+

Search Tips   |   Advanced Search

Configure a policy set and bindings for Signer Certificate Encryption

This procedure describes how to configure a JAX-WS consumer/provider for signer certificate encryption. Signer certificate encryption means that the client's public certificate used to verify the digital signature of the inbound request message is used to encrypt the outbound response.

This task assumes that the service provider and client that you are configuring are in the JaxWSServicesSamples application. Refer to the topic Accessing Samples for more information on how to obtain and install this application.

Use the following trace specification on the server. These specifications enable you to debug any future configuration problems that might occur.

*=info:com.ibm.wsspi.wssecurity.*=all:com.ibm.ws.webservices.wssecurity.*=all:  com.ibm.ws.wssecurity.*=all:
    com.ibm.xml.soapsec.*=all: com.ibm.ws.webservices.trace.*=all:
    com.ibm.ws.websvcs.trace.*=all:com.ibm.ws.wssecurity.platform.audit.*=off:
    com.ibm.ws.webservices.multiprotocol.AgnosticService=all:
    com.ibm.ws.websvcs.utils.SecurityContextMigrator=all 

Since signer certificate encryption is being used, only the client's digital signature keystore will be used in this procedure. The service will obtain the public certificate used for signature verification from the inbound request then use it to encrypt the response. On the provider side, the custom property com.ibm.wsspi.wssecurity.token.cert.useRequestorCert=true on the provider's encryption generator is used to accomplish this.

The keystore used in this procedure is provided with WebSphere Application Server and is installed in every profile created. We can use the ${USER_INSTALL_ROOT} variable directly in the configuration to conveniently point to the keystore location without using a fully-qualified path. ${USER_INSTALL_ROOT} resolves to a path such as c:/WebSphere/AppServer/profiles/AppSrv01.

Because of the nature of JaxWSServicesSamples, to apply the policy set and bindings to this application, in the console click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples. When using our own applications, we can use the following paths as an alternative way to access the provider and client for attachment of the policy set and bindings:

This procedure will do the following to simplify the task:

Avoid trouble:

After completing the task, if we have to go back and edit the general bindings that we have created, you will need to restart the application server after saving the updates. Although we can create a general binding and use it right away without restarting the application server, once a general binding has been loaded by an application, changes to the binding will not be recognized until the server is restarted. gotcha

  1. Create the custom policy set..

    1. In the console, click Services > Policy Sets > Application Policy sets.

    2. Click New.

    3. Specify name=OutSignInEncPolicy.

    4. Under Policies, click Add > WS-Security.

  2. Edit the custom policy set to remove outbound encryption and inbound signature.

    1. In the console, click WS-Security > Main Policy.

    2. Under Message level protection, click Request message part protection.

    3. Click app_encparts.

    4. Click Delete.

    5. Click Done.

    6. Click Response message part protection.

    7. Click app_sigparts.

    8. Click Delete.

    9. Click Done.

  3. Click Save to save the configuration changes.

  4. Create the provider general binding.

    1. In the console, click Services > Policy sets > General provider policy set bindings..

    2. Check Provider sample.

    3. Click Copy....

    4. Specify name=ProviderSignerCertGeneralBinding.

    5. Click OK.

  5. Edit ProviderSignerCertGeneralBinding to perform signer certificate encryption.

    1. Click ProviderSignerCertGeneralBinding > WS-Security > Authentication and protection > gen_encx509token > Callback handler.

    2. Under Custom properties, enter:
      Name=com.ibm.wsspi.wssecurity.token.cert.useRequestorCert
      value=true

    3. Under Keystore, select Name=None

    4. Click OK.

  6. Create the client general binding.

    1. In the console, click Services > Policy Sets > General client policy set bindings.

    2. Check Client samples.

    3. Click Copy....

    4. Specify name=ClientSignerCertGeneralBinding.

    5. Click OK.

  7. Edit ClientSignerCertGeneralBinding to use its own signing key to decrypt the message.

    1. Click ClientSignerCertGeneralBinding > WS-Security > Authentication and protection > con_encx509token > Callback handler > Custom keystore configuration.

    2. Under keystore, enter the same keystore used by the signature generator:
      Full path=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks
      Type=JKS
      Password=client

    3. Under key, enter the same key used by the signature generator:
      Name=CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP
      Alias=soaprequester
      Password=client

    4. Click OK.

  8. Configure the client to use the OutSignInEncPolicy policy set and ClientSignerCertGeneralBinding general binding.

    1. In the console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service client policy sets and bindings.

    2. Select the web services client resource (JaxWSServicesSamples).

    3. Click Attach Policy Set.

    4. SelectOutSignInEncPolicy.

    5. Select the web services client resource again (JaxWSServicesSamples).

    6. Click Assign Binding.

    7. Select ClientSignerCertGeneralBinding.

  9. Configure the provider to use the SimpleSignEncPolicy policy set and ProviderSignerCertGeneralBinding general binding.

    1. In the console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service provider policy sets and bindings.

    2. Select the web services provider resource (JaxWSServicesSamples).

    3. Click Attach Policy Set.

    4. SelectOutSignInEncPolicy.

    5. Select the web services provider resource again (JaxWSServicesSamples).

    6. Click Assign Binding.

    7. Select PrioviderSignerCertGeneralBinding.

  10. Click Save to save the configuration changes.

  11. Restart the client and the provider.

    1. Stop the client and the provider.

    2. Restart the client and the provider.

  12. Test the service.

    1. Point the web browser to the JaxWSServicesSamples: http://localhost:9080/wssamplesei/demo.

      Avoid trouble: Make sure you provide the correct hostname and port if the provider is not on the same machine, or the port is not 9080.gotcha

    2. Select Message Type Synchronous Echo.

    3. Make sure Use SOAP 1.2 is not selected.

    4. Enter a message and click Send Message.
    The sample application should reply with JAXWS==>Message.


Results

The JaxWSServicesSamples web services application is configured to encrypt responses using the certificate used to sign the request.


Related concepts

  • Access the samples


    Related tasks

  • Configure a policy set and bindings for Asymmetric XML Digital Signature and/or XML Encryption with client and provider general bindings

  • Callback handler settings for JAX-WS