Securing Web services using XML digital signature

WAS provides several different methods to secure your Web services; Extensible Markup Language (XML) digital signature is one of these methods. You might secure your Web services using any of the following methods...

• XML digital signature

• XML encryption

• Basicauth authentication

• Identity assertion authentication

• Signature authentication

• Pluggable token

XML digital signature provides both message integrity and authentication capabilities when it is used with SOAP messages. A message receiver can verify that attackers or accidents have not altered parts of the message after the message was signed by a key. If a message has a digital certificate issued by a certificate authority (CA) and a signature in the message is validated successfully by a public key in the certificate, it is proof that the signer has the corresponding private key. To use XML digital signature to secure Web services, complete the following steps...

1. Define the security constraints or extensions.To configure the security constraints, use the Application Server Toolkit, which is available at the following Web site...

   http://www.ibm.com/support/docview.wss?rs=180&context=SSEQTP
   &q=ASTK&uid=swg24005125&loc=en_US&cs=utf-8&lang=en+en
   
   

   1. Configure the client to digitally sign a message request. To configure the client, complete the following steps to specify which parts of the SOAP message to digitally sign and define the method used to digitally sign the message. The client in these steps is the request sender.

      1. Specify the message parts by following the steps found in Configuring the client for request signing: digitally signing message parts.

      2. Select the method used to digitally sign the request message. You can select the digital signature method by following the steps in Configuring the client for request signing: choosing the digital signature method.

   2. Configure the server to verify the digital signature that is used in the message request.To configure the server, specify which parts of the SOAP message, sent by the request sender, contain digitally signed information and which method was used to digitally sign the message. The settings chosen for the request receiver, or the server in this step, must match the settings chosen for the request sender in the previous step.

      1. Define the message parts by following the steps found in Configuring the server for request digital signature verification... verifying message parts.

      2. Select the same method used by the request sender to digitally sign the message. You can select the digital signature method by following the steps in Configuring the server for request digital signature verification: choosing the verification method

   3. Configure the server to digitally sign a message response. To configure the server, complete the following steps to specify which parts of the SOAP message to digitally sign and define the method used to digitally sign the message. The sender in these steps is the response sender.

      1. Specify which message parts to digitally sign by following the steps found in Configuring the server for response signing: digitally signing message parts.

      2. Select the method used to digitally sign the response message. You can select the digital signature method by following the steps in Configuring the server for response signing: choosing the digital signature method

   4. Configure the client to verify the digital signature that is used in the message response.To configure the client, specify which parts of the SOAP message sent by the response sender contain digitally signed information and which method was used to digitally sign the message. The settings chosen for the response receiver, or client in this step, must match the settings chosen for the response sender in the previous step.

      1. Define the message parts by following the steps found in Configuring the client for response digital signature verification... verifying message parts

      2. Select the same method used by the response sender to digitally sign the message. You can select the digital signature method by following the steps in Configuring the client for response digital signature verification: choosing the verification method

2. Define the client security bindings.To configure the client security bindings, complete the steps in either of the following topics...

   • Configuring the client security bindings using the Application Server Toolkit

   • Configuring the client security bindings using the administrative console

3. Define the server security bindings.To configure the server security bindings, complete the steps in either of the following topics...

   • Configuring the server security bindings using the Application Server Toolkit

   • Configuring the server security bindings using the administrative console

After completing these steps, you have secured your Web services using XML digital signature.

 

See Also

Transport level security
HTTP basic authentication
Trust anchors
Collection certificate store
Key locator
Keys
Trusted ID evaluator
Login mappings
Securing Web services based on WS-Security
Default configuration for WAS
Web services security service provider programming interfaces
WAS V5.0.2 Application Server Toolkit

 

---