Configuring a policy set and bindings for Signer Certificate Encryption
This procedure describes how to configure a JAX-WS consumer/provider for signer certificate encryption. Signer certificate encryption means that the client's public certificate that is used to verify the digital signature of the inbound request message is used to encrypt the outbound response.
Before you begin
This task assumes that the service provider and client that you are configuring are in the JaxWSServicesSamples application. Refer to the topic Accessing Samples for more information on how to obtain and install this application.
*=info:com.ibm.wsspi.wssecurity.*=all:com.ibm.ws.webservices.wssecurity.*=all:com.ibm.ws.wssecurity.*=all:com.ibm.xml.soapsec.*=all:com.ibm.ws.webservices.trace.*=all:com.ibm.ws.websvcs.trace.*=all:com.ibm.ws.wssecurity.platform.audit.*=off:com.ibm.ws.webservices.multiprotocol.AgnosticService=all:com.ibm.ws.websvcs.utils.SecurityContextMigrator=all
About this task
Because signer certificate encryption is used, only the client's digital signature keystore is used in this procedure. The service obtains the public certificate used for signature verification from the inbound request and then uses that same certificate to encrypt the response. On the provider side, the custom property com.ibm.wsspi.wssecurity.token.cert.useRequestorCert=true, set on the provider's encryption generator, is what accomplishes this.
${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks
- Only outbound digital signature and inbound encryption will be configured.
- General bindings will be used for both the client and the provider.
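The following is an added illustration of the signer certificate encryption flow described under "About this task"; it is not WebSphere code or part of this procedure. It uses the Python cryptography package, a constructed self-signed client certificate standing in for the client's signature keystore, and a plain dict standing in for the SOAP message and its WS-Security header; the DER-encoded trust anchors passed to the provider stand in for its trust store.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def make_client_identity():
    """Constructed stand-in for the client's signature keystore: a fresh RSA key
    and a self-signed certificate (no real keystore file is read)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed-client")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))
    return key, cert


def client_build_request(key, cert, body):
    """Outbound request: body signed with the client key, signer certificate attached
    (the role a BinarySecurityToken plays in the WS-Security header)."""
    return {"body": body, "signature": key.sign(body, PSS, hashes.SHA256()),
            "cert": cert.public_bytes(serialization.Encoding.DER)}


def provider_handle(request, response_body, trusted_der_certs):
    """Provider side: verify the inbound signature with the attached certificate, then reuse
    that same certificate to encrypt the response (what useRequestorCert=true asks the
    encryption generator to do). Returns None when the request is rejected."""
    # The attached certificate is untrusted input: anchor it to the trust store before
    # relying on its public key, otherwise anyone could supply a key and sign with it.
    if request["cert"] not in trusted_der_certs:
        return None
    cert = x509.load_der_x509_certificate(request["cert"])
    try:
        cert.public_key().verify(request["signature"], request["body"], PSS, hashes.SHA256())
    except InvalidSignature:
        return None
    # RSA-OAEP directly on the body keeps the example short; a real stack wraps a symmetric key.
    return cert.public_key().encrypt(response_body, OAEP)


def client_read_response(key, ciphertext):
    """Client decrypts the response with the private key of its signature keystore."""
    return key.decrypt(ciphertext, OAEP)
```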

After completing the task, if you have to go back and edit the general bindings that you have created, you will need to restart the application server after saving your updates. Although you can create a general binding and use it immediately without restarting the application server, once a general binding has been loaded by an application, changes to the binding will not be recognized until the server is restarted.