You can configure the signing information for the client-side
request generator and server-side response generator bindings at the
server or cell level.
Before you begin
Note: For WebSphere® Application Server
version 6.x or earlier only, in the server-side extensions file (ibm-webservices-ext.xmi)
and the client-side deployment descriptor extensions file (ibm-webservicesclient-ext.xmi),
you must specify which parts of the message are signed. Also, you
need to configure the key information that is referenced by the key
information references on the signing information panel within the
administrative console.
About this task
This task explains the steps that are needed for you to
configure the signing information for the client-side request generator
and server-side response generator bindings at the server or cell level. WebSphere Application
Server uses the signing information for the default generator to sign
parts of the message including the body, time stamp, and user name
token, if these bindings are not defined at the application level.
The Application Server provides default values for bindings. However,
an administrator must modify the defaults for a production environment.
You can configure the signing information for the
consumer binding on the server level and the cell level. In the following
steps, use the first step to access the server-level default bindings
and use the second step to access the cell-level bindings.
Procedure
- Access the default bindings for the server level.
- Click .
- Under Security, click JAX-WS and JAX-RPC
security runtime.
Mixed-version environment: In
a mixed node cell with a server using WebSphere Application Server
version 6.1 or earlier, click
Web services: Default bindings
for Web Services Security.
- Click to access the default
bindings on the cell level.
- Under Default consumer bindings, click Signing
information.
- Click New to create a signing information
configuration, click Delete to delete an existing
configuration, or click the name of an existing signing information
configuration to edit the settings. If you are creating
a new configuration, enter a unique name for the signing configuration
in the Signing information name field. For example, you might specify gen_signinfo.
Avoid trouble: If you create more than one signing
information configuration, the WS-Security runtime environment only
honors the first configuration listed in the bindings file.
- Select a signature method algorithm from the Signature
method field. The algorithm that is specified for the default
consumer must match the algorithm that is specified for the default
generator. WebSphere Application Server supports the
following pre-configured algorithms:
- Select a canonicalization method from the Canonicalization
method field. The canonicalization algorithm that you specify
for the generator must match the algorithm for the consumer. WebSphere Application Server supports the
following pre-configured canonical XML and exclusive XML canonicalization
algorithms:
- http://www.w3.org/2001/10/xml-exc-c14n#
- http://www.w3.org/2001/10/xml-exc-c14n#WithComments
- http://www.w3.org/TR/2001/REC-xml-c14n-20010315
- http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- Select a key information signature type from the Key information
signature type field. The key information signature type
determines how to digitally sign the key. WebSphere Application
Server supports the following signature types:
- None
- Specifies that the KeyInfo element is not signed.
- Keyinfo
- Specifies that the entire KeyInfo element is signed.
- Keyinfochildelements
- Specifies that the child elements of the KeyInfo element are signed.
The key information signature type for the consumer
must match the signature type for the generator. You might encounter
the following situations:
- If you do not specify one of the previous signature types, WebSphere Application Server uses Keyinfo
by default.
- If you select Keyinfo or Keyinfochildelements and
you select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform as
the transform algorithm in a subsequent step, WebSphere Application
Server also signs the referenced token.
- Click OK to save the configuration.
- Click the name of the new signing information configuration. This configuration is the one that you specified in the previous
steps.
- Specify the key information reference, part reference,
digest algorithm, and transform algorithm.
- Under Additional properties, click to create a new reference, click to delete an existing reference, or click a reference
name to edit an existing key information reference.
- Enter a name for the configuration in the Name field. For example, enter con_skeyinfo.
- Select a key information reference from the Key information
reference field. The key information reference points to
the key that WebSphere Application Server uses for digital
signing. In the binding files, the reference is specified within the <signingKeyInfo>
element. The key that is used for signing is specified by the Key
information element, which is defined at the same level as the signing
information. For more information, see Configuring the key information for the consumer binding on the application level.
- Click OK and Save to
save the configuration.
- Under Additional Properties, click to create a new part reference, click to delete an existing part reference, or click a part
name to edit an existing part reference. The part reference
specifies which parts of the message to digitally sign. The part attribute
refers to the name of the <RequiredIntegrity> element
in the deployment descriptor when <PartReference> is
specified for the digital signature. WebSphere Application
Server enables you to specify multiple <PartReference> elements
for the <SigningInfo> element. The <PartReference> element
has two child elements: <DigestMethod> and <Transform>.
- Specify a unique part name for this part reference. For example, you might specify reqint.
Important: You do not need to specify a value
for the Part Reference field like you specify on the application level
because the part reference on the application level points to a particular
part of the message that is signed. Because the default bindings for
the server and cell levels are applicable to all of the services defined
on a particular server, you cannot specify this value.
- Select a digest method algorithm in the Digest
method algorithm field. The digest method algorithm
is specified within the <DigestMethod> element
that is used in the <SigningInfo> element.
WebSphere Application Server supports the
following algorithms:
- http://www.w3.org/2000/09/xmldsig#sha1
- http://www.w3.org/2001/04/xmlenc#sha256
- http://www.w3.org/2001/04/xmlenc#sha512
- Click OK and Save to
save the configuration.
- Click the name of the new part reference configuration. This configuration is the one that you specified in the previous
steps.
- Under Additional properties, click to create a new transform, click to delete a transform,
or click a transform name to edit an existing transform. If
you create a new transform configuration, specify a unique name. For
example, you might specify reqint_body_transform1.
- Select a transform algorithm from the menu. The
transform algorithm is specified within the <Transform> element.
It specifies the transform algorithm for the signature. WebSphere Application Server supports the
following algorithms:
The transform algorithm that you select for the consumer must
match the transform algorithm that you select for the generator.
Important: If both of the following conditions are true, WebSphere Application Server signs the
referenced token:
- You previously selected the Keyinfo or the Keyinfochildelements
option from the Key information signature type field on the signing
information panel.
- You select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
as the transform algorithm.
- Click OK.
- Click Save at the top of the panel
to save your configuration.
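The following Python script is an added example and is not part of this IBM documentation or of WebSphere itself. It reads a generator-side and a consumer-side signing information configuration and reports the conditions that the steps above call out: more than one signing information configuration on a side (only the first is honoured), a signature method, canonicalization method or key information signature type that differs between the two sides, a digest algorithm outside the supported list or a per-part digest or transform mismatch, and the STR-Transform case in which the referenced token is signed as well. The XML layout and the attribute names (`keyInfoSignatureType`, `algorithm`, `name`) are assumptions made for the example; they reuse element names that the page mentions but are not the real binding-file schema. The script also flags a SHA-1 digest as weak; that is a recommendation of the example, not a statement from the page.

```python
"""Consistency checks for a generator/consumer WS-Security signing-information pair.

Added example for this page, not IBM code. GENERATOR_BINDING and CONSUMER_BINDING
are constructed, simplified stand-ins for the binding files: they reuse element
names the page mentions (SigningInfo, PartReference, DigestMethod, Transform), but
the attribute names and layout are assumptions, not the real binding-file schema.
"""
import xml.etree.ElementTree as ET

# Algorithm identifiers listed on the page.
C14N_ALGOS = {
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
}
DIGEST_ALGOS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmlenc#sha512",
}
WEAK_DIGESTS = {"http://www.w3.org/2000/09/xmldsig#sha1"}  # SHA-1 is collision-broken; flag it
STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")
KEYINFO_TYPES = {"None", "Keyinfo", "Keyinfochildelements"}

# Constructed sample: a consistent generator-side configuration.
GENERATOR_BINDING = """<bindings>
  <SigningInfo name="gen_signinfo" keyInfoSignatureType="Keyinfo">
    <SignatureMethod algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <CanonicalizationMethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <PartReference name="reqint">
      <DigestMethod algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </PartReference>
  </SigningInfo>
</bindings>"""

# Constructed sample with three deliberate problems: a second SigningInfo (only the
# first is honoured), inclusive instead of exclusive C14N, and a SHA-1 digest.
CONSUMER_BINDING = """<bindings>
  <SigningInfo name="con_signinfo" keyInfoSignatureType="Keyinfo">
    <SignatureMethod algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <CanonicalizationMethod algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <PartReference name="reqint">
      <DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </PartReference>
  </SigningInfo>
  <SigningInfo name="con_signinfo_unused"/>
</bindings>"""


def load_signing_info(xml_text):
    """Read the first SigningInfo element; the runtime ignores any others."""
    infos = ET.fromstring(xml_text).findall("SigningInfo")
    if not infos:
        raise ValueError("no SigningInfo element")
    si = infos[0]
    return {
        "ignored": len(infos) - 1,
        "signature_method": si.find("SignatureMethod").get("algorithm"),
        "c14n": si.find("CanonicalizationMethod").get("algorithm"),
        # The page states that an unspecified key information signature type is Keyinfo.
        "keyinfo_type": si.get("keyInfoSignatureType", "Keyinfo"),
        "parts": {
            pr.get("name"): (
                pr.find("DigestMethod").get("algorithm"),
                tuple(t.get("algorithm") for t in pr.findall("Transform")),
            )
            for pr in si.findall("PartReference")
        },
    }


def check_pair(generator_xml, consumer_xml):
    """Return a list of findings; an empty list means the two sides agree."""
    gen, con = load_signing_info(generator_xml), load_signing_info(consumer_xml)
    findings = []
    for side, cfg in (("generator", gen), ("consumer", con)):
        if cfg["ignored"]:
            findings.append(f"{side}: {cfg['ignored']} extra SigningInfo configuration(s) are ignored")
        if cfg["c14n"] not in C14N_ALGOS:
            findings.append(f"{side}: unsupported canonicalization {cfg['c14n']}")
        if cfg["keyinfo_type"] not in KEYINFO_TYPES:
            findings.append(f"{side}: unknown key information signature type {cfg['keyinfo_type']}")
        for name, (digest, _) in cfg["parts"].items():
            if digest not in DIGEST_ALGOS:
                findings.append(f"{side}: part {name} uses unsupported digest {digest}")
            elif digest in WEAK_DIGESTS:
                findings.append(f"{side}: part {name} uses a SHA-1 digest")
    # Everything the page says must match between generator and consumer.
    for key in ("signature_method", "c14n", "keyinfo_type"):
        if gen[key] != con[key]:
            findings.append(f"mismatch in {key}: generator={gen[key]} consumer={con[key]}")
    for name in sorted(set(gen["parts"]) | set(con["parts"])):
        if gen["parts"].get(name) != con["parts"].get(name):
            findings.append(f"part {name}: digest or transforms differ between generator and consumer")
    # Page: a signed KeyInfo combined with STR-Transform also signs the referenced token.
    if gen["keyinfo_type"] in {"Keyinfo", "Keyinfochildelements"} and any(
            STR_TRANSFORM in transforms for _, transforms in gen["parts"].values()):
        findings.append("info: STR-Transform with a signed KeyInfo also signs the referenced token")
    return findings


if __name__ == "__main__":
    for finding in check_pair(GENERATOR_BINDING, CONSUMER_BINDING):
        print(finding)
```

Run against the two constructed samples, the script reports the ignored second configuration, the SHA-1 digest, the canonicalization mismatch and the per-part digest mismatch; run with the generator configuration on both sides it reports nothing. Comparing the first SigningInfo only mirrors the "Avoid trouble" note above, so a stray second configuration is surfaced rather than silently compared.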
Results
After completing these steps, you have configured the signing
information for the consumer on the server or cell level.
What to do next
You must specify a similar signing information configuration
for the generator.