Configure request signing methods for the client
Use the WSSSignature and WSSSignPart APIs to choose the signing methods. The request signing methods are the signature, canonicalization, digest, and transform methods.
Before you begin, you must have specified which parts of the message sent by the client are to be digitally signed, either by using the WSS APIs or by configuring policy sets using the console.
The following table describes the purpose of each method. Some of these definitions are based on the XML-Signature specification, located at http://www.w3.org/TR/xmldsig-core.

| Name of method | Description |
| --- | --- |
| Canonicalization algorithm | Canonicalizes the <SignedInfo> element before the information is digested as part of the signature operation. |
| Signature algorithm | Calculates the signature value of the canonicalized <SignedInfo> element. The algorithm selected for the client request sender configuration must match the algorithm selected in the server request receiver configuration. |
| Transform method | Transforms the parts to be signed before the information is digested as part of the signature operation. |
| Digest method | Calculates the digest value of the transformed parts. The algorithm selected for the client request sender configuration must match the algorithms selected in the server request receiver configuration. |

You can use the WSS APIs or configure policy sets using the console to configure the signing algorithm methods. If you use the WSS APIs, use the WSSSignature and WSSSignPart APIs to specify which message parts to digitally sign when configuring the client for request signing.
The WSSSignature and WSSSignPart APIs complete the following steps to configure the signature and signed part algorithm methods:
- For the generator binding, the WSSSignature API specifies the signature method. WebSphere Application Server supports the following pre-configured signature methods:
  - WSSSignature.RSA_SHA1 (the default value): http://www.w3.org/2000/09/xmldsig#rsa-sha1
  - WSSSignature.HMAC_SHA1: http://www.w3.org/2000/09/xmldsig#hmac-sha1

  For the WSS APIs, WebSphere Application Server does not support the DSA-SHA1 digital signature method, http://www.w3.org/2000/09/xmldsig#dsa-sha1.
- For the generator binding, the WSSSignature API specifies the canonicalization method. WebSphere Application Server supports the following pre-configured canonicalization algorithms:
  - WSSSignature.EXC_C14N (the default value): the exclusive canonicalization algorithm, http://www.w3.org/2001/10/xml-exc-c14n#
  - WSSSignature.C14N: the inclusive canonicalization algorithm, http://www.w3.org/2001/10/xml-c14n#
- For the generator binding, the WSSSignPart API specifies the digest method. WebSphere Application Server supports the following pre-configured digest methods:
  - WSSSignPart.SHA1 (the default value): http://www.w3.org/2000/09/xmldsig#sha1
  - WSSSignPart.SHA256: http://www.w3.org/2001/04/xmlenc#sha256
  - WSSSignPart.SHA512: http://www.w3.org/2001/04/xmlenc#sha512
- For the generator binding, the WSSSignPart API specifies the transform method. WebSphere Application Server supports the following pre-configured transform algorithms:
  - WSSSignPart.TRANSFORM_EXC_C14N (the default value): http://www.w3.org/2001/10/xml-exc-c14n#
  - WSSSignPart.TRANSFORM_XPATH2_FILTER: http://www.w3.org/2002/06/xmldsig-filter2
  - WSSSignPart.TRANSFORM_STRT10: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
  - WSSSignPart.TRANSFORM_ENVELOPED_SIGNATURE: http://www.w3.org/2000/09/xmldsig#enveloped-signature

  For the WSS APIs, WebSphere Application Server does not support the following transform algorithms:
  - http://www.w3.org/TR/1999/REC-xpath-19991116
  - http://www.w3.org/2002/07/decrypt#XML
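Because the receiver rejects any algorithm that the sender's and server's configurations do not both support, it is useful to be able to check the algorithm URIs carried in an inbound ds:SignedInfo against the lists above before a request fails at runtime. The following Python is an added example, not part of this page or of WebSphere; the allow-list holds only the URIs listed above, and the SignedInfo sample is constructed, with a Reference that uses the unsupported XPath 1.0 transform.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Algorithm URIs listed above as supported by the WSS APIs, keyed by the SignedInfo element that carries them.
ALLOWED = {
    "CanonicalizationMethod": {
        "http://www.w3.org/2001/10/xml-exc-c14n#",          # WSSSignature.EXC_C14N
        "http://www.w3.org/2001/10/xml-c14n#",              # WSSSignature.C14N
    },
    "SignatureMethod": {
        "http://www.w3.org/2000/09/xmldsig#rsa-sha1",       # WSSSignature.RSA_SHA1
        "http://www.w3.org/2000/09/xmldsig#hmac-sha1",      # WSSSignature.HMAC_SHA1
    },
    "DigestMethod": {
        "http://www.w3.org/2000/09/xmldsig#sha1",           # WSSSignPart.SHA1
        "http://www.w3.org/2001/04/xmlenc#sha256",          # WSSSignPart.SHA256
        "http://www.w3.org/2001/04/xmlenc#sha512",          # WSSSignPart.SHA512
    },
    "Transform": {
        "http://www.w3.org/2001/10/xml-exc-c14n#",          # WSSSignPart.TRANSFORM_EXC_C14N
        "http://www.w3.org/2002/06/xmldsig-filter2",        # WSSSignPart.TRANSFORM_XPATH2_FILTER
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform",
        "http://www.w3.org/2000/09/xmldsig#enveloped-signature",  # WSSSignPart.TRANSFORM_ENVELOPED_SIGNATURE
    },
}

def check_signed_info(xml_text, allowed=ALLOWED):
    """Return (element name, Algorithm URI) pairs not on the allow-list; an empty list means all are allowed."""
    findings = []
    # Walk every element (the root may be ds:Signature or ds:SignedInfo); only algorithm-bearing elements are checked.
    for elem in ET.fromstring(xml_text).iter():
        name = elem.tag[len(DS):] if elem.tag.startswith(DS) else elem.tag
        if name in allowed:
            uri = elem.get("Algorithm", "")
            if uri not in allowed[name]:
                findings.append((name, uri))
    return findings

# Constructed sample: the Reference uses the XPath 1.0 transform, which the WSS APIs do not support.
SAMPLE = """<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#body">
    <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  </ds:Reference>
</ds:SignedInfo>"""
```

Passing a narrower `allowed` mapping (for example only SHA256 and SHA512 digests) turns the same function into a check that a request meets a stricter server policy than the WSS API defaults.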
Results
Using the WSS APIs, you have specified which algorithm methods are used to digitally sign a message when the client sends a message to a server.
Example
The following example is sample code for specifying the signature information, with HMAC_SHA1 as the signature method, C14N as the canonicalization method, SHA256 as the digest method, and EXC_C14N and TRANSFORM_STRT10 as the transform methods:

```java
// WSS API imports (package names as documented for the WebSphere WSS APIs)
import com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext;
import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignPart;
import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignature;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;

// get the message context
Object msgcontext = getMessageContext();

// generate WSSFactory instance
WSSFactory factory = WSSFactory.getInstance();

// generate WSSGenerationContext instance
WSSGenerationContext gencont = factory.newWSSGenerationContext();

// generate callback handler
X509GenerateCallbackHandler callbackHandler = new X509GenerateCallbackHandler(
    "",
    "dsig-sender.ks",
    "jks",
    "client".toCharArray(),
    "soaprequester",
    "client".toCharArray(),
    "CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP",
    null);

// generate the security token used for the signature
SecurityToken token = factory.newSecurityToken(X509Token.class, callbackHandler);

// generate WSSSignature instance
WSSSignature sig = factory.newWSSSignature(token);

// set the canonicalization method
// DEFAULT: WSSSignature.EXC_C14N
sig.setCanonicalizationMethod(WSSSignature.C14N);

// set the signature method
// DEFAULT: WSSSignature.RSA_SHA1
sig.setSignatureMethod(WSSSignature.HMAC_SHA1);

// set the part specified by WSSSignPart
// (the message part itself, for example the body, is selected as described in the previous task)
WSSSignPart sigPart = factory.newWSSSignPart();

// set the digest method
// DEFAULT: WSSSignPart.SHA1
sigPart.setDigestMethod(WSSSignPart.SHA256);

// add the transform methods
// DEFAULT: WSSSignPart.TRANSFORM_EXC_C14N
sigPart.addTransformMethod(WSSSignPart.TRANSFORM_EXC_C14N);
sigPart.addTransformMethod(WSSSignPart.TRANSFORM_STRT10);

// add the WSSSignPart to the WSSSignature
sig.addSignPart(sigPart);

// add the WSSSignature to the WSSGenerationContext
gencont.add(sig);

// generate the WS-Security header
gencont.process(msgcontext);
```
What to do next
After you configure the client to digitally sign the message and to choose the algorithm methods, configure the server to verify the digital signature for request signing and to choose the algorithm methods.
Configure policy sets using the console to configure the signature verification information and methods on the server.
Related tasks
Configure response signature verification methods for the client