Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Secure web services > Secure web services > Administer Web Services Security > Administer message-level security for JAX-RPC web services > Configure message-level security for JAX-RPC at the application level


Configure the key information for the consumer binding on the application level

We can configure the key information for the request consumer (server side) and the response consumer (client side) bindings at the application level. The key information on the consumer side specifies which key is used to validate the digital signature in the received message or to decrypt the encrypted parts of the message. Before you begin, configure the key locators and the token consumers that are referenced by the Key locator reference and Token reference fields within the key information panel. Complete the following steps to configure the key information for the consumer binding at the application level.


Procedure

  1. Locate the key information configuration panel in the administrative console.

    1. Click Applications > Application Types > WebSphere enterprise applications > application_name.

    2. Under Manage modules, click URI_name.

    3. Under Web Services Security Properties, you can access the key information for the request consumer and response consumer bindings.

      • For the request consumer (receiver) binding, click Web services: Server security bindings. Under request consumer (receiver) binding, click Edit custom.

      • For the response consumer (receiver) binding, click Web services: Client security bindings. Under response consumer (receiver) binding, click Edit custom.

    4. Under Required properties, click Key information.

    5. Click one of the following to work with key information configuration:

      New

      To create a key information configuration. Enter a name in the Key information name field. For example, you might specify con_signkeyinfo.

      Delete

      To delete a configuration (selected in the box next to that configuration).

      an existing key information configuration

      To edit the settings of a key information configuration.

  2. Select a key information type from the Key information type field. The key information types specify different mechanisms for referencing security tokens using the <wsse:SecurityTokenReference> element within the <ds:KeyInfo> element. WAS supports the following key information types:

    Key identifier

    The security token is referenced using an opaque value that uniquely identifies the token. The algorithm used for generating the <KeyIdentifier> element value depends upon the token type. For example, you can use the subject key identifier for the public keys that are defined in the Internet Engineering Task Force (IETF) Request for Comments (RFC) 3280. The following <KeyInfo> element is generated in the SOAP message for this key information type:
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <wsse:SecurityTokenReference>
        <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3SubjectKeyIdentifier">
          /62wXO...
        </wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>

    Key name

    The security token is referenced using a name that matches an identity assertion within the token. IBM recommends that you do not use this key type as it might result in multiple security tokens that match the specified name. The following <KeyInfo> element is generated in the SOAP message for this key information type:
    <ds:KeyInfo>
    <ds:KeyName>CN=Group1
    </ds:KeyName>
    </ds:KeyInfo> 

    In general, use a key name when you use a keyed-hash message authentication code (HMAC) digital signature algorithm, such as http://www.w3.org/2000/09/xmldsig#hmac-sha1.

    Security token reference

    The security token is directly referenced using Universal Resource Identifiers (URIs). The following <KeyInfo> element is generated in the SOAP message for this key information type:
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="#SomeCert"
            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>

    Attention: As stated in the WS-I Basic Security Profile v1 draft and shown in the previous example, the wsse:Reference element in a SECURE_ENVELOPE must have a ValueType attribute.

    Embedded token

    The security token is directly embedded within the <SecurityTokenReference> element. The following <KeyInfo> element is generated in the SOAP message for this key information type:
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Embedded wsu:Id="tok1">
          …
        </wsse:Embedded>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>

    X509 issuer name and issuer serial

    The security token is referenced by an issuer name and an issuer serial number of an X.509 certificate. The following <KeyInfo> element is generated in the SOAP message for this key information type:
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <ds:X509Data>
          <ds:X509IssuerSerial>
            <ds:X509IssuerName>CN=Jones, O=IBM, C=US</ds:X509IssuerName>
            <ds:X509SerialNumber>1040152879</ds:X509SerialNumber>
          </ds:X509IssuerSerial>
        </ds:X509Data>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>

    Each type of key information is described in the Web Services Security: SOAP Message Security 1.0 (WS-Security 2004) OASIS standard, which is located at: http://www.oasis-open.org/home/index.php under Web Services Security.
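    The following Python script is an added illustration of what the consumer side does with each of the five key information types above; it is not WebSphere code and does not use the WebSphere key locator or token consumer APIs. It classifies the <ds:KeyInfo> in a received wsse:Security header, applies the WS-I Basic Security Profile rule that a wsse:Reference must carry a ValueType, resolves same-document references and embedded tokens to their BinarySecurityToken, looks up key identifiers and issuer/serial pairs in a trusted-key table, and rejects a KeyName that matches more than one key (the caution given for the Key name type). The namespace URIs are the real WS-Security 1.0 and XML-DSig URIs; KEY_STORE, the sample headers, the token values, and the function names are constructed for the example, and the issuer name and serial number are the ones shown on this page.

```python
import xml.etree.ElementTree as ET

# Real namespace URIs from WS-Security 1.0 and XML-DSig; the key store and sample headers are constructed.
DS = "http://www.w3.org/2000/09/xmldsig#"
_WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE, WSU = _WSS + "wssecurity-secext-1.0.xsd", _WSS + "wssecurity-utility-1.0.xsd"
X509 = _WSS + "x509-token-profile-1.0"

def q(ns, local):
    return "{%s}%s" % (ns, local)  # Clark notation, as ElementTree expects

# Stand-in for the consumer's key locator: the keys it already trusts, indexed per reference form.
KEY_STORE = {
    "ski": {"SKI-CONSTRUCTED-1": "cert-of-alice"},
    "issuer_serial": {("CN=Jones, O=IBM, C=US", "1040152879"): "cert-of-jones"},  # values from the page
    "key_name": {"CN=Group1": ["hmac-secret-group1"], "CN=Dup": ["secret-a", "secret-b"]},
}

class KeyInfoError(Exception):
    """The consumer could not resolve ds:KeyInfo to exactly one trusted key."""

def classify(keyinfo):
    """Name the key information type, using the labels from the page."""
    ref = keyinfo.find(q(WSSE, "SecurityTokenReference"))
    if ref is None:
        if keyinfo.find(q(DS, "KeyName")) is not None:
            return "Key name"
        raise KeyInfoError("KeyInfo has neither SecurityTokenReference nor KeyName")
    for local, label in (("KeyIdentifier", "Key identifier"), ("Reference", "Security token reference"),
                         ("Embedded", "Embedded token")):
        if ref.find(q(WSSE, local)) is not None:
            return label
    if ref.find(q(DS, "X509Data") + "/" + q(DS, "X509IssuerSerial")) is not None:
        return "X509 issuer name and issuer serial"
    raise KeyInfoError("unsupported SecurityTokenReference content")

def _lookup(table, key, what):
    if key in table:
        return table[key]
    raise KeyInfoError("no trusted key for %s %r" % (what, key))

def _resolve(header):
    keyinfo = header.find(".//" + q(DS, "KeyInfo"))
    if keyinfo is None:
        raise KeyInfoError("no ds:KeyInfo in the Security header")
    kind = classify(keyinfo)
    ref = keyinfo.find(q(WSSE, "SecurityTokenReference"))
    if kind == "Key identifier":
        kid = ref.find(q(WSSE, "KeyIdentifier"))
        if kid.get("ValueType") != X509 + "#X509v3SubjectKeyIdentifier":
            raise KeyInfoError("unsupported KeyIdentifier ValueType")
        return kind, _lookup(KEY_STORE["ski"], (kid.text or "").strip(), "subject key identifier")
    if kind == "Security token reference":
        r = ref.find(q(WSSE, "Reference"))
        if r.get("ValueType") is None:  # WS-I Basic Security Profile rule quoted on the page
            raise KeyInfoError("wsse:Reference must carry a ValueType attribute")
        target = r.get("URI", "")[1:]  # "#id": same-document reference to a token's wsu:Id
        for tok in header.iter(q(WSSE, "BinarySecurityToken")):
            if tok.get(q(WSU, "Id")) == target:
                return kind, (tok.text or "").strip()
        raise KeyInfoError("no BinarySecurityToken with wsu:Id=%r" % target)
    if kind == "Embedded token":
        tok = ref.find(q(WSSE, "Embedded") + "/" + q(WSSE, "BinarySecurityToken"))
        if tok is None:
            raise KeyInfoError("wsse:Embedded carries no BinarySecurityToken")
        return kind, (tok.text or "").strip()
    if kind == "X509 issuer name and issuer serial":
        iss = ref.find(q(DS, "X509Data") + "/" + q(DS, "X509IssuerSerial"))
        key = (iss.findtext(q(DS, "X509IssuerName"), "").strip(),
               iss.findtext(q(DS, "X509SerialNumber"), "").strip())
        return kind, _lookup(KEY_STORE["issuer_serial"], key, "issuer/serial")
    # Key name: several keys may share one name (the page's caution), so insist on exactly one match.
    name = keyinfo.findtext(q(DS, "KeyName"), "").strip()
    candidates = KEY_STORE["key_name"].get(name, [])
    if len(candidates) != 1:
        raise KeyInfoError("KeyName %r matches %d keys, need exactly one" % (name, len(candidates)))
    return kind, candidates[0]

def resolve(header_xml):
    """Return (key information type, key material), or ("error", reason) when the message must be rejected."""
    try:
        return _resolve(ET.fromstring(header_xml))
    except KeyInfoError as e:
        return "error", str(e)

def security_header(keyinfo_inner, tokens=""):  # constructed wsse:Security wrapper; tokens precede the Signature
    return ('<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s">%s<ds:Signature><ds:KeyInfo>%s'
            '</ds:KeyInfo></ds:Signature></wsse:Security>' % (WSSE, WSU, DS, tokens, keyinfo_inner))

STR = "<wsse:SecurityTokenReference>%s</wsse:SecurityTokenReference>"
BST = '<wsse:BinarySecurityToken wsu:Id="%s" ValueType="%s#X509v3">%s</wsse:BinarySecurityToken>'
SOMECERT = BST % ("SomeCert", X509, "CONSTRUCTED-BASE64-SOMECERT")
SAMPLES = {  # constructed headers: one per key information type, plus two the consumer must reject
    "key_identifier": security_header(STR % ('<wsse:KeyIdentifier ValueType="%s#X509v3SubjectKeyIdentifier">'
                                             "SKI-CONSTRUCTED-1</wsse:KeyIdentifier>" % X509)),
    "key_name": security_header("<ds:KeyName>CN=Group1</ds:KeyName>"),
    "key_name_ambiguous": security_header("<ds:KeyName>CN=Dup</ds:KeyName>"),
    "str": security_header(STR % ('<wsse:Reference URI="#SomeCert" ValueType="%s#X509v3"/>' % X509), SOMECERT),
    "str_no_valuetype": security_header(STR % '<wsse:Reference URI="#SomeCert"/>', SOMECERT),
    "embedded": security_header(STR % ('<wsse:Embedded wsu:Id="tok1">%s</wsse:Embedded>'
                                       % (BST % ("tok1-cert", X509, "CONSTRUCTED-BASE64-TOK1")))),
    "issuer_serial": security_header(STR % ("<ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=Jones, O=IBM, C=US"
                                            "</ds:X509IssuerName><ds:X509SerialNumber>1040152879</ds:X509SerialNumber>"
                                            "</ds:X509IssuerSerial></ds:X509Data>")),
}
```

    Calling resolve(SAMPLES["str"]) returns the type label together with the token text that the URI #SomeCert points at, while resolve(SAMPLES["str_no_valuetype"]) and resolve(SAMPLES["key_name_ambiguous"]) return ("error", reason). In WebSphere the equivalent lookups are performed by the key locator and token consumer that the Key locator reference and Token reference fields select; the table here only models that division of responsibility.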

  3. Select a key locator reference from the Key locator reference field. The value of this field is a reference to a key locator that WAS uses to locate the keys that are used for digital signature and encryption. Before you can select a key locator, configure a key locator. For more information on configuring a key locator, see Configure the key locator using JAX-RPC for the consumer binding on the application level.

  4. Select a token reference from the Token reference field. The token reference specifies a reference to a token consumer used for processing the security token in the message. However, WAS requires this field only when you select Security token reference or Embedded token in the Key information type field. Before specifying a token reference, configure a token consumer. For more information on configuring a token consumer, see Configure token consumers using JAX-RPC to protect message authenticity at the application level.

    Select (none) if a token consumer is not required for this key information configuration.

  5. Click OK and Save to save this configuration.


Results

You have configured the key information for the request or response (or both) consumer binding at the application level.


What to do next

If we have not configured the key information for the generator binding, specify a similar key information configuration for the generator. After you configure the key information for both the consumer and the generator, configure the signing information or encryption information, which references the key information specified in this key information task.
Configure the key information using JAX-RPC for the generator binding on the application level
Configure the signing information using JAX-RPC for the consumer binding on the application level
Configure the key locator using JAX-RPC for the consumer binding on the application level
Configure token consumers using JAX-RPC to protect message authenticity at the application level
Configure consumer signing using JAX-RPC to protect message integrity
