
Configure the key information using JAX-RPC for the generator binding on the application level

The key information specifies the configuration needed to generate the key for digital signature and encryption. The signing information and the encryption information configurations can share the key information, so they are both defined at the same level.

Before beginning this task, configure the key locators and the token consumers referenced by the Key locator reference and Token reference fields within the key information panel.

This task provides the steps needed for configuring the key information for the request generator (client side) and the response generator (server side) bindings at the application level.

Complete the following information to configure the key information for the generator binding on the application level:


Tasks

  1. Locate the key information configuration panel in the administrative console.

    1. Click Applications > Application Types > WebSphere enterprise applications > application_name.

    2. Under Manage modules, click URI_name.

    3. Under Web Services Security Properties, we can access the key information for the request generator and response generator bindings.

    4. Under Required properties, click Key information.

    5. Click New to create a key information configuration, select the box next to an existing configuration and click Delete to delete the configuration, or click the name of an existing signing information configuration to edit its settings. For a new configuration, enter a name in the Key information name field. For example, we might specify gen_signkeyinfo.

  2. Select a key information type from the Key information type field. The key information type specifies how to reference the security tokens. WebSphere Application Server supports the following key information types:

    Key identifier

    The security token is referenced using an opaque value that uniquely identifies the token. The algorithm used for generating the <KeyIdentifier> element value depends upon the token type. For example, a hash of the important elements of the security token is used for generating the <KeyIdentifier> element value. The following <KeyInfo> element is generated in the SOAP message for this key information type:
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <wsse:SecurityTokenReference>
          <wsse:KeyIdentifier ValueType="wsse:X509v3">/62wXO...
          </wsse:KeyIdentifier>
       </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    

    Key name

    The security token is referenced using a name that matches an identity assertion within the token. IBM recommends that we do not use this key type as it might result in multiple security tokens that match the specified name. The following <KeyInfo> element is generated in the SOAP message for this key information type:
    <ds:KeyInfo>
       <ds:KeyName>CN=Group1</ds:KeyName>
    </ds:KeyInfo>
    

    Security token reference

    The security token is directly referenced using Universal Resource Identifiers (URIs). The following <KeyInfo> element is generated in the SOAP message for this key information type:
    <ds:KeyInfo>
       <wsse:SecurityTokenReference>
          <wsse:Reference URI="#mytoken" />
       </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    

    Embedded token

    The security token is directly embedded within the <SecurityTokenReference> element. The following <KeyInfo> element is generated in the SOAP message for this key information type:
    <ds:KeyInfo>
       <wsse:SecurityTokenReference>
          <wsse:Embedded wsu:Id="tok1">
             ...
          </wsse:Embedded>
       </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    

    X509 issuer name and issuer serial

    The security token is referenced by an issuer name and an issuer serial number of an X.509 certificate. The following <KeyInfo> element is generated in the SOAP message for this key information type:
    <ds:KeyInfo>
       <wsse:SecurityTokenReference>
          <ds:X509Data>
             <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=Jones, O=IBM, C=US</ds:X509IssuerName>
                <ds:X509SerialNumber>1040152879</ds:X509SerialNumber>
             </ds:X509IssuerSerial>
          </ds:X509Data>
       </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    
    Each type of key information is described in the Web Services Security: SOAP Message Security 1.0 (WS-Security 2004) OASIS standard, which is located at: http://www.oasis-open.org/home/index.php under Web Services Security.

  3. Select a key locator reference from the Key locator reference field. This reference specifies a key locator that WAS uses to locate the keys used for digital signature and encryption. Before we can select a key locator, we must have configured a key locator. For more information on configuring a key locator, see Configure the key locator using JAX-RPC for the generator binding on the application level.

  4. Click Get keys to view a list of key name references. After clicking Get keys, the key names defined in the <sig_klocator> element are shown in the key name reference menu. If we change the key locator reference, click Get keys again to display the list of key names associated with the new key locator.

  5. Select a key name reference from the Key name reference field. This reference specifies the name of a key used for generating a digital signature and for encryption. The list of key names provided comes from the key locator specified with the key locator reference.

  6. Select a token reference from the Token reference field. This token reference specifies the name of the token generator used for processing the security token. However, WAS requires this field only when we select Security token reference or Embedded token in the Key information type field. Before specifying a token reference, configure a token generator. For more information on configuring a token generator, see Configure token generators using JAX-RPC to protect message authenticity at the application level.

  7. Optional: If we select Key identifier as the key information type on this panel, specify an encoding method, calculation method, value type namespace URI, and a value type local name.

    1. Select an encoding method from the Encoding method field. The encoding method specifies the encoding format for the key identifier. WAS supports the following encoding methods:

      • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
      • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

    2. Select a calculation method from the Calculation method field. WAS supports the following calculation methods:

      • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#ITSHA1
      • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#IT60SHA1

    3. Specify a value type namespace Uniform Resource Identifier (URI) in the Namespace URI field. In this field, specify the namespace URI of the value type for a security token referenced by the key identifier. When we specify the X.509 certificate token, we do not need to specify this option. To specify another token, specify the URI of the qualified name (QName) for the value type.

    4. Specify a value type local name. This name is the local name of the value type for a security token referenced by the key identifier. When this local name is used in conjunction with the corresponding namespace URI, the information is called the value type qualified name or QName.

      When we specify the X.509 certificate token, IBM recommends that we use the predefined local names. When we specify the predefined local names, we do not need to specify the namespace URI of the value type. However, if we do not use one of the predefined local names, specify both the uniform resource identifier (URI) and the local name. WAS provides the following predefined local names:

      X.509 certificate token

      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3

      X.509 certificates in a PKIPath

      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1

      A list of X509 certificates and CRLs in a PKCS#7

      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7

      LTPA

      Lightweight Third-Party Authentication token. When we specify a value type local name of LTPA, we must also specify a namespace URI of http://www.ibm.com/websphere/appserver/tokentype/5.0.2.

      LTPA_PROPAGATION

      Lightweight Third-Party Authentication propagation token. When we specify a value type local name of LTPA_PROPAGATION, we must also specify a namespace URI of http://www.ibm.com/websphere/appserver/tokentype.

  8. Click OK and then click Save to save the configuration.

We have configured the key information for the generator binding at the application level.
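The five reference forms listed in step 2 are what the consuming side has to resolve before it can verify a signature or decrypt a message. As an added example, not code from this page or from WebSphere, the following Python script parses each form out of a constructed <wsse:Security> header, decodes a KeyIdentifier under both encoding methods from step 7 (Base64Binary and HexBinary), resolves a Reference URI to a token carried in the same header, rejects a reference that does not resolve, and flags the KeyName form as ambiguous in line with the recommendation above. The wsse and wsu namespace URIs are the WS-Security 1.0 ones; the token bytes, the SHA-1 key identifier derived from them and the header itself are constructed for this example, and treating a missing EncodingType as Base64Binary is an assumption made here.

```python
# Added example (not WebSphere code): parse the five <ds:KeyInfo> reference forms
# from the task above and apply the checks a consumer-side verifier needs.
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0"
X509 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
BASE64, HEX = WSS + "#Base64Binary", WSS + "#HexBinary"  # encoding methods of step 7

def q(ns, local):
    return "{%s}%s" % (ns, local)

def decode_key_identifier(text, encoding_type):
    """Decode a <wsse:KeyIdentifier> value. A missing EncodingType is treated as
    Base64Binary, which is an assumption made for this example."""
    compact = "".join(text.split())
    if encoding_type in (None, BASE64):
        return base64.b64decode(compact, validate=True)
    if encoding_type == HEX:
        return binascii.unhexlify(compact)
    raise ValueError("unsupported EncodingType %s" % encoding_type)

def find_by_wsu_id(root, ident):
    return next((el for el in root.iter() if el.get(q(WSU, "Id")) == ident), None)

def classify_key_info(key_info, security):
    """Return (form, details) for one <ds:KeyInfo>, or raise ValueError when the
    reference cannot be resolved within the given <wsse:Security> header."""
    key_name = key_info.find(q(DS, "KeyName"))
    if key_name is not None:
        # The page advises against KeyName: several tokens may carry the same name.
        return "KeyName", {"name": key_name.text, "ambiguous": True}
    str_el = key_info.find(q(WSSE, "SecurityTokenReference"))
    if str_el is None:
        raise ValueError("KeyInfo carries neither KeyName nor SecurityTokenReference")
    kid = str_el.find(q(WSSE, "KeyIdentifier"))
    if kid is not None:
        raw = decode_key_identifier(kid.text or "", kid.get("EncodingType"))
        return "KeyIdentifier", {"value_type": kid.get("ValueType"), "digest_len": len(raw)}
    ref = str_el.find(q(WSSE, "Reference"))
    if ref is not None:
        uri = ref.get("URI", "")
        target = find_by_wsu_id(security, uri[1:]) if uri.startswith("#") else None
        if target is None:
            raise ValueError("Reference URI %r does not resolve to a token in this header" % uri)
        return "SecurityTokenReference", {"uri": uri, "token": target.tag.rsplit("}", 1)[-1]}
    emb = str_el.find(q(WSSE, "Embedded"))
    if emb is not None:
        if len(emb) != 1:
            raise ValueError("Embedded must wrap exactly one security token")
        return "Embedded", {"id": emb.get(q(WSU, "Id")), "token": emb[0].tag.rsplit("}", 1)[-1]}
    iss = str_el.find("%s/%s" % (q(DS, "X509Data"), q(DS, "X509IssuerSerial")))
    if iss is not None:
        return "X509IssuerSerial", {"issuer": iss.findtext(q(DS, "X509IssuerName"), "").strip(),
                                    "serial": int(iss.findtext(q(DS, "X509SerialNumber"), "0").strip())}
    raise ValueError("unrecognized SecurityTokenReference form")

def audit_security_header(xml_text):
    """Map each wsu:Id'd <ds:KeyInfo> to its classification or an ('error', msg) pair."""
    security = ET.fromstring(xml_text)
    results = {}
    for ki in security.iter(q(DS, "KeyInfo")):
        try:
            results[ki.get(q(WSU, "Id"))] = classify_key_info(ki, security)
        except ValueError as exc:
            results[ki.get(q(WSU, "Id"))] = ("error", str(exc))
    return results

# Constructed sample: stand-in certificate bytes and a SHA-1 key identifier over them.
_TOKEN = b"constructed-stand-in-for-DER-certificate-bytes"
_DIGEST = hashlib.sha1(_TOKEN).digest()
SAMPLE_HEADER = """<wsse:Security xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
  <wsse:BinarySecurityToken wsu:Id="mytoken" ValueType="%(x509)s#X509v3" EncodingType="%(b64)s">%(tok)s</wsse:BinarySecurityToken>
  <ds:KeyInfo wsu:Id="ki-kid-b64"><wsse:SecurityTokenReference>
    <wsse:KeyIdentifier ValueType="%(x509)s#X509v3" EncodingType="%(b64)s">%(kid_b64)s</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference></ds:KeyInfo>
  <ds:KeyInfo wsu:Id="ki-kid-hex"><wsse:SecurityTokenReference>
    <wsse:KeyIdentifier ValueType="%(x509)s#X509v3" EncodingType="%(hex)s">%(kid_hex)s</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference></ds:KeyInfo>
  <ds:KeyInfo wsu:Id="ki-name"><ds:KeyName>CN=Group1</ds:KeyName></ds:KeyInfo>
  <ds:KeyInfo wsu:Id="ki-ref"><wsse:SecurityTokenReference><wsse:Reference URI="#mytoken" /></wsse:SecurityTokenReference></ds:KeyInfo>
  <ds:KeyInfo wsu:Id="ki-emb"><wsse:SecurityTokenReference><wsse:Embedded wsu:Id="tok1">
    <wsse:BinarySecurityToken>%(tok)s</wsse:BinarySecurityToken></wsse:Embedded>
  </wsse:SecurityTokenReference></ds:KeyInfo>
  <ds:KeyInfo wsu:Id="ki-is"><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial>
    <ds:X509IssuerName>CN=Jones, O=IBM, C=US</ds:X509IssuerName>
    <ds:X509SerialNumber>1040152879</ds:X509SerialNumber>
  </ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo>
  <ds:KeyInfo wsu:Id="ki-dangling"><wsse:SecurityTokenReference><wsse:Reference URI="#no-such-token" /></wsse:SecurityTokenReference></ds:KeyInfo>
</wsse:Security>""" % {
    "wsse": WSSE, "wsu": WSU, "ds": DS, "x509": X509, "b64": BASE64, "hex": HEX,
    "tok": base64.b64encode(_TOKEN).decode(),
    "kid_b64": base64.b64encode(_DIGEST).decode(), "kid_hex": _DIGEST.hex()}

if __name__ == "__main__":
    for ident, outcome in audit_security_header(SAMPLE_HEADER).items():
        print(ident, outcome)
```

Running the script prints one line per KeyInfo: the two KeyIdentifier entries decode to 20-byte digests regardless of encoding method, the Reference and Embedded entries name the token they resolve to, the KeyName entry is marked ambiguous, and the dangling Reference is reported as an error rather than silently accepted, which is the behaviour a consumer binding should have before it trusts a signature.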


What to do next

Specify a similar key information configuration for the consumer.


Subtopics

  • Configure the key information using JAX-RPC for the consumer binding on the application level
  • Configure signing information using JAX-RPC for the generator binding on the application level
  • Configure the key locator using JAX-RPC for the generator binding on the application level
  • Configure token generators using JAX-RPC to protect message authenticity at the application level