Important distinction between Version 5.x and Version 6 applications
Note: The information in this article supports version 5.x applications only that are used with WebSphere Application Server Version 6. The information does not apply to version 6 applications.
WebSphere Application Server provides the following sample key stores for sample configurations. These sample key stores are for testing and sample purposes only. Do not use them in a production environment.
Default binding (cell and server level)
WebSphere Application Server provides the following default binding information:
TRIPLEDES). However, to use it for asymmetric encryption (RSA), add the private key CN=Bob, O=IBM, C=US, alias name bob, and key password keypass.
A sample configuration
The following examples demonstrate what IBM deployment descriptor extensions and bindings can do. The unnecessary information was removed from the examples to improve clarity. Do not copy and paste these examples into your application deployment descriptors or bindings. These examples serve as reference only and are not representative of the recommended configuration. Use the following tools to create or edit IBM deployment descriptor extensions and bindings:
The following example illustrates a scenario that:
For the response, the SOAP body and time stamp are signed, the body content is encrypted, and the SOAP message freshness is checked using the time stamp. The freshness of the message indicates whether the message complies with predefined time constraints. The request sender and the request receiver are a pair. Similarly, the response sender and the response receiver are a pair.
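The freshness check that the response receiver performs on the time stamp, as an added example that is not IBM's code and not part of this article: it reads the wsu:Timestamp from the wsse:Security header of a SOAP envelope, parses the ISO 8601 duration that the expires attribute (PT3M in the examples that follow) uses, and rejects messages that are expired, older than the allowed age, or created in the future. The envelope, the reference clock and the 30-second skew allowance are constructed for the example; the namespace URIs are those of the WS-Security 2004 standard.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces of the WS-Security 2004 header elements (wsse:Security, wsu:Timestamp).
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed reference clock so the example is deterministic (a real receiver uses the system clock).
SAMPLE_NOW = datetime(2004, 6, 15, 12, 0, 0, tzinfo=timezone.utc)


def parse_duration(text):
    """Parse the ISO 8601 duration subset used by expires="..." (days, hours, minutes, seconds)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?", text)
    if m is None or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = m.groups()
    return timedelta(days=int(days or 0), hours=int(hours or 0),
                     minutes=int(minutes or 0), seconds=float(seconds or 0))


def parse_utc(text):
    """wsu:Created and wsu:Expires are xsd:dateTime values in UTC ('Z'), optionally with a fraction."""
    if not text.endswith("Z"):
        raise ValueError(f"timestamp must be UTC with a trailing Z: {text!r}")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in text else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(text[:-1], fmt).replace(tzinfo=timezone.utc)


def check_freshness(envelope_xml, now, max_age="PT3M", skew=timedelta(seconds=30)):
    """Return (accepted, reason) for the receiver-side freshness check of a SOAP envelope.

    Policy: Created must not be in the future, Expires (if present) must be after Created
    and not yet reached, and the message must not be older than max_age even if the
    sender chose a generous Expires. 'skew' tolerates small clock differences.
    """
    root = ET.fromstring(envelope_xml)
    ts = root.find(f".//{{{WSU_NS}}}Timestamp")
    if ts is None:
        return False, "no wsu:Timestamp in Security header"
    created_el = ts.find(f"{{{WSU_NS}}}Created")
    if created_el is None or not created_el.text:
        return False, "Timestamp has no Created element"
    created = parse_utc(created_el.text)
    if created > now + skew:
        return False, "Created is in the future"
    expires_el = ts.find(f"{{{WSU_NS}}}Expires")
    if expires_el is not None and expires_el.text:
        expires = parse_utc(expires_el.text)
        if expires <= created:
            return False, "Expires is not after Created"
        if now > expires + skew:
            return False, "message has expired"
    if now - created > parse_duration(max_age) + skew:
        return False, f"message older than {max_age}"
    return True, "fresh"


def fmt(dt):
    """Format a datetime the way the wsu elements carry it."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def sample_envelope(created, expires=None):
    """Build a constructed SOAP envelope carrying a wsu:Timestamp (sample data, not a capture)."""
    exp = f"<wsu:Expires>{fmt(expires)}</wsu:Expires>" if expires else ""
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">
      <wsu:Timestamp wsu:Id="Timestamp-1">
        <wsu:Created>{fmt(created)}</wsu:Created>{exp}
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><getQuote>IBM</getQuote></soapenv:Body>
</soapenv:Envelope>"""


if __name__ == "__main__":
    one_minute_ago = SAMPLE_NOW - timedelta(minutes=1)
    print(check_freshness(sample_envelope(one_minute_ago, one_minute_ago + timedelta(minutes=3)), SAMPLE_NOW))
    print(check_freshness(sample_envelope(SAMPLE_NOW - timedelta(minutes=10)), SAMPLE_NOW))
```

The third rule (reject anything older than the configured age regardless of Expires) is the one that makes the receiver's policy independent of what the sender wrote into the message; a sender that sets a long Expires cannot extend the window the receiver accepts.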
Tip: IBM recommends that you use the WebSphere Application Server variables for specifying the path to the key stores. In the administrative console, click Environment > Manage WebSphere Variables . These variables often help with platform differences such as file system naming conventions. In the following examples, ${USER_INSTALL_ROOT} is used for specifying the path to the key stores.
Client-side IBM deployment descriptor extension
The client-side IBM deployment descriptor extension describes the following constraints:
Request Sender
Response Receiver
Example 1: Sample client IBM deployment descriptor extension
The xmi:id statements are removed for readability. These statements must be added for this example to work.
<?xml version="1.0" encoding="UTF-8"?>
<com.ibm.etools.webservice.wscext:WsClientExtension xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:com.ibm.etools.webservice.wscext="http://www.ibm.com/websphere/appserver/schemas/5.0.2/wscext.xmi">
  <serviceRefs serviceRefLink="service/myServ">
    <portQnameBindings portQnameLocalNameLink="Port1">
      <clientServiceConfig actorURI="myActorURI">
        <securityRequestSenderServiceConfig actor="myActorURI">
          <integrity>
            <references part="body"/>
            <references part="timestamp"/>
            <references part="securitytoken"/>
          </integrity>
          <confidentiality>
            <confidentialParts part="bodycontent"/>
            <confidentialParts part="usernametoken"/>
          </confidentiality>
          <loginConfig authMethod="BasicAuth"/>
          <addCreatedTimeStamp flag="true" expires="PT3M"/>
        </securityRequestSenderServiceConfig>
        <securityResponseReceiverServiceConfig>
          <requiredIntegrity>
            <references part="body"/>
            <references part="timestamp"/>
          </requiredIntegrity>
          <requiredConfidentiality>
            <confidentialParts part="bodycontent"/>
          </requiredConfidentiality>
          <addReceivedTimeStamp flag="true"/>
        </securityResponseReceiverServiceConfig>
      </clientServiceConfig>
    </portQnameBindings>
  </serviceRefs>
</com.ibm.etools.webservice.wscext:WsClientExtension>
Client-side IBM extension bindings
Example 2 shows the client-side IBM extension binding for the security constraints described previously in the discussion on client-side IBM deployment descriptor extensions.
The signer key and the encryption (decryption) key for the message are obtained from the keystore key locator implementation (com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator). The signer key is used for encrypting the response. The sample is configured to use the Java Certification Path API to validate the certificate path of the signer of the digital signature. The user name token (basic authentication) data is collected from standard input (stdin) prompts using one of the default Java Authentication and Authorization Service (JAAS) implementations: a javax.security.auth.callback.CallbackHandler implementation (com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler).
Example 2: Sample client IBM extension binding
<?xml version="1.0" encoding="UTF-8"?>
<com.ibm.etools.webservice.wscbnd:ClientBinding xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:com.ibm.etools.webservice.wscbnd="http://www.ibm.com/websphere/appserver/schemas/5.0.2/wscbnd.xmi">
  <serviceRefs serviceRefLink="service/MyServ">
    <portQnameBindings portQnameLocalNameLink="Port1">
      <securityRequestSenderBindingConfig>
        <signingInfo>
          <signatureMethod algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <signingKey name="clientsignerkey" locatorRef="SampleClientSignerKey"/>
          <canonicalizationMethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <digestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        </signingInfo>
        <keyLocators name="SampleClientSignerKey"
            classname="com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator">
          <keyStore storepass="{xor}PDM2OjEr"
              path="${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks" type="JKS"/>
          <keys alias="soaprequester" keypass="{xor}PDM2OjEr" name="clientsignerkey"/>
        </keyLocators>
        <encryptionInfo name="EncInfo1">
          <encryptionKey name="CN=Bob, O=IBM, C=US" locatorRef="SampleSenderEncryptionKeyLocator"/>
          <encryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
          <keyEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        </encryptionInfo>
        <keyLocators name="SampleSenderEncryptionKeyLocator"
            classname="com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator">
          <keyStore storepass="{xor}LCswLTovPiws"
              path="${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks" type="JCEKS"/>
          <keys alias="Group1" keypass="{xor}NDomLz4sLA==" name="CN=Group1"/>
        </keyLocators>
        <loginBinding authMethod="BasicAuth"
            callbackHandler="com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler"/>
      </securityRequestSenderBindingConfig>
      <securityResponseReceiverBindingConfig>
        <signingInfos>
          <signatureMethod algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <certPathSettings>
            <trustAnchorRef ref="SampleClientTrustAnchor"/>
            <certStoreRef ref="SampleCollectionCertStore"/>
          </certPathSettings>
          <canonicalizationMethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <digestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        </signingInfos>
        <trustAnchors name="SampleClientTrustAnchor">
          <keyStore storepass="{xor}PDM2OjEr"
              path="${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks" type="JKS"/>
        </trustAnchors>
        <certStoreList>
          <collectionCertStores provider="IBMCertPath" name="SampleCollectionCertStore">
            <x509Certificates path="${USER_INSTALL_ROOT}/etc/ws-security/samples/intca2.cer"/>
          </collectionCertStores>
        </certStoreList>
        <encryptionInfos name="EncInfo2">
          <encryptionKey locatorRef="SampleReceiverEncryptionKeyLocator"/>
          <encryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
          <keyEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        </encryptionInfos>
        <keyLocators name="SampleReceiverEncryptionKeyLocator"
            classname="com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator">
          <keyStore storepass="{xor}PDM2OjEr"
              path="${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks" type="JKS"/>
          <keys alias="soaprequester" keypass="{xor}PDM2OjEr" name="clientsignerkey"/>
        </keyLocators>
      </securityResponseReceiverBindingConfig>
    </portQnameBindings>
  </serviceRefs>
</com.ibm.etools.webservice.wscbnd:ClientBinding>
Server-side IBM deployment descriptor extension
The server-side IBM deployment descriptor extension describes the following constraints:
Request Receiver (ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi)
Response Sender (ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi)
Example 3: Sample server IBM deployment descriptor extension
<?xml version="1.0" encoding="UTF-8"?>
<com.ibm.etools.webservice.wsext:WsExtension xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:com.ibm.etools.webservice.wsext="http://www.ibm.com/websphere/appserver/schemas/5.0.2/wsext.xmi">
  <wsDescExt wsDescNameLink="MyServ">
    <pcBinding pcNameLink="Port1">
      <serverServiceConfig actorURI="myActorURI">
        <securityRequestReceiverServiceConfig>
          <requiredIntegrity>
            <references part="body"/>
            <references part="timestamp"/>
            <references part="securitytoken"/>
          </requiredIntegrity>
          <requiredConfidentiality>
            <confidentialParts part="bodycontent"/>
            <confidentialParts part="usernametoken"/>
          </requiredConfidentiality>
          <loginConfig>
            <authMethods text="BasicAuth"/>
          </loginConfig>
          <addReceivedTimestamp flag="true"/>
        </securityRequestReceiverServiceConfig>
        <securityResponseSenderServiceConfig actor="myActorURI">
          <integrity>
            <references part="body"/>
            <references part="timestamp"/>
          </integrity>
          <confidentiality>
            <confidentialParts part="bodycontent"/>
          </confidentiality>
          <addCreatedTimestamp flag="true" expires="PT3M"/>
        </securityResponseSenderServiceConfig>
      </serverServiceConfig>
    </pcBinding>
  </wsDescExt>
</com.ibm.etools.webservice.wsext:WsExtension>
Server-side IBM extension bindings
The following binding information reuses some of the default binding information defined at either the server level or the cell level, depending on the installation. For example, the request receiver references the SampleCollectionCertStore collection certificate store and the SampleServerTrustAnchor trust anchor, both of which are defined in the default binding. However, the encryption information in the request receiver references a SampleReceiverEncryptionKeyLocator key locator that is defined in the application-level binding (the same ibm-webservices-bnd.xmi file). The response sender is configured to use the signer key from the digital signature of the request to encrypt the response, using one of the default key locator implementations (com.ibm.wsspi.wssecurity.config.CertInRequestKeyLocator).
Example 4: Sample server IBM extension binding
<?xml version="1.0" encoding="UTF-8"?>
<com.ibm.etools.webservice.wsbnd:WSBinding xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:com.ibm.etools.webservice.wsbnd="http://www.ibm.com/websphere/appserver/schemas/5.0.2/wsbnd.xmi">
  <wsdescBindings wsDescNameLink="MyServ">
    <pcBindings pcNameLink="Port1" scope="Session">
      <securityRequestReceiverBindingConfig>
        <signingInfos>
          <signatureMethod algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <certPathSettings>
            <trustAnchorRef ref="SampleServerTrustAnchor"/>
            <certStoreRef ref="SampleCollectionCertStore"/>
          </certPathSettings>
          <canonicalizationMethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <digestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        </signingInfos>
        <encryptionInfos name="EncInfo1">
          <encryptionKey locatorRef="SampleReceiverEncryptionKeyLocator"/>
          <encryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
          <keyEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        </encryptionInfos>
        <keyLocators name="SampleReceiverEncryptionKeyLocator"
            classname="com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator">
          <keyStore storepass="{xor}LCswLTovPiws"
              path="${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks" type="JCEKS"/>
          <keys alias="Group1" keypass="{xor}NDomLz4sLA==" name="CN=Group1"/>
          <keys alias="bob" keypass="{xor}NDomLz4sLA==" name="CN=Bob, O=IBM, C=US"/>
        </keyLocators>
      </securityRequestReceiverBindingConfig>
      <securityResponseSenderBindingConfig>
        <signingInfo>
          <signatureMethod algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <signingKey name="serversignerkey" locatorRef="SampleServerSignerKey"/>
          <canonicalizationMethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <digestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        </signingInfo>
        <encryptionInfo name="EncInfo2">
          <encryptionKey locatorRef="SignerKeyLocator"/>
          <encryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
          <keyEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        </encryptionInfo>
        <keyLocators name="SignerKeyLocator"
            classname="com.ibm.wsspi.wssecurity.config.CertInRequestKeyLocator"/>
      </securityResponseSenderBindingConfig>
    </pcBindings>
  </wsdescBindings>
  <routerModules transport="http" name="StockQuote.war"/>
</com.ibm.etools.webservice.wsbnd:WSBinding>
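A cross-check over the four files in Examples 1 through 4, as an added example that is not IBM's tooling and not part of this article. It verifies the pairing the text describes (request sender with request receiver, response sender with response receiver): the parts a sender signs or encrypts must be exactly the parts its receiver requires, otherwise one side will reject the other's messages. It also lists every locatorRef, trustAnchorRef and certStoreRef in a binding file that the file itself does not define, so the administrator can confirm those names exist in the cell- or server-level default binding, which is where the text above places SampleServerTrustAnchor and SampleCollectionCertStore. The embedded XML is a constructed, trimmed copy of Examples 1, 3 and 4 using short namespace prefixes; element and reference names are the page's own.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed copies of Examples 1, 3 and 4 (sample data for this check, not a deployment).
CLIENT_EXT = """<wscext:WsClientExtension xmlns:wscext="http://www.ibm.com/websphere/appserver/schemas/5.0.2/wscext.xmi">
 <serviceRefs serviceRefLink="service/myServ"><portQnameBindings portQnameLocalNameLink="Port1">
  <clientServiceConfig actorURI="myActorURI">
   <securityRequestSenderServiceConfig actor="myActorURI">
    <integrity><references part="body"/><references part="timestamp"/><references part="securitytoken"/></integrity>
    <confidentiality><confidentialParts part="bodycontent"/><confidentialParts part="usernametoken"/></confidentiality>
   </securityRequestSenderServiceConfig>
   <securityResponseReceiverServiceConfig>
    <requiredIntegrity><references part="body"/><references part="timestamp"/></requiredIntegrity>
    <requiredConfidentiality><confidentialParts part="bodycontent"/></requiredConfidentiality>
   </securityResponseReceiverServiceConfig>
  </clientServiceConfig>
 </portQnameBindings></serviceRefs>
</wscext:WsClientExtension>"""

SERVER_EXT = """<wsext:WsExtension xmlns:wsext="http://www.ibm.com/websphere/appserver/schemas/5.0.2/wsext.xmi">
 <wsDescExt wsDescNameLink="MyServ"><pcBinding pcNameLink="Port1">
  <serverServiceConfig actorURI="myActorURI">
   <securityRequestReceiverServiceConfig>
    <requiredIntegrity><references part="body"/><references part="timestamp"/><references part="securitytoken"/></requiredIntegrity>
    <requiredConfidentiality><confidentialParts part="bodycontent"/><confidentialParts part="usernametoken"/></requiredConfidentiality>
   </securityRequestReceiverServiceConfig>
   <securityResponseSenderServiceConfig actor="myActorURI">
    <integrity><references part="body"/><references part="timestamp"/></integrity>
    <confidentiality><confidentialParts part="bodycontent"/></confidentiality>
   </securityResponseSenderServiceConfig>
  </serverServiceConfig>
 </pcBinding></wsDescExt>
</wsext:WsExtension>"""

SERVER_BND = """<wsbnd:WSBinding xmlns:wsbnd="http://www.ibm.com/websphere/appserver/schemas/5.0.2/wsbnd.xmi">
 <wsdescBindings wsDescNameLink="MyServ"><pcBindings pcNameLink="Port1" scope="Session">
  <securityRequestReceiverBindingConfig>
   <signingInfos><certPathSettings><trustAnchorRef ref="SampleServerTrustAnchor"/><certStoreRef ref="SampleCollectionCertStore"/></certPathSettings></signingInfos>
   <encryptionInfos name="EncInfo1"><encryptionKey locatorRef="SampleReceiverEncryptionKeyLocator"/></encryptionInfos>
   <keyLocators name="SampleReceiverEncryptionKeyLocator" classname="com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator"/>
  </securityRequestReceiverBindingConfig>
  <securityResponseSenderBindingConfig>
   <signingInfo><signingKey name="serversignerkey" locatorRef="SampleServerSignerKey"/></signingInfo>
   <encryptionInfo name="EncInfo2"><encryptionKey locatorRef="SignerKeyLocator"/></encryptionInfo>
   <keyLocators name="SignerKeyLocator" classname="com.ibm.wsspi.wssecurity.config.CertInRequestKeyLocator"/>
  </securityResponseSenderBindingConfig>
 </pcBindings></wsdescBindings>
</wsbnd:WSBinding>"""

# Each tuple: label, sender document, sender config, sender container, receiver document,
# receiver config, receiver container. Request: client sends, server receives; response: the reverse.
PAIRS = [
    ("request integrity", "client", "securityRequestSenderServiceConfig", "integrity",
     "server", "securityRequestReceiverServiceConfig", "requiredIntegrity"),
    ("request confidentiality", "client", "securityRequestSenderServiceConfig", "confidentiality",
     "server", "securityRequestReceiverServiceConfig", "requiredConfidentiality"),
    ("response integrity", "server", "securityResponseSenderServiceConfig", "integrity",
     "client", "securityResponseReceiverServiceConfig", "requiredIntegrity"),
    ("response confidentiality", "server", "securityResponseSenderServiceConfig", "confidentiality",
     "client", "securityResponseReceiverServiceConfig", "requiredConfidentiality"),
]


def declared_parts(root, config_tag, container_tag):
    """Set of 'part' attribute values under <config_tag><container_tag>...; empty if absent."""
    cfg = root.find(f".//{config_tag}")
    cont = cfg.find(container_tag) if cfg is not None else None
    return set() if cont is None else {el.get("part") for el in cont}


def pairing_mismatches(client_ext_xml, server_ext_xml):
    """Return [(label, sender parts, receiver parts)] for every sender/receiver pair that disagrees."""
    docs = {"client": ET.fromstring(client_ext_xml), "server": ET.fromstring(server_ext_xml)}
    mismatches = []
    for label, sdoc, scfg, scont, rdoc, rcfg, rcont in PAIRS:
        sent = declared_parts(docs[sdoc], scfg, scont)
        required = declared_parts(docs[rdoc], rcfg, rcont)
        if sent != required:
            mismatches.append((label, sorted(sent), sorted(required)))
    return mismatches


def unresolved_refs(binding_xml):
    """Names referenced by locatorRef / trustAnchorRef / certStoreRef but not defined in this file."""
    root = ET.fromstring(binding_xml)
    defined = {el.get("name") for tag in ("keyLocators", "trustAnchors", "collectionCertStores")
               for el in root.iter(tag)}
    referenced = set()
    for el in root.iter():
        if el.get("locatorRef"):
            referenced.add(el.get("locatorRef"))
        if el.tag in ("trustAnchorRef", "certStoreRef") and el.get("ref"):
            referenced.add(el.get("ref"))
    return referenced - defined


if __name__ == "__main__":
    print("pairing mismatches:", pairing_mismatches(CLIENT_EXT, SERVER_EXT))
    print("must come from the default binding:", sorted(unresolved_refs(SERVER_BND)))
```

For the page's configuration the pairing check returns no mismatches, and the server binding reports SampleServerTrustAnchor, SampleCollectionCertStore and SampleServerSignerKey as names it does not define itself; that is the expected result for a binding that reuses the default binding, and any other name in that list points at a reference the deployment will fail to resolve.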
Related concepts
Trust anchors
Collection certificate store
Key locator
Trusted ID evaluator
Request sender
Request receiver
Response sender
Response receiver