+

Search Tips   |   Advanced Search

Digital signing methods using the WSSSignature API

We can configure the signing information for the generator binding using the WSS API. To configure the client for request signing, choose the digital signing methods. The algorithm methods include the signing and canonicalization methods.

Configure generator signing information to protect message integrity by digitally signing SOAP messages. Integrity refers to digital signature while confidentiality refers to encryption. Integrity decreases the risk of data modification when you transmit data across a network.

After we have specified which message parts to digitally sign, specify which method is used to digitally sign the message.


Methods

Methods used for the signing information include the:

Signature method

Set the signature algorithm method.

Canonicalization method

Set the canonicalization algorithm method.


Signature algorithms

The signature algorithms specify the algorithm used to sign the certificate. The signature algorithms specify the Uniform Resource Identifiers (URI) of the signature method. WebSphere Application Server supports the following pre-configured algorithms:

Algorithm Description
WSSSignature.HMAC_SHA1 A URI of the signature algorithm, HMAC: http://www.w3.org/2000/09/xmldsig#hmac-sha1
WSSSignature.RSA_SHA1 (the default value) A URI of the signature algorithm, RSA: http://www.w3.org/2000/09/xmldsig#rsa-sha1

For the WSS APIs, WAS does not support the DSA-SHA1 algorithm, http://www.w3.org/2000/09/xmldsig#dsa-sha1

The signing algorithm specified for the request generator configuration must match the algorithm specified for the request consumer configuration.


Canonicalization algorithms

The canonicalization algorithms specify the Uniform Resource Identifiers (URI) of the canonicalization method. WAS supports the following pre-configured algorithms:

Algorithm Description
WSSSignature.EXC_C14N (the default value) A URI of the exclusive canonicalization algorithm EXC_C14N: http://www.w3.org/2001/10/xml-exc-c14n#
WSSSignature.C14N A URI of the inclusive canonicalization algorithm, C14N: http://www.w3.org/2001/10/xml-c14n#

The canonicalization algorithm specified for the request generator configuration must match the algorithm specified for the request consumer configuration.

The following example provides sample WSS API code that specifies the HMAC_SHA1 as a signature method and C14n as a canonicalization method:

	  //generate WSSFactory instance 
	  WSSFactory factory = WSSFactory.getInstance();		
	  	  
	  //generate WSSGenerationContext instance 
	  WSSGenerationContext gencont = factory.newWSSGenerationContext();
		
	  //generate callback handler
	  X509GenerateCallbackHandler callbackHandler = new 
        X509GenerateCallbackHandler(
			  "",
			  "dsig-sender.ks",
			  "jks", 
			  "client".toCharArray(), 
			  "soaprequester", 
			  "client".toCharArray(), 
			  "CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP", 
			  null);
	  
	  //generate the security token used to the signature
	  SecurityToken token = factory.newSecurityToken(X509Token.class, 
        callbackHandler);

	  //generate WSSSignature instance
	  WSSSignature sig = factory.newWSSSignature(token);
	  
	  //set the canonicalization method 
	  // DEFAULT: WSSSignature.EXC_C14N
	  sig.setCanonicalizationMethod(WSSSignature.C14N);
	  
	  //set the signature method  
	  // DEFAULT: WSSSignature.RSA_SHA1
	  sig.setSignatureMethod(WSSSignature.HMAC_SHA1);
	  
	  //add the WSSSignature to the WSSGenerationContext 
	  gencont.add(sig);
		
	  //generate the WS-Security header 
	  gencont.process(msgcontext);

  • Add signed parts using the WSSSignPart API
  • Signed parts methods using the WSSSignPart API
  • Choosing the verify parts methods using the WSSVerifyPart API
  • Signature verification methods using the WSSVerification API