You can configure the signing information for the client-side request
generator and the server-side response generator bindings at the server level.
Before you begin
For transitioning users: For WebSphere® Application Server version 6.x or earlier only, in the server-side extensions file (ibm-webservices-ext.xmi) and the client-side deployment descriptor extensions file (ibm-webservicesclient-ext.xmi), you must specify which parts of the message are signed. Also, you need to configure the key information that is referenced by the key information references on the Signing information panel within the administrative console.
About this task
This task explains the steps that are needed for you to configure
the signing information for the client-side request generator and the server-side
response generator bindings at the server level. WebSphere Application
Server uses the signing information for the default generator to sign parts
of the message that include the body, time stamp, and user name token if these
bindings are not defined at the application level. The Application Server
provides default values for bindings. However, an administrator must modify
the defaults for a production environment.
Procedure
- Access the default bindings for the server level.
- Click Servers > Server Types > WebSphere application
servers > server_name.
- Under Security, click JAX-WS and JAX-RPC security runtime.
Mixed-version environment: In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web services security.
- Under Default generator bindings, click Signing information.
- Click New to create a signing information configuration,
click Delete to delete an existing configuration, or click the name
of an existing signing information configuration to edit the settings.
If you are creating a new configuration, enter a unique name for the
signing configuration in the Signing information name field. For example,
you might specify gen_signinfo.
- Select a signature method algorithm from the Signature method field.
The algorithm that is specified for the default generator must match
the algorithm that is specified for the default consumer. WebSphere Application
Server supports the following pre-configured algorithms:
- Select a canonicalization method from the Canonicalization method
field. The canonicalization algorithm that you specify for the
generator must match the algorithm for the consumer. WebSphere Application Server supports
the following pre-configured canonical XML and exclusive XML canonicalization
algorithms:
- http://www.w3.org/2001/10/xml-exc-c14n#
- http://www.w3.org/2001/10/xml-exc-c14n#WithComments
- http://www.w3.org/TR/2001/REC-xml-c14n-20010315
- http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- Select a key information signature type from the Key information
signature type field. The key information signature type determines
whether, and how much of, the <KeyInfo> element is covered by the digital signature. WebSphere Application Server supports
the following signature types:
- None: Specifies that the <KeyInfo> element is not signed.
- Keyinfo: Specifies that the entire <KeyInfo> element is signed.
- Keyinfochildelements: Specifies that the child elements of the <KeyInfo> element are signed.
The key information signature type for the generator must
match the signature type for the consumer. You might encounter the following
situations:
- If you do not specify one of the previous signature types, WebSphere Application
Server uses Keyinfo by default.
- If you select Keyinfo or Keyinfochildelements and you select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
as the transform algorithm in a subsequent step, WebSphere Application Server also
signs the referenced token.
- Select a signing key information reference from the Signing key
information field. This selection is a reference to the signing
key that the Application Server uses to generate digital signatures. In the
binding files, this information is specified within the <signingKeyInfo>
tag. The key that is used for signing is specified by the key information
element, which is defined at the same level as the signing information. For
more information, see Configuring the key information for the generator binding using JAX-RPC on the server level.
- Click OK to save the configuration.
- Click the name of the new signing information configuration.
This configuration is the one that you specified in the previous steps.
- Specify the part reference, digest algorithm, and transform algorithm.
The part reference specifies which parts of the message to digitally
sign.
- Under Additional Properties, click Part references >
New to create a new part reference, click Part references >
Delete to delete an existing part reference, or click a part name
to edit an existing part reference.
- Specify a unique part name for the message part that needs signing.
This message part is specified on both the server side and the client
side. You must specify an identical part name for both the server side and
the client side. For example, you might specify reqint for both the
generator and the consumer.
- Select a digest method algorithm in the Digest method algorithm field.
This is the algorithm that the generator writes into the <DigestMethod> element of each
signed part reference, and it must match the digest method that the consumer expects. SHA-1 is
deprecated for digital signatures; prefer sha256 or sha512 for new configurations. WebSphere Application
Server supports the following algorithms:
- http://www.w3.org/2000/09/xmldsig#sha1
- http://www.w3.org/2001/04/xmlenc#sha256
- http://www.w3.org/2001/04/xmlenc#sha512
- Click OK and Save to save the configuration.
- Click the name of the new part reference configuration.
This configuration is the one that you specified in the previous steps.
- Under Additional properties, click Transforms >
New to create a new transform, click Transforms >
Delete to delete a transform, or click a transform name to edit
an existing transform. If you create a new transform configuration,
specify a unique name. For example, you might specify reqint_body_transform1.
- Select a transform algorithm from the menu. The transform
algorithm is specified within the <Transform> element. This algorithm
element specifies the transform algorithm for the digital signature. WebSphere Application
Server supports the following algorithms:
The transform algorithm that you select for the generator must match
the transform algorithm that you select for the consumer.
Important: If
both of the following conditions are true, WebSphere Application Server signs
the referenced token:
- You previously selected the Keyinfo or the Keyinfochildelements option
from the Key information signature type field on the signing information panel.
- You select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
as the transform algorithm.
- Click Apply.
- Click Save at the top of the panel to save your configuration.
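The procedure above is entirely console-driven, and the recurring rule is that every algorithm the generator chooses (canonicalization, signature method, digest method, transforms) must match the consumer, and that the default generator covers the body, time stamp and user name token. The following added example (not WebSphere code) makes that rule testable offline: it parses the ds:SignedInfo of a signed SOAP message and reports every disagreement with a hypothetical consumer binding, plus any required part that is not referenced and any SHA-1 digest. The sample envelope, the placeholder digest and signature values, and the rsa-sha1 signature method are constructed for this example; the code does not canonicalize or cryptographically verify anything, it only checks configuration agreement.

```python
"""Check a signed SOAP message's ds:SignedInfo against a consumer-side binding.

Added example, not WebSphere code. It reports algorithm mismatches and
uncovered parts; it does not canonicalize or verify the signature itself.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"  # assumed signature method

# Hypothetical consumer binding: the values the consumer side is configured with.
CONSUMER = {
    "canonicalization": EXC_C14N,
    "signature_method": RSA_SHA1,
    "digest_method": SHA256,
    "transforms": {EXC_C14N, STR_TRANSFORM},
    "required_parts": {"Body", "Timestamp", "UsernameToken"},
}


def build_envelope(unt_digest=SHA256, sign_timestamp=True):
    """Constructed sample message; DigestValue and SignatureValue are placeholders."""
    ns_decl = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())

    def ref(uri, digest):
        return (f'<ds:Reference URI="#{uri}"><ds:Transforms>'
                f'<ds:Transform Algorithm="{EXC_C14N}"/></ds:Transforms>'
                f'<ds:DigestMethod Algorithm="{digest}"/>'
                f'<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>')

    refs = ref("body1", SHA256) + ref("unt1", unt_digest)
    if sign_timestamp:
        refs += ref("ts1", SHA256)
    return (f'<soap:Envelope {ns_decl}><soap:Header><wsse:Security>'
            f'<wsu:Timestamp wsu:Id="ts1"><wsu:Created>2024-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>'
            f'<wsse:UsernameToken wsu:Id="unt1"><wsse:Username>alice</wsse:Username></wsse:UsernameToken>'
            f'<ds:Signature><ds:SignedInfo>'
            f'<ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>'
            f'<ds:SignatureMethod Algorithm="{RSA_SHA1}"/>{refs}'
            f'</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue>'
            f'<ds:KeyInfo><wsse:SecurityTokenReference/></ds:KeyInfo></ds:Signature>'
            f'</wsse:Security></soap:Header>'
            f'<soap:Body wsu:Id="body1"><echo>hi</echo></soap:Body></soap:Envelope>')


def check_signing(xml_text, consumer=CONSUMER):
    """Return a list of findings; empty means generator and consumer agree
    and every required part is covered by a Reference."""
    root = ET.fromstring(xml_text)
    findings = []
    signed_info = root.find(".//ds:Signature/ds:SignedInfo", NS)
    if signed_info is None:
        return ["no ds:SignedInfo in message"]

    c14n = signed_info.find("ds:CanonicalizationMethod", NS).get("Algorithm")
    if c14n != consumer["canonicalization"]:
        findings.append(f"canonicalization mismatch: {c14n}")
    sig = signed_info.find("ds:SignatureMethod", NS).get("Algorithm")
    if sig != consumer["signature_method"]:
        findings.append(f"signature method mismatch: {sig}")

    # Resolve each Reference URI (#id) to the local name of the element carrying that wsu:Id.
    wsu_id = "{%s}Id" % NS["wsu"]
    ids = {el.get(wsu_id): el.tag.rpartition("}")[2]
           for el in root.iter() if el.get(wsu_id)}
    signed_parts = set()
    for r in signed_info.findall("ds:Reference", NS):
        uri = r.get("URI", "")
        part = ids.get(uri[1:]) if uri.startswith("#") else None
        if part is None:
            findings.append(f"reference {uri!r} does not resolve to a wsu:Id in this message")
        else:
            signed_parts.add(part)
        digest = r.find("ds:DigestMethod", NS).get("Algorithm")
        if digest != consumer["digest_method"]:
            findings.append(f"digest mismatch on {uri}: {digest}")
        if digest == SHA1:
            findings.append(f"weak digest (SHA-1) on {uri}")
        for t in r.findall("ds:Transforms/ds:Transform", NS):
            if t.get("Algorithm") not in consumer["transforms"]:
                findings.append(f"unexpected transform on {uri}: {t.get('Algorithm')}")

    missing = consumer["required_parts"] - signed_parts
    if missing:
        findings.append("required parts not signed: " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    print(check_signing(build_envelope()))
    print(check_signing(build_envelope(unt_digest=SHA1, sign_timestamp=False)))
```

Run against a message captured from the generator (for example from a trace or a proxy) with CONSUMER set to the consumer binding's actual values, the checker shows which of the panel settings above disagree before the consumer rejects the message at runtime. Resolving Reference URIs through wsu:Id is also the check that catches a part name configured on only one side.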
Results
After completing these steps, you have configured the signing information
for the generator on the server level.
What to do next
You must specify a similar signing information configuration for
the consumer.