Configure signing information using JAX-RPC for the generator binding on the application level
Configure signing information for the client-side request generator and the server-side response generator bindings at the application level.
For WebSphere Application Server version 6.x or earlier only, in the server-side extensions file (ibm-webservices-ext.xmi) and the client-side deployment descriptor extensions file (ibm-webservicesclient-ext.xmi), specify which parts of the message are signed. Also, configure the key information referenced by the key information references on the signing information panel within the administrative console.
This task explains the required steps to configure the signing information for the client-side request generator and the server-side response generator bindings at the application level. WAS uses the signing information for the default generator to sign parts of the message including the body, time stamp, and user name token. The Application Server provides default values for bindings. However, an administrator must modify the defaults for a production environment. Configure signing information for the generator sections of the bindings files on the application level:
Tasks
- Locate the signing information configuration panel in the administrative console.
Applications > Application Types > WebSphere enterprise applications > application_name > Manage modules > URI_name
Under Web Services Security Properties, we can access the signing information for the request generator and the response generator bindings.
- For the request generator (sender) binding, click...
Web services: Client security bindings > Request generator (sender) binding > Edit custom
- For the response generator (sender) binding, click...
Web services: Server security bindings > Response generator (sender) binding > Edit custom
- Under Required properties, click Signing information.
- Select New to create a signing information configuration
- Select the Delete checkbox to delete an existing configuration
- Select the name of an existing signing information configuration to edit its settings.
For a new configuration, enter a name in the Signing information name field. For example: gen_signinfo.
- Select a signature method algorithm from the Signature method field. The algorithm specified for the generator, which is either the request generator or the response generator configuration, must match the algorithm specified for the consumer, which is either the request consumer or response consumer configuration. WAS supports the following pre-configured algorithms:
- http://www.w3.org/2000/09/xmldsig#rsa-sha1
- http://www.w3.org/2000/09/xmldsig#hmac-sha1
- http://www.w3.org/2000/09/xmldsig#dsa-sha1
Restriction: Do not use this algorithm if we want the configured application to be compliant with the Basic Security Profile (BSP).
Any ds:SignatureMethod/@Algorithm element in a SIGNATURE based on a symmetric key must have a value of http://www.w3.org/2000/09/xmldsig#rsa-sha1 or http://www.w3.org/2000/09/xmldsig#hmac-sha1.
- Select a canonicalization method from the Canonicalization method field. The canonicalization algorithm specified for the generator must match the algorithm for the consumer. WAS supports the following pre-configured algorithms:
- http://www.w3.org/2001/10/xml-exc-c14n#
- http://www.w3.org/2001/10/xml-exc-c14n#WithComments
- http://www.w3.org/TR/2001/REC-xml-c14n-20010315
- http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
- Select a key information signature type from the Key information signature type field. WAS supports the following signature types:
- None: the <KeyInfo> element is not signed.
- Keyinfo: the entire <KeyInfo> element is signed.
- Keyinfochildelements: the child elements of the <KeyInfo> element are signed.
The key information signature type for the generator must match the signature type for the consumer. We might encounter the following situations:
- If we do not specify one of the previous signature types, WAS uses keyinfo, by default.
- If we select Keyinfo or Keyinfochildelements and we select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform as the transform algorithm in a subsequent step, WAS also signs the referenced token.
- Select a signing key information reference from the Signing key information field. This selection is a reference to the signing key that the Application Server uses to generate digital signatures.
- Click OK and Save to save the configuration.
- Click the name of the new signing information configuration. This configuration is the one specified in a previous step.
- Configure the part reference, digest algorithm, and transform algorithm. The part reference specifies which parts of the message to digitally sign.
- Under Additional properties, click Part references > New to create a new part reference, click Part references > Delete to delete an existing part reference, or click a part name to edit an existing part reference.
- Specify a unique part name for this part reference. For example, we might specify reqint.
- Select a part reference from the Part reference field.
The part reference refers to the message part that is digitally signed. The part attribute refers to the name of the <Integrity> element in the deployment descriptor when the <PartReference> element is specified for the signature. We can specify multiple <PartReference> elements within the <SigningInfo> element. The <PartReference> element has two child elements when it is specified for the signature: <DigestTransform> and <Transform>.
- Select a digest method algorithm from the menu. The digest method algorithm specified within the <DigestMethod> element is used in the <SigningInfo> element.
WAS supports the following algorithms:
- http://www.w3.org/2000/09/xmldsig#sha1
- http://www.w3.org/2001/04/xmlenc#sha256
- http://www.w3.org/2001/04/xmlenc#sha512
- Click OK to save the configuration.
- Click the name of the new part reference configuration. This configuration is the one specified in a previous step.
- Under Additional Properties, click Transforms > New to create a new transform, click Transforms > Delete to delete a transform, or click a transform name to edit an existing transform. If we create a new transform configuration, specify a unique name. For example, we might specify reqint_body_transform1.
- Select a transform algorithm from the menu. The transform algorithm is specified within the <Transform> element and specifies the transform algorithm for the signature. WAS supports the following algorithms:
- http://www.w3.org/2001/10/xml-exc-c14n#
- http://www.w3.org/TR/1999/REC-xpath-19991116
Restriction: Do not use this transform algorithm if we want the configured application to be compliant with the Basic Security Profile (BSP). Instead, use http://www.w3.org/2002/06/xmldsig-filter2 to ensure compliance.
- http://www.w3.org/2002/06/xmldsig-filter2
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
- http://www.w3.org/2002/07/decrypt#XML
- http://www.w3.org/2000/09/xmldsig#enveloped-signature
The transform algorithm that we select for the generator must match the transform algorithm that we select for the consumer.
If both of the following conditions are true, WAS signs the referenced token:
- You previously selected the Keyinfo or the Keyinfochildelements option from the Key information signature type field on the signing information panel.
- You select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform as the transform algorithm.
- Click Apply.
- Optional: Determine whether to disable the Inclusive namespace prefix list. The Exclusive XML Canonicalization Version 1.0 specification recommends that you include all of the namespace declarations that correspond to the namespace prefix in the canonicalization form. For security reasons, WAS, by default, includes the prefix in the digital signature for Web Services Security. However, some implementations of Web Services Security cannot handle this prefix list. WAS can handle digitally signed messages that either contain or do not contain the prefix list. If we experience a signature validation failure when a signed Simple Object Access Protocol (SOAP) message is sent and we are using another vendor in the environment, check with your service provider for a possible fix to their implementation before you disable this property. To disable this property:
- Under Additional properties, click Properties > New.
- In the Property name field, enter the com.ibm.wsspi.wssecurity.dsig.inclusiveNamespaces property.
- In the Property value field, enter the false value.
- Click OK.
We can set this property for both the request generator and the response generator configurations.
- Click Save to save the configuration.
After completing these steps, the signing information is configured for the generator on the application level.
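As an added example (not part of this page or of WebSphere Application Server), the following Python script reads the ds:SignedInfo that a generator produced and reports what the steps above require the administrator to keep consistent: generator algorithms that differ from the consumer binding, the dsa-sha1 and XPath algorithms the BSP restrictions exclude, and an exclusive canonicalization transform that carries no InclusiveNamespaces prefix list, which is what the com.ibm.wsspi.wssecurity.dsig.inclusiveNamespaces property turns off. The SOAP request and the consumer configuration are constructed sample data.

```python
import xml.etree.ElementTree as ET
DS = "{http://www.w3.org/2000/09/xmldsig#}"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
# Pre-configured algorithms the page marks as not BSP compliant -> replacement the page recommends, if any.
BSP_DISALLOWED = {"http://www.w3.org/2000/09/xmldsig#dsa-sha1": None,
                  "http://www.w3.org/TR/1999/REC-xpath-19991116": "http://www.w3.org/2002/06/xmldsig-filter2"}

def audit_signed_info(soap_xml, consumer):
    """Check a generator's ds:SignedInfo against the consumer's algorithms and the BSP restrictions."""
    si = ET.fromstring(soap_xml).find(f".//{DS}SignedInfo")
    if si is None:
        return ["no ds:SignedInfo found"]
    c14n = si.find(f"{DS}CanonicalizationMethod").get("Algorithm")
    sig = si.find(f"{DS}SignatureMethod").get("Algorithm")
    findings = [f"not BSP compliant: {a}" for a in (c14n, sig) if a in BSP_DISALLOWED]
    if c14n != consumer["canonicalization"]:
        findings.append(f"canonicalization mismatch: generator uses {c14n}")
    if sig != consumer["signature"]:
        findings.append(f"signature method mismatch: generator uses {sig}")
    for ref in si.findall(f"{DS}Reference"):  # one ds:Reference per signed part reference
        uri = ref.get("URI", "")
        digest = ref.find(f"{DS}DigestMethod").get("Algorithm")
        if digest != consumer["digest"]:
            findings.append(f"{uri}: digest mismatch: generator uses {digest}")
        for tr in ref.findall(f"{DS}Transforms/{DS}Transform"):
            alg = tr.get("Algorithm")
            if alg not in consumer["transforms"]:
                findings.append(f"{uri}: transform {alg} is not configured on the consumer")
            if alg in BSP_DISALLOWED:
                hint = f" (use {BSP_DISALLOWED[alg]})" if BSP_DISALLOWED[alg] else ""
                findings.append(f"{uri}: not BSP compliant: {alg}{hint}")
            # The prefix list is absent when the generator sets com.ibm.wsspi.wssecurity.dsig.inclusiveNamespaces=false.
            if alg == EXC_C14N and tr.find(f"{{{EXC_C14N}}}InclusiveNamespaces") is None:
                findings.append(f"{uri}: exclusive c14n transform has no InclusiveNamespaces PrefixList")
    return findings
# Constructed sample request: dsa-sha1, an XPath transform, and exclusive c14n without a PrefixList.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="#reqint_body"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>ZWxpZGVk</ds:DigestValue>
</ds:Reference></ds:SignedInfo><ds:SignatureValue>ZWxpZGVk</ds:SignatureValue></ds:Signature>
</wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""
CONSUMER = {"canonicalization": EXC_C14N, "signature": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
            "digest": "http://www.w3.org/2000/09/xmldsig#sha1", "transforms": {EXC_C14N}}  # constructed consumer binding
```

Run audit_signed_info(SAMPLE, CONSUMER) to list the five findings for the sample; an empty list means the generator output matches the consumer binding and uses only BSP-compliant algorithms.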
What to do next
Specify a similar signing information configuration for the consumer.
Subtopics
- Signing information collection
- Signing information configuration settings
- Part reference collection
- Part reference configuration settings
- Transforms collection
- Transforms configuration settings
Related:
- Basic Security Profile compliance tips
- Configure signing information using JAX-RPC for the consumer binding on the application level