
Set the signing information using JAX-RPC for the consumer binding on the server or cell level


Configure the signing information for the client-side request generator and server-side response generator bindings at the server or cell level.

For transitioning users: For WAS version 6.x or earlier only, in the server-side extensions file (ibm-webservices-ext.xmi) and the client-side deployment descriptor extensions file (ibm-webservicesclient-ext.xmi), specify which parts of the message are signed. Also, we need to configure the key information that is referenced by the key information references on the signing information panel within the admin console.

This task explains the steps that are needed for you to configure the signing information for the client-side request generator and server-side response generator bindings at the server or cell level. WAS uses the signing information for the default generator to sign parts of the message including the body, time stamp, and user name token, if these bindings are not defined at the application level. The Application Server provides default values for bindings. However, an administrator must modify the defaults for a production environment.

We can configure the signing information for the consumer binding on the server level and the cell level. In the following steps, use the first step to access the server-level default bindings and use the second step to access the cell-level bindings.

 

  1. Access the default bindings for the server level.

    1. Click Servers > Server Types > WebSphere application servers > server_name.

    2. Under Security, click JAX-WS and JAX-RPC security runtime.

      In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for WS-Security.

  2. Click Security > Web services to access the default bindings on the cell level.

  3. Under Default consumer bindings, click Signing information.

  4. Click New to create a signing information configuration, click Delete to delete an existing configuration, or click the name of an existing signing information configuration to edit the settings.

    If creating a new configuration, enter a unique name for the signing configuration in the Signing information name field. For example, we might specify gen_signinfo.

  5. Select a signature method algorithm from the Signature method field.

    The algorithm specified for the default consumer must match the algorithm specified for the default generator. WAS supports the following pre-configured algorithms:

  6. Select a canonicalization method from the Canonicalization method field. The canonicalization algorithm specified for the generator must match the algorithm for the consumer. WAS supports the following pre-configured canonical XML and exclusive XML canonicalization algorithms:

    • http://www.w3.org/2001/10/xml-exc-c14n#

    • http://www.w3.org/2001/10/xml-exc-c14n#WithComments

    • http://www.w3.org/TR/2001/REC-xml-c14n-20010315

    • http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

  7. Select a key information signature type from the Key information signature type field. The key information signature type determines how to digitally sign the key. WAS supports the following signature types:

    • None: the KeyInfo element is not signed.

    • Keyinfo: the entire KeyInfo element is signed.

    • Keyinfochildelements: the child elements of the KeyInfo element are signed.

    The key information signature type for the consumer must match the signature type for the generator. We might encounter the following situations:

    • If we do not specify one of the previous signature types, WAS uses keyinfo, by default.

    • If we select Keyinfo or Keyinfochildelements and you select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform as the transform algorithm in a subsequent step, WAS also signs the referenced token.

  8. Click OK to save the configuration.

  9. Click the name of the new signing information configuration.

    This configuration is the one specified in the previous steps.

  10. Specify the key information reference, part reference, digest algorithm, and transform algorithm.

    1. Under Additional properties, click Key information references > New to create a new reference, click Key information references > Delete to delete an existing reference, or click a reference name to edit an existing key information reference.

    2. Enter a name for the configuration in the Name field.

      For example, enter con_skeyinfo.

    3. Select a key information reference from the Key information reference field. The key information reference points to the key that WAS uses for digital signing. In the binding files, the reference is specified within the <signingKeyInfo> element. The key used for signing is specified by the Key information element, which is defined at the same level as the signing information.

      See Set the key information for the consumer binding on the application level.

    4. Click OK and Save to save the configuration.

    5. Under Additional Properties, click Part references > New to create a new part reference, click Part references > Delete to delete an existing part reference, or click a part name to edit an existing part reference. The part reference specifies which parts of the message to digitally sign. The part attribute refers to the name of the <RequiredIntegrity> element in the deployment descriptor when <PartReference> is specified for the digital signature. WAS enables you to specify multiple <PartReference> elements for the <SigningInfo> element. The <PartReference> element has two child elements: <DigestMethod> and <Transform>.

    6. Specify a unique part name for this part reference. For example, we might specify reqint.

      Unlike on the application level, we do not need to specify a value for the Part Reference field here. On the application level the part reference points to a particular part of the message that is signed; because the default bindings for the server and cell levels apply to all of the services defined on a particular server, this value cannot be specified.

    7. Select a digest method algorithm in the Digest method algorithm field.

      The digest method algorithm is specified within the <DigestMethod> element, which is used in the <SigningInfo> element. WAS supports the following algorithms:

      • http://www.w3.org/2000/09/xmldsig#sha1

      • http://www.w3.org/2001/04/xmlenc#sha256

      • http://www.w3.org/2001/04/xmlenc#sha512

    8. Click OK and Save to save the configuration.

    9. Click the name of the new part reference configuration.

      This configuration is the one specified in the previous steps.

    10. Under Additional properties, click Transforms > New to create a new transform, click Transforms > Delete to delete a transform, or click a transform name to edit an existing transform. If we create a new transform configuration, specify a unique name. For example, we might specify reqint_body_transform1.

    11. Select a transform algorithm from the menu. The transform algorithm is specified within the <Transform> element. It specifies the transform algorithm for the signature. WAS supports the following algorithms:

      • http://www.w3.org/2001/10/xml-exc-c14n#

      • http://www.w3.org/TR/1999/REC-xpath-19991116 Restriction: Do not use this transform algorithm if we want the configured application to be compliant with the Basic Security Profile (BSP). Instead use http://www.w3.org/2002/06/xmldsig-filter2 to ensure compliance.

      • http://www.w3.org/2002/06/xmldsig-filter2

      • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform

      • http://www.w3.org/2002/07/decrypt#XML

      • http://www.w3.org/2000/09/xmldsig#enveloped-signature

      The transform algorithm that you select for the consumer must match the transform algorithm that you select for the generator.

      If both of the following conditions are true, WAS signs the referenced token:

      • You previously selected the Keyinfo or the Keyinfochildelements option from the Key information signature type field on the signing information panel.

      • You select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform as the transform algorithm.

  11. Click OK.

  12. Click Save at the top of the panel to save the configuration.
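The steps above repeatedly require the consumer's signature method, canonicalization, key information signature type, digest method and transforms to match the generator's, flag the REC-xpath-19991116 transform as non-BSP-compliant, and note that keyinfo is the default and that Keyinfo/Keyinfochildelements plus STR-Transform makes WAS sign the referenced token. The following is an added example, not WebSphere code or tooling: a small consistency check over constructed dicts that mirror the admin-console fields; the signature method URI is an assumed standard XMLDSig value, since this page does not list the signature method algorithms.

```python
"""Cross-check a WS-Security consumer signing configuration against the generator's.
Added example (not WebSphere code): the dicts mirror the admin-console fields on this page."""

STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")
XPATH_TRANSFORM = "http://www.w3.org/TR/1999/REC-xpath-19991116"
XPATH_FILTER2 = "http://www.w3.org/2002/06/xmldsig-filter2"

# Fields that the page says must match between generator and consumer.
MUST_MATCH = ("signature_method", "canonicalization", "key_info_signature_type",
              "digest_method", "transforms")

def normalize(info):
    """Apply the page's default: no key info signature type means keyinfo."""
    out = dict(info)
    out["key_info_signature_type"] = (out.get("key_info_signature_type") or "keyinfo").lower()
    out["transforms"] = tuple(out.get("transforms", ()))
    return out

def signs_referenced_token(info):
    """True when both page conditions hold, so WAS also signs the referenced token."""
    info = normalize(info)
    return (info["key_info_signature_type"] in ("keyinfo", "keyinfochildelements")
            and STR_TRANSFORM in info["transforms"])

def check_pair(generator, consumer):
    """Return findings as strings; an empty list means the pair is consistent."""
    gen, con = normalize(generator), normalize(consumer)
    findings = [f"mismatch:{f}: generator={gen.get(f)!r} consumer={con.get(f)!r}"
                for f in MUST_MATCH if gen.get(f) != con.get(f)]
    for side, info in (("generator", gen), ("consumer", con)):
        if XPATH_TRANSFORM in info["transforms"]:  # page: not BSP compliant
            findings.append(f"bsp:{side} uses REC-xpath-19991116; use {XPATH_FILTER2}")
    return findings

# Constructed sample bindings. Canonicalization, digest and transform URIs are the ones
# listed on this page; the signature method is an assumed standard XMLDSig URI.
GENERATOR = {
    "signature_method": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "canonicalization": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "key_info_signature_type": "Keyinfo",
    "digest_method": "http://www.w3.org/2001/04/xmlenc#sha256",
    "transforms": ["http://www.w3.org/2001/10/xml-exc-c14n#", STR_TRANSFORM],
}
CONSUMER_OK = dict(GENERATOR, key_info_signature_type=None)  # unset: defaults to keyinfo
CONSUMER_BAD = dict(GENERATOR, digest_method="http://www.w3.org/2000/09/xmldsig#sha1",
                    transforms=[XPATH_TRANSFORM])

if __name__ == "__main__":
    for name, con in (("ok", CONSUMER_OK), ("bad", CONSUMER_BAD)):
        print(name, check_pair(GENERATOR, con) or "consistent",
              "| signs referenced token:", signs_referenced_token(con))
```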

 

Results

After completing these steps, we have configured the signing information for the consumer on the server or cell level.

 

Next steps

Specify a similar signing information configuration for the generator.

 

Related concepts


Basic Security Profile compliance tips

 

Related tasks


Set the signing information using JAX-RPC for the generator binding on the server or cell level
Set consumer signing using JAX-RPC to protect message integrity