Signature authentication refers to an X.509 certificate that is
sent by the client to the server. The certificate is used to authenticate
to the user registry that is configured at the server. The client collects
the authentication information for signature authentication.
About this task
Important: There is an important distinction between
Version 5.x and Version 6.0.x and later applications. The information
in this article supports Version 5.x applications only that are used
with WebSphere® Application
Server Version 6.0.x and later. The information does not apply to Version
6.0.x and later applications.
You can configure signature
authentication. A signature refers to the use of an X.509 certificate to login
on the target server.
Complete the following steps to specify how the
client collects the authentication information for signature authentication:
Procedure
- Launch an assembly tool. For more information, see the
related information on Assembly Tools.
- Switch to the Java Platform, Enterprise Edition (Java EE)
perspective. Click Window > Open Perspective > J2EE.
- Click Application Client Projects > application_name >
appClientModule > META-INF.
- Right-click the application-client.xml file, select Open
with > Deployment descriptor editor.
- Click the WS Binding tab, which is located at the bottom of the
deployment descriptor editor within the assembly tool.
- Expand the Security request sender binding configuration >
Signing information and click Edit to modify the signing
key name and signing key locator. To create new signing information, click Enable.
The certificate that is sent to log in at the server is the one configured
in the Signing Information section. Review the key locator information to
understand how the signing key name maps to a key within the key locator entry.
The
following list describes the purpose of this information. Some of these definitions
are based on the XML-Signature specification, which is located at the following
Web address:
http://www.w3.org/TR/xmldsig-core
- Canonicalization method algorithm
- Canonicalizes the <SignedInfo> element before it is digested as part
of the signature operation.
- Digest mehod algorithm
- Represents the algorithm that is applied to the data after transforms
are applied, if specified, to yield the <DigestValue> element. The signing
of the <DigestValue> element binds the resource content to the signer key.
The algorithm selected for the client request sender configuration must match
the algorithm selected in the server request receiver configuration.
- Signature method algorithm
- Represents the algorithm that is used to convert the canonicalized <SignedInfo>
element value into the <SignatureValue> value. The algorithm selected
for the client request sender configuration must match the algorithm selected
in the server request receiver configuration.
- Signing key name
- Represents the key entry that is associated with the signing key locator.
The key entry refers to an alias of the key, which is used to sign the request.
- Signing key locator
- Represents a reference to a key locator implementation.
- Expand the Security request sender binding configuration >
Login binding section.
- Click Edit to view the login binding information.
Select or enter the following information:
- Authentication method
- Specifies the type of authentication that occurs. Select Signature to
use signature authentication.
- Token value type URI and Token value type URI local name
- When you select Signature, you cannot edit token value type Uniform
Resource Identifier (URI) and local name values. Specifies custom authentication
types. For signature authentication, leave these fields blank.
- Callback handler
- Specifies the Java Authentication and Authorization Server (JAAS)
callback handler implementation for collecting signature information. Enter
the following callback handler for signature authentication: com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler
This
callback handler is used because the signature method does not require user
interaction.
- Basic authentication user ID and Basic authentication password
- Leave the BasicAuth fields blank when signature authentication is used.
- Property name and property value
- This field enables you to enter properties and name and value pairs for
use by custom callback handlers. For signature authentication, do not enter
any information.
What to do next
Other customization entries: There is a basic authentication
entry in the Port Qualified Name Binding Details section. This entry is used
for HTTP transport authentication, which might be required if the router servlet
is protected.
Information specified in the Web services security signature
authentication section overrides the basic authentication information specified
in the Port Qualified Name Binding Details section for authorizing the Web
service.
To use the signature authentication method, you must specify
the authentication method in the Login configuration section of an assembly
tool.