Configure an application for Web services security with an assembly tool
Before you begin
Prior to completing this task, import your application into an assembly tool. For information on how to import your application, see Import enterprise applications.
Overview
There are eight parts of Web services security that configure to secure your SOAP messages using either digital signature or encryption. Four of these parts involve the deployment descriptor extensions and four parts involve the bindings that correspond to the deployment descriptors. The following table illustrates these eight parts that involve both the client and the server or a server acting as a client. It is recommended that you configure each of these parts in order from left to right in the table. For example, configure the request generator extensions and then the request consumer extensions because the configurations must match. After you configure the request generator and request consumer extensions, configure the request generator and the request consumer bindings, and so on.
Table 1. Client and server extensions and bindings relationship Client Server 1. Request generator extensions 2. Request consumer extensions 3. Request generator bindings 4. Request consumer bindings 5. Response consumer extensions 6. Request generator extensions 7. Response consumer bindings 8. Response generator bindings In Web services security for WAS Version 6, integrity refers to digital signature and confidentiality refers to encryption. Integrity decreases the risk of data modification when data is transmitted across a network. Confidentiality reduces the risk of someone intercepting the message as it moves across a network. With confidentiality, however, the message is encrypted before it is sent and decrypted when it is received by its target server. The article provides the steps needed to secure your Web services using either integrity or confidentiality.
In the generator bindings, one can specify which message parts to sign (integrity) or encrypt (confidentiality) and what method is used. In the consumer bindings, you specify when the message parts are signed or encrypted. After you verify the digital signature or encryption in the consumer, the consumer verifies that the specified message parts are actually signed or encrypted. If the digital signature or encryption is required and the message is not signed or encrypted, the message is rejected by the consumer.
There are two different methods to specify what needs to be signed (integrity) or encrypted (confidentiality). Use either keywords or an XPath expression to configure message parts, a nonce, or a time stamp. When you use keywords, one can specify only certain elements within a message. With an XPath expression, one can specify any part of the message.
In addition to securing Web services for integrity and confidentiality, the assembly tools enable you to complete the following tasks:
- Configure a stand-alone time stamp for the generator and the consumer extensions. For more information, see Adding a stand-alone time stamp to generator security constraints and Adding a stand-alone time stamp in consumer security constraints.
- Configure the security token in the generator and consumer constraints. For more information, see Configuring the security token in generator security constraints and Configuring the security token requirement in consumer security constraints.
- Configure a caller part for the consumer security constraints. For more information, see Configuring the caller in consumer security constraints.
- Configure identity assertion. For more information, see Configuring identity assertion.
Steps for this task (dependent on configuration)
- Configure the client and the server for integrity. To properly configure Web services security for integrity, complete the following steps for the request generator and the request consumer and then repeat the steps for the response generator and the response consumer.
- Specify which message elements to sign in the generator security constraints using either keywords on an XPath expression. For more information, see either Signing message elements in generator security constraints with keywords or Signing message elements in generator security constraints with an XPath expression. When you sign the message elements, one can also add a nonce or a time stamp configuration. For more information on these configurations, see:
- Adding time stamps for integrity to generator security constraints with keywords
- Adding time stamps for integrity to generator security constraints with an XPath expression
- Adding a nonce for integrity in generator security constraints with keywords
- Adding a nonce for integrity to generator security constraints with an XPath expression
- Configure a collection certificate store for the generator security constraints. For more information, see Configuring the collection certificate store for the generator binding with an assembly tool.
- Configure the token generator. For more information, see Configuring token generators with an assembly tool.
- Configure the key locators in the generator binding. For more information, see Configuring key locators for the generator binding with an assembly tool.
- Configure the key information in the generator binding. For more information, see Configuring key information for the generator binding with an assembly tool.
- Configure the signing information in the generator binding. For more information, see Configuring signing information for the generator binding with an assembly tool.
- Specify which message elements to sign in the consumer security constraints using either keywords on an XPath expression. For more information, see either Signing message elements in consumer security constraints with keywords or Signing message elements in consumer security constraints with an XPath expression. When you sign the message elements, one can also add a nonce or a time stamp configuration. For more information on these configurations, see:
- Adding time stamps for integrity in consumer security constraints with keywords
- Adding a nonce for integrity in consumer security constraints with keywords
- Adding time stamps for integrity in consumer security constraints with an XPath expression
- Adding a nonce for integrity in consumer security constraints with an XPath expression
- Configure a collection certificate store for the consumer security constraints. For more information, see Configuring the collection certificate store for the consumer binding with an assembly tool.
- Configure a token consumer. For more information, see Configuring token consumers with an assembly tool.
- Configure the key locators in the consumer binding. For more information, see Configuring the key locator for the consumer binding with an assembly tool.
- Configure the key information in the consumer bindings. For more information, see Configuring key information for the consumer binding with an assembly tool.
- Configure the signing information in the consumer binding. For more information, see Configuring signing information for the consumer binding with an assembly tool.
- Configure the client and the server for confidentiality. To properly configure Web services security for confidentiality, complete the following steps for the request generator and the request consumer, and then repeat the steps for the response generator and the response consumer.
- Specify which message elements to encrypt in the generator security constraints using either keywords on an XPath expression. For more information, see either Encrypting the message elements in generator security constraints with keywords or Encrypting the message elements in generator security constraints with an XPath expression. When you encrypt the message elements, one can also add a nonce or a time stamp configuration. For more information on these configurations, see:
- Adding time stamps for confidentiality to generator security constraints with keywords
- Adding the nonce for confidentiality to generator security constraints with keywords
- Adding time stamps for confidentiality to generator security constraints with an XPath expression
- Adding the nonce for confidentiality to generator security constraints with an XPath expression
- Configure the token generator. For more information, see Configuring token generators with an assembly tool.
- Configure the key locators in the generator binding. For more information, see Configuring key locators for the generator binding with an assembly tool.
- Configure the key information in the generator binding. For more information, see Configuring key information for the generator binding with an assembly tool.
- Configure the encryption information in the generator binding. For more information, see Configuring encryption information for the consumer binding with an assembly tool.
- Specify which message elements to encrypt in the consumer security constraints using either keywords on an XPath expression. For more information, see either Encrypting message elements in consumer security constraints with keywords or Encrypting message elements in consumer security constraints with an XPath expression. When you encrypt the message elements, one can also add a nonce or a time stamp configuration. For more information on these configurations, see:
- Adding time stamps for confidentiality in consumer security constraints with keywords
- Adding a nonce for confidentiality in consumer security constraints with keywords
- Adding time stamps for confidentiality in consumer security constraints with an XPath expression
- Adding the nonce for confidentiality in consumer security constraints with an XPath expression
- Configure a token consumer. For more information, see Configuring token consumers with an assembly tool.
Also, the token consumer article provides the steps that are needed to optionally configure a trust anchor.
- Configure the key locators in the consumer binding. For more information, see Configuring the key locator for the consumer binding with an assembly tool.
- Configure the key information in the consumer bindings. For more information, see Configuring key information for the consumer binding with an assembly tool.
- Configure the encryption information in the consumer binding. For more information, see Configuring encryption information for the generator binding with an assembly tool.
Result
By completing the previous steps, you have configured your application for either digital signature (integrity) or encryption (confidentiality).
See also
XML digital signature
Signing message elements in generator security constraints with keywords
Signing message elements in generator security constraints with an XPath expression
Collection certificate store
Configuring the collection certificate store for the generator binding with an assembly tool
Trust anchor
Configuring token generators with an assembly tool
Key locator
Configuring key locators for the generator binding with an assembly tool
Configuring key information for the generator binding with an assembly tool
Configuring signing information for the generator binding with an assembly tool
Signing message elements in consumer security constraints with keywords
Signing message elements in consumer security constraints with an XPath expression
Configuring the collection certificate store for the consumer binding with an assembly tool
Trusted ID evaluator
Configuring token consumers with an assembly tool
Configuring the key locator for the consumer binding with an assembly tool
Configuring key information for the consumer binding with an assembly tool
Configuring signing information for the consumer binding with an assembly tool
Encrypting the message elements in generator security constraints with keywords
Encrypting the message elements in generator security constraints with an XPath expression
XML encryption
Configuring encryption information for the consumer binding with an assembly tool
Encrypting message elements in consumer security constraints with keywords
Encrypting message elements in consumer security constraints with an XPath expression
Configuring encryption information for the generator binding with an assembly tool
Adding a stand-alone time stamp to generator security constraints
Adding a stand-alone time stamp in consumer security constraints
Security token
Configuring the security token in generator security constraints
Configuring the security token requirement in consumer security constraints
Configuring the caller in consumer security constraints
Configuring identity assertion
See Also
Nonce, a randomly generated token