Signing information configuration settings page

Use this page to configure new signing parameters.

The specifications listed on this page for the signature method, digest method, and canonicalization method are located in the World Wide Web Consortium (W3C) document entitled, XML Signature Syntax and Specification: W3C Recommendation 12 Feb 2002.

To view this dmgr console page on the server level for signing information...

  1. Click Servers > Server Types > WebSphere application servers > server_name.

  2. Under Security, click JAX-WS and JAX-RPC security runtime.

    In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security.

  3. Under JAX-RPC Default Generator Bindings or JAX-RPC Default Consumer Bindings, click Signing information.

  4. Click New to create a signing parameter or click the name of an existing configuration to modify its settings.

To view this dmgr console page on the application level for signing information...

  1. Click Applications > Application Types > WebSphere enterprise applications > application_name.

  2. Click Manage modules > URI_name.

  3. Under Web Services Security Properties, we can access the signing information for the following bindings:

    • For the Request generator (sender) binding, click Web services: Client security bindings. Under Request generator (sender) binding, click Edit custom.

    • For Response consumer (receiver) binding, click Web services: Client security bindings. Under Response consumer (receiver) binding, click Edit custom.

    • For the Request consumer (receiver) binding, click Web services: Server security bindings. Under Request consumer (receiver) binding, click Edit custom.

    • For the Response generator (sender) binding, click Web services: Server security bindings. Under Response generator (sender) binding, click Edit custom.

  4. Under Required properties, click Signing information.

  5. Under Additional properties, we can access the signing information for the following bindings:

  6. Under Additional properties, click Signing information.

  7. Click New to create a signing parameter or click the name of an existing configuration to modify its settings.


Signing information name

Name assigned to the signing configuration.


Signature method

Algorithm Uniform Resource Identifiers (URI) of the signature method.

The following pre-configured algorithms are supported:

For v6.0.x applications, we can specify additional signature methods on the Algorithm URI panel. To access the Algorithm URI panel...

  1. Click Servers > Server Types > WebSphere application servers > server_name.

  2. Under Security, click JAX-WS and JAX-RPC security runtime.

    In a mixed node cell with a server using WAS version 6.1 or earlier, click Web services: Default bindings for Web Services Security.

  3. Under Additional properties, click Algorithm mappings > algorithm_factory_engine_class_name > Algorithm URI > New.

When we specify the Algorithm URI, we must also specify an algorithm type. To have the algorithm display as a selection in the Signature method field on the Signing information panel, select Signature as the algorithm type.

This field is available for v6.x and later applications.


Digest method

Algorithm URI of the digest method.

The http://www.w3.org/2000/09/xmldsig#sha1 algorithm is supported.


Canonicalization method

Algorithm URI of the canonicalization method.

The following pre-configured algorithms are supported:

This field is for v6.x and later applications.
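
To confirm that the signature method, digest method, and canonicalization method selected on this panel are the ones a generator binding puts on the wire, the algorithm URIs can be read back from the ds:SignedInfo element of a captured message. The following Python is an added example, not IBM code; the sample message, the EXPECTED values and the function names are constructed for illustration, and the URIs in it are W3C XML Signature identifiers, not the panel's list of supported algorithms.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

# Constructed sample: a ds:Signature as carried in a wsse:Security header.
SAMPLE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#body-1">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    </ds:Reference>
  </ds:SignedInfo>
</ds:Signature>"""

# Hypothetical record of what was selected on the Signing information panel.
EXPECTED = {
    "canonicalization": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "signature": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "digest": "http://www.w3.org/2000/09/xmldsig#sha1",
}

def _alg(parent, tag):
    node = parent.find("ds:" + tag, NS)
    return node.get("Algorithm") if node is not None else None

def signing_algorithms(xml_text):
    """Return one dict per ds:SignedInfo with the algorithm URIs it declares."""
    # For XML from untrusted sources, use a hardened parser such as defusedxml.
    found = []
    for info in ET.fromstring(xml_text).iter("{%s}SignedInfo" % DS):
        found.append({
            "canonicalization": _alg(info, "CanonicalizationMethod"),
            "signature": _alg(info, "SignatureMethod"),
            "digests": {r.get("URI"): _alg(r, "DigestMethod")
                        for r in info.findall("ds:Reference", NS)},
        })
    return found

def mismatches(xml_text, expected):
    """List (signature index, field, URI seen) for each deviation from expected."""
    problems = []
    for n, info in enumerate(signing_algorithms(xml_text)):
        seen = [("canonicalization", info["canonicalization"]),
                ("signature", info["signature"])]
        seen += [("digest", d) for d in info["digests"].values()]
        problems += [(n, f, uri) for f, uri in seen if uri != expected[f]]
    return problems
```

An empty list from `mismatches` means every signature in the message uses the configured algorithms; a missing method element is reported with `None` as the URI seen.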


Key information signature type

How to sign a KeyInfo element if dsigkey or enckey is specified for the signing part in the deployment descriptor.

WAS v8.5 supports the following keywords:

keyinfo (default)

The entire KeyInfo element is signed.

keyinfochildelements

The child elements of the KeyInfo element are signed.

If we do not specify a keyword, the application server uses the KeyInfo value, by default.

The Key information signature type field is available for the token consumer binding.

For v6.0.x applications, this field is also available for the default consumer, request consumer, and response consumer bindings.


Signing key information

Reference to the key information the application server uses to generate the digital signature.

We can specify one signing key only for the default generator binding on the server level. However, we can specify multiple signing keys for the default consumer bindings. The signing keys for the default consumer bindings are specified using the Key Information references link under Additional properties on the Signing information panel.

On the application level, we can specify only one signing key for the request generator and the response generator. We can specify multiple signing keys for the request consumer and response generator. The signing keys for the request consumer and the response consumer are specified using the Key information references link under Additional properties.

We can specify a signing key configuration for the following bindings on the following levels:

Signing key binding information. The key is used for digital signature of messages.

Each entry below gives the binding name, the level (server or application), and the path:

Default generator binding (Server level)

  1. Click Servers > Server Types > WebSphere application servers > server_name.

  2. Under Security, click JAX-WS and JAX-RPC security runtime.

    In a mixed node cell with a server using WAS version 6.1 or earlier, click Web services: Default bindings for Web Services Security.

  3. Under JAX-RPC Default Generator Bindings, click Key information.

Default consumer binding (Server level)

  1. Click Servers > Server Types > WebSphere application servers > server_name.

  2. Under Security, click JAX-WS and JAX-RPC security runtime.

    In a mixed node cell with a server using WAS version 6.1 or earlier, click Web services: Default bindings for Web Services Security.

  3. Under JAX-RPC Default Consumer Bindings, click Key information.


Certificate path

Settings for the certificate path validation. When you select Trust any, this validation is skipped and all incoming certificates are trusted.

The certificate path options are available in token consumer attributes.


Trust anchor

The application server searches for trust anchor configurations on the application and server levels and lists the configurations in this menu.

We can specify trust anchors as an additional property for the response receiver binding and the request receiver binding.

We can specify a trust anchor configuration for the following bindings on the following levels:

Trust anchor binding information. The trust anchor is used for signing messages.

Each entry below gives the binding name, the level (server or application), and the path:

Default generator binding (Server level)

  1. Click Servers > Server Types > WebSphere application servers > server_name.

  2. Under Security, click JAX-WS and JAX-RPC security runtime.

    In a mixed node cell with a server using WAS version 6.1 or earlier, click Web services: Default bindings for Web Services Security.

  3. Under Additional properties, click Trust anchors > New.

Default consumer binding (Server level)

  1. Click Servers > Server Types > WebSphere application servers > server_name.

  2. Under Security, click JAX-WS and JAX-RPC security runtime.

    In a mixed node cell with a server using WAS version 6.1 or earlier, click Web services: Default bindings for Web Services Security.

  3. Under Additional properties, click Trust anchors > New.

Response receiver (Application level)

  1. Click Applications > Application Types > WebSphere enterprise applications > application_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Click Web services: Client security bindings.

  4. Under the Response receiver binding, click Edit.

  5. Under Additional properties, click Trust anchors > New.

Request receiver (Application level)

  1. Click Applications > Application Types > WebSphere enterprise applications > application_name.

  2. Click Manage modules > URI_name.

  3. Click Web services: Server security bindings.

  4. Under the Request receiver binding, click Edit.

  5. Under Additional properties, click Trust anchors > New.

For an explanation of the fields on the trust anchor panel, see the help topic Trust anchor configuration settings.


Certificate store

The application server searches for certificate store configurations on the application and server levels and lists the configurations in this menu.

We can specify a certificate store configuration for the following bindings on the following levels:

Certificate configurations for bindings. The certificate store is used for signing messages.

Each entry below gives the binding name, the level (server or application), and the path:

Default generator binding (Server level)

  1. Click Servers > Server Types > WebSphere application servers > server_name.

  2. Under Security, click JAX-WS and JAX-RPC security runtime.

    In a mixed node cell with a server using WAS version 6.1 or earlier, click Web services: Default bindings for Web Services Security.

  3. Under Additional properties, click Collection certificate store > New.

Default consumer binding (Server level)

  1. Click Servers > Server Types > WebSphere application servers > server_name.

  2. Under Security, click JAX-WS and JAX-RPC security runtime.

    In a mixed node cell with a server using WAS version 6.1 or earlier, click Web services: Default bindings for Web Services Security.

  3. Under Additional properties, click Collection certificate store > New.

Response receiver (Application level)

  1. Click Applications > Application Types > WebSphere enterprise applications > application_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Click Web services: Client security bindings.

  4. Under the Response receiver binding, click Edit.

  5. Under Additional properties, click Collection certificate store > New.

Request receiver (Application level)

  1. Click Applications > Application Types > WebSphere enterprise applications > application_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Click Web services: Server security bindings.

  4. Under the Request receiver binding, click Edit.

  5. Under Additional properties, click Collection certificate store > New.

For an explanation of the fields on the collection certificate store panel, see the help topic Collection certificate store configuration settings.


Related concepts:

Basic Security Profile compliance tips


Related


Configure the signing information using JAX-RPC for the generator binding on the application level


Reference:

Signing information page
Trust anchor configuration settings
Collection certificate store configuration settings

