You can configure the key information for the request consumer (server side) and the response consumer (client side) bindings at the application level.
Before you begin
Configure the key locators and the token consumers that are referenced by the Key locator reference and Token reference fields within the key information panel.
About this task
This task provides the steps that are needed for configuring the key information for the request consumer (server side) and the response consumer (client side) bindings at the application level. The key information on the consumer side specifies the key that is used for validating the digital signature in the received message or for decrypting the encrypted parts of the message. Complete the following steps to configure the key information for the consumer binding at the application level.
Procedure
- Locate the key information configuration panel in the administrative console.
- Click .
- Under Manage modules, click URI_name.
- Under Web Services Security Properties, you can access the key information for the request consumer and response consumer bindings.
- For the request consumer (receiver) binding, click Web services: Server security bindings. Under request consumer (receiver) binding, click Edit custom.
- For the response consumer (receiver) binding, click Web services: Client security bindings. Under response consumer (receiver) binding, click Edit custom.
- Under Required properties, click Key information.
- Click one of the following to work with key information configuration:
  - New: To create a key information configuration. Enter a name in the Key information name field. For example, you might specify con_signkeyinfo.
  - Delete: To delete a configuration (selected in the box next to that configuration).
  - An existing key information configuration: To edit the settings of a key information configuration.
- Select a key information type from the Key information type field. The key information types specify different mechanisms for referencing security tokens using the <wsse:SecurityTokenReference> element within the <ds:KeyInfo> element. WebSphere® Application Server supports the following key information types:
  - Key identifier: The security token is referenced using an opaque value that uniquely identifies the token. The algorithm that is used for generating the <KeyIdentifier> element value depends upon the token type. For example, you can use the identifier for the public keys that are defined in the Internet Engineering Task Force (IETF) Request for Comment (RFC) 3280. The following <KeyInfo> element is generated in the SOAP message for this key information type:
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <wsse:SecurityTokenReference>
        <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3SubjectKeyIdentifier">
          /62wXO...
        </wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  - Key name: The security token is referenced using a name that matches an identity assertion within the token. It is recommended that you do not use this key type as it might result in multiple security tokens that match the specified name. The following <KeyInfo> element is generated in the SOAP message for this key information type:
    <ds:KeyInfo>
      <ds:KeyName>CN=Group1</ds:KeyName>
    </ds:KeyInfo>
    In general, use a key name when you use a Key-Hashing Message Authentication Code (HMAC) digital signature algorithm, such as http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  - Security token reference: The security token is directly referenced using Universal Resource Identifiers (URIs). The following <KeyInfo> element is generated in the SOAP message for this key information type:
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI='#SomeCert'
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  - Embedded token: The security token is directly embedded within the <SecurityTokenReference> element. The following <KeyInfo> element is generated in the SOAP message for this key information type:
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Embedded wsu:Id="tok1">
          …
        </wsse:Embedded>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  - X509 issuer name and issuer serial: The security token is referenced by an issuer name and an issuer serial number of an X.509 certificate. The following <KeyInfo> element is generated in the SOAP message for this key information type:
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <ds:X509Data>
          <ds:X509IssuerSerial>
            <ds:X509IssuerName>CN=Jones, O=IBM, C=US</ds:X509IssuerName>
            <ds:X509SerialNumber>1040152879</ds:X509SerialNumber>
          </ds:X509IssuerSerial>
        </ds:X509Data>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  Each type of key information is described in the Web Services Security: SOAP Message Security 1.0 (WS-Security 2004) OASIS standard, which is located at http://www.oasis-open.org/home/index.php under Web Services Security.
- Select a key locator reference from the Key locator reference field. The value of this field is a reference to a key locator that WebSphere Application Server uses to locate the keys that are used for digital signature and encryption. Before you can select a key locator, you must configure a key locator. For more information on configuring a key locator, see Configuring the key locator using JAX-RPC for the consumer binding on the application level.
- Select a token reference from the Token reference field. The token reference specifies a reference to a token consumer that is used for processing the security token in the message. However, WebSphere Application Server requires this field only when you select Security token reference or Embedded token in the Key information type field. Before specifying a token reference, you must configure a token consumer. For more information on configuring a token consumer, see Configuring token consumers using JAX-RPC to protect message authenticity at the application level. Select (none) if a token consumer is not required for this key information configuration.
- Click OK and Save to save this configuration.
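As an added example, which is not part of the WebSphere documentation or product code, the following Python script shows what the key information types above look like from the receiving side: it parses each of the five <ds:KeyInfo> forms, reports which type it is and what it points at, and then applies the two rules from the Key locator reference and Token reference steps (a token reference is needed only for Security token reference and Embedded token, and a Key name can match more than one token). The namespace URIs are the standard WS-Security 1.0 and XML Signature ones; the sample fragments, the key identifier and token values, the con_keyloc name, the configuration dictionaries and all function names are assumptions constructed for this example.

```python
"""Added example (not WebSphere code): classify WS-Security <ds:KeyInfo> forms
and check a consumer key information configuration. All samples are constructed."""
import xml.etree.ElementTree as ET

# Standard XML Signature and WS-Security 1.0 namespace URIs.
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"ds": DS, "wsse": WSSE, "wsu": WSU}

# The five key information types, named as in the administrative console.
KEY_IDENTIFIER = "Key identifier"
KEY_NAME = "Key name"
SECURITY_TOKEN_REFERENCE = "Security token reference"
EMBEDDED_TOKEN = "Embedded token"
X509_ISSUER_SERIAL = "X509 issuer name and issuer serial"


def classify_keyinfo(xml_text):
    """Return (key information type, token locator) for one <ds:KeyInfo> fragment."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{DS}}}KeyInfo":
        raise ValueError("expected a ds:KeyInfo element")
    key_name = root.find("ds:KeyName", NS)
    if key_name is not None:                      # Key name form has no STR element
        return KEY_NAME, (key_name.text or "").strip()
    str_el = root.find("wsse:SecurityTokenReference", NS)
    if str_el is None:
        raise ValueError("KeyInfo has neither KeyName nor SecurityTokenReference")
    kid = str_el.find("wsse:KeyIdentifier", NS)
    if kid is not None:                           # opaque identifier, e.g. SKI
        return KEY_IDENTIFIER, (kid.text or "").strip()
    ref = str_el.find("wsse:Reference", NS)
    if ref is not None:                           # URI pointing at a token in the message
        return SECURITY_TOKEN_REFERENCE, ref.get("URI", "")
    emb = str_el.find("wsse:Embedded", NS)
    if emb is not None:                           # token carried inline, located by wsu:Id
        return EMBEDDED_TOKEN, emb.get(f"{{{WSU}}}Id", "")
    iss = str_el.find("ds:X509Data/ds:X509IssuerSerial", NS)
    if iss is not None:                           # certificate named by issuer DN + serial
        name = iss.findtext("ds:X509IssuerName", default="", namespaces=NS).strip()
        serial = iss.findtext("ds:X509SerialNumber", default="", namespaces=NS).strip()
        return X509_ISSUER_SERIAL, f"{name};{serial}"
    raise ValueError("unrecognised SecurityTokenReference form")


def token_reference_required(key_info_type):
    """Only these two types need a token consumer in the Token reference field."""
    return key_info_type in (SECURITY_TOKEN_REFERENCE, EMBEDDED_TOKEN)


def check_consumer_binding(cfg):
    """Return the problems with one consumer key information configuration.
    cfg uses hypothetical keys mirroring the console fields: name, type,
    key_locator, token_reference; "(none)" means no token consumer selected."""
    problems = []
    if not cfg.get("key_locator"):
        problems.append("Key locator reference is required")
    if token_reference_required(cfg["type"]) and cfg.get("token_reference") in (None, "", "(none)"):
        problems.append(f"{cfg['type']} requires a Token reference")
    if cfg["type"] == KEY_NAME:
        problems.append("Key name can match more than one security token")
    return problems


def resolve_key_name(key_name, tokens):
    """Ids of all tokens whose subject matches a KeyName; more than one hit
    is the ambiguity the documentation warns about."""
    return [t["id"] for t in tokens if t["subject"] == key_name]


# Constructed samples of each KeyInfo form; namespaces are declared so they parse alone.
SAMPLE_KEY_IDENTIFIER = (
    f'<ds:KeyInfo xmlns:ds="{DS}" xmlns:wsse="{WSSE}"><wsse:SecurityTokenReference>'
    '<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/'
    'oasis-200401-wss-x509-token-profile-1.0#X509v3SubjectKeyIdentifier">'
    'c2FtcGxlLWtleS1pZA==</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo>')
SAMPLE_KEY_NAME = f'<ds:KeyInfo xmlns:ds="{DS}"><ds:KeyName>CN=Group1</ds:KeyName></ds:KeyInfo>'
SAMPLE_STR = (
    f'<ds:KeyInfo xmlns:ds="{DS}" xmlns:wsse="{WSSE}"><wsse:SecurityTokenReference>'
    '<wsse:Reference URI="#SomeCert" ValueType="http://docs.oasis-open.org/wss/2004/01/'
    'oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference></ds:KeyInfo>')
SAMPLE_EMBEDDED = (
    f'<ds:KeyInfo xmlns:ds="{DS}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
    '<wsse:SecurityTokenReference><wsse:Embedded wsu:Id="tok1">'
    '<wsse:BinarySecurityToken>Y29uc3RydWN0ZWQ=</wsse:BinarySecurityToken>'
    '</wsse:Embedded></wsse:SecurityTokenReference></ds:KeyInfo>')
SAMPLE_ISSUER_SERIAL = (
    f'<ds:KeyInfo xmlns:ds="{DS}" xmlns:wsse="{WSSE}"><wsse:SecurityTokenReference>'
    '<ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=Jones, O=IBM, C=US</ds:X509IssuerName>'
    '<ds:X509SerialNumber>1040152879</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data>'
    '</wsse:SecurityTokenReference></ds:KeyInfo>')

# Constructed token store in which two tokens share the subject CN=Group1.
SAMPLE_TOKENS = [
    {"id": "tok1", "subject": "CN=Group1"},
    {"id": "tok2", "subject": "CN=Group1"},
    {"id": "tok3", "subject": "CN=Jones, O=IBM, C=US"},
]
```

Running classify_keyinfo over the five samples yields the console type name and the locator the consumer must resolve (a subject key identifier, a key name, a #SomeCert URI, the wsu:Id tok1, or issuer DN plus serial); check_consumer_binding on a Security token reference configuration whose Token reference is (none) reports the missing token consumer, while the same configuration with X509 issuer name and issuer serial passes; resolve_key_name("CN=Group1", SAMPLE_TOKENS) returns two ids, which is exactly why the Key name type is discouraged.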
Results
You have configured the key information for the request or response (or both) consumer binding at the application level.
What to do next
If you have not configured the key information for the generator binding, you must specify a similar key information configuration for the generator. After you configure the key information for both the consumer and the generator, configure the signing information or encryption information, which references the key information that is specified in this key information task.