Configure a policy set and bindings for Signer Certificate Encryption
This procedure describes how to configure a JAX-WS consumer/provider for signer certificate encryption. Signer certificate encryption means that the client's public certificate used to verify the digital signature of the inbound request message is used to encrypt the outbound response.
This task assumes that the service provider and client that we are configuring are in the JaxWSServicesSamples application. Refer to the topic Accessing Samples for more information on how to obtain and install this application.
Use the following trace specification on the server. These specifications allow us to debug any future configuration problems that might occur.
*=info:com.ibm.wsspi.wssecurity.*=all:com.ibm.ws.webservices.wssecurity.*=all: com.ibm.ws.wssecurity.*=all:
com.ibm.xml.soapsec.*=all: com.ibm.ws.webservices.trace.*=all:
com.ibm.ws.websvcs.trace.*=all:com.ibm.ws.wssecurity.platform.audit.*=off:
com.ibm.ws.webservices.multiprotocol.AgnosticService=all:
com.ibm.ws.websvcs.utils.SecurityContextMigrator=all
Since signer certificate encryption is being used, only the client's digital signature keystore will be used in this procedure. The service will obtain the public certificate used for signature verification from the inbound request then use it to encrypt the response. On the provider side, the custom property com.ibm.wsspi.wssecurity.token.cert.useRequestorCert=true on the provider's encryption generator is used to accomplish this.
The keystore used in this procedure is provided with WebSphere Application Server and is installed in every profile created. We can use the ${USER_INSTALL_ROOT} variable directly in the configuration to conveniently point to the keystore location without using a fully-qualified path. ${USER_INSTALL_ROOT} resolves to a path such as c:/WebSphere/AppServer/profiles/AppSrv01.
- ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks
Because of the nature of JaxWSServicesSamples, to apply the policy set and bindings to this application, in the console click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples. When using our own applications, we can use the following paths as an alternative way to access the provider and client for attachment of the policy set and bindings:
- Services > Service providers > (AppName)
- Services > Service clients > (AppName)
This procedure will do the following to simplify the task:
- Only outbound digital signature and inbound encryption will be configured.
- General bindings will be used for both the client and the provider.
Avoid trouble:
After completing the task, if you have to go back and edit the general bindings that you have created, you will need to restart the application server after saving the updates. Although we can create a general binding and use it right away without restarting the application server, once a general binding has been loaded by an application, changes to the binding will not be recognized until the server is restarted. gotcha
- Create the custom policy set..
- In the console, click Services > Policy Sets > Application Policy sets.
- Click New.
- Specify name=OutSignInEncPolicy.
- Under Policies, click Add > WS-Security.
- In the console, click Services > Policy Sets > Application Policy sets.
- Edit the custom policy set to remove outbound encryption and inbound signature.
- In the console, click WS-Security > Main Policy.
- Under Message level protection, click Request message part protection.
- Click app_encparts.
- Click Delete.
- Click Done.
- Click Response message part protection.
- Click app_sigparts.
- Click Delete.
- Click Done.
- In the console, click WS-Security > Main Policy.
- Click Save to save the configuration changes.
- Create the provider general binding.
- In the console, click Services > Policy sets > General provider policy set bindings..
- Check Provider sample.
- Click Copy....
- Specify name=ProviderSignerCertGeneralBinding.
- Click OK.
- In the console, click Services > Policy sets > General provider policy set bindings..
- Edit ProviderSignerCertGeneralBinding to perform signer certificate encryption.
- Click ProviderSignerCertGeneralBinding > WS-Security > Authentication and protection > gen_encx509token > Callback handler.
- Under Custom properties, enter:
Name=com.ibm.wsspi.wssecurity.token.cert.useRequestorCert value=true
- Under Keystore, select Name=None
- Click OK.
- Click ProviderSignerCertGeneralBinding > WS-Security > Authentication and protection > gen_encx509token > Callback handler.
- Create the client general binding.
- In the console, click...
-
Services > Policy Sets > General client policy set bindings
- Check Client samples.
- Click Copy....
- Specify name=ClientSignerCertGeneralBinding.
- Click OK.
- In the console, click...
- Edit ClientSignerCertGeneralBinding to use its own signing key to decrypt the message.
- Click ClientSignerCertGeneralBinding > WS-Security > Authentication and protection > con_encx509token > Callback handler > Custom keystore configuration.
- Under keystore, enter the same keystore used by the signature generator:
Full path=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks Type=JKS Password=client - Under key, enter the same key used by the signature generator:
Name=CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP Alias=soaprequester Password=client
- Click OK.
- Click ClientSignerCertGeneralBinding > WS-Security > Authentication and protection > con_encx509token > Callback handler > Custom keystore configuration.
- Configure the client to use the OutSignInEncPolicy policy set and ClientSignerCertGeneralBinding general binding.
- In the console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service client policy sets and bindings.
- Select the web services client resource (JaxWSServicesSamples).
- Click Attach Policy Set.
- SelectOutSignInEncPolicy.
- Select the web services client resource again (JaxWSServicesSamples).
- Click Assign Binding.
- Select ClientSignerCertGeneralBinding.
- In the console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service client policy sets and bindings.
- Configure the provider to use the SimpleSignEncPolicy policy set and ProviderSignerCertGeneralBinding general binding.
- In the console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service provider policy sets and bindings.
- Select the web services provider resource (JaxWSServicesSamples).
- Click Attach Policy Set.
- SelectOutSignInEncPolicy.
- Select the web services provider resource again (JaxWSServicesSamples).
- Click Assign Binding.
- Select PrioviderSignerCertGeneralBinding.
- In the console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service provider policy sets and bindings.
- Click Save to save the configuration changes.
- Restart the client and the provider.
- Stop the client and the provider.
- Restart the client and the provider.
- Stop the client and the provider.
- Test the service.
- Point the web browser to the JaxWSServicesSamples:
http://localhost:9080/wssamplesei/demo.
Avoid trouble: Make sure we provide the correct hostname and port if the provider is not on the same machine, or the port is not 9080.gotcha
- Select Message Type Synchronous Echo.
- Make sure Use SOAP 1.2 is not selected.
- Enter a message and click Send Message.
- Point the web browser to the JaxWSServicesSamples:
http://localhost:9080/wssamplesei/demo.
Results
The JaxWSServicesSamples web services application is configured to encrypt responses using the certificate used to sign the request.Related concepts
Related tasks