You can protect the integrity of your web service messages, so that
unauthorized alteration in transit is detected, by adding an XML digital
signature to your web service.
Before you begin
Prerequisite: Create or import a project containing
a web service.
About this task
Both the client and server can be protected using an XML
digital signature. For a signed message to be accepted in an exchange
between a client and server, the signature configuration (the signed
message parts, the signature method algorithm, and the key and certificate
trust settings) must be set on both sides so that the consumer matches
the generator. To add an XML digital signature to a web service:
Procedure
- Change to the Java™ EE
perspective.
- Click .
- Select Java EE
from the list and click OK.
- Expand the Web Services node in the
Project Explorer view.
- Expand the Services node.
- Right-click your service and select .
- In the Integrity Message Parts section, one Message
Part is added by default. You can modify the existing default by changing
its Dialect or Keyword, and you can add more Message Parts; a menu lists the
available message parts settings. The default setting is recommended. For
more information about message parts settings, see the message parts
settings reference.
- To accept the rest of the defaults and continue to the
Token Consumer page, click Next.
Note: The
other available menu allows you to select your preferred signature
method algorithm. The signature method is the algorithm that computes
the <SignatureValue> element from the canonicalized <SignedInfo> element;
the choice is recorded in the binding file. The algorithm that is specified
for the consumer, which is either the request consumer or the response
consumer configuration, must match the algorithm specified for the
generator, which is either the request generator or response generator
configuration, or signed messages are rejected.
WebSphere® Application
Server supports the following pre-configured algorithms:
- http://www.w3.org/2000/09/xmldsig#rsa-sha1
- http://www.w3.org/2000/09/xmldsig#hmac-sha1
- http://www.w3.org/2000/09/xmldsig#dsa-sha1
Note that hmac-sha1 is a keyed hash rather than a public-key signature:
both sides must hold the same secret key, and the signature does not
identify the sender by certificate. All three algorithms are built on
SHA-1, which current guidance deprecates for signatures; prefer a SHA-256
based signature method where your WebSphere level and the peer support it.
- Choose the type of the Token Consumer used from the drop-down
list.
- Select Only trust Certificates with the following
reference. If the Trust any certificate option
is selected, the server accepts a request signed with any XML digital
signature certificate, including a self-signed one that an attacker can
generate, so the signature proves that the message was not altered but not
who sent it. Without the additional protection of this certificate
reference, your server's security is still at risk.
- Fill out the required information within the Certificate
Information group.
- In the Key store path field,
browse to the key store that holds the digital signature key.
- In the Key store storepass field,
enter the password of that key store.
- To restrict the consumer to a specific X.509 certificate, select the Use
a certificate check box. If this check box is not selected,
a client request signed with any X.509 certificate is accepted.
- Accept the rest of the defaults and select OK to
continue to the Server Side Response Generator Digital Signature window.
- In the Integrity Message Parts section, there is one Message
Part added by default. You can modify the existing default by modifying
the Dialect or Key word. You may also add more Message Parts.
- To accept the rest of the defaults and continue to the
Token Generator page, click Next .
- Choose the type of the Token Generator from the drop-down
list.
- Fill out the required information within the Key Store
Information section.
- In the Key store Path field,
type or browse to the path of the key store in which the digital signature
key is located.
- In the Key Store Password field,
type the password of that key store.
The Use a key check box adds key-level settings to your XML digital
signature. With this option selected, you choose the alias of the private
key within the key store that produces the signature, and the password that
protects that key, so the signature cannot be produced by anyone who only
holds the key store password. To specify a specific
X.509 certificate, select the Use a certificate check
box.
- Click Finish. An
XML digital signature now secures your server.
- In order for the client to access the server, you must
create a corresponding XML digital signature configuration for the client
using one of the following methods:
- To create a corresponding digital signature using the XML
digital signature wizard:
- Right-click on the client and select
- Follow steps 5 - 14 above, using the same key store and certificate
information that was used to secure the server, so that the client signs
with a key the server trusts and trusts the server's signing certificate.
- If you have finished setting up all types of security for
your server you can create a corresponding digital signature for the
client using the Based on a Secured Web Service wizard:
- Right-click on the client and select .
- Verify that the corresponding server is selected from the drop-down
menu, click Next.
- Fill out the required information within the Client Side Request
Generator:
- In the Key store Path field, type or browse
to the path of the key store in which the digital signature key is located.
- In the Key Store Password field, type the
password of that key store.
- Click Next.
- Fill out the required information within the Client Side Response
Consumer:
- Select Only trust Certificates with the following reference.
If the Trust any certificate option is selected,
the client accepts a response signed with any XML digital signature
certificate, so a forged response from anyone holding their own signing
key would pass verification.
- Click Finish.
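The following program is an added example, not code from this page or from WebSphere, and it uses the JDK's standard XML Digital Signature API (javax.xml.crypto.dsig) instead of the binding files the wizard generates. It shows what the generator and consumer steps above configure: the generator signs the SOAP Body (a Reference to the Body's wsu:Id, an exclusive-C14N SignedInfo, and the resulting SignatureValue placed in the wsse:Security header), and the consumer verifies the message under two key selectors, one that behaves like Trust any certificate (it verifies with whatever key the message itself carries) and one that behaves like Only trust Certificates with the following reference (it verifies only with a pinned key). A message signed with an attacker's freshly generated key verifies under the first selector and fails under the second, and a tampered Body fails under both. The envelope, the urn:example:bank payload, the key pairs and the class name are constructed for the example; rsa-sha256 stands in for the page's rsa-sha1 because recent JDKs reject SHA-1 XML signatures when secure validation is on, which is the default.

```java
import java.io.*;
import java.security.*;
import java.util.*;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

public class SoapBodySignatureDemo {
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    // The page's default is xmldsig#rsa-sha1; recent JDKs reject SHA-1 XML signatures, so rsa-sha256 is used here.
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    // Constructed sample request: empty wsse:Security header, Body addressable through its wsu:Id.
    static final String ENVELOPE = "<soapenv:Envelope xmlns:soapenv=\"" + SOAP_NS + "\" xmlns:wsse=\"" + WSSE_NS
        + "\" xmlns:wsu=\"" + WSU_NS + "\"><soapenv:Header><wsse:Security/></soapenv:Header><soapenv:Body wsu:Id=\"body\">"
        + "<transfer xmlns=\"urn:example:bank\"><to>acct-42</to><amount>10</amount></transfer></soapenv:Body></soapenv:Envelope>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, no XXE
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }
    static Element body(Document doc) { return (Element) doc.getElementsByTagNameNS(SOAP_NS, "Body").item(0); }
    static String serialize(Document doc) throws Exception {
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    /** Generator side: sign the Body and put ds:Signature, carrying the signer's public key, into wsse:Security. */
    static String sign(String envelope, KeyPair signer) throws Exception {
        Document doc = parse(envelope);
        Element security = (Element) doc.getElementsByTagNameNS(WSSE_NS, "Security").item(0);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#body", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)), null, null);
        // SignedInfo (c14n method, signature method, references) is what the signature method actually signs
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(signer.getPublic())));
        DOMSignContext ctx = new DOMSignContext(signer.getPrivate(), security);
        ctx.setIdAttributeNS(body(doc), WSU_NS, "Id"); // lets URI="#body" dereference to the Body element
        fac.newXMLSignature(si, ki).sign(ctx); // digests the Body, canonicalizes SignedInfo, computes SignatureValue
        return serialize(doc);
    }

    /** Consumer side: true only if exactly one Signature is present, it covers the Body, and it verifies. */
    static boolean verify(String signedXml, KeySelector selector) throws Exception {
        Document doc = parse(signedXml);
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false;
        DOMValidateContext ctx = new DOMValidateContext(selector, sigs.item(0));
        ctx.setIdAttributeNS(body(doc), WSU_NS, "Id");
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        boolean coversBody = false;
        for (Object r : sig.getSignedInfo().getReferences()) coversBody |= "#body".equals(((Reference) r).getURI());
        try { return coversBody && sig.validate(ctx); } // false if SignatureValue or any digest does not match
        catch (XMLSignatureException e) { return false; } // e.g. the selector refused the key or an algorithm is disallowed
    }

    /** pinned == null mirrors "Trust any certificate" (use whatever key the message carries in KeyInfo);
     *  otherwise it mirrors "Only trust Certificates with the following reference" (KeyInfo is ignored). */
    static KeySelector selector(PublicKey pinned) {
        return new KeySelector() {
            public KeySelectorResult select(KeyInfo ki, KeySelector.Purpose p, AlgorithmMethod m, XMLCryptoContext c)
                    throws KeySelectorException {
                if (pinned != null) return () -> pinned;
                for (Object o : ki.getContent()) {
                    if (o instanceof KeyValue) {
                        try { PublicKey pk = ((KeyValue) o).getPublicKey(); return () -> pk; }
                        catch (KeyException e) { throw new KeySelectorException(e); }
                    }
                }
                throw new KeySelectorException("no KeyValue in KeyInfo");
            }
        };
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair client = kpg.generateKeyPair(), attacker = kpg.generateKeyPair(); // anyone can mint their own key
        KeySelector trustAny = selector(null), pinned = selector(client.getPublic());
        String fromClient = sign(ENVELOPE, client), fromAttacker = sign(ENVELOPE, attacker);
        String tampered = fromClient.replace("<amount>10</amount>", "<amount>9999</amount>");
        System.out.println("client message,   trust any: " + verify(fromClient, trustAny));
        System.out.println("client message,   pinned   : " + verify(fromClient, pinned));
        System.out.println("attacker message, trust any: " + verify(fromAttacker, trustAny));
        System.out.println("attacker message, pinned   : " + verify(fromAttacker, pinned));
        System.out.println("tampered body,    pinned   : " + verify(tampered, pinned));
    }
}
```

Compile and run with `javac SoapBodySignatureDemo.java && java SoapBodySignatureDemo`; only the JDK is required. The pinned selector corresponds to the certificate reference the wizard asks for: it never takes the verification key from the message. A production consumer would additionally check that the element the Reference dereferences to is the real Body (the defence against signature-wrapping, where an attacker moves the signed element and inserts a new Body), and would validate the pinned certificate's chain and validity period; the check here only confirms that the Signature claims to cover "#body".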
What to do next
XML digital signature security will now protect your web
service against attacks on message integrity and, with the certificate
reference set, against messages from unknown signers. It does not hide the
message contents; confidentiality requires XML encryption or transport-level
TLS. You can see the changes
in your XML source by switching to the Resource perspective and opening
your web service .xmi file. To open this file, click , select Resource, and click
OK.
Then find the corresponding .xmi file under the
yourProjectName/WebContent/WEB-INF/ directory.