Signing message elements in consumer security constraints with keywords

 

Before you begin

Prior to completing this task, import your application into an assembly tool. For information on how to import your application, see Import enterprise applications.

 

Overview

Complete the following steps to specify which message parts or elements must be signed when you configure the consumer security constraints for either the response consumer or the request consumer. The response consumer is configured for the client and the request consumer is configured for the server. If the required parts are not signed, the request or response is rejected and a Simple Object Access Protocol (SOAP) fault is returned to the caller. In the following steps, configure either the client-side extensions in step 2 or the server-side extensions in step 3.

 

Procedure

  1. Start the assembly tool and click Window > Open Perspective > J2EE.

  2. Optional: Locate the client-side extensions using the Project Explorer window. The Client Deployment Descriptor window is displayed. This Web service contains the extensions that we need to configure.

    1. Expand the Web Services > Client section and double-click the name of the Web service.

    2. Click the WS Extension tab and expand the Response Consumer Configuration section.

  3. Optional: Locate the server-side extensions using the Project Explorer window. The Web Services Editor window is displayed. This Web service contains the extensions that we need to configure.

    1. Expand the Web Services > Services section and double-click the name of the Web service.

    2. Click the Extensions tab and expand the Request Consumer Service Configuration Details section.

  4. Expand the Required Integrity section. Integrity refers to digital signature while confidentiality refers to encryption. Integrity decreases the risk of data modification when you transmit data across a network. For more information on digitally signing SOAP messages, see XML digital signature.

  5. Click Add to indicate which message parts or elements the consumer expects to be signed. The Required Integrity Dialog window is displayed.

    1. Specify a name for the integrity element under Required Integrity Name field.

    2. Specify a usage type in the Usage type field. This field specifies the requirement for the integrity element. The following options are available:

      Required

      If you select Required and the required message parts or elements are not signed, then the message is rejected with SOAP fault.

      Optional

      If you select Optional, then the digital signature of the selected message parts or elements is verified if they are signed. However, the consumer does not reject the message if the selected message parts or elements are not signed.

  6. Click Add under the Message Parts section and select the Message parts dialect. The http://www.ibm.com/websphere/webservices/wssecurity/dialect-was dialect specifies which message parts or elements are expected to be signed using keywords. If you select this dialect, one can select one of the following keywords under the Message parts keyword heading:

    body

    Specifies the user data portion of the message. If you select this keyword, the body is checked to see if it is signed.

    timestamp

    Specifies that the stand-alone timestamp element within the message is checked for a digital signature. The timestamp element determines whether the message is valid based upon the time that the message is sent and then received. If the timestamp option is selected, make sure that there is a stand-alone timestamp element in the message. If the element does not exist, see Adding a stand-alone time stamp in consumer security constraints.

    securitytoken

    Specifies that the security token authenticates the client. If this keyword is selected, the security token or tokens in the SOAP message are checked to determine if they are signed. For example, if you are sending a UsernameToken element within the message, one can specify that it is signed using this keyword.

    dsigkey

    Specifies that the key information element, which is used for digital signature, is checked to determine if it is signed.

    enckey

    Specifies that the key information element, which is used for encryption, is checked to determine if it is signed.

    messageid

    Specifies that the <wsa:MessageID> element within the message is checked to determine if it is signed.

    to

    Specifies that the <wsa:To> element within the message is checked to determine if it is signed.

    action

    Specifies that the <wsa:Action> element is checked to determine if it is signed.

    relatesto

    Specifies that the <wsa:RelatesTo> element within the message is checked to determine if it is signed.

  7. Click OK to save the configuration changes.

    Note: These configurations for the consumer and the generator must match.

    In addition to specifying the message parts or elements that are expected to be signed, you also can specify that nonce and timestamp elements are expected to be included in the signed elements. For more information, see the following articles:

 

What to do next

After you specify which message parts to check for a digital signature, specify which signature algorithm is used to validate the signature. For more information, see Configuring signing information for the consumer binding with an assembly tool.

 

See also


Adding time stamps for integrity in consumer security constraints with keywords
Adding a nonce for integrity in consumer security constraints with keywords

 

See Also


XML digital signature

 

Related Tasks


Adding a stand-alone time stamp in consumer security constraints
Adding time stamps for integrity in consumer security constraints with an XPath expression
Adding a nonce for integrity in consumer security constraints with an XPath expression
Configuring signing information for the consumer binding with an assembly tool