest value of the transformed parts. The algorithm selected for the client request sender configuration must match the algorithm selected in the server request receiver configuration.

You can use the WSS APIs or configure policy sets using the administrative console to configure the signing algorithm methods. If using the WSS APIs, use the WSSSignature API to set the signature and canonicalization methods and the WSSSignPart API to set the digest and transform methods when configuring the client for request signing.

Use the WSSSignature and WSSSignPart APIs to complete the following steps to configure the signature and signed part algorithm methods:

Procedure

  1. For the generator binding, the WSSSignature API specifies the signature method. WebSphere® Application Server supports the following pre-configured signature methods:
    • WSSSignature.RSA_SHA1 (the default value): http://www.w3.org/2000/09/xmldsig#rsa-sha1
    • WSSSignature.HMAC_SHA1: http://www.w3.org/2000/09/xmldsig#hmac-sha1
    HMAC_SHA1 is a keyed hash (MAC), not a public-key signature: the server must hold the same secret key as the client, and because either side could have produced the value, it gives integrity and authenticity but not non-repudiation.
    For the WSS APIs, WebSphere Application Server does not support the DSA-SHA1 digital signature method, http://www.w3.org/2000/09/xmldsig#dsa-sha1.
  2. For the generator binding, the WSSSignature API specifies the canonicalization method. WebSphere Application Server supports the following pre-configured canonicalization algorithms:
    • WSSSignature.EXC_C14N (the default value): The exclusive canonicalization algorithm, http://www.w3.org/2001/10/xml-exc-c14n#
    • WSSSignature.C14N: The inclusive canonicalization algorithm, http://www.w3.org/TR/2001/REC-xml-c14n-20010315
  3. For the generator binding, the WSSSignPart API specifies the digest method. WebSphere Application Server supports the following pre-configured digest methods:
    • WSSSignPart.SHA1 (the default value): http://www.w3.org/2000/09/xmldsig#sha1
    • WSSSignPart.SHA256: http://www.w3.org/2001/04/xmlenc#sha256
    • WSSSignPart.SHA512: http://www.w3.org/2001/04/xmlenc#sha512
    SHA-1 is no longer considered collision resistant; prefer SHA256 or SHA512 whenever the server request receiver configuration accepts it.
  4. For the generator binding, the WSSSignPart API specifies the transform method. WebSphere Application Server supports the following pre-configured transform algorithms:
    • WSSSignPart.TRANSFORM_EXC_C14N (the default value): http://www.w3.org/2001/10/xml-exc-c14n#
    • WSSSignPart.TRANSFORM_XPATH2_FILTER: http://www.w3.org/2002/06/xmldsig-filter2
    • WSSSignPart.TRANSFORM_STRT10: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
    • WSSSignPart.TRANSFORM_ENVELOPED_SIGNATURE: http://www.w3.org/2000/09/xmldsig#enveloped-signature
    For the WSS APIs, WebSphere Application Server does not support the following transform algorithms:
    • http://www.w3.org/TR/1999/REC-xpath-19991116
    • http://www.w3.org/2002/07/decrypt#XML

Results

Using the WSS APIs, you have specified which algorithm methods are used to digitally sign a message when the client sends a message to a server.

Example

The following example is sample code for specifying the signature information: HMAC_SHA1 as the signature method, C14N as the canonicalization method, SHA256 as the digest method, and EXC_C14N and TRANSFORM_STRT10 as the transform methods. Each setter call overrides the default noted in the comment above it:

    // Imports for the WS-Security API classes used below. The WSS API calls throw
    // com.ibm.websphere.wssecurity.wssapi.WSSException, which the enclosing client
    // method must declare or catch.
    import com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler;
    import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
    import com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext;
    import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignPart;
    import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignature;
    import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
    import com.ibm.websphere.wssecurity.wssapi.token.X509Token;

    // get the message context
    Object msgcontext = getMessageContext();

    // generate WSSFactory instance
    WSSFactory factory = WSSFactory.getInstance();

    // generate WSSGenerationContext instance
    WSSGenerationContext gencont = factory.newWSSGenerationContext();

    // generate the callback handler that supplies the signing key and certificate
    // from the sender's keystore
    X509GenerateCallbackHandler callbackHandler = new X509GenerateCallbackHandler(
            "",
            "dsig-sender.ks",                 // keystore file
            "jks",                            // keystore type
            "client".toCharArray(),           // keystore password
            "soaprequester",                  // alias of the signing key
            "client".toCharArray(),           // key password
            "CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP",   // distinguished name of the signing certificate
            null);

    // generate the security token used for the signature
    SecurityToken token = factory.newSecurityToken(X509Token.class, callbackHandler);

    // generate WSSSignature instance
    WSSSignature sig = factory.newWSSSignature(token);

    // set the canonicalization method
    // DEFAULT: WSSSignature.EXC_C14N
    sig.setCanonicalizationMethod(WSSSignature.C14N);

    // set the signature method
    // DEFAULT: WSSSignature.RSA_SHA1
    sig.setSignatureMethod(WSSSignature.HMAC_SHA1);

    // create the part specified by WSSSignPart (the message parts to sign are
    // assumed to have been chosen already; see "Before you begin")
    WSSSignPart sigPart = factory.newWSSSignPart();

    // set the digest method
    // DEFAULT: WSSSignPart.SHA1
    sigPart.setDigestMethod(WSSSignPart.SHA256);

    // add the transform methods
    // DEFAULT: WSSSignPart.TRANSFORM_EXC_C14N
    sigPart.addTransformMethod(WSSSignPart.TRANSFORM_EXC_C14N);
    sigPart.addTransformMethod(WSSSignPart.TRANSFORM_STRT10);

    // add the WSSSignPart to the WSSSignature
    sig.addSignPart(sigPart);

    // add the WSSSignature to the WSSGenerationContext
    gencont.add(sig);

    // generate the WS-Security header
    gencont.process(msgcontext);

What to do next

After you configure the client to digitally sign the message and to choose the algorithm methods, you must configure the server to verify the digital signature for request signing and to choose the algorithm methods.

Configure policy sets using the administrative console to configure the signature verification information and methods on the server.
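The four algorithm slots from the procedure above, together with the server-side matching that this section asks for, as an added example written for this page; it is not code from the IBM documentation or from the WebSphere product. It uses the standard JDK XML Signature API (javax.xml.crypto.dsig) rather than the WSS API so that it runs stand-alone: the client half builds the same <SignedInfo> structure that WSSSignature and WSSSignPart produce (canonicalization and signature method on <SignedInfo>, transform and digest method on the <Reference> for each signed part), and the server half checks the signature and digest algorithm URIs the message declares against an allowlist before it validates the signature. The SOAP envelope, the SigningMethodsDemo class, the ALLOWED_SIGNATURE and ALLOWED_DIGEST sets and the generated RSA key pair are all constructed for the example. It signs with RSA-SHA256 instead of the page's RSA_SHA1 because JDK 17 and later refuse SHA-1 XML signatures in their default secure validation mode.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SigningMethodsDemo {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String DSIG = XMLSignature.XMLNS; // http://www.w3.org/2000/09/xmldsig#

    // Constructed sample request (not a real service); the Body carries a wsu:Id so it can be referenced.
    static final String REQUEST =
        "<soapenv:Envelope xmlns:soapenv=\"" + SOAP + "\"><soapenv:Header/>"
      + "<soapenv:Body xmlns:wsu=\"" + WSU + "\" wsu:Id=\"Body\">"
      + "<getQuote><symbol>IBM</symbol></getQuote></soapenv:Body></soapenv:Envelope>";

    // Receiver policy (assumed for the example): algorithms this server accepts. Anything else is
    // rejected before any cryptographic validation happens.
    static final Set<String> ALLOWED_SIGNATURE = new HashSet<>(Arrays.asList(SignatureMethod.RSA_SHA256));
    static final Set<String> ALLOWED_DIGEST = new HashSet<>(Arrays.asList(DigestMethod.SHA256, DigestMethod.SHA512));

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, no XXE
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static Element soapPart(Document doc, String localName) {
        return (Element) doc.getElementsByTagNameNS(SOAP, localName).item(0);
    }

    // Client side. Transform + digest method belong to the <Reference> for each signed part
    // (WSSSignPart); canonicalization + signature method belong to <SignedInfo> (WSSSignature).
    static Document sign(KeyPair kp) throws Exception {
        Document doc = parse(REQUEST);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Transform excC14n = fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null);
        Reference bodyRef = fac.newReference("#Body", fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(excC14n), null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null),
                Collections.singletonList(bodyRef));
        DOMSignContext ctx = new DOMSignContext(kp.getPrivate(), soapPart(doc, "Header")); // Signature goes in the Header
        ctx.setIdAttributeNS(soapPart(doc, "Body"), WSU, "Id"); // lets "#Body" resolve to the Body element
        fac.newXMLSignature(si, null).sign(ctx);                // no KeyInfo: the key is selected out of band
        return doc;
    }

    // Server side: check the declared algorithms against policy first, then validate the signature.
    static boolean verify(Document signed, KeyPair kp) throws Exception {
        Element sigEl = (Element) signed.getElementsByTagNameNS(DSIG, "Signature").item(0);
        String sigMethod = ((Element) sigEl.getElementsByTagNameNS(DSIG, "SignatureMethod").item(0)).getAttribute("Algorithm");
        if (!ALLOWED_SIGNATURE.contains(sigMethod)) throw new SecurityException("signature method not allowed: " + sigMethod);
        NodeList digests = sigEl.getElementsByTagNameNS(DSIG, "DigestMethod");
        for (int i = 0; i < digests.getLength(); i++) {
            String d = ((Element) digests.item(i)).getAttribute("Algorithm");
            if (!ALLOWED_DIGEST.contains(d)) throw new SecurityException("digest method not allowed: " + d);
        }
        DOMValidateContext vctx = new DOMValidateContext(kp.getPublic(), sigEl);
        vctx.setIdAttributeNS(soapPart(signed, "Body"), WSU, "Id");
        return XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(vctx).validate(vctx);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Document signed = sign(kp);
        System.out.println("valid: " + verify(signed, kp));
        // Change a signed part after signing: the Body digest no longer matches and validate() returns false.
        soapPart(signed, "Body").getElementsByTagName("symbol").item(0).setTextContent("MSFT");
        System.out.println("valid after tampering: " + verify(signed, kp));
    }
}
```

Compile and run with javac SigningMethodsDemo.java && java SigningMethodsDemo (Java 11 or later, which is where SignatureMethod.RSA_SHA256 was added). The allowlist in verify is the check behind the page's rule that the client's algorithms "must match the server request receiver configuration": validate() only proves that the signature is internally consistent under whatever algorithms the message itself declares, so the receiver has to decide which algorithms it trusts before calling it. Without that check, the sender, or anyone who can rewrite the header, can select the weakest algorithm the library still accepts.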


Last updated: Oct 21, 2010 1:44:59 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-express-dist&topic=twbs_confwsssignalgorithms
File name: twbs_confwsssignalgorithms.html