+

Search Tips   |   Advanced Search

Digital signing methods using the WSSSignature API

We can configure the signing information for the generator binding using the WSS API. To configure the client for request signing, choose the digital signing methods. The algorithm methods include the signing and canonicalization methods.

We must configure generator signing information to protect message integrity by digitally signing SOAP messages. Integrity refers to digital signature while confidentiality refers to encryption. Integrity decreases the risk of data modification when you transmit data across a network.

After we have specified which message parts to digitally sign, specify which method is used to digitally sign the message.


Methods

Methods used for the signing information include the:

Signature method

Sets the signature algorithm method.

Canonicalization method

Sets the canonicalization algorithm method.


Signature algorithms

The signature algorithms specify the algorithm used to sign the certificate. The signature algorithms specify the Uniform Resource Identifiers (URI) of the signature method. WebSphere Application Server supports the following pre-configured algorithms:

Algorithm Description
WSSSignature.HMAC_SHA1 A URI of the signature algorithm, HMAC: http://www.w3.org/2000/09/xmldsig#hmac-sha1
WSSSignature.RSA_SHA1 (the default value) A URI of the signature algorithm, RSA: http://www.w3.org/2000/09/xmldsig#rsa-sha1

For the WSS APIs, WAS does not support the DSA-SHA1 algorithm, http://www.w3.org/2000/09/xmldsig#dsa-sha1

The signing algorithm specified for the request generator configuration must match the algorithm specified for the request consumer configuration.


Canonicalization algorithms

The canonicalization algorithms specify the Uniform Resource Identifiers (URI) of the canonicalization method. WebSphere Application Server supports the following pre-configured algorithms:

Algorithm Description
WSSSignature.EXC_C14N (the default value) A URI of the exclusive canonicalization algorithm EXC_C14N: http://www.w3.org/2001/10/xml-exc-c14n#
WSSSignature.C14N A URI of the inclusive canonicalization algorithm, C14N: http://www.w3.org/2001/10/xml-c14n#

The canonicalization algorithm specified for the request generator configuration must match the algorithm specified for the request consumer configuration.

The following example provides sample WSS API code that specifies the HMAC_SHA1 as a signature method and C14n as a canonicalization method:

   //generate WSSFactory instance 
   WSSFactory factory = WSSFactory.getInstance();  
      
   //generate WSSGenerationContext instance 
   WSSGenerationContext gencont = factory.newWSSGenerationContext();
  
   //generate callback handler
   X509GenerateCallbackHandler callbackHandler = new 
        X509GenerateCallbackHandler(
     "", "dsig-sender.ks", "jks", 
     "client".toCharArray(), 
     "soaprequester", 
     "client".toCharArray(), 
     "CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP", 
     null);
   
   //generate the security token used to the signature
   SecurityToken token = factory.newSecurityToken(X509Token.class, 
        callbackHandler);

   //generate WSSSignature instance    WSSSignature sig = factory.newWSSSignature(token);
   
   //set the canonicalization method 
   // DEFAULT: WSSSignature.EXC_C14N
   sig.setCanonicalizationMethod(WSSSignature.C14N);
   
   //set the signature method  
   // DEFAULT: WSSSignature.RSA_SHA1
   sig.setSignatureMethod(WSSSignature.HMAC_SHA1);
   
   //add the WSSSignature to the WSSGenerationContext 
   gencont.add(sig);
  
   //generate the WS-Security header 
   gencont.process(msgcontext);


Related tasks

  • Add signed parts using the WSSSignPart API

  • Signed parts methods using the WSSSignPart API
  • Choose the verify parts methods using the WSSVerifyPart API
  • Signature verification methods using the WSSVerification API