Configure a policy set and bindings for XML Digital Signature with client and provider application specific bindings
We can create a custom policy set and application specific bindings for using XML Digital Signature to sign the body of the request and response SOAP messages.
This task assumes that the service provider and client that we are configuring are in the JaxWSServicesSamples application. Refer to the topic Access Samples for more information on how to obtain and install this application.
Use the following trace specification on the server. These specifications allow us to debug any future configuration problems that might occur.
*=info:com.ibm.wsspi.wssecurity.*=all:com.ibm.ws.webservices.wssecurity.*=all: com.ibm.ws.wssecurity.*=all: com.ibm.xml.soapsec.*=all: com.ibm.ws.webservices.trace.*=all: com.ibm.ws.websvcs.trace.*=all:com.ibm.ws.wssecurity.platform.audit.*=off:
This procedure explains the actions we need to complete to configure WS-Security policy set to use only the XML-Digital Signature WS-Security constraint. This procedure also explains the actions we need to complete to configure XML Digital Signature application specific custom bindings for a client and provider.
The keystores used in this procedure are provided with WebSphere Application Server and are installed in every profile created. We can use the ${USER_INSTALL_ROOT} variable directly in the configuration to conveniently point to the keystore locations without using a fully-qualified path. ${USER_INSTALL_ROOT} resolves to a path such as c:/WebSphere/AppServer/profiles/AppSrv01.
${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks
${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
Because of the nature of JaxWSServicesSamples, to apply the policy set and bindings to this application, in the console click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples. When using our own applications, we can use the following paths as an alternative way to access the provider and client for attachment of the policy set and bindings:
* Services > Service Providers > (AppName)
* Services > Service clients > (AppName)
Avoid trouble: Pay close attention to the names of the token consumers and generators in the console. The Initiator and Recipient tokens might not be what you expect. The Usage column in the table specifies whether a token is a consumer token or a generator token. For example, on the provider side AsymmetricBindingRecipientSignatureToken0 is the signature generator and AsymmetricBindingInitiatorSignatureToken0 is the signature consumer.
- Create the custom policy set.
- In the console, click Services > Policy sets > Application Policy sets.
- Click New.
- Specify Name=AsignPolicy.
- Click Apply.
- Under Policies, click Add > WS-Security.
- Edit the custom policy set to remove encryption and timestamp.
- In the console, click WS-Security > Main Policy.
- Under Message level protection, click Request message part protection.
- Click app_encparts.
- Click Delete.
- Click Done.
- Click Response message part protection.
- Click app_encparts.
- Click Delete.
- Click Done.
- Unselect Include timestamp in security header.
- Click Apply.
- Save the configuration.
- Configure the client to use the AsignPolicy policy set.
- In the console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service client policy sets and bindings.
- Select the web services client resource (JaxWSServicesSamples).
- Click Attach Policy Set.
- Select AsignPolicy.
- Create a custom binding for the client.
- Select the web services resource again.
- Click Assign Binding.
- Click New Application Specific Binding to create an application-specific binding.
- Specify Bindings configuration name=clientBinding.
- Click Add > WS-Security.
- If the Main Message Security Policy Bindings panel does not display, select WS-Security.
- Configure the client's custom bindings.
- Configure a Certificate Store.
- Click Keys and Certificates.
- Under Certificate store, click New Inbound....
- Specify name=clientCertStore.
- Specify Intermediate X.509 certificate=${USER_INSTALL_ROOT}/etc/ws-security/samples/intca2.cer.
- Click OK.
- Configure a Trust Anchor.
- Under Trust anchor, click New...
- Specify name=clientTrustAnchor.
- Click External Keystore.
- Specify Full path=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks.
- Specify Password=client.
- Click OK.
- Click WS-Security in the navigation for this page.
- Configure the Signature Generator.
- Click Authentication and protection > AsymmetricBindingInitiatorSignatureToken0 (signature generator), and then click Apply.
- Click Callback handler.
- Specify Keystore=custom.
- Click Custom keystore configuration, and then specify:
- Full path=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks
- Keystore password=client
- Name=client
- Alias=soaprequester
- Password=client
- Click OK, OK, and OK.
- Configure the Signature Consumer.
- Click AsymmetricBindingRecipientSignatureToken0 (signature consumer), and then click Apply.
- Click Callback handler.
- Under Certificates, click the Certificate store radio button, and specify:
- Certificate store=clientCertStore
- Trusted anchor store=clientTrustAnchor
- Click OK, and OK.
- Configure the request Signing Information.
- Click request:app_signparts, and specify Name=clientReqSignInfo.
- Under Signing key information, click New, and then specify:
- Name=clientReqSignKeyInfo
- Type=Security Token reference
- Token generator or consumer name=AsymmetricBindingInitiatorSignatureToken0
- Click OK, and then click Apply.
- Under Message part reference, select request:app_signparts.
- Click Edit.
- Under Transform algorithms, click New.
- Specify URL=http://www.w3.org/2001/10/xml-exc-c14n#.
- Click OK, OK, and OK.
- Configure the response Signing Information.
- Click response:app_signparts, and specify Name=clientRespSignInfo.
- Click Apply.
- Under Signing key information, click New, and then specify:
- Name=clientRspSignKeyInfo
- Token generator or consumer name=AsymmetricBindingRecipientSignatureToken0
- Click OK.
- Under Signing key information, click clientRspSignKeyInfo, and then click Add.
- Under Message part reference, select response:app_signparts.
- Click Edit.
- Under Transform algorithms, click New.
- Specify URL=http://www.w3.org/2001/10/xml-exc-c14n#.
- Click OK, OK, and OK.
- Configure the provider to use the AsignPolicy policy set.
- In the console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service provider policy sets and bindings.
- Select the web services provider resource (JaxWSServicesSamples).
- Click Attach Policy Set.
- Select AsignPolicy.
- Create a custom binding for the provider.
- Select the web services provider resource again.
- Click Assign Binding.
- Click New Application Specific Binding to create an application-specific binding.
- Specify Bindings configuration name=providerBinding.
- Click Add > WS-Security.
- If the Main Message Security Policy Bindings panel does not display, select WS-Security.
- Configure the custom bindings for the provider.
- Configure a Certificate Store.
- Click Keys and Certificates.
- Under Certificate store, click New Inbound....
- Specify:
- Name=providerCertStore
- Intermediate X.509 certificate=${USER_INSTALL_ROOT}/etc/ws-security/samples/intca2.cer
- Click OK.
- Configure a Trust Anchor.
- Under Trust anchor, click New...
- Specify Name=providerTrustAnchor.
- Click External Keystore, and specify:
- Full path=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
- Password=server
- Click OK, and then click WS-Security in the navigation for this page.
- Configure the Signature Generator.
- Click Authentication and protection > AsymmetricBindingRecipientSignatureToken0 (signature generator), and then click Apply.
- Click Callback handler.
- Specify Keystore=custom.
- Click Custom keystore configuration, and then specify:
- Full path=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
- Keystore password=server
- Name=server
- Alias=soapprovider
- Password=server
- Click OK, OK, and OK.
- Configure the Signature Consumer.
- Click AsymmetricBindingInitiatorSignatureToken0 (signature consumer), and then click Apply.
- Click Callback handler.
- Under Certificates, click the Certificate store radio button, and specify:
- Certificate store=providerCertStore
- Trusted anchor store=providerTrustAnchor
- Click OK.
- Click Authentication and protection in the navigation for this page.
- Configure the request Signing Information.
- Click request:app_signparts, and specify Name=reqSignInf.
- Click Apply.
- Under Signing key information, click New, and then specify:
- Name=reqSignKeyInfo
- Token generator or consumer name=AsymmetricBindingInitiatorSignatureToken0
- Click OK.
- Under Signing key information, click reqSignKeyInfo, and then click Add.
- Under Message part reference, click request:app_signparts.
- Click Edit.
- Under Transform algorithms, click New, and then specify URL=http://www.w3.org/2001/10/xml-exc-c14n#.
- Click OK, OK, and OK.
- Configure the response Signing Information.
- Click response:app_signparts, and specify Name=rspSignInfo.
- Click Apply.
- Under Signing key information, click New, and then specify:
- Name=rspSignKeyInfo
- Type=Security Token reference
- Token generator or consumer name=AsymmetricBindingRecipientSignatureToken0
- Click OK, and then click Apply.
- Under Message part reference, select response:app_signparts.
- Click Edit.
- Under Transform algorithms, click New.
- Specify URL=http://www.w3.org/2001/10/xml-exc-c14n#.
- Click OK, OK, and OK.
- Click Save to save the configuration changes.
- Restart the client and provider.
- Stop the client and the provider.
- Restart the client and the provider.
- Test the Service.
The sample application should reply with JAXWS==>Message.
- Point the web browser at the JaxWSServicesSamples:
http://localhost:9080/wssamplesei/demo
Avoid trouble: Make sure we provide the correct hostname and port if the profile is not on the same machine, or the port is not 9080.
- Select Message Type Synchronous Echo.
- Make sure Use SOAP 1.2 is not selected.
- Enter a message and click Send Message.
Results
The JaxWSServicesSamples web services application is configured to use XML Digital Signature to sign the body for both the SOAP request and response.
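To confirm that the messages exchanged after this configuration actually carry the signature the AsignPolicy policy set requires, the following added example (not part of the WebSphere documentation or the JaxWSServicesSamples application) inspects a SOAP 1.1 envelope, such as one captured from the trace enabled above, and checks structurally that a ds:Signature in the wsse:Security header references the Body by its wsu:Id, uses the exclusive C14N transform configured in the bindings, and identifies its key with a Security Token Reference. The sample envelopes are constructed; their digest and signature values are placeholders, and the check does not verify the signature cryptographically, so it is a configuration sanity check rather than a replacement for the runtime's own verification.

```python
"""Structural check that a WS-Security signed SOAP 1.1 message covers the Body.

Added example, not code from the WebSphere documentation. Standard library only;
it checks which parts a signature claims to cover and which algorithms it names,
and does not validate DigestValue or SignatureValue.
"""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1, as the test step requires
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"   # transform chosen in the bindings


def find_signed_body_issues(envelope_xml):
    """Return a list of problems; an empty list means the Body is covered by a
    ds:Signature whose Body Reference uses exclusive C14N and whose KeyInfo is
    a wsse:SecurityTokenReference."""
    issues = []
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP}}}Body")
    if body is None:
        return ["no SOAP Body"]
    body_id = body.get(f"{{{WSU}}}Id")
    if not body_id:
        issues.append("Body has no wsu:Id, so no Reference can point at it")
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return issues + ["no wsse:Security header"]
    sigs = sec.findall(f"{{{DS}}}Signature")
    if not sigs:
        return issues + ["wsse:Security header carries no ds:Signature"]
    covered = False
    for sig in sigs:
        for ref in sig.iterfind(f"{{{DS}}}SignedInfo/{{{DS}}}Reference"):
            if body_id and ref.get("URI") == "#" + body_id:
                covered = True
                algs = [t.get("Algorithm") for t in
                        ref.iterfind(f"{{{DS}}}Transforms/{{{DS}}}Transform")]
                if EXC_C14N not in algs:
                    issues.append(f"Body Reference transforms {algs} lack {EXC_C14N}")
        # The bindings above select Type=Security Token reference for the signing key.
        if sig.find(f"{{{DS}}}KeyInfo/{{{WSSE}}}SecurityTokenReference") is None:
            issues.append("ds:KeyInfo has no wsse:SecurityTokenReference")
    if not covered:
        issues.append("no ds:Reference covers the Body")
    return issues


# --- constructed sample messages (placeholder digest/signature values) ---

def security_header(reference_uri, transform=EXC_C14N):
    """Constructed wsse:Security header with one signature over reference_uri."""
    return f"""<wsse:Security><ds:Signature>
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>
    <ds:SignatureMethod Algorithm="{DS}rsa-sha1"/>
    <ds:Reference URI="{reference_uri}">
      <ds:Transforms><ds:Transform Algorithm="{transform}"/></ds:Transforms>
      <ds:DigestMethod Algorithm="{DS}sha1"/>
      <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#x509-1"/>
  </wsse:SecurityTokenReference></ds:KeyInfo>
</ds:Signature></wsse:Security>"""


def envelope(header_content, body_attrs):
    """Constructed SOAP 1.1 envelope around a header fragment and a Body."""
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsse="{WSSE}"
    xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <soapenv:Header>{header_content}</soapenv:Header>
  <soapenv:Body {body_attrs}><echo>hello</echo></soapenv:Body>
</soapenv:Envelope>"""


INCLUSIVE_C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
SIGNED_BODY = envelope(security_header("#body-1"), 'wsu:Id="body-1"')
UNSIGNED = envelope("", 'wsu:Id="body-1"')               # policy set not yet attached
WRONG_PART = envelope(security_header("#other-1"), 'wsu:Id="body-1"')
WRONG_TRANSFORM = envelope(security_header("#body-1", INCLUSIVE_C14N), 'wsu:Id="body-1"')

if __name__ == "__main__":
    for name, msg in [("signed body", SIGNED_BODY), ("unsigned", UNSIGNED),
                      ("wrong part", WRONG_PART), ("wrong transform", WRONG_TRANSFORM)]:
        print(f"{name}: {find_signed_body_issues(msg) or 'OK'}")
```

Run it on an envelope taken from the server trace after attaching AsignPolicy to both sides; a request or response that reports "no ds:Reference covers the Body" or a missing exclusive C14N transform points at the app_signparts or transform steps in the bindings above rather than at the keystores.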
Related concepts
Access the samples
Related tasks
Secure web services using policy sets