Configure a policy set and bindings for Asymmetric XML Digital Signature and/or XML Encryption
This procedure describes how to configure the message-level WS-Security policy set and bindings to sign and encrypt a SOAP message using asymmetric XML Digital Signature and Encryption with application-specific bindings. As part of this procedure, specify whether to sign and/or encrypt the request message, the response message, or both.
This task assumes that the service provider and client being configured are in the JaxWSServicesSamples application. Refer to the topic Access Samples for more information on how to obtain and install this application.
Use the following trace specification on the server. It lets us debug any configuration problems that might occur later:
*=info:com.ibm.wsspi.wssecurity.*=all:com.ibm.ws.webservices.wssecurity.*=all:com.ibm.ws.wssecurity.*=all:com.ibm.xml.soapsec.*=all:com.ibm.ws.webservices.trace.*=all:com.ibm.ws.websvcs.trace.*=all:com.ibm.ws.wssecurity.platform.audit.*=off:
This procedure explains the actions needed to configure a WS-Security policy set to use the asymmetric XML Digital Signature and Encryption WS-Security constraints. It also explains the actions needed to configure asymmetric XML Digital Signature and Encryption application-specific custom bindings for a client and a provider.
The keystores used in this procedure are provided with WebSphere Application Server and are installed in every profile created. Use the ${USER_INSTALL_ROOT} variable directly in the configuration to point to the keystore locations without a fully qualified path. ${USER_INSTALL_ROOT} resolves to a path such as c:/WebSphere/AppServer/profiles/AppSrv01.
- ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks
- ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
- ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks
- ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks
Because of the nature of JaxWSServicesSamples, to apply the policy set and bindings to this application, in the console click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples. When using our own applications, the following paths are an alternative way to access the provider and client for attachment of the policy set and bindings:
- Services > Service Providers > (App Name)
- Services > Service Clients > (App Name)
Avoid trouble: Pay close attention to the names of the token consumers and generators in the console. The initiator and recipient might not be what you expect for a given token. The Usage column in the table specifies whether a token is a consumer token or a generator token.
- Create the custom policy set.
  - In the console, click Services > Policy sets > Application policy sets.
  - Click New.
  - Specify Name=AsignEncPolicy.
  - Click Apply.
  - Under Policies, click Add > WS-Security.
- Edit the custom policy set.
  - In the console, click WS-Security > Main policy.
    By default, the policy now has the following configuration:
    - Timestamp sent in outbound messages
    - Timestamp required in inbound messages
    - Sign the request and the response (Body, WS-Addressing header, and Timestamp)
    - Encrypt the request and the response (Body and Signature element in the SOAP Security header)
    If this is the configuration you want, click Apply, then Save, and continue to the next step. To change this configuration, complete one or more of the following substeps.
    - Optional: Remove Timestamp from both the request and the response. Timestamp cannot be removed from only one direction. To remove it from both, clear the Include timestamp in security header setting, and then click Apply.
    - Optional: Remove request message parts.
      - Under Message level protection, click Request message part protection.
      - To remove the request encrypted part, click app_encparts, and then click Delete.
      - To remove the request signed part, click app_signparts, and then click Delete.
      - Click Done.
    - Optional: Remove response message parts.
      - Under Message level protection, click Response message part protection.
      - To remove the response encrypted part, click app_encparts, and then click Delete.
      - To remove the response signed part, click app_signparts, and then click Delete.
      - Click Done.
    - Optional: View or change the parts that are signed or encrypted in the request.
      - Under Message level protection, click Request message part protection.
      - To view or change the request encrypted part, click app_encparts, and then click Edit.
        The Elements in Part page displays the parts that will be encrypted in the request message. Update the settings on this page to add, change, or remove elements to encrypt. By default, the Body and an XPath expression to the Signature are configured.
        To add encryption of a UsernameToken, SAML assertion, or other elements, see Build XPath expressions for WS-Security.
        When the changes are complete, click OK.
      - To view or change the request signed part, click app_signparts, and then click Edit.
        The Elements in Part page displays the parts that will be signed in the request message. Update the settings on this page to add, change, or remove elements to sign. By default, the Body, the QNames for the WS-Addressing header, and XPath expressions to the Timestamp are configured.
        If the STR Dereference Transform (STR-Transform) will be used to sign a security token, add the following XPath expression:
        /*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Envelope']/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#' and local-name()='Signature']/*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#' and local-name()='KeyInfo']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='SecurityTokenReference']
        To sign other elements, such as a BinarySecurityToken, see Build XPath expressions for WS-Security.
        When the changes are complete, click OK.
      - Click Done.
    - Optional: View or change the parts that are signed or encrypted in the response.
      - Under Message level protection, click Response message part protection.
      - To view or change the response encrypted part, click app_encparts, and then click Edit.
        The Elements in Part page displays the parts that will be encrypted in the response message. Update the settings on this page to add, change, or remove elements to encrypt. By default, the Body and an XPath expression to the Signature are configured.
        When the changes are complete, click OK.
      - To view or change the response signed part, click app_signparts, and then click Edit.
        The Elements in Part page displays the parts that will be signed in the response message. Update the settings on this page to add, change, or remove elements to sign. By default, the Body, the QNames for the WS-Addressing header, and XPath expressions to the Timestamp are configured.
        When the changes are complete, click OK.
      - Click Done.
  - Click Apply.
  - Save the configuration.
- Configure the client to use the AsignEncPolicy policy set.
  - In the console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service client policy sets and bindings.
  - Select the web services client resource (JaxWSServicesSamples).
  - Click Attach Policy Set.
  - Select AsignEncPolicy.
- Create a custom binding for the client.
  - Select the web services client resource again.
  - Click Assign Binding.
  - Click New Application Specific Binding to create an application-specific binding.
  - Specify Bindings configuration name=signEncClientBinding.
  - Click Add > WS-Security.
  - If the Main Message Security Policy Bindings panel does not display, select WS-Security.
- Configure the client's custom bindings.
  - Configure a Certificate Store.
    - Click Keys and Certificates.
    - Under Certificate store, click New Inbound....
    - Specify Name=clientCertStore.
    - Specify Intermediate X.509 certificate=${USER_INSTALL_ROOT}/etc/ws-security/samples/intca2.cer.
    - Click OK.
  - Configure a Trust Anchor.
    - Under Trust anchor, click New....
    - Specify Name=clientTrustAnchor.
    - Click External Keystore.
    - Specify Full path=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks.
    - Specify Password=client.
    - Click OK.
    - Click WS-Security in the navigation for this page.
  - Optional: If signing the request message...
    - Configure the Signature Generator.
      - Click Authentication and protection > AsymmetricBindingInitiatorSignatureToken0 (signature generator), and then click Apply.
      - Click Callback handler.
      - Specify Keystore=custom.
      - Click Custom keystore configuration, and then specify:
        - Full path=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks
        - Keystore password=client
        - Name=client
        - Alias=soaprequester
        - Password=client
      - Click OK, OK, and OK.
    - Configure the request Signing Information.
      - Click request:app_signparts, and specify Name=clientReqSignInfo.
      - Under Signing Key Information, click New, and then specify:
        - Name=clientReqSignKeyInfo
        - Type=Security Token reference
        - Token generator or consumer name=AsymmetricBindingInitiatorSignatureToken0
      - Click OK, and then click Apply.
      - Under Message part reference, select request:app_signparts.
      - Click Edit.
      - Under Transform algorithms, click New.
      - Specify URL=http://www.w3.org/2001/10/xml-exc-c14n#.
      - Click OK, OK, and OK.
  - Optional: If signing the response message...
    - Configure the Signature Consumer.
      - Click AsymmetricBindingRecipientSignatureToken0 (signature consumer), and then click Apply.
      - Click Callback handler.
      - Under Certificates, click the Certificate store radio button, and specify:
        - Certificate store=clientCertStore
        - Trusted anchor store=clientTrustAnchor
      - Click OK and OK.
    - Configure the response Signing Information.
      - Click response:app_signparts, and specify Name=clientRspSignInfo.
      - Click Apply.
      - Under Signing Key Information, click New, and then specify:
        - Name=clientRspSignKeyInfo
        - Token generator or consumer name=AsymmetricBindingInitiatorSignatureToken0
      - Click OK.
      - Under Signing Key Information, click clientRspSignKeyInfo, and then click Add.
      - Under Message part reference, select response:app_signparts.
      - Click Edit.
      - Under Transform algorithms, click New.
      - Specify URL=http://www.w3.org/2001/10/xml-exc-c14n#.
      - Click OK, OK, and OK.
  - Optional: If encrypting the request message...
    - Configure the Encryption Generator.
      - Click AsymmetricBindingRecipientEncryptionToken0 (encryption generator), and then click Apply.
      - Click Callback handler, and specify Keystore=custom.
      - Click Custom keystore configuration, and then specify:
        - Full path=${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks
        - Type=JCEKS
        - Keystore password=storepass
        - Key Name=bob
        - Key Alias=bob
      - Click OK, OK, and OK.
    - Configure the request Encryption Information.
      The setting for Usage of key information references must be set to Key encryption, which is the default value. Data encryption is used for symmetric encryption.
      - Click request:app_encparts, and specify Name=clientReqEncInfo.
      - Click Apply.
      - Under Key Information, click New, and then specify:
        - Name=clientReqEncKeyInfo
        - Type=Key identifier
        - Token generator or consumer name=AsymmetricBindingRecipientEncryptionToken0
      - Click OK.
      - Under Key Information, select clientReqEncKeyInfo, and then click OK.
  - Optional: If encrypting the response message...
    - Configure the Encryption Consumer.
      - Click AsymmetricBindingInitiatorEncryptionToken0 (encryption consumer), and then click Apply.
      - Click Callback handler, and specify Keystore=custom.
      - Click Custom keystore configuration, and then specify:
        - Full path=${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks
        - Type=JCEKS
        - Keystore password=storepass
        - Key Name=alice
        - Key Alias=alice
        - Key password=keypass
      - Click OK and OK.
    - Configure the response Encryption Information.
      The setting for Usage of key information references must be set to Key encryption, which is the default value. Data encryption is used for symmetric encryption.
      - Click response:app_encparts, and specify Name=clientRspEncInfo.
      - Click Apply.
      - Under Key Information, click New, and then specify:
        - Name=clientRspEncKeyInfo
        - Token generator or consumer name=AsymmetricBindingRecipientEncryptionToken0
      - Click OK.
      - Under Key Information, select clientRspEncKeyInfo.
      - Click Add, and then click OK.
- Configure the provider to use the AsignEncPolicy policy set.
  - In the console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service provider policy sets and bindings.
  - Select the web services provider resource (JaxWSServicesSamples).
  - Click Attach Policy Set.
  - Select AsignEncPolicy.
- Create a custom binding for the provider.
  - Select the web services provider resource again.
  - Click Assign Binding.
  - Click New Application Specific Binding to create an application-specific binding.
  - Specify Bindings configuration name=signEncProviderBinding.
  - Click Add > WS-Security.
  - If the Main Message Security Policy Bindings panel does not display, select WS-Security.
- Configure the custom bindings for the provider.
  - Configure a Certificate Store.
    - Click Keys and Certificates.
    - Under Certificate store, click New Inbound....
    - Specify:
      - Name=providerCertStore
      - Intermediate X.509 certificate=${USER_INSTALL_ROOT}/etc/ws-security/samples/intca2.cer
    - Click OK.
  - Configure a Trust Anchor.
    - Under Trust anchor, click New....
    - Specify Name=providerTrustAnchor.
    - Click External Keystore, and specify:
      - Full path=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
      - Password=server
    - Click OK, then click WS-Security in the navigation for this page, and then click Authentication and protection.
  - Optional: If signing the request message...
    - Configure the Signature Consumer.
      - Click AsymmetricBindingInitiatorSignatureToken0 (signature consumer), and then click Apply.
      - Click Callback handler.
      - Under Certificates, click the Certificate store radio button, and specify:
        - Certificate store=providerCertStore
        - Trusted anchor store=providerTrustAnchor
      - Click OK.
      - Click Authentication and protection in the navigation for this page.
    - Configure the request Signing Information.
      - Click request:app_signparts, and specify Name=reqSignInfo.
      - Click Apply.
      - Under Signing Key Information, click New, and specify:
        - Name=reqSignKeyInfo
        - Token generator or consumer name=AsymmetricBindingInitiatorSignatureToken0
      - Click OK.
      - Under Signing Key Information, click reqSignKeyInfo, and then click Add.
      - Under Message part reference, select request:app_signparts.
      - Click Edit.
      - Under Transform algorithms, click New, and then specify URL=http://www.w3.org/2001/10/xml-exc-c14n#.
      - Click OK, OK, and OK.
  - Optional: If signing the response message...
    - Configure the Signature Generator.
      - Click AsymmetricBindingRecipientSignatureToken0 (signature generator), and then click Apply.
      - Click Callback handler > Custom keystore configuration, and specify:
        - Full path=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
        - Keystore password=server
        - Name=server
        - Alias=soapprovider
        - Password=server
      - Click OK, OK, and OK.
    - Configure the response Signing Information.
      - Click response:app_signparts, and specify Name=rspSignInfo.
      - Under Signing Key Information, click New, and specify:
        - Name=rspSignKeyInfo
        - Type=Security Token reference
        - Token generator or consumer name=AsymmetricBindingRecipientSignatureToken0
      - Click OK, and then click Apply.
      - Under Message part reference, select response:app_signparts.
      - Click Edit.
      - Under Transform algorithms, click New, and then specify URL=http://www.w3.org/2001/10/xml-exc-c14n#.
      - Click OK, OK, and OK.
  - Optional: If encrypting the request message...
    - Configure the Encryption Consumer.
      - Click AsymmetricBindingRecipientEncryptionToken0 (encryption consumer), and then click Apply.
      - Click Callback handler, and specify Keystore=custom.
      - Click Custom keystore configuration, and specify:
        - Full path=${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks
        - Type=JCEKS
        - Keystore password=storepass
        - Key Name=bob
        - Key Alias=bob
        - Key password=keypass
      - Click OK, OK, and OK.
    - Configure the request Encryption Information.
      The setting for Usage of key information references must be set to Key encryption, which is the default value. Data encryption is used for symmetric encryption.
      - Click request:app_encparts, and specify Name=reqEncInfo.
      - Click Apply.
      - Under Key Information, click New, and specify:
        - Name=reqEncKeyInfo
        - Type=Key identifier
        - Token generator or consumer name=AsymmetricBindingRecipientEncryptionToken0
      - Click OK.
      - Under Key Information, select reqEncKeyInfo.
      - Click Add, and then click OK.
  - Optional: If encrypting the response message...
    - Configure the Encryption Generator.
      - Click AsymmetricBindingInitiatorEncryptionToken0 (encryption generator), and then click Apply.
      - Click Callback handler, and specify Keystore=custom.
      - Click Custom keystore configuration, and specify:
        - Full path=${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks
        - Type=JCEKS
        - Keystore password=storepass
        - Key Name=alice
        - Key Alias=alice
      - Click OK, OK, and OK.
    - Configure the response Encryption Information.
      The setting for Usage of key information references must be set to Key encryption, which is the default value. Data encryption is used for symmetric encryption.
      - Click response:app_encparts, and specify Name=rspEncInfo.
      - Click Apply.
      - Under Key Information, click New, and specify:
        - Name=rspEncKeyInfo
        - Token generator or consumer name=AsymmetricBindingInitiatorEncryptionToken0
      - Click OK.
      - Under Key Information, select rspEncKeyInfo.
      - Click OK.
- Click Save to save the configuration changes.
- Restart the client and provider.
  - Stop the client and the provider.
  - Restart the client and the provider.
- Test the service. The sample application should reply with JAXWS==>Message.
  - Point the web browser at the JaxWSServicesSamples: http://localhost:9080/wssamplesei/demo
    Avoid trouble: Make sure to provide the correct host name and port if the profile is not on the same machine, or the port is not 9080.
  - Select Message Type Synchronous Echo.
  - Make sure Use SOAP 1.2 is not selected.
  - Enter a message and click Send Message.
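The Elements in Part pages take XPath expressions in the namespace-uri()/local-name() form shown above for the STR-Transform, and a mistake there silently leaves a part unsigned. The following added example (not part of this page or of WebSphere) parses that form with the Python standard library, evaluates it against a constructed SOAP envelope, and reports which of the policy's default signed parts (Body, Timestamp) no configured expression reaches; the wsu namespace URI and the Body and Timestamp selectors are assumptions written in the same form as the page's expression.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces used by the page's XPath expression; wsu is assumed here (the page does
# not spell it out) and is the standard WS-Security utility namespace.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# One step of the console's XPath form: /*[namespace-uri()='ns' and local-name()='name']
STEP_RE = re.compile(r"/\*\[namespace-uri\(\)='([^']*)' and local-name\(\)='([^']*)'\]")

def step(ns, name):
    return "/*[namespace-uri()='%s' and local-name()='%s']" % (ns, name)

# The STR-Transform expression from the page, plus assumed Body and Timestamp selectors.
STR_XPATH = "".join(step(*s) for s in [(SOAP_NS, "Envelope"), (SOAP_NS, "Header"),
            (WSSE_NS, "Security"), (DS_NS, "Signature"), (DS_NS, "KeyInfo"),
            (WSSE_NS, "SecurityTokenReference")])
BODY_XPATH = step(SOAP_NS, "Envelope") + step(SOAP_NS, "Body")
TIMESTAMP_XPATH = (step(SOAP_NS, "Envelope") + step(SOAP_NS, "Header")
                   + step(WSSE_NS, "Security") + step(WSU_NS, "Timestamp"))
REQUIRED_SIGNED = [(SOAP_NS, "Body"), (WSU_NS, "Timestamp")]  # the policy's defaults

def parse_steps(xpath):
    """Split into (namespace, local-name) steps; reject any other syntax (e.g. //)."""
    steps = STEP_RE.findall(xpath)
    if not steps or STEP_RE.sub("", xpath).strip():
        raise ValueError("unsupported XPath step in: " + xpath)
    return steps

def select(root, xpath):
    """Walk the steps from the document element down; [] if the path is absent."""
    steps = parse_steps(xpath)
    if root.tag != "{%s}%s" % steps[0]:
        return []
    current = [root]
    for ns, name in steps[1:]:
        wanted = "{%s}%s" % (ns, name)
        current = [c for el in current for c in el if c.tag == wanted]
    return current

def uncovered_parts(root, xpaths, required):
    """Local names of required parts that none of the configured expressions reach."""
    reached = {el.tag for xp in xpaths for el in select(root, xp)}
    return [name for ns, name in required if "{%s}%s" % (ns, name) not in reached]

# Constructed sample: a SOAP 1.1 envelope carrying a Timestamp and a Signature with an STR.
SAMPLE_ENVELOPE = """<e:Envelope xmlns:e="%s" xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s">
<e:Header><wsse:Security>
<wsu:Timestamp wsu:Id="ts-1"><wsu:Created>2024-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
<ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference/></ds:KeyInfo></ds:Signature>
</wsse:Security></e:Header>
<e:Body><echo>hello</echo></e:Body>
</e:Envelope>""" % (SOAP_NS, WSSE_NS, WSU_NS, DS_NS)

def sample_root():
    return ET.fromstring(SAMPLE_ENVELOPE)
```

Running `uncovered_parts(sample_root(), [BODY_XPATH, STR_XPATH], REQUIRED_SIGNED)` reports `['Timestamp']`, which is the kind of gap to look for before attaching the policy set.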
Results
The JaxWSServicesSamples web services application is configured to use asymmetrical XML Digital Signature and Encryption to protect your SOAP requests and responses.
Related concepts
- Access the samples
Related tasks
- Secure web services using policy sets
- Build XPath expressions for WS-Security