Configure generator signing information to protect message integrity using the WSS APIs
We can configure the signing information to protect message integrity for the request (client side) generator binding. Signing information includes the signature and the signed parts. To keep the integrity of the message, digital signatures are typically applied.
In addition to using a digital signature and configuring the signing information, the following tasks should also be performed:
- Verify the signing information.
- Incorporate encryption.
- Attach security tokens.
Integrity refers to digital signature while confidentiality refers to encryption. Integrity is provided by applying a digital signature to a SOAP message. To configure the signing information to protect message integrity, first digitally sign and then verify the signature for the SOAP messages. Integrity decreases the risk of data modification when you transmit data across a network.
Also, message integrity is provided by digitally signing the body, time stamp, and WS-Addressing headers using the signature algorithm methods. The WSS APIs specify which algorithm is to be used to sign the certificate. The signature algorithms specify the Uniform Resource Identifiers (URI) of the signature method. WebSphere Application Server supports several pre-configured request signing algorithm methods.
We can use the following interfaces to configure Web Services Security and to protect SOAP message integrity:
- Use the console to configure policy sets for the signing information.
- Use the Web Services Security APIs (WSS API) to configure the SOAP message context (only for the client).
Perform the following signing tasks, using the WSS APIs, to configure the signing information and to protect message integrity for the generator binding.
- Configure the signing information using the WSSSignature API. Signing information for the generator binding is used to sign parts of a message, including the SOAP body, the time stamp, and the WS-Addressing headers. Both signing and encryption can be applied to the same message parts, such as the SOAP body.
- Add or change signed parts using the WSSSignPart API.
- Configure the client for request signing methods using the WSSSignature or WSSSignPart APIs. To configure the client for request signing, choose the signing methods. The request signing methods include the signature, the canonicalization, the digest, and the transform methods. Use the WSSSignature API to configure the signature and canonicalization methods. Use the WSSSignPart API to configure the digest and transform methods.
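The following Java class is an added example, not code from the WebSphere documentation, that carries out the three tasks above with the WSS APIs: it builds a WSSSignature over the body, time stamp and WS-Addressing headers, sets the signature and canonicalization methods on WSSSignature, sets the digest and transform methods for the body on WSSSignPart, and attaches the generation context to the request. The keystore file, store type, passwords, aliases and subject DN passed to X509GenerateCallbackHandler are assumed sample values, and the port is assumed to be a JAX-WS BindingProvider.

```java
import java.util.Map;
import javax.xml.ws.BindingProvider;

import com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSException;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext;
import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignPart;
import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignature;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;

public class RequestSigningConfig {

    // Configures generator-side signing on the outbound request of a JAX-WS port.
    public static void configureRequestSigning(BindingProvider port) throws WSSException {
        WSSFactory factory = WSSFactory.getInstance();
        WSSGenerationContext gencont = factory.newWSSGenerationContext();

        // X.509 token that supplies the private key used for the signature.
        // All keystore values below are assumed sample values, not real credentials.
        X509GenerateCallbackHandler cbh = new X509GenerateCallbackHandler(
            "",                                   // certificate store alias (none)
            "dsig-sender.ks", "jks",              // keystore file and type (assumed)
            "client".toCharArray(),               // keystore password (assumed)
            "soaprequester",                      // key alias (assumed)
            "client".toCharArray(),               // key password (assumed)
            "CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP", null);
        SecurityToken token = factory.newSecurityToken(X509Token.class, cbh);

        // Signature and canonicalization methods are chosen on WSSSignature.
        WSSSignature sig = factory.newWSSSignature(token);
        sig.setSignatureMethod(WSSSignature.RSA_SHA1);
        sig.setCanonicalizationMethod(WSSSignature.EXC_C14N);

        // Time stamp and WS-Addressing headers signed with the default part settings.
        sig.addSignPart(WSSSignature.TIMESTAMP);
        sig.addSignPart(WSSSignature.ADDRESSING_HEADERS);

        // Digest and transform methods are chosen per part on WSSSignPart.
        WSSSignPart bodyPart = factory.newWSSSignPart();
        bodyPart.setSignPart(WSSSignature.BODY);
        bodyPart.setDigestMethod(WSSSignPart.SHA256);
        bodyPart.addTransform(WSSSignPart.TRANSFORM_EXC_C14N);
        sig.addSignPart(bodyPart);

        // Register the signature and bind the context to the request so it is applied on send.
        gencont.add(sig);
        Map<String, Object> requestContext = port.getRequestContext();
        gencont.process(requestContext);
    }
}
```

The consumer side must be configured with matching verification settings (see the related task on verifying consumer signing information), otherwise the signed request is rejected on receipt.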
Results
The WSS APIs also specify the security token for the generator (client) binding and set the type of token reference to protect message authenticity. By completing the steps in these tasks, we have configured generator signing to protect the integrity of the SOAP message.
What to do next
Next, verify the consumer signing information using the WSS APIs or by configuring policy sets using the console.
Subtopics
- Configure signing information using the WSS APIs
We can configure the signing information for the client-side request generator (sender) bindings. Signing information is used to sign and validate parts of a message including the SOAP body, the timestamp information, and the Username token. To configure the client for request signing, specify which message parts to digitally sign when configuring the client.
- Configure signing information using the WSSSignature API
We can secure the SOAP messages, without using policy sets for configuration, using the Web Services Security APIs (WSS API). To configure the signing information for the generator binding sections for the client-side request, use the WSSSignature API. The WSSSignature API is part of the com.ibm.websphere.wssecurity.wssapi.signature package.
- Add signed parts using the WSSSignPart API
We can secure the SOAP messages, without using policy sets for configuration, using the Web Services Security APIs (WSS API). To configure parts to be signed for the request generator (client side) bindings, use the WSSSignPart API to protect the integrity of messages and to configure the digest and transform algorithm methods. The WSSSignPart API is part of the com.ibm.websphere.wssecurity.wssapi.signature package.
- Configure request signing methods for the client
Use the WSSSignature and WSSSignPart APIs to choose the signing methods. The request signing methods include the signature, canonicalization, digest, and transform methods.
- Digital signing methods using the WSSSignature API
We can configure the signing information for the generator binding using the WSS API. To configure the client for request signing, choose the digital signing methods. The algorithm methods include the signing and canonicalization methods.
- Signed parts methods using the WSSSignPart API
We can configure the signed parts information for the generator binding using the WSS API. The algorithms include the digest and transform methods.
Related tasks
Verify consumer signing information to protect message integrity using WSS APIs
Symmetric signature and encryption policies settings