To configure the client for request signing, specify which
message parts the client must digitally sign.
Before you begin
Important: There is an important distinction between
Version 5.x applications and Version 6 and later applications. This information
applies only to Version 5.x applications that are used with WebSphere® Application
Server Version 6.0.x and later. It does not apply to Version 6.0.x and
later applications.
Before completing these steps, read either of the following topics to
become familiar with the Security Extensions tab and the Port Binding tab
in the Web Services Client Editor within an assembly tool. These two tabs
are used to configure the Web Services Security extensions and the Web
Services Security bindings, respectively.
About this task
Complete the following steps to specify which message parts
to digitally sign when configuring the client for request signing:
Procedure
- Launch an assembly tool. For more information,
see the related information on Assembly Tools.
- Click .
- Click .
- Right-click the application-client.xml file,
select , and click the WS
Extension tab. The Client Deployment Descriptor
is displayed.
- Expand . Integrity refers
to digital signature, while confidentiality refers to encryption. Integrity
decreases the risk of undetected data modification while the data is transmitted
across the Internet. For more information on
digitally signing SOAP messages, see XML digital signature.
- Indicate which parts of the message to sign by clicking Add and
selecting body, timestamp,
or SecurityToken. The following list describes the message parts:
- body: The body is the user data portion of the message.
- timestamp: The time stamp determines if the message is valid based on the
time that the message is sent and then received. If timestamp is selected, proceed to the next
step and select Add created time stamp to add
a time stamp to a message.
- SecurityToken: The security token authenticates the client. If this option is
selected, the message is signed.
You can choose to digitally sign the message using
a time stamp if Add created time stamp is selected
and configured. You can digitally sign the message using a security
token if a login configuration authentication method is selected.
- Optional: Expand the Add created
time stamp section and select this option if you want
a time stamp added to the message. You can specify an expiration
time for the time stamp, which helps defend against replay attacks.
The lexical representation for duration is the ISO 8601
extended format PnYnMnDTnHnMnS, where:
- nY represents the number of years
- nM (before the T) represents the number of months
- nD represents the number of days
- T is the date and time separator
- nH represents the number of hours
- nM (after the T) represents the number of minutes
- nS represents the number of seconds. The number
of seconds can include decimal digits to arbitrary precision.
For example, to indicate a duration of 1 year, 2 months,
3 days, 10 hours, and 30 minutes, the format is: P1Y2M3DT10H30M.
Typically, you configure a message time stamp for about 10 to 30 minutes;
for example, 10 minutes is represented as: P0Y0M0DT0H10M0S.
The P character precedes the date and time values.
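As an added illustration (not code from the WebSphere documentation or product), the following Python parses the PnYnMnDTnHnMnS duration described above, derives the wsu:Expires value a client would place in its time stamp from wsu:Created, and performs the receiver-side freshness check that makes the expiration useful against replay. It assumes whole-second UTC time stamps of the form 2024-05-01T12:00:00Z; the skew tolerance and the sample dates are constructed for the example.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

WSU_FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumed whole-second UTC form of wsu:Created / wsu:Expires

# ISO 8601 extended duration PnYnMnDTnHnMnS; every component is optional, seconds may be fractional.
_DURATION_RE = re.compile(
    r"^P(?:(?P<Y>\d+)Y)?(?:(?P<M>\d+)M)?(?:(?P<D>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+(?:\.\d+)?)S)?)?$"
)

def parse_duration(text):
    """Split a PnYnMnDTnHnMnS string into (years, months, days, hours, minutes, seconds)."""
    m = _DURATION_RE.match(text)
    if not m or not any(m.groups()):
        raise ValueError("not an ISO 8601 duration: %r" % text)
    g = lambda k: m.group(k) or "0"
    return (int(g("Y")), int(g("M")), int(g("D")), int(g("h")), int(g("m")), float(g("s")))

def _parse_wsu(text):
    return datetime.strptime(text, WSU_FMT).replace(tzinfo=timezone.utc)

def add_duration(start, dur):
    """Add a parsed duration: years/months shift calendar fields, the rest is a plain timedelta."""
    years, months, days, hours, minutes, seconds = dur
    total = start.year * 12 + (start.month - 1) + years * 12 + months
    year, month0 = divmod(total, 12)
    day = min(start.day, calendar.monthrange(year, month0 + 1)[1])  # clamp, e.g. Jan 31 + P1M
    shifted = start.replace(year=year, month=month0 + 1, day=day)
    return shifted + timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def ws_timestamp(created_text, duration_text):
    """Client side: derive the wsu:Expires value from wsu:Created and the configured duration."""
    expires = add_duration(_parse_wsu(created_text), parse_duration(duration_text))
    return created_text, expires.strftime(WSU_FMT)

def timestamp_is_valid(created_text, expires_text, now_text, skew_seconds=0):
    """Receiver side: reject messages created in the future or past their expiry.
    A captured request replayed after the window fails the second check."""
    created, expires, now = (_parse_wsu(t) for t in (created_text, expires_text, now_text))
    skew = timedelta(seconds=skew_seconds)
    if created > now + skew:
        return False  # sender clock ahead of ours beyond the tolerated skew
    if now > expires + skew:
        return False  # expired
    return True
```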
Results
Important: If you configure the client and server
signing information correctly, but receive a "Soap body not
signed" error when executing the client, you might need to
configure the actor. You can configure the actor in the following
locations on the client in the Web Services Client Editor within an
assembly tool:
- Click and indicate the actor information in the Actor
URI field.
- Click and indicate the actor information in the Actor field.
You must configure the same actor strings for the web service
on the server, which processes the request and sends the response
back. Configure the actor in the following locations:
- Click .
- Click and indicate the actor
information in the Actor field.
The actor information on both the client and server must
be exactly the same string. When the Actor fields
on the client and server match, the request or response is acted upon
instead of being forwarded downstream. The Actor fields
might differ when you have web services acting as a gateway
to other web services. In all other cases, make sure that
the actor information matches on the client and server. When a web service
acts as a gateway and its configured actor is not the actor
of the request passing through it, the gateway does not process
the message from the client. Instead, it sends the request
downstream, and the downstream process that is configured with the matching actor
string processes the request. The same situation occurs for the response.
Therefore, it is important that you verify that the appropriate client
and server Actor fields are synchronized.
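The routing rule above, shown as an added example rather than WebSphere's own code: a node compares each wsse:Security header's actor attribute with its configured actor string and processes only an exact match, passing the rest downstream. The envelope and the urn:example:* actor values are constructed for the illustration; the namespace URIs are the standard SOAP 1.1 and WS-Security 1.0 ones. A node that matches nothing never verifies a signature, which is why a correctly signed request can still surface as "Soap body not signed" when the actor strings disagree.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Constructed sample: one Security header addressed to a gateway actor and one to the
# final service. The ds:Signature children a signed request would carry are left out.
SAMPLE_ENVELOPE = """<soapenv:Envelope xmlns:soapenv="%s" xmlns:wsse="%s">
  <soapenv:Header>
    <wsse:Security soapenv:actor="urn:example:gateway"><wsse:UsernameToken/></wsse:Security>
    <wsse:Security soapenv:actor="urn:example:orders"><wsse:BinarySecurityToken/></wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>""" % (SOAP_ENV, WSSE)

def route_security_headers(envelope_xml, local_actor):
    """Decide which wsse:Security header this node processes and which ones it leaves
    for downstream nodes. Returns {"matched": bool, "forward": [actor strings]}."""
    root = ET.fromstring(envelope_xml)
    header = root.find("{%s}Header" % SOAP_ENV)
    result = {"matched": False, "forward": []}
    if header is None:
        return result  # no headers at all: nothing to verify here
    for sec in header.findall("{%s}Security" % WSSE):
        actor = sec.get("{%s}actor" % SOAP_ENV)
        if actor == local_actor:        # must be the exact same string
            result["matched"] = True    # this is the header whose signature we verify
        else:
            result["forward"].append(actor)  # not ours: pass through untouched
    return result
```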
What to do next
After you have specified which message parts to digitally
sign, you must specify which method is used to digitally sign the
message. See Configuring the client for request signing: choosing the
digital signature method for more information.