Configure response signature verification methods for the client

Use the WSSVerification and WSSVerifyPart APIs to choose the signing verification methods. The request signing verification methods include the digest algorithm and the transport methods.

To complete configuration of the signature verification information to secure SOAP messages, perform the following algorithm tasks:

to configure the algorithm methods to use when configuring the client for request signing.

The following table describes the purpose of this information. Some of these definitions are based on the XML-Signature specification, which is located at the following website http://www.w3.org/TR/xmldsig-core.

Name of method Purpose
Digest algorithm Applies to the data after transforms are applied, if specified, to yield the <DigestValue> element. Signing the <DigestValue> element binds the resource content to the signer key. The algorithm selected for the client request sender configuration must match the algorithm selected in the client request receiver configuration.
Transform algorithm Applies to the <Transform> element.
Signature algorithm Uniform Resource Identifiers (URI) of the signature verification method.
Canonicalization algorithm Uniform Resource Identifiers (URI) of the canonicalization method.

After configuring the client to digitally sign the message, configure the client to verify the digital signature. We can use the WSS APIs or configure policy sets using the console to verify the digital signature and to choose the verification and verify part algorithms. If using the WSS APIs to configure, use the WSSVerification and WSSVerifyPart APIs to specify which digitally signed message parts to verify and to specify which algorithm methods to use when configuring the client for request signing.

The WSSVerification and WSSVerifyPart APIs perform the following steps to configure the signature verification and verify parts algorithm methods:

  1. For the consumer binding, the WSSVerification API specifies the signature methods to allow for the signature verification. WebSphere Application Server supports the following pre-configured signature methods:

    • WSSVerification.RSA_SHA1 (the default value): http://www.w3.org/2000/09/xmldsig#rsa-sha1

    • WSSVerification.HMAC_SHA1: http://www.w3.org/2000/09/xmldsig#hmac-sha1

    The DSA-SHA1 digital signature method (http://www.w3.org/2000/09/xmldsig#dsa-sha1) is not supported.

  2. For the consumer binding, the WSSVerification API specifies the canonicalization method to allow for the signature verification. WebSphere Application Server supports the following pre-configured canonicalization methods by default:

    • WSSVerification.EXC_C14N (the default value): http://www.w3.org/2001/10/xml-exc-c14n#

    • WSSVerification.C14N: http://www.w3.org/2001/10/xml-c14n#

  3. For the consumer binding, the WSSVerifyPart API specifies the digest method, as needed. WebSphere Application Server supports the following digest method algorithms for signed parts verification:

    • WSSVerifyPart.SHA1 (the default value): http://www.w3.org/2000/09/xmldsig#sha1

    • WSSVerifyPart.SHA256: http://www.w3.org/2001/04/xmlenc#sha256

    • WSSVerifyPart.SHA512: http://www.w3.org/2001/04/xmlenc#sha512

  4. For the consumer binding, the WSSVerifyPart API specifies the transform method. WebSphere Application Server supports the following transform algorithms for verify parts:

    • WSSVerifyPart.TRANSFORM_EXC_C14N (the default value): http://www.w3.org/2001/10/xml-exc-c14n#

    • WSSVerifyPart.TRANSFORM_XPATH2_FILTER: http://www.w3.org/2002/06/xmldsig-filter2

    • WSSVerifyPart.TRANSFORM_STRT10: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform

    • WSSVerifyPart.TRANSFORM_ENVELOPED_SIGNATURE: http://www.w3.org/2000/09/xmldsig#enveloped-signature

    For the WSS APIs, WAS does not support these algorithms:

    • http://www.w3.org/2002/07/decrypt#XML

    • http://www.w3.org/TR/1999/REC-xpath-19991116


We have specified which method to use when verifying a digital signature when the client sends a message.


The following example provides sample WSS API code that specifies the verification information, the body as a part to be verified, the HMAC_SHA1 as a signature method, C14N and EXC_C14N as the candidates of canonicalization methods, TRANSFORM_STRT10 as a transform method, and SHA256 as a digest method.

// Get the message context
   Object msgcontext = getMessageContext();

// Generate the WSSFactory instance    WSSFactory factory = WSSFactory.getInstance();

// Generate the WSSConsumingContext instance    WSSConsumingContext concont = factory.newWSSConsumingContext();

// Generate the certificate list    String certpath = "intca2.cer";
// The location of the X509 certificate file      X509Certificate x509cert = null;
      try {
            InputStream is = new FileInputStream(certpath);
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
           x509cert = (X509Certificate)cf.generateCertificate(is);
      } catch(FileNotFoundException e1){
          throw new WSSException(e1);
      } catch (CertificateException e2) {
          throw new WSSException(e2);

      Set<Object> eeCerts = new HashSet<Object>();
// Create the certStore
   java.util.List<CertStore> certList = new 
   CollectionCertStoreParameters certparam = new 
   CertStore cert = null;
      try {
            cert = CertStore.getInstance("Collection", 
      } catch (NoSuchProviderException e1) {
           throw new WSSException(e1);
      } catch (InvalidAlgorithmParameterException e2) {
           throw new WSSException(e2);
      } catch (NoSuchAlgorithmException e3) {
           throw new WSSException (e3);
      if(certList != null ){

// Generate the callback handler
   X509ConsumeCallbackHandler callbackHandler = new 
                                 "jks", "server".toCharArray(), 

// Generate the WSSVerification instance    WSSVerification ver = factory.newWSSVerification(X509Token.class, 

// Set one or more candidates of the signature method used for 
//    verification (step. 1)
// DEFAULT : WSSVerification.RSA_SHA1

// Set one or more candidates of the canonicalization method used for 
//    verification (step. 2)
// DEFAULT : WSSVerification.EXC_C14N 

// Set the part to be specified by WSSVerifyPart
   WSSVerifyPart verPart = factory.newWSSVerifyPart();

// Set the part to be specified by the keyword

// Set the candidates of digest methods to use for verification (step. 3)
// DEFAULT : WSSVerifypart.TRANSFORM_EXC_C14N : String

// Set the candidates of digest methods to use for verification (step. 4)
// DEFAULT : WSSVerifyPart.SHA1

// Set WSSVerifyPart to WSSVerification

// Add the WSSVerification to the WSSConsumingContext

// Validate the WS-Security header

What to do next

We have completed configuring the signature verification algorithms. Next, configure the encryption or decryption algorithms, if not already configured. Or, configure the security token information, as needed.

