You can configure the signing information for the client-side request
generator and server-side response generator bindings at the server level.
Before you begin
For transitioning users: For WebSphere
® Application Server version
6.x or earlier only, in the server-side extensions file (
ibm-webservices-ext.xmi)
and the client-side deployment descriptor extensions file (
ibm-webservicesclient-ext.xmi),
you must specify which parts of the message are signed. Also, you need to
configure the key information that is referenced by the key information references
on the signing information panel within the administrative console.
trns
About this task
This task explains the steps that are needed for you to configure
the signing information for the client-side request generator and server-side
response generator bindings at the server level. WebSphere Application
Server uses the signing information for the default generator to sign parts
of the message including the body, time stamp, and user name token, if these
bindings are not defined at the application level. The Application Server
provides default values for bindings. However, an administrator must modify
the defaults for a production environment.
Complete the following steps
to configure the signing information for the consumer sections of the bindings
files on the server level:
Procedure
- Access the default bindings for the server level.
- Click Servers > Server Types > WebSphere application
servers > server_name.
- Under Security, click JAX-WS and JAX-RPC security runtime.
Mixed-version environment: In a mixed node cell with a server using Websphere
Application Server version 6.1 or earlier, click
Web services:
Default bindings for Web services security.
mixv
- Under Default consumer bindings, click Signing information.
- Click New to create a signing information configuration,
click Delete to delete an existing configuration, or click the name
of an existing signing information configuration to edit the settings.
If you are creating a new configuration, enter a unique name for the
signing configuration in the Signing information name field. For example,
you might specify gen_signinfo.
- Select a signature method algorithm from the Signature method field.
The algorithm that is specified for the default consumer must match
the algorithm that is specified for the default generator. WebSphere Application
Server supports the following pre-configured algorithms:
- Select a canonicalization method from the Canonicalization method
field. The canonicalization algorithm that you specify for the
generator must match the algorithm for the consumer. WebSphere Application Server supports
the following pre-configured canonical XML and exclusive XML canonicalization
algorithms:
- http://www.w3.org/2001/10/xml-exc-c14n#
- http://www.w3.org/2001/10/xml-exc-c14n#WithComments
- http://www.w3.org/TR/2001/REC-xml-c14n-20010315
- http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- Select a key information signature type from the Key information
signature type field. The key information signature type determines
how to digitally sign the key. WebSphere Application Server supports
the following signature types:
- None
- Specifies that the KeyInfo element is not signed.
- Keyinfo
- Specifies that the entire KeyInfo element is signed.
- Keyinfochildelements
- Specifies that the child elements of the KeyInfo element are signed.
The key information signature type for the consumer must
match the signature type for the generator. You might encounter the following
situations:
- If you do not specify one of the previous signature types, WebSphere Application
Server uses keyinfo, by default.
- If you select Keyinfo or Keyinfochildelements and you select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
as the transform algorithm in a subsequent step, WebSphere Application Server also
signs the referenced token.
- Click OK to save the configuration.
- Click the name of the new signing information configuration.
This configuration is the one that you specified in the previous steps.
- Specify the key information reference, part reference, digest algorithm,
and transform algorithm.
- Under Additional properties, click Key information
references > New to create a new reference, click Key
information references > Delete to delete an existing reference,
or click a reference name to edit an existing key information reference.
- Enter a name for the configuration in the Name field.
For example, enter con_skeyinfo.
- Select a key information reference from the Key information
reference field. The key Information reference points to the key
that WebSphere Application
Server uses for digital signing. In the binding files, the reference is specified
within the <signingKeyInfo> element. The key that is used for signing
is specified by the Key information element, which is defined at the same
level as the signing information. For more information, see Configuring the key information for the consumer binding on the application level.
- Click OK and Save to save the configuration.
- Under Additional Properties, click Part references >
New to create a new part reference, click Part references >
Delete to delete an existing part reference, or click a part name
to edit an existing part reference. The part reference specifies
which parts of the message to digitally sign. The part attribute refers to
the name of the <RequiredIntegrity> element in the deployment descriptor
when <PartReference> is specified for the digital signature. WebSphere Application
Server enables you to specify multiple <PartReference> elements for
the <SigningInfo> element. The <PartReference> element
has two child elements: <DigestMethod> and <Transform>
- Specify a unique part name for this part reference. For
example, you might specify reqint.
Important: You do not need to specify a value for the Part reference
field like you specify on the application level because the part reference
on the application level points to a particular part of the message that is
signed. Because the default bindings for the server level is applicable to
all of the services that are defined on a particular server, you cannot specify
this value.
- Select a digest method algorithm in the Digest method algorithm field.
The digest method algorithm specified within the <DigestMethod>
element that is used in the <SigningInfo> element.
WebSphere Application
Server supports the following algorithms:
- http://www.w3.org/2000/09/xmldsig#sha1
- http://www.w3.org/2001/04/xmlenc#sha256
- http://www.w3.org/2001/04/xmlenc#sha512
- Click OK and Save to save the configuration.
- Click the name of the new part reference configuration.
This configuration is the one that you specified in the previous steps.
- Under Additional properties, click Transforms >
New to create a new transform, click Transforms >
Delete to delete a transform, or click a transform name to edit
an existing transform. If you create a new transform configuration,
specify a unique name. For example, you might specify reqint_body_transform1.
- Select a transform algorithm from the menu. The transform
algorithm is specified within the <Transform> element. It specifies
the transform algorithm for the signature. WebSphere Application Server supports
the following algorithms:
The transform algorithm that you select for the consumer must match
the transform algorithm that you select for the generator.
Important: If
both of the following conditions are true, WebSphere Application Server signs
the referenced token:
- You previously selected the Keyinfo or the Keyinfochildelements option
from the Key information signature type field on the signing information panel.
- You select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
as the transform algorithm.
- Click OK.
- Click Save at the top of the panel to save your configuration.
Results
After completing these steps, you have configured the signing information
for the consumer on the server level.
What to do next
You must specify a similar signing information configuration for
the generator.