WAS v8.5 > Secure applications > Secure web services > Secure web services > Administer Web Services Security > Administer message-level security for JAX-RPC web services > Configure message-level security for JAX-RPC at the server or cell level

Configure the signing information using JAX-RPC for the generator binding on the server level

We can configure the signing information for the client-side request generator and the server-side response generator bindings at the server level.

For WebSphere Application Server version 6.x or earlier only, in the server-side extensions file (ibm-webservices-ext.xmi) and the client-side deployment descriptor extensions file (ibm-webservicesclient-ext.xmi), specify which parts of the message are signed. Also, you need to configure the key information referenced by the key information references on the Signing information panel within the dmgr console. This task explains the steps that are needed for you to configure the signing information for the client-side request generator and the server-side response generator bindings at the server level. WAS uses the signing information for the default generator to sign parts of the message that include the body, time stamp, and user name token if these bindings are not defined at the application level. The Application Server provides default values for bindings. However, an administrator must modify the defaults for a production environment.

To configure the signing information for the generator sections of the bindings files on the server level:

  1. Access the default bindings for the server level.

    1. Click Servers > Server Types > WebSphere application servers > server_name.

    2. Under Security, click JAX-WS and JAX-RPC security runtime.

      In a mixed node cell with a server using WAS v6.1 or earlier, click Web services: Default bindings for Web Services Security.

  2. Under Default generator bindings, click Signing information.

  3. Click New to create a signing information configuration, click Delete to delete an existing configuration, or click the name of an existing signing information configuration to edit the settings. If you are creating a new configuration, enter a unique name for the signing configuration in the Signing information name field. For example, you might specify gen_signinfo.

    If you create more than one signing information configuration, the WS-Security runtime environment only honors the first configuration listed in the bindings file.

  4. Select a signature method algorithm from the Signature method field. The algorithm specified for the default generator must match the algorithm specified for the default consumer. WAS supports the following pre-configured algorithms:

  5. Select a canonicalization method from the Canonicalization method field. The canonicalization algorithm specified for the generator must match the algorithm for the consumer. WAS supports the following pre-configured canonical XML and exclusive XML canonicalization algorithms:

    • http://www.w3.org/2001/10/xml-exc-c14n#
    • http://www.w3.org/2001/10/xml-exc-c14n#WithComments
    • http://www.w3.org/TR/2001/REC-xml-c14n-20010315
    • http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

  6. Select a key information signature type from the Key information signature type field. The key information signature type determines how to digitally sign the key. WebSphere Application server supports the following signature types:

    None

    The <KeyInfo> element is not signed.

    Keyinfo

    The entire <KeyInfo> element is signed.

    Keyinfochildelements

    The child elements of the <KeyInfo> element are signed.

    The key information signature type for the generator must match the signature type for the consumer. You might encounter the following situations:

    • If we do not specify one of the previous signature types, WAS uses keyinfo, by default.

    • If you select Keyinfo or Keyinfochildelements and you select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform as the transform algorithm in a subsequent step, WAS also signs the referenced token.

  7. Select a signing key information reference from the Signing key information field. This selection is a reference to the signing key the Application Server uses to generate digital signatures. In the binding files, this information is specified within the <signingKeyInfo> tag. The key used for signing is specified by the key information element, which is defined at the same level as the signing information. For more information, see Configure the key information for the generator binding using JAX-RPC on the server level.

  8. Click OK to save the configuration.

  9. Click the name of the new signing information configuration. This configuration is the one that you specified in the previous steps.

  10. Specify the part reference, digest algorithm, and transform algorithm. The part reference specifies which parts of the message to digitally sign.

    1. Under Additional Properties, click Part references > New to create a new part reference, click Part references > Delete to delete an existing part reference, or click a part name to edit an existing part reference.

    2. Specify a unique part name for the message part that needs signing. This message part is specified on both the server side and the client side. Specify an identical part name for both the server side and the client side. For example, you might specify reqint for both the generator and the consumer.

      We do not need to specify a value for the Part reference in the default bindings like we specify on the application level because the part reference on the application level points to a particular part of the message that is signed. Because the default bindings for the server level is applicable to all of the services that are defined on a particular server, we cannot specify this value.

    3. Select a digest method algorithm in the Digest method algorithm field. The digest method algorithm specified in the binding files within the <DigestMethod> element is used in the <SigningInfo> element.

      WAS supports the following algorithms:

      • http://www.w3.org/2000/09/xmldsig#sha1
      • http://www.w3.org/2001/04/xmlenc#sha256
      • http://www.w3.org/2001/04/xmlenc#sha512

    4. Click OK and Save to save the configuration.

    5. Click the name of the new part reference configuration. This configuration is the one that you specified in the previous steps.

    6. Under Additional properties, click Transforms > New to create a new transform, click Transforms > Delete to delete a transform, or click a transform name to edit an existing transform.

      If you create a new transform configuration, specify a unique name. For example, you might specify reqint_body_transform1.

    7. Select a transform algorithm from the menu. The transform algorithm is specified within the <Transform> element. This algorithm element specifies the transform algorithm for the digital signature. WAS supports the following algorithms:

      • http://www.w3.org/2001/10/xml-exc-c14n#
      • http://www.w3.org/TR/1999/REC-xpath-19991116

        Restriction: Do not use this transform algorithm if we want our configured application to be compliant with the Basic Security Profile (BSP). Instead use http://www.w3.org/2002/06/xmldsig-filter2 to ensure compliance.

      • http://www.w3.org/2002/06/xmldsig-filter2
      • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
      • http://www.w3.org/2002/07/decrypt#XML
      • http://www.w3.org/2000/09/xmldsig#enveloped-signature

      The transform algorithm that you select for the generator must match the transform algorithm that you select for the consumer.

      If both of the following conditions are true, WAS signs the referenced token:

      • You previously selected the Keyinfo or the Keyinfochildelements option from the Key information signature type field on the signing information panel.
      • You select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform as the transform algorithm.

  11. Click Apply.

  12. Click Save at the top of the panel to save your configuration.


Results

After completing these steps, we have configured the signing information for the generator on the server level.

Specify a similar signing information configuration for the consumer.


Related concepts:

Basic Security Profile compliance tips


Related


Configure the signing information using JAX-RPC for the consumer binding on the server level


+

Search Tips   |   Advanced Search