You can configure the signing information for the client-side request generator and the server-side response generator bindings at the application level.
Before you begin
Note: For WebSphere® Application Server version 6.x or earlier only, in the server-side extensions file (ibm-webservices-ext.xmi) and the client-side deployment descriptor extensions file (ibm-webservicesclient-ext.xmi), you must specify which parts of the message are signed. Also, you must configure the key information that is referenced by the key information references on the signing information panel within the administrative console.
About this task
This task explains the required steps to configure the signing information for the client-side request generator and the server-side response generator bindings at the application level. WebSphere Application Server uses the signing information for the default generator to sign parts of the message including the body, time stamp, and user name token. The Application Server provides default values for bindings. However, an administrator must modify the defaults for a production environment. Complete the following steps to configure the signing information for the generator sections of the bindings files on the application level:
Procedure
- Locate the signing information configuration panel in the administrative console.
- Click .
- Under Manage modules, click URI_name.
- Under Web Services Security Properties, you can access the signing information for the request generator and the response generator bindings.
- For the request generator (sender) binding, click Web services: Client security bindings. Under Request generator (sender) binding, click Edit custom.
- For the response generator (sender) binding, click Web services: Server security bindings. Under Response generator (sender) binding, click Edit custom.
- Under Required properties, click Signing information.
- Click New to create a signing information configuration, select the box next to the configuration and click Delete to delete an existing configuration, or click the name of an existing signing information configuration to edit its settings. If you are creating a new configuration, enter a name in the Signing information name field. For example, you might specify gen_signinfo.
- Select a signature method algorithm from the Signature method field. The algorithm that is specified for the generator, which is either the request generator or the response generator configuration, must match the algorithm that is specified for the consumer, which is either the request consumer or response consumer configuration. WebSphere Application Server supports the following pre-configured algorithms:
- Select a canonicalization method from the Canonicalization method field. The canonicalization algorithm that you specify for the generator must match the algorithm for the consumer. WebSphere Application Server supports the following pre-configured algorithms:
- http://www.w3.org/2001/10/xml-exc-c14n#
- http://www.w3.org/2001/10/xml-exc-c14n#WithComments
- http://www.w3.org/TR/2001/REC-xml-c14n-20010315
- http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- Select a key information signature type from the Key information signature type field. WebSphere Application Server supports the following signature types:
- None: Specifies that the <KeyInfo> element is not signed.
- Keyinfo: Specifies that the entire <KeyInfo> element is signed.
- Keyinfochildelements: Specifies that the child elements of the <KeyInfo> element are signed.
The key information signature type for the generator must match the signature type for the consumer. You might encounter the following situations:
- If you do not specify one of the previous signature types, WebSphere Application Server uses keyinfo, by default.
- If you select Keyinfo or Keyinfochildelements and you select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform as the transform algorithm in a subsequent step, WebSphere Application Server also signs the referenced token.
- Select a signing key information reference from the Signing key information field. This selection is a reference to the signing key that the Application Server uses to generate digital signatures.
- Click OK and Save to save the configuration.
- Click the name of the new signing information configuration. This configuration is the one that you specified in a previous step.
- Specify the part reference, digest algorithm, and transform algorithm. The part reference specifies which parts of the message to digitally sign.
- Under Additional properties, click to create a new part reference, click to delete an existing part reference, or click a part name to edit an existing part reference.
- Specify a unique part name for this part reference. For example, you might specify reqint.
- Select a part reference from the Part reference field. The part reference refers to the message part that is digitally signed. The part attribute refers to the name of the <Integrity> element in the deployment descriptor when the <PartReference> element is specified for the signature. You can specify multiple <PartReference> elements within the <SigningInfo> element. The <PartReference> element has two child elements when it is specified for the signature: <DigestTransform> and <Transform>.
- Select a digest method algorithm from the menu. The digest method algorithm specified within the <DigestMethod> element is used in the <SigningInfo> element. WebSphere Application Server supports the following algorithms:
- http://www.w3.org/2000/09/xmldsig#sha1
- http://www.w3.org/2001/04/xmlenc#sha256
- http://www.w3.org/2001/04/xmlenc#sha512
- Click OK to save the configuration.
- Click the name of the new part reference configuration. This configuration is the one that you specified in a previous step.
- Under Additional Properties, click to create a new transform, click to delete a transform, or click a transform name to edit an existing transform. If you create a new transform configuration, specify a unique name. For example, you might specify reqint_body_transform1.
- Select a transform algorithm from the menu. The transform algorithm that you select is specified within the <Transform> element for the signature. WebSphere Application Server supports the following algorithms:
The transform algorithm that you select for the generator must match the transform algorithm that you select for the consumer.
Important: If both of the following conditions are true, WebSphere Application Server signs the referenced token:
- You previously selected the Keyinfo or the Keyinfochildelements option from the Key information signature type field on the signing information panel.
- You select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform as the transform algorithm.
- Click Apply.
- Optional: Determine whether to disable the Inclusive namespace prefix list. The Exclusive XML Canonicalization Version 1.0 specification recommends that you include all of the namespace declarations that correspond to the namespace prefix in the canonicalization form. For security reasons, WebSphere Application Server, by default, includes the prefix in the digital signature for Web Services Security. However, some implementations of Web Services Security cannot handle this prefix list. WebSphere Application Server can handle digitally signed messages that either contain or do not contain the prefix list. If you experience a signature validation failure when a signed Simple Object Access Protocol (SOAP) message is sent and you are using another vendor in your environment, check with your service provider for a possible fix to their implementation before you disable this property. To disable this property, complete the following steps:
- Under Additional properties, click .
- In the Property name field, enter the com.ibm.wsspi.wssecurity.dsig.inclusiveNamespaces property.
- In the Property value field, enter the false value.
- Click OK.
You can set this property for both the request generator and the response generator configurations.
- Click Save at the top of the panel to save your configuration.
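The steps above repeatedly require that the canonicalization and digest algorithms chosen for the generator match those configured for the consumer. The following added example (not part of the IBM documentation or the WebSphere product code) shows why, on a constructed sample SOAP body: the generator canonicalizes the signed part and computes its DigestValue with the page's algorithm URIs, and the consumer rejects any reference whose algorithms differ from its own configuration before recomputing the digest. It assumes the standard library's C14N 2.0 writer as a stand-in for Exclusive C14N 1.0 (only the comment-handling distinction is kept), and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Digest method URIs listed in the procedure, mapped to hashlib constructors.
DIGEST_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
    "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256,
    "http://www.w3.org/2001/04/xmlenc#sha512": hashlib.sha512,
}

# Canonicalization URIs listed in the procedure. Assumption: the standard library
# only ships C14N 2.0, so it stands in for Exclusive C14N 1.0 here; the value
# records the one distinction kept, whether comments survive (#WithComments).
C14N_METHODS = {
    "http://www.w3.org/2001/10/xml-exc-c14n#": False,
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments": True,
}

# Constructed sample of the SOAP body part; the wsu:Id is what a part reference points at.
SAMPLE_BODY = (
    '<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" '
    'wsu:Id="body"><!-- constructed sample --><ns1:order xmlns:ns1="urn:example">'
    "<ns1:id>42</ns1:id></ns1:order></soapenv:Body>"
)


def make_reference(part_xml, c14n_uri, digest_uri):
    """Generator side: canonicalize the signed part and compute its base64 DigestValue."""
    canonical = ET.canonicalize(part_xml, with_comments=C14N_METHODS[c14n_uri])
    digest = DIGEST_METHODS[digest_uri](canonical.encode("utf-8")).digest()
    return {
        "c14n_uri": c14n_uri,
        "digest_uri": digest_uri,
        "digest_value": base64.b64encode(digest).decode("ascii"),
    }


def consumer_accepts(part_xml, reference, consumer_c14n_uri, consumer_digest_uri):
    """Consumer side: enforce the rule that the generator's algorithms must match the
    consumer's configuration, then recompute the digest over the received part."""
    if reference["c14n_uri"] != consumer_c14n_uri:
        return False  # canonicalization method mismatch between generator and consumer
    if reference["digest_uri"] != consumer_digest_uri:
        return False  # digest method mismatch between generator and consumer
    recomputed = make_reference(part_xml, consumer_c14n_uri, consumer_digest_uri)
    return recomputed["digest_value"] == reference["digest_value"]
```

A mismatch in either algorithm is reported as a rejection even though the part is untouched, which is the symptom an administrator sees when generator and consumer bindings are configured differently.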
Results
After completing these steps, the signing information is configured for the generator on the application level.
What to do next
You must specify a similar signing information configuration for the consumer.