Configuring signing information for the generator binding with an assembly tool

We can configure the signing information for the server-side and client-side generator bindings by using an assembly tool. The request generator is configured for the client and the response generator is configured for the server.

 

Before you begin

Prior to completing this task, complete the following steps:

1. Import your application into an assembly tool.

   For information on how to import your application, see Import enterprise applications.

2. Specify which message parts to digitally sign. For more information, see Signing message elements in generator security constraints with keywords or Signing message elements in generator security constraints with an XPath expression .
3. Configure the key information that is referenced by the Key information element within the Signing information dialog window. For more information, see Configuring key information for the generator binding with an assembly tool .

 

About this task

Complete the following steps. You must configure either the client-side bindings in step 2 or the server-side bindings in step 3.

 

Procedure

1. Start the assembly tool.
2. Switch to the J2EE perspective. Click Window > Open Perspective > J2EE.
3. Optional: Locate the client-side bindings using the Project Explorer window. The Client Deployment Descriptor window is displayed. This Web service contains the bindings that configure.
   1. Expand the Web Services > Client section and double-click the name of the Web service.
   2. Click the WS Binding tab and expand the Security Request Generator Binding Configuration section.
4. Optional: Locate the server-side bindings using the Project Explorer window. The Web Services Editor window is displayed. This Web service contains the bindings that configure.
   1. Expand the Web Services > Services section and double-click the name of the Web service.
   2. Click the Binding Configurations tab and expand the Response Generator Binding Configuration Details section.
5. Expand the Signing Information section and click Add to add a new entry or select an existing entry and click Edit. The Signing Information dialog window is displayed.

   1. Specify a name for the signing information configuration in the Signing information name field. For example, you might specify gen_signinfo.
   2. Select a canonicalization method from the Canonicalization method algorithm field. The canonicalization method algorithm is used to canonicalize the signing information before it is digested as part of the signature operation. The following pre-configured algorithms are supported:
      • http://www.w3.org/2001/10/xml-exc-c14n#
      • http://www.w3.org/2001/10/xml-exc-c14n#WithComments
      • http://www.w3.org/TR/2001/REC-xml-c14n-20010315
      • http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

      You must specify the same canonicalization algorithm for both the generator and the consumer. For more information on configuring the signing information for the consumer, see Configuring signing information for the consumer binding with an assembly tool .

   3. Optional: Select Show only FIPS Compliant Algorithms if you want only the FIPS compliant algorithms to show in the encryption method algorithm drop-down lists. Use this option if you expect this application to run on a WAS that has set the Use the Federal Information Processing Standard (FIPS) option in the Global security panel of the administrative console for WebSphere Application Server.
   4. Select a signature method algorithm from the Signature method algorithm field. The following pre-configured algorithms are supported:
      • http://www.w3.org/2000/09/xmldsig#rsa-sha1
      • http://www.w3.org/2000/09/xmldsig#hmac-sha1
      • http://www.w3.org/2000/09/xmldsig#dsa-sha1

      You must specify the same canonicalization algorithm for both the generator and the consumer. For more information on configuring the signing information for the consumer, see Configuring signing information for the consumer binding with an assembly tool .

6. Click Add in the Signing Key Information section to add a new key information entry or click Remove to delete a selected entry. Complete the following substeps if you are adding a new key information entry.

   1. Specify a name in the Key information name field. For example, you might specify gen_skeyinfo.
   2. Select a key information reference from the list under the Key information element field. The value in this field references the key information configuration that you specified previously. If you have a key information configuration called gen_signkeyinfo that you want to use with this signing information configuration, specify gen_signkeyinfo in the Key information element field. For more information, see Configuring key information for the generator binding with an assembly tool .
   3. Optional: Select the Use key information signature option if you want to sign the key information within the SOAP message.
   4. Optional: Select a key information signature type from the Type field if you select the Use key information signature option. Select the keyinfo value to specify that the entire KeyInfo element must be signed within the SOAP message. Select the keyinfochildelements value to specify that the child elements within the KeyInfo element must be signed, but the KeyInfo element itself does not need to be signed.
7. Optional: Determine whether to disable the Inclusive namespace prefix list. The Exclusive XML Canonicalization Version 1.0 specification recommends that you include all of the namespace declarations that correspond to the namespace prefix in the canonicalization form. For security reasons, WebSphere Application Server, by default, includes the prefix in the digital signature for Web services security. However, some implementations of Web services security cannot handle this prefix list. WebSphere Application Server can handle digitally signed messages that either contain or do not contain the prefix list. If you experience a signature validation failure when a signed SOAP message is sent and you are using another vendor in your environment, it is highly recommended that you check with their Web site for a possible fix to their implementation before you disable this property. To disable this property, complete the following steps:
   1. Under Properties, click Add.
   2. In the Name field, enter the com.ibm.wsspi.wssecurity.dsig.inclusiveNamespaces property.
   3. In the Value field, enter the false value.
   4. Click OK.
8. Click OK to save your signing information configuration.
9. Expand the Part References subsection and select the signing information configuration from the Signing Information section.
10. Click Add in the Part References subsection to add a new entry or select an existing entry and click Edit. The Part References dialog window is displayed.

    1. Specify a name for the part reference configuration in the Part reference name field.
    2. Select a integrity part configuration in the Integrity part field. For more information on how to configure the integrity part, see Signing message elements in generator security constraints with keywords or Signing message elements in generator security constraints with an XPath expression .
    3. Optional: Select Show only FIPS Compliant Algorithms if you want only the FIPS compliant algorithms to show in the encryption method algorithm drop-down lists. Use this option if you expect this application to run on a WAS that has set the Use the Federal Information Processing Standard (FIPS) option in the Global security panel of the administrative console for WebSphere Application Server.
    4. Select the http://www.w3.org/2000/09/xmldsig#sha1 digest method algorithm in the Digest method algorithm field. This digest method algorithm is used to create the digest for each message part that is specified by this part reference.
    5. Expand the Transforms subsection and the part reference configuration from the Part reference subsection.
    6. Click Add in the Transforms subsection to add a new entry or select an existing entry and click Edit. The Transform dialog window is displayed.
    7. Specify a transform name in the Name field. For example, you might specify reqint_body_transform1.
    8. Select a transform algorithm from the Algorithm field. The following transform algorithms are supported:

       http://www.w3.org/2001/10/xml-exc-c14n#

       This algorithm specifies the World Wide Web Consortium (W3C) Exclusive Canonicalization recommendation.

       http://www.w3.org/TR/1999/REC-xpath-19991116

       This algorithm specifies the W3C XML path language recommendation. If you specify this algorithm, specify the property name and value by clicking Properties, which is displayed under Additional properties. For example, you might specify the following information:

       Property

       com.ibm.wsspi.wssecurity.dsig.XPathExpression

       Value

       not(ancestor-or-self::*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#' and local-name()='Signature'])

       http://www.w3.org/2002/06/xmldsig-filter2

       This algorithm specifies the XML-Signature XPath Filter Version 2.0 proposed recommendation.

       When you use this algorithm, specify a set of properties in the Transform property fields. We can use multiple property sets for the XPath Filter Version 2. Thus, it is recommended that your property names end with the number of the property set, which is denoted by an asterisk in the following examples:

       • To specify an XPath expression for the XPath filter2, you might use:

         name com.ibm.wsspi.wssecurity.dsig.XPath2Expression_*

       • To specify a filter type for each XPath, you might use:

         name com.ibm.wsspi.wssecurity.dsig.XPath2Filter_*

         Following this expression, we can have a value, [intersect], [subtract], or [union].
       • To specify the processing order for each XPath, you might use:

         name com.ibm.wsspi.wssecurity.dsig.XPath2Order_*

         Following this expression, indicate the processing order of the XPath.

       The following is a list of complete examples:

       com.ibm.wsspi.wssecurity.dsign.XPath2Filter_1 = [intersect]
       com.ibm.wsspi.wssecurity.dsign.XPath2Order_1 = [1]
       com.ibm.wsspi.wssecurity.dsign.XPath2Expression_2 = [XPath expression#2]
       com.ibm.wsspi.wssecurity.dsign.XPath2Filter_2 = [subtract]
       com.ibm.wsspi.wssecurity.dsign.XPath2Filter_2 = [1]

       http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform

       http://www.w3.org/2002/07/decrypt#XML

       This algorithm specifies the W3C decryption transform for XML Signature recommendation.

       http://www.w3.org/2000/09/xmldsig#enveloped-signature

       This algorithm specifies the W3C recommendation for XML digital signatures.

       The transform algorithm that you select for the generator must match the transform algorithm for the consumer.

11. Click OK.

 

What to do next

After you complete this task for the generator binding, configure the signing information for consumer binding.

Related tasks
Signing message elements in generator security constraints with keywords Signing message elements in generator security constraints with an XPath expression Configuring key information for the generator binding with an assembly tool Configuring signing information for the consumer binding with an assembly tool Configuring Web services security while assembling Web services applications

 

---