Signing information configuration settings

 

Signing information configuration settings

Use this page to configure new signing parameters.

The specifications that are listed on this page for the signature method, digest method, and canonicalization method are located in the World Wide Web Consortium (W3C) document entitled, XML Signature Syntax and Specification: W3C Recommendation 12 Feb 2002. To view this administrative console page on the cell level for signing information, complete the following steps:

  1. Click Security > Web services .

  2. Under Default generator bindings or Default consumer bindings, click Signing information .

  3. Click New to create a signing parameter or click the name of an existing configuration to modify its settings.
To view this administrative console page on the server level for signing information, complete the following steps:

  1. Click Servers > Application Servers > server_name.

  2. Under Security, click Web services: Default bindings for Web services security .

  3. Under Default generator bindings or Default consumer bindings, click Signing information .

  4. Click New to create a signing parameter or click the name of an existing configuration to modify its settings.
To view this administrative console page on the application level for signing information, complete the following steps:

  1. Click Applications > Enterprise applications > application_name.

  2. Under Related items, click EJB modules or Web modules > URI_name.

  3. [Version 6 only]Under Additional properties, you can access the signing information for the following bindings:

    • For the Request generator (sender) binding, click Web services: Client
      security bindings       . Under Request generator (sender) binding, click Edit custom .

    • For Response consumer (receiver) binding, click Web services: Client
      security bindings       . Under Response consumer (receiver) binding, click Edit custom .

    • For the Request consumer (receiver) binding, click Web services: Server
      security bindings       . Under Request consumer (receiver) binding, click Edit custom .

    • For the Response generator (sender) binding, click Web services: Server
      security bindings       . Under Response generator (sender) binding, click Edit custom .

  4. [Version 6 only]Under Required properties, click Signing information .

  5. [Version 5 only]Under Additional properties, you can access the signing information for the following bindings:

    • For the Request receiver binding, click Web services: Server security bindings . Under Request receiver binding, click Edit.

    • For the Response receiver binding, click Web services: Client security bindings . Under Response receiver binding, click Edit.

  6. [Version 5 only]Under Additional properties, click Signing information .

  7. Click New to create a signing parameter or click the name of an existing configuration to modify its settings.

Signing information name

The name that is assigned to the signing configuration.

Signature method

The algorithm Uniform Resource Identifiers (URI) of the signature method. The following pre-configured algorithms are supported:

For Version 6.x applications, you can specify additional signature methods on the Algorithm URI panel. To access the Algorithm URI panel, complete the following steps:

  1. Click Security > Web services .

  2. Under Additional properties, click Algorithm mappings > algorithm_factory_engine_class_name > Algorithm URI > New .

When you specify the Algorithm URI, you also must specify an algorithm type. To have the algorithm display as a selection in the Signature method field on the Signing information panel, select Signature as the algorithm type.

This field is available for Version 6.x applications and for the request receiver and response receiver bindings for Version 5.x applications.

Digest method

The algorithm URI of the digest method.

The http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/Overview.html#sha1 algorithm is supported.

This field is available for the request receiver and response receiver bindings for Version 5.x applications.

Canonicalization method

The algorithm URI of the canonicalization method. The following pre-configured algorithms are supported:

This field is for Version 6.x applications and for the request receiver and response receiver bindings for Version 5.x applications.

Key information signature type

Specifies how to sign a KeyInfo element if dsigkey or enckey is specified for the signing part in the deployment descriptor. WebSphere Application Server supports the following keywords:

keyinfo (default)

That the entire KeyInfo element is signed.

keyinfochildelements

That the child elements of the KeyInfo element is signed.
If you do not specify a keyword, WebSphere Application Server uses the keyinfo value, by default.

The Key information signature type field is available for the token consumer binding.

[Version 6 only]For Version 6.x applications, the field is also available for the default consumer, request consumer, and response consumer bindings.

Signing key information

Specifies a reference to the key information that WebSphere Application Server uses to generate the digital signature.

You can specify one signing key only for the default generator, request generator, and response generator bindings on the cell level and the server level. However, you can specify multiple signing keys for the default consumer, request consumer, and response consumer bindings. The signing keys for the default consumer, request consumer, and response consumer bindings are specified using the Key Information references link under Additional properties on the Signing information panel.

You can specify one signing key only for the default generator binding on the server level. However, you can specify multiple signing keys for the default consumer bindings. The signing keys for the default consumer bindings are specified using the Key Information references link under Additional properties on the Signing information panel.

On the application level, you can specify only one signing key for the request generator and the response generator. You can specify multiple signing keys for the request consumer and response generator. The signing keys for the request consumer and the response consumer are specified using the Key information references link under Additional properties. You can specify a signing key configuration for the following bindings on the following levels:

Binding name Cell level, server level, or application level Path
Default generator binding Cell level

  1. Click Security > Web services .

  2. Under Default generator binding, click Key information .
Default consumer binding Cell level

  1. Click Security > Web services .

  2. Under Default consumer binding, click Key information .
Default generator binding Server level

  1. Click Servers > Application Servers > server_name.

  2. Under Security, click Web services: Default bindings for Web services
    security     .

  3. Under Default generator binding, click Key information .
Default consumer binding Server level

  1. Click Servers > Application Servers > server_name.

  2. Under Security, click Web services: Default bindings for Web services
    security     .

  3. Under Default consumer binding, click Key information .

Certificate path

The settings for the certificate path validation. When you select Trust any , this validation is skipped and all incoming certificates are trusted.

The certificate path options are available on the application level.

Trust anchor

WebSphere Application Server searches for trust anchor configurations on the application and server levels and lists the configurations in this menu.

In a Network Deployment environment, WebSphere Application Server also searches the cell level for trust anchor configurations.

[Version 5 only]You can specify trust anchors as an additional property for the response receiver binding and the request receiver binding. You can specify a trust anchor configuration for the following bindings on the following levels:

Binding name Cell level, server level, or application level Path
Default generator binding Cell level

  1. Click Security > Web services .

  2. Under Additional properties, click Trust anchors .
Default consumer binding Cell level

  1. Click Security > Web services .

  2. Under Additional properties, click Trust anchors .
Default generator binding Server level

  1. Click Servers > Application servers > server_name.

  2. Under Security, click Web services: Default bindings for Web services security .

  3. Under Additional properties, click Trust anchors > New .
Default consumer binding Server level

  1. Click Servers > Application servers > server_name.

  2. Under Security, click Web services: Default bindings for Web services security .

  3. Under Additional properties, click Trust anchors > New .
Response receiver Application level for Version 5.x applications

  1. Click Applications > Enterprise applications > application_name.

  2. Under Related items, click Web modules or EJB modules > URI_name.

  3. Click Web services: Client security bindings .

  4. Under the Response receiver binding, click Edit .

  5. Under Additional properties, click Trust anchors > New .
Request receiver Application level for Version 5.x applications

  1. Click Applications > Enterprise applications > application_name.

  2. Under Related items, click Web modules or EJB modules > URI_name.

  3. Click Web services: Server security bindings .

  4. Under the Request receiver binding, click Edit .

  5. Under Additional properties, click Trust anchors > New .

For an explanation of the fields on the trust anchor panel, see Trust anchor configuration settings.

Certificate store

WebSphere Application Server searches for certificate store configurations on the application and server levels and lists the configurations in this menu.

In a Network Deployment environment, WebSphere Application Server also searches the cell level for certificate store configurations. You can specify a certificate store configuration for the following bindings on the following levels:

Binding name Cell level, server level, or application level Path
Default generator binding Cell level

  1. Click Security > Web services .

  2. Under Additional properties, click Collection certificate store > New .
Default consumer binding Cell level

  1. Click Security > Web services .

  2. Under Additional properties, click Collection certificate store > New .
Default generator binding Server level

  1. Click Servers > Application servers > server_name.

  2. Under Security, click Web services: Default bindings for Web services security .

  3. Under Additional properties, click Collection certificate store > New .
Default consumer binding Server level

  1. Click Servers > Application servers > server_name.

  2. Under Security, click Web services: Default bindings for Web services security .

  3. Under Additional properties, click Collection certificate store > New .
Response receiver Application level for Version 5.x applications

  1. Click Applications > Enterprise applications > application_name.

  2. Under Related items, click Web modules or EJB modules > URI_name.

  3. Click Web services: Client security bindings .

  4. Under the Response receiver binding, click Edit .

  5. Under Additional properties, click Collection certificate store > New .
Request receiver Application level for Version 5.x applications

  1. Click Applications > Enterprise applications > application_name.

  2. Under Related items, click Web modules or EJB modules > URI_name.

  3. Click Web services: Server security bindings .

  4. Under the Request receiver binding, click Edit .

  5. Under Additional properties, click Collection certificate store > New .

For an explanation of the fields on the collection certificate store panel, see Collection certificate store configuration settings.



Related reference
Signing information collection
Trust anchor configuration settings
Collection certificate store configuration settings


Searchable topic ID: uwbs_signinfon