Verification Header Handler
The Verification Header Handler (VHH) validates a digital signature header in a SOAP envelope. You can customize its configuration by using a configuration file where you specify:
- A verification policy
- The certificate path
- Logging files to record verified messages
There are two signature configuration files:
- /QIBM/UserData/WebAS5/Base/instance_name/installedApps/ear_file_name/soapsec.war/conf/sv-ver-config.xml
- /QIBM/UserData/WebAS5/Base/instance_name/installedApps/ear_file_name/soapsec.war/conf/cl-ver-config.xml
where instance_name is the name of the root directory for your instance of WAS.
Here is an explanation of each configuration element in the Verification Header:
- AllowedAlgorithms
All the algorithms supported by this Verification Header Handler must be listed in this element. Algorithms other than these cannot be used in SOAP-SEC:Signature header. The current implementation supports all required algorithms in the XML Signature specification, except for SHA1-MAC.- RequiredAuthenticatedParts
This section specifies what parts of SOAP message need to be authenticated through the SOAP-SEC:Signature header. Currently two values are supported for the part attribute:
- When part="root", the whole envelope must be signed through the enveloped-signature transform.
- When part="body", the SOAP-ENV:Body element in the SOAP envelope must be referenced by one of the reference elements in the signature.
In the future, part="" allows an attachment to be specified. If the specified parts are not authenticated through the signature header entry, verification fails.
- DefaultVerificationKeys
When KeyInfo is missing in the signature, the content of this element is used as a part of the signature. When communicating parties know the identity of each other, the default KeyInfo can be used to reduce the communication data volume.- Log
Specifies the logging behavior. These versions of logging exist:
- When target="all", all verification attempts are logged.
- When target="success", only successful verification are logged.
- When target="fail", only unsuccessful verification are logged.
Note: You can specify multiple LogFile elements.
This example illustrates how to specify logging:
<Log> <SOAPDSigLogger class=<com.ibm.xml.soap.security.dsig.SOAPDSigLoggerImpl"> <LogFile target="all" path="SOAPVHH-all.log" append="yes"/> </SOAPDSigLogger> <SOAPDSigLogger class="com.ibm.xml.soap.security.dsig.SOAPDSigLoggerImpl"> <LogFile target="fail" path="SOAPVHH-fail.log" append="yes"/> </SOAPDSigLogger> </Log>- PKIXParameters
Currently, the Verification Header Handler supports X.509/PKIX certificates only (no HMAC, no PGP, and so forth). The policies for PKIX certificate verification are specified in this element. This is a straightforward mapping of the Java(TM) CertPath API. Not all of the entries are meaningful in this initial release. The current implementation only allows the use of keystore as the means of specifying trusted root.