You can configure the signing information for the server-side
request consumer and the client-side response consumer bindings at
the application level.
Before you begin
Note: For WebSphere® Application Server
version 6.x or earlier only, in the server-side extensions file and
the client-side deployment descriptor extensions file, you must specify
which parts of the message are signed.
About this task
Configure the key information that is referenced by the key
information references on the signing information panel within the
administrative console. WebSphere Application Server
uses the signing information on the consumer side to verify the integrity
of the received SOAP message by validating that the message parts
are signed. Complete the following steps to configure the signing
information for the server-side request consumer and client-side response
consumer sections of the bindings files on the application level.
Procedure
- Access the administrative console.
To access the administrative console, enter http://server_name:port_number/ibm/console in
your web browser unless you have changed the port number.
- Click .
- Under Manage modules, click URI_name.
- Under Web Services Security Properties, you can access the
signing information for the request generator and response generator
bindings.
- To configure the request consumer signing information, click Web
services: Server security bindings. Under Request consumer
(receiver) binding, click Edit custom.
- To configure the response consumer signing information, click Web
services: Client security bindings. Under Response consumer
(receiver) binding, click Edit custom.
- Under Required properties, click Signing information.
- Click New to create a signing information
configuration, click Delete to delete an existing
configuration, or click the name of an existing signing information
configuration to edit its settings. If you are creating
a new configuration, enter a name in the Signing information name
field.
- Select a signature method algorithm from the Signature
method field. The signature method is the algorithm that
is used to convert the canonicalized <SignedInfo> element in
the binding file into the <SignatureValue> element. The algorithm
that is specified for the consumer, which is either the request consumer
or the response consumer configuration, must match the algorithm specified
for the generator, which is either the request generator or response
generator configuration. WebSphere Application Server
supports the following pre-configured algorithms:
- Select a canonicalization method from the Canonicalization
method field. The canonicalization method algorithm is
used to canonicalize the <SignedInfo> element before it is incorporated
as part of the digital signature operation. The canonicalization algorithm
that you specify for the generator must match the algorithm for the
consumer. WebSphere Application Server supports the
following pre-configured algorithms:
- Select a key information signature type from the Key information
signature type field. The key information signature type
specifies how the <KeyInfo> element in the SOAP message is digitally
signed. WebSphere Application Server supports the
following signature types:
- None: Specifies that the key is not signed.
- Keyinfo: Specifies that the entire KeyInfo element is signed.
- Keyinfochildelements: Specifies that the child elements of the KeyInfo element are signed.
If you do not specify one of the previous signature
types, WebSphere Application Server uses keyinfo
by default. The key information signature type for the consumer must
match the signature type for the generator.
- Under Additional properties, click Key information
references.
- Click New to create a key information
reference or click the name of an existing entry to edit its configuration.
The Key information references panel is displayed.
- Enter a name in the Name field.
- Select a key information reference in the Key information
reference field. This reference is the key information
configuration name that specifies the key information that is used
by this signing information configuration.
- Return to the Signing information panel. Under Additional
properties, click Part references. On
the Part references panel, you can specify references to the message
parts that are defined in the deployment descriptor extensions file.
- Click New to create a new Part
reference or click the name of an existing part reference to edit
its configuration. The Part reference panel is displayed.
- Enter a name in the Part name field. This
name is the name of the required integrity configuration in the deployment
descriptor extensions file and specifies the message parts that must
be digitally signed.
- Select a digest method algorithm from the Digest method
algorithm field. WebSphere Application Server supports the following
pre-configured algorithms:
- http://www.w3.org/2000/09/xmldsig#sha1
- http://www.w3.org/2001/04/xmlenc#sha256
- http://www.w3.org/2001/04/xmlenc#sha512
If you want to specify a custom algorithm,
you must configure the custom algorithm in the Algorithm URI panel
before setting the digest method algorithm.
- Under Additional properties, click Transforms.
- Click New to create a new transform
or click the name of an existing transform to edit its configuration.
- Enter a name in the Transform name field.
- Select a transform algorithm from the Transform algorithm
field. WebSphere Application Server
supports the following pre-configured algorithms:
The transform algorithm that you select for the consumer must
match the transform algorithm that you select for the generator. For
each part reference in the signing information, specify both a digest
method algorithm and a transform algorithm.
- Click OK.
- Click Save at the top of the panel
to save your configuration.
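The steps above stress two things the consumer side depends on: the signature, canonicalization, key information, transform and digest settings must match the generator's, and the consumer verifies each signed part by recomputing its digest. The following added example (not WebSphere code, and not from this page) models both checks in Python: it maps the three digest method URIs listed above to hash functions, recomputes a part's DigestValue over a canonicalized Body, and reports which binding settings differ. The sample SOAP Body, the binding dictionaries and the use of `xml.etree.ElementTree.canonicalize` (C14N 2.0) as a stand-in for the configured canonicalization method are all assumptions.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Digest method URIs from the Digest method algorithm step, mapped to hashes.
# Any other URI must first be registered in the Algorithm URI panel.
DIGEST_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
    "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256,
    "http://www.w3.org/2001/04/xmlenc#sha512": hashlib.sha512,
}
# Settings the procedure requires to agree between consumer and generator.
MATCHED_SETTINGS = ("signature_method", "canonicalization_method",
                    "key_info_signature_type", "transform_algorithm", "digest_method")

def canonical_digest(xml_part: str, digest_uri: str) -> str:
    """Canonicalize one message part and return its base64 DigestValue.
    ET.canonicalize (C14N 2.0) stands in for the configured method (assumption)."""
    if digest_uri not in DIGEST_METHODS:
        raise ValueError(f"digest method not configured: {digest_uri}")
    canon = ET.canonicalize(xml_data=xml_part).encode("utf-8")
    return base64.b64encode(DIGEST_METHODS[digest_uri](canon).digest()).decode("ascii")

def verify_part_digest(received_part: str, digest_uri: str, digest_value: str) -> bool:
    """Consumer check: recompute the part's digest and compare in constant time."""
    return hmac.compare_digest(canonical_digest(received_part, digest_uri), digest_value)

def config_mismatches(consumer: dict, generator: dict) -> list:
    """Names of settings where the consumer binding differs from the generator's."""
    return [k for k in MATCHED_SETTINGS if consumer.get(k) != generator.get(k)]

# Constructed sample: the Body part as signed by the generator, plus a tampered
# copy standing in for a modified message arriving at the consumer.
SENT_BODY = ('<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
             "<getBalance><account>12345</account></getBalance></soapenv:Body>")
TAMPERED_BODY = SENT_BODY.replace("12345", "99999")
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
GENERATOR_DIGEST = canonical_digest(SENT_BODY, SHA256)  # the DigestValue that was sent

# Constructed bindings: the consumer below was left on SHA-1, so it mismatches.
GENERATOR_CFG = {
    "signature_method": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "key_info_signature_type": "keyinfo",
    "transform_algorithm": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "digest_method": SHA256,
}
CONSUMER_CFG = dict(GENERATOR_CFG, digest_method="http://www.w3.org/2000/09/xmldsig#sha1")
```

Running `config_mismatches(CONSUMER_CFG, GENERATOR_CFG)` flags `digest_method`, which is the kind of consumer/generator drift the matching rules in the steps above are meant to prevent.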
Results
After completing these steps, you have configured the signing
information for the consumer.
What to do next
You must specify a similar signing information configuration
for the generator.