WAS v8.5 > Secure applications > Secure web services > Secure web services > Administer Web Services Security > Administer message-level security for JAX-RPC web services > Configure message-level security for JAX-RPC at the application level > Configure consumer signing using JAX-RPC to protect message integrity

Configure the signing information using JAX-RPC for the consumer binding on the application level

We can configure the signing information for the server-side request consumer and the client-side response consumer bindings at the application level.

For WebSphere Application Server version 6.x or earlier only, in the server-side extensions file and the client-side deployment descriptor extensions file, specify which parts of the message are signed.

Configure the key information referenced by the key information references on the signing information panel within the dmgr console. WAS uses the signing information on the consumer side to verify the integrity of the received SOAP message by validating the message parts are signed. To configure the signing information for the server-side request consumer and client-side response consumer sections of the bindings files on the application level.

1. Access the dmgr console.

   To access the dmgr console, enter http://localhost:port_number/ibm/console in the web browser unless we have changed the port number.

2. Click Applications > Application Types > WebSphere enterprise applications > application_name.

3. Under Manage modules, click URI_name.

4. Under Web Services Security Properties we can access the signing information for the request generator and response generator bindings.
   • To configure the request consumer signing information, click Web services: Server security bindings. Under Request consumer (receiver) binding, click Edit custom.
   • To configure the response consumer signing information, click Web services: Client security bindings. Under Response consumer (receiver) binding, click Edit custom.

5. Under Required properties, click Signing information.

6. Click New to create a signing information configuration, click Delete to delete an existing configuration, or click the name of an existing signing information configuration to edit its settings. If we are creating a new configuration, enter a name in the Signing information name field.

7. Select a signature method algorithm from the Signature method field. The signature method is the algorithm used to convert the canonicalized <SignedInfo> element in the binding file into the <SignatureValue> element. The algorithm specified for the consumer, which is either the request consumer or the response consumer configuration, must match the algorithm specified for the generator, which is either the request generator or response generator configuration. WAS supports the following pre-configured algorithms:
   • http://www.w3.org/2000/09/xmldsig#rsa-sha1
   • http://www.w3.org/2000/09/xmldsig#hmac-sha1
   • http://www.w3.org/2000/09/xmldsig#dsa-sha1

     Do not use this algorithm if you want the configured application to be compliant with the Basic Security Profile (BSP). Any ds:SignatureMethod/@Algorithm element in a signature based on a symmetric key must have a value of http://www.w3.org/2000/09/xmldsig#rsa-sha1 or http://www.w3.org/2000/09/xmldsig#hmac-sha1.

8. Select a canonicalization method from the Canonicalization method field. The canonicalization method algorithm is used to canonicalize the <SignedInfo> element before it is incorporated as part of the digital signature operation. The canonicalization algorithm specified for the generator must match the algorithm for the consumer. WAS supports the following pre-configured algorithms:
   • http://www.w3.org/2001/10/xml-exc-c14n#
   • http://www.w3.org/2001/10/xml-exc-c14n#WithComments
   • http://www.w3.org/TR/2001/REC-xml-c14n-20010315
   • http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

9. Select a key information signature type from the Key information signature type field. The key information signature type specifies how the <KeyInfo> element in the SOAP message is digitally signed. WAS supports the following signature types:

   None

   The key is not signed.

   Keyinfo

   The entire KeyInfo element is signed.

   Keyinfochildelements

   The child elements of the KeyInfo element are signed.

   If we do not specify one of the previous signature types, WAS uses keyinfo, by default. The key information signature type for the consumer must match the signature type for the generator.

10. Under Additional properties, click Key information references.

    1. Click New to create a key information reference or click the name of an existing entry to edit its configuration. The Key information references panel is displayed.

    2. Enter a name in the Name field.

    3. Select a key information reference in the Key information reference field. This reference is the key information configuration name that specifies the key information used by this signing information configuration.

11. Return to the Signing information panel. Under Additional properties, click Part references. On the Part references panel, we can specify references to the message parts that are defined in the deployment descriptor extensions file.

    1. Click New to create a new Part reference or click the name of an existing part reference to edit its configuration. The Part reference panel is displayed.

    2. Enter a name in the Part name field. This name is the name of the required integrity configuration in the deployment descriptor extensions file and specifies the message parts that must be digitally signed.

    3. Select a digest method algorithm from the Digest method algorithm field.

       WAS supports the following pre-configured algorithms:

       • http://www.w3.org/2000/09/xmldsig#sha1
       • http://www.w3.org/2001/04/xmlenc#sha256
       • http://www.w3.org/2001/04/xmlenc#sha512

       To specify a custom algorithm, configure the custom algorithm in the Algorithm URI panel before setting the digest method algorithm.

12. Under Additional properties, click Transforms.

    1. Click New to create a new transform or click the name of an existing transform to edit its configuration.

    2. Enter a name in the Transform name field.

    3. Select a transform algorithm from the Transform algorithm field. WAS supports the following pre-configured algorithms:
       • http://www.w3.org/2001/10/xml-exc-c14n#
       • http://www.w3.org/TR/1999/REC-xpath-19991116

         Do not use this transform algorithm if we want our configured application to be compliant with the Basic Security Profile (BSP). Instead use http://www.w3.org/2002/06/xmldsig-filter2 to ensure compliance.

       • http://www.w3.org/2002/06/xmldsig-filter2
       • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
       • http://www.w3.org/2002/07/decrypt#XML
       • http://www.w3.org/2000/09/xmldsig#enveloped-signature

       The transform algorithm that you select for the consumer must match the transform algorithm that you select for the generator. For each part reference in the signing information, specify both a digest method algorithm and a transform algorithm.

13. Click OK.

14. Click Save at the top of the panel to save your configuration.

Results

After completing these steps, we have configured the signing information for the consumer.

Specify a similar signing information configuration for the generator.

Subtopics

• Key information references page
  Use this page to view the key information references that are needed for encryption or signing.
• Key information reference configuration settings
  Use this page to specify a reference to the message parts for signature and encryption defined in the deployment descriptors.

Related concepts:

Basic Security Profile compliance tips

Related

Configure the signing information using JAX-RPC for the generator binding on the application level

+

Search Tips   |   Advanced Search