To configure the client for request signing, specify the digital signature
method (the canonicalization, digest and signature algorithms and the signing
key) in the client deployment descriptor. Which parts of the request message
are signed is configured separately; see Configuring the client for request
signing: digitally signing message parts.
Before you begin
Important: There is an important distinction between
Version 5.x and Version 6 and later applications. This information
applies only to Version 5.x applications that are used with WebSphere® Application Server Version 6.0.x and
later. It does not apply to Version 6.0.x and later applications.
Before completing these steps, read the topics that describe the following
two tabs in the web services client editor within an assembly tool, so that
you are familiar with them:
- the Security extensions tab
- the Port binding tab
These two tabs are used to configure the Web Services Security
extensions and the Web Services Security bindings, respectively. You
must also specify which parts of the message sent by the client are
digitally signed. See
Configuring the client for request signing: digitally signing message parts for
more information.
About this task
Complete the following steps to specify which message parts
to digitally sign when configuring the client for request signing:
Procedure
- Launch an assembly tool. For more information,
see the related information on assembly tools.
- Switch to the Java™ Platform,
Enterprise Edition (Java EE) perspective. Click .
- Click .
- Right-click the application-client.xml file,
select , and click the WS
Binding tab. The Client Deployment Descriptor
is displayed.
- Expand .
- Select Edit to view the signing
information and select a digital signature method from the Signature
method algorithm field. The following table
describes the purpose of this information. Some of these definitions
are based on the XML-Signature specification (http://www.w3.org/TR/xmldsig-core).
Table 1. Digital signature methods. The digital signature method information is stored in the client deployment descriptor.

Name | Purpose
--- | ---
Canonicalization method algorithm | Canonicalizes the <SignedInfo> element before it is digested as part of the signature operation.
Digest method algorithm | Applied to the data after any specified transforms, to yield the <DigestValue> element. Signing the <DigestValue> element binds the resource content to the signer key. The algorithm selected for the client request sender configuration must match the algorithm selected in the server request receiver configuration.
Signature method algorithm | Converts the canonicalized <SignedInfo> element into the <SignatureValue> element. The algorithm selected for the client request sender configuration must match the algorithm selected in the server request receiver configuration.
Signing key name | The key entry associated with the signing key locator. The key entry is an alias of the key in the key store, and that key is used to sign the request.
Signing key locator | A reference to a key locator implementation class that locates the key store in which the alias and its certificate exist.
- Optional: Select Show only FIPS
Compliant Algorithms if you want only FIPS-compliant
algorithms to be shown in the Digest method algorithm and Signature
method algorithm drop-down lists. Use this option if you
expect this application to run on a WebSphere Application
Server that has the Use the United States Federal Information
Processing Standard (FIPS) algorithms option set in the SSL
certificate and key management panel of the WebSphere administrative
console, so that the algorithms you choose here are ones that server accepts.
Results
Important: If you configure the client and server
signing information correctly but receive a
Soap body not
signed error when running the client, you might need to configure
the actor. On the client, you can configure the actor in the following locations
in the web services client editor within an assembly
tool:
- Click and indicate the actor information in the Actor
URI field.
- Click and indicate the actor information in the Actor field.
You must configure the same actor string for the web service
on the server, which processes the request and sends the response
back. On the server, configure the actor in the following locations in the web services
editor within an assembly tool:
- Click .
- Click and indicate the actor
information in the Actor field.
The actor strings on the client and server must be identical. A Security
header is processed by the receiver whose actor matches it; a header
addressed to a different actor is not processed but is forwarded
downstream to the process that has that actor configured, so the
receiver sees a request whose body was not signed for it. The same
applies to the response. The Actor fields may legitimately differ
when a web service acts as a gateway to other web services and is
meant to pass the signed request through rather than process it. In
every other case, verify that the client and server actor fields match.
You have specified
which method is used to digitally sign a message when the client sends
a message to a server.
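The algorithm-matching rules in Table 1 and the actor rule above both reduce to a consistency check between what the client places in the SignedInfo and wsse:Security header and what the server request receiver was configured to accept. The following Python script is an added example, not IBM code and not part of the assembly tool: it parses a constructed SOAP 1.1 request, compares the canonicalization, signature and digest algorithm URIs and the actor against a hypothetical receiver configuration, and reports whether the Body is covered by a ds:Reference, so the mismatches that surface as a Soap body not signed error can be seen without a deployment. It checks configuration agreement only, not the cryptographic DigestValue or SignatureValue; the namespaces are the OASIS WSS 1.0 ones (a Version 5.x application may use an earlier draft namespace), and the actor URI and SERVER_CONFIG values are assumptions.

```python
"""Configuration-consistency check for a WS-Security signed SOAP 1.1 request.

Added example, not IBM code and not the assembly tool's own validation. It does
not verify DigestValue or SignatureValue; it only checks that the client's
SignedInfo algorithms and actor agree with a receiver configuration.
"""
import xml.etree.ElementTree as ET

# OASIS WSS 1.0 namespaces (assumed; WAS 5.x applications may use a draft namespace).
NS = {
    "env": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
ACTOR_ATTR = "{%s}actor" % NS["env"]  # SOAP 1.1 actor is in the envelope namespace
WSU_ID = "{%s}Id" % NS["wsu"]
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"

# Hypothetical server request receiver configuration; the actor URI is made up.
SERVER_CONFIG = {
    "actor": "http://example.com/wss/actor",
    "c14n": EXC_C14N,
    "signature": RSA_SHA1,
    "digest": SHA1,
    "required_parts": {"body"},  # wsu:Id values a ds:Reference must cover
}


def describe_signature(envelope_xml):
    """Extract actor, SignedInfo algorithms and referenced Ids from the request."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("env:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header in request")
    si = sec.find("ds:Signature/ds:SignedInfo", NS)
    if si is None:
        raise ValueError("wsse:Security header carries no ds:Signature")
    refs = si.findall("ds:Reference", NS)
    return {
        "actor": sec.get(ACTOR_ATTR),
        "c14n": si.find("ds:CanonicalizationMethod", NS).get("Algorithm"),
        "signature": si.find("ds:SignatureMethod", NS).get("Algorithm"),
        "digests": {r.find("ds:DigestMethod", NS).get("Algorithm") for r in refs},
        "signed_ids": {r.get("URI", "").lstrip("#") for r in refs},
        "present_ids": {el.get(WSU_ID) for el in root.iter() if el.get(WSU_ID)},
    }


def check_request(envelope_xml, config=SERVER_CONFIG):
    """Return the mismatches a receiver configured as `config` would hit (empty = ok)."""
    d = describe_signature(envelope_xml)
    problems = []
    # A header addressed to another actor is forwarded downstream, not processed,
    # so the receiver then sees a body that was not signed for it.
    if d["actor"] != config["actor"]:
        problems.append("actor mismatch: client %r, server %r" % (d["actor"], config["actor"]))
    for key in ("c14n", "signature"):
        if d[key] != config[key]:
            problems.append("%s algorithm mismatch: client %s, server %s" % (key, d[key], config[key]))
    for alg in sorted(d["digests"] - {config["digest"]}):
        problems.append("digest algorithm mismatch: client %s, server %s" % (alg, config["digest"]))
    for part in sorted(config["required_parts"] - d["signed_ids"]):
        problems.append("%s not signed" % part)
    for ref in sorted(d["signed_ids"] - d["present_ids"]):
        problems.append("ds:Reference #%s points at no wsu:Id in the message" % ref)
    return problems


def make_request(actor, signature_alg, digest_alg, signed_ids):
    """Build a constructed (not captured) request; digest and signature values are
    placeholders because only the configuration layout is checked."""
    env, ds, wsse, wsu = NS["env"], NS["ds"], NS["wsse"], NS["wsu"]
    refs = "".join(
        '<ds:Reference URI="#%s"><ds:DigestMethod Algorithm="%s"/>'
        "<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>" % (i, digest_alg)
        for i in signed_ids
    )
    return (
        '<env:Envelope xmlns:env="%s" xmlns:ds="%s" xmlns:wsse="%s" xmlns:wsu="%s">'
        "<env:Header>"
        '<wsse:Security env:actor="%s" env:mustUnderstand="1">'
        '<wsu:Timestamp wsu:Id="ts"><wsu:Created>2004-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>'
        "<ds:Signature><ds:SignedInfo>"
        '<ds:CanonicalizationMethod Algorithm="%s"/>'
        '<ds:SignatureMethod Algorithm="%s"/>%s'
        "</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>"
        "</wsse:Security></env:Header>"
        '<env:Body wsu:Id="body"><getQuote>IBM</getQuote></env:Body>'
        "</env:Envelope>" % (env, ds, wsse, wsu, actor, EXC_C14N, signature_alg, refs)
    )


# Client configured to match the server: Timestamp and Body signed with rsa-sha1/sha1.
GOOD_REQUEST = make_request(SERVER_CONFIG["actor"], RSA_SHA1, SHA1, ["ts", "body"])
# Wrong actor, a different signature algorithm, and only the Timestamp signed.
BAD_REQUEST = make_request("http://example.com/wss/gateway", RSA_SHA256, SHA1, ["ts"])

if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(name, check_request(req) or "ok")
```

Running the script reports nothing for the matching request and three findings for the mismatched one (actor, signature algorithm, body not signed). A real receiver reports only the first failure it hits, which is why the actor check is listed alongside the algorithm checks: an actor mismatch alone produces the same Soap body not signed symptom as forgetting to sign the Body.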
What to do next
After you configure the client to digitally sign the message,
you must configure the server to verify the digital signature. See
Configuring the server for request digital signature verification: Verifying the message parts for more
information.