+

Search Tips   |   Advanced Search

 

Use of digital signatures with the UDDI registry

 

In UDDI V3, publishers can digitally sign UDDI elements while they are publishing. The UDDI V3 schema supports the signing of businessEntity, businessServices, bindingTemplate, tModel, and publisherAssertion elements.

You can validate UDDI elements that are digitally signed to prove that they have not been modified or tampered with, and that their integrity is intact.

For full details about signing UDDI entities and verifying signatures, see Appendix I: Support for XML Digital Signatures in the UDDI V3.0.2. specification.

The UDDI registry does not validate signatures at the time that signed elements are published. When the signed elements are retrieved, it is the responsibility of the retrieving client to validate the signature and to provide a mechanism to ensure that the signer certificate is signed by a Certificate Authority (CA) that the client approves and trusts. If a signature is decrypted successfully by using the signer public key, it indicates that only the owner of the corresponding private key could have signed and published this element.

Generating a signature

The attributes of an element are included in the generation of an element signature. Therefore, all entity keys must be available when the signature is generated. Publishers can generate publisher-assigned keys for all the keys of an element before signing. Alternatively, publishers can publish the element without keys; this approach causes the registry node to generate the required entity keys and then retrieve, sign, and republish the signed element.

Validating a signature

The signature element to validate is in the top-level element that a call to the getXXDetails method returns. The client is responsible for the validation. The client must have previously imported the X509.3 certificate of the publisher, and validated that certificate based on the CA it trusts. In this way, the client has access to the public validation key of the publisher that corresponds to the private signing key that the publisher used to sign the entity before publishing it.

You can use the UDDI V3 Client to construct Java API for XML-based RPC (JAX-RPC) objects and to invoke the UDDI V3 WebService. As part of this client, you can use a helper class, com.ibm.uddi.v3.client.apilayer.xmldig.SignatureUtilities, to create and validate digital signatures on the UDDI V3 entities that support them. See the API documentation page for details of APIs in this class and the SignatureUtilitiesException exception.

For an example of how to use this class, see UDDIv3ClientSignedBusinessSample.java. inSamples for WAS .

For UDDI, digital signatures are used to sign the data. They are not used to authenticate the SOAP message.


 

Related tasks


UDDI registry client programming