+

Search Tips   |   Advanced Search

 

Configure the client for signature authentication: collecting the authentication information

 

Signature authentication refers to an X.509 certificate that is sent by the client to the server. The certificate is used to authenticate to the user registry that is configured at the server. The client collects the authentication information for signature authentication.

 

Overview

There is an important distinction between V5.x and V6.0.x and later applications. The information in this article supports V5.x applications only that are used with WAS V6.0.x and later. The information does not apply to V6.0.x and later applications.

You can configure signature authentication. A signature refers to the use of an X.509 certificate to login on the target server.

Complete the following steps to specify how the client collects the authentication information for signature authentication:

 

Procedure

  1. Launch an assembly tool. For more information on the assembly tools, see Assembly tools.

  2. Switch to the J2EE perspective. Click Window > Open Perspective > J2EE.

  3. Click Application Client Projects > application > appClientModule > META-INF.

  4. Right-click the application-client.xml file, select Open with > Deployment descriptor editor.

  5. Click the WS Binding tab, which is located at the bottom of the deployment descriptor editor within the assembly tool.

  6. Expand the Security request sender binding configuration > Signing information and click Edit to modify the signing key name and signing key locator. To create new signing information, click Enable. The certificate that is sent to log in at the server is the one configured in the Signing Information section. Review the key locator information to understand how the signing key name maps to a key within the key locator entry. The following list describes the purpose of this information. Some of these definitions are based on the XML-Signature specification, which is located at the following Web address: http://www.w3.org/TR/xmldsig-core

    Canonicalization method algorithm

    Canonicalizes the SignedInfo element before it is digested as part of the signature operation.

    Digest mehod algorithm

    Represents the algorithm that is applied to the data after transforms are applied, if specified, to yield the DigestValue element. The signing of the DigestValue element binds the resource content to the signer key. The algorithm selected for the client request sender configuration must match the algorithm selected in the server request receiver configuration.

    Signature method algorithm

    Represents the algorithm that is used to convert the canonicalized <SignedInfo> value into the <SignatureValue> value. The algorithm selected for the client request sender configuration must match the algorithm selected in the server request receiver configuration.

    Signing key name

    Represents the key entry that is associated with the signing key locator. The key entry refers to an alias of the key, which is used to sign the request.

    Signing key locator

    Represents a reference to a key locator implementation.

  7. Expand the Security request sender binding configuration > Login binding section.

  8. Click Edit to view the login binding information. Select or enter the following information:

    Authentication method

    Timeype of authentication that occurs. Select Signature to use signature authentication.

    Token value type URI and Token value type URI local name

    When you select Signature, you cannot edit token value type Uniform Resource Identifier (URI) and local name values. Specifies custom authentication types. For signature authentication, leave these fields blank.

    Callback handler

    Specifies the Java Authentication and Authorization Server (JAAS) callback handler implementation for collecting signature information. Enter the following callback handler for signature authentication: com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler

    This callback handler is used because the signature method does not require user interaction.

    Basic authentication user ID and Basic authentication password

    Leave the BasicAuth fields blank when signature authentication is used.

    Property name and property value

    This field enables you to enter properties and name and value pairs for use by custom callback handlers. For signature authentication, do not enter any information.

 

What to do next

Other customization entries: There is a basic authentication entry in the Port Qualified Name Binding Details section. This entry is used for HTTP transport authentication, which might be required if the router servlet is protected.

Information specified in the Web services security signature authentication section overrides the basic authentication information specified in the Port Qualified Name Binding Details section for authorizing the Web service.

To use the signature authentication method, specify the authentication method in the Login configuration section of an assembly tool.

 

Related concepts


Key locator
Signature authentication method

 

Related tasks


Configure the client for signature authentication: specifying the method
Configure the client security bindings using an assembly tool
Securing Web services for version 5.x applications using signature authentication

 

Related information


XML-Signature Syntax and Processing W3C Recommendation 12 February 2002