Adding an XML digital signature to a Web service

You can secure the integrity of your Web service, protecting your information against unauthorized alteration, by adding a digital signature to your Web services.

Prerequisite: Create or import a project containing a Web service.

Both the client and server can be protected using an XML digital signature. In order for an XML digital signature to be accepted for a transmission between a client and server, the signature information must be set for both. To add an XML digital signature to a Web service:

  1. Change to the Java EE perspective.

    1. Click Window | Open Perspective | Other.

    2. Select Java EE from the list and click OK.

  2. Expand the Web Services tab in the Project Explorer view.

  3. Expand the Services tab.

  4. Right-click your service and select Secure Web Service | Add Digital Signature.

  5. In the Integrity Message Parts section, one Message Part is added by default. You can modify the existing default by changing its Dialect or Keyword, and you can add more Message Parts; a menu lists the available message parts settings. The default setting is recommended; if you want more information about message parts settings, see the message parts settings reference.

  6. To accept the rest of the defaults and continue to the Token Consumer page, click Next.

    Note: The other available menu lets you select your preferred signature method algorithm. A signature method is the algorithm that is used to convert the canonicalized <SignedInfo> element in the binding file into the <SignatureValue> element. The algorithm that is specified for the consumer, which is either the request consumer or the response consumer configuration, must match the algorithm specified for the generator, which is either the request generator or the response generator configuration.

    WebSphere® Application Server supports the following pre-configured algorithms:

    • http://www.w3.org/2000/09/xmldsig#rsa-sha1

    • http://www.w3.org/2000/09/xmldsig#hmac-sha1

    • http://www.w3.org/2000/09/xmldsig#dsa-sha1

  7. Choose the type of Token Consumer from the drop-down list.

  8. Select Only trust Certificates with the following reference. If the Trust any certificate option is selected, a client with any XML digital signature certificate will have access to your server; without the additional protection of this certificate reference, your server remains at risk.

  9. Fill out the required information in the Certificate Information group.

    1. In the Key store path field, browse to the digital signature key.

    2. In the Key store storepass field, enter the password corresponding to the selected key.

  10. To specify a specific X509 certificate, select the Use a certificate check box. If this check box is not selected, a client request with any X509 certificate will be accepted.

  11. Accept the rest of the defaults and click OK to continue to the Server Side Response Generator Digital Signature window.

  12. In the Integrity Message Parts section, one Message Part is added by default. You can modify the existing default by changing its Dialect or Keyword, and you can add more Message Parts.

  13. To accept the rest of the defaults and continue to the Token Generator page, click Next.

  14. Choose the type of Token Generator from the drop-down list.

  15. Fill out the required information in the Key Store Information section.

    1. In the Key store Path field, type or browse to the path in which the digital signature key is located.

    2. In the Key Store Password field, type the password corresponding to the selected signature key.

    The Use a key check box can be used to add additional security to your XML digital signature. With this option selected, you can choose an alias and password for your XML digital signature to further protect your Web service. To specify a specific X509 certificate, select the Use a certificate check box.

  16. Click Finish. An XML digital signature now secures your server.

  17. For the client to access the server, create a corresponding XML digital signature for the client using one of the following methods:

    • To create a corresponding digital signature using the XML digital signature wizard:

      1. Right-click the client and select Secure Web Service Client | Add XML Digital Signature.

      2. Follow steps 5 to 14 above, using the same client information as was used to secure the server.

    • If you have finished setting up all types of security for your server, you can create a corresponding digital signature for the client using the Based on a Secured Web Service wizard:

      1. Right-click the client and select Secure Web Service Client | Based on a Secured Web Service.

      2. Verify that the corresponding server is selected from the drop-down menu and click Next.

      3. Fill out the required information in the Client Side Request Generator:

        1. In the Key store Path field, type or browse to the path in which the digital signature key is located.

        2. In the Key Store Password field, type the password corresponding to the selected signature key.

      4. Click Next.

      5. Fill out the required information in the Client Side Response Consumer.

      6. Select Only trust Certificates with the following reference. If the Trust any certificate option is selected, a client with any XML digital signature certificate will have access to your server.

      7. Click Finish.

XML digital signature security now protects your Web service against attacks on message integrity. You can see the changes in your XML source by switching to the Resource perspective and opening your Web service .xmi file. To open this file, click Window | Open Perspective | Other, select Resource, and click OK. Then find the corresponding .xmi file under the yourProjectName/WebContent/WEB-INF/ directory.
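The note in step 6 states that the signature method turns the canonicalized <SignedInfo> into the <SignatureValue>, and that the consumer's configured algorithm must match the generator's. The following Python is an added example, not part of this documentation or of the WebSphere or Rational tooling, that walks one request through both roles with the listed hmac-sha1 method: the generator digests the Body message part and signs SignedInfo, and the consumer rejects a mismatched or unlisted algorithm before checking the MAC and the part digest. It assumes a constructed envelope with a single Body reference, a shared demo key passed in by the caller, and inclusive C14N from the standard library in place of the exclusive C14N that WS-Security normally uses.

```python
import base64, hashlib, hmac, xml.etree.ElementTree as ET
DS = "http://www.w3.org/2000/09/xmldsig#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
for p, u in (("ds", DS), ("soapenv", SOAP), ("wsu", WSU)): ET.register_namespace(p, u)
HMAC_SHA1 = DS + "hmac-sha1"
SUPPORTED = {DS + "rsa-sha1", HMAC_SHA1, DS + "dsa-sha1"}   # the three algorithms listed above

def c14n(elem):
    # Inclusive C14N 1.0 of the serialized subtree (stdlib has no exclusive C14N; a simplification).
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def load(envelope_xml):
    root = ET.fromstring(envelope_xml)
    sig = root.find(f".//{{{DS}}}Signature")
    return root, sig, sig.find(f"{{{DS}}}SignedInfo")

def digest_of(root, ref):
    # SHA-1 digest of the message part a ds:Reference points at via its wsu:Id.
    part = next(e for e in root.iter() if e.get(f"{{{WSU}}}Id") == ref.get("URI")[1:])
    return hashlib.sha1(c14n(part)).digest()

def sign(envelope_xml, key, algorithm=HMAC_SHA1):
    """Generator side: digest each referenced part, then MAC the canonical SignedInfo."""
    root, sig, si = load(envelope_xml)
    si.find(f"{{{DS}}}SignatureMethod").set("Algorithm", algorithm)
    for ref in si.iter(f"{{{DS}}}Reference"):
        ref.find(f"{{{DS}}}DigestValue").text = base64.b64encode(digest_of(root, ref)).decode()
    mac = hmac.new(key, c14n(si), hashlib.sha1).digest()
    sig.find(f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")

def verify(envelope_xml, key, expected_algorithm=HMAC_SHA1):
    """Consumer side: the algorithm must equal the configured one; then check MAC and digests."""
    root, sig, si = load(envelope_xml)
    alg = si.find(f"{{{DS}}}SignatureMethod").get("Algorithm")
    if alg != expected_algorithm or alg not in SUPPORTED:
        return False                          # mismatch: reject before any cryptography
    if alg != HMAC_SHA1: raise NotImplementedError("rsa/dsa checks need a non-stdlib library")
    ok = hmac.compare_digest(hmac.new(key, c14n(si), hashlib.sha1).digest(),
                             base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue") or ""))
    return ok and all(hmac.compare_digest(digest_of(root, ref),
                      base64.b64decode(ref.findtext(f"{{{DS}}}DigestValue") or ""))
                      for ref in si.iter(f"{{{DS}}}Reference"))

# Constructed request: one Reference to the Body, the Message Part that is signed by default.
ENVELOPE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsu="{WSU}"><soapenv:Header>
<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:SignatureMethod Algorithm=""/><ds:Reference URI="#body">
<ds:DigestValue/></ds:Reference></ds:SignedInfo><ds:SignatureValue/></ds:Signature></soapenv:Header>
<soapenv:Body wsu:Id="body"><getBalance account="42"/></soapenv:Body></soapenv:Envelope>"""
```

A tampered Body fails on the Reference digest, a wrong key fails on the MAC, and a consumer configured for rsa-sha1 refuses an hmac-sha1 message outright, which is the mismatch the note warns about.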


Related concepts

Integrity in Web services security

Web services


Related tasks

Adding XML encryption to a Web service

Adding a stand-alone security token to a Web service