Network Deployment (Distributed operating systems), v8.0


Configure request signing methods for the client

Use the WSSSignature and WSSSignPart APIs to choose the signing methods. The request signing methods include the signature, canonicalization, digest, and transform methods.

Before you begin, specify which parts of the message sent by the client must be digitally signed, either by using the WSS APIs or by configuring policy sets in the administrative console.

The following table describes the purpose of each of these methods. Some of the definitions are based on the XML-Signature specification, which is located at http://www.w3.org/TR/xmldsig-core.

Signing methods. Use the signing methods to secure messages.

  Canonicalization algorithm
    Canonicalizes the <SignedInfo> element before the information is digested as part of the signature operation.
  Signature algorithm
    Calculates the signature value of the canonicalized <SignedInfo> element. The algorithm selected for the client request sender configuration must match the algorithm selected in the server request receiver configuration.
  Transform method
    Transforms the parts to be signed before the information is digested as part of the signature operation.
  Digest method
    Calculates the digest value of the transformed parts. The algorithm selected for the client request sender configuration must match the algorithm selected in the server request receiver configuration.

We can use the WSS APIs, or configure policy sets in the administrative console, to configure the signing algorithm methods. If you use the WSS APIs, use the WSSSignature and WSSSignPart APIs to specify which message parts to digitally sign, and with which methods, when configuring the client for request signing.

Use the WSSSignature and WSSSignPart APIs to complete the following steps, which configure the signature and signed-part algorithm methods:


Procedure

  1. For the generator binding, the WSSSignature API specifies the signature method. WAS supports the following pre-configured signature methods:

    • WSSSignature.RSA_SHA1 (the default value): http://www.w3.org/2000/09/xmldsig#rsa-sha1
    • WSSSignature.HMAC_SHA1: http://www.w3.org/2000/09/xmldsig#hmac-sha1

    For the WSS APIs, WAS does not support the DSA-SHA1 digital signature method, http://www.w3.org/2000/09/xmldsig#dsa-sha1.

  2. For the generator binding, the WSSSignature API specifies the canonicalization method. WAS supports the following pre-configured canonicalization algorithms:

    • WSSSignature.EXC_C14N (the default value): The exclusive canonicalization algorithm, http://www.w3.org/2001/10/xml-exc-c14n#
    • WSSSignature.C14N: The inclusive canonicalization algorithm, http://www.w3.org/2001/10/xml-c14n#

  3. For the generator binding, the WSSSignPart API specifies the digest method. WAS supports the following pre-configured digest methods:

    • WSSSignPart.SHA1 (the default value): http://www.w3.org/2000/09/xmldsig#sha1
    • WSSSignPart.SHA256: http://www.w3.org/2001/04/xmlenc#sha256
    • WSSSignPart.SHA512: http://www.w3.org/2001/04/xmlenc#sha512

  4. For the generator binding, the WSSSignPart API specifies the transform method. WAS supports the following pre-configured transform algorithms:

    • WSSSignPart.TRANSFORM_EXC_C14N (the default value): http://www.w3.org/2001/10/xml-exc-c14n#
    • WSSSignPart.TRANSFORM_XPATH2_FILTER: http://www.w3.org/2002/06/xmldsig-filter2
    • WSSSignPart.TRANSFORM_STRT10: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
    • WSSSignPart.TRANSFORM_ENVELOPED_SIGNATURE: http://www.w3.org/2000/09/xmldsig#enveloped-signature

    For the WSS APIs, WAS does not support the following transform algorithms:

    • http://www.w3.org/TR/1999/REC-xpath-19991116
    • http://www.w3.org/2002/07/decrypt#XML


Results

Using the WSS APIs, you have specified which algorithm methods are used to digitally sign a message when the client sends a request to a server.


Example

The following example is sample code for specifying the signature information: HMAC_SHA1 as the signature method, C14N as the canonicalization method, SHA256 as the digest method, and TRANSFORM_EXC_C14N and TRANSFORM_STRT10 as the transform methods:

   // WSS API classes used by this sample (package names as in the WAS WSS API Javadoc)
   import com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler;
   import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
   import com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext;
   import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignPart;
   import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignature;
   import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
   import com.ibm.websphere.wssecurity.wssapi.token.X509Token;

   // get the message context
   Object msgcontext = getMessageContext();

   // generate WSSFactory instance
   WSSFactory factory = WSSFactory.getInstance();

   // generate WSSGenerationContext instance
   WSSGenerationContext gencont = factory.newWSSGenerationContext();

   // generate callback handler (keystore path, type and passwords, key alias and
   // subject DN of the signing certificate)
   X509GenerateCallbackHandler callbackHandler = new X509GenerateCallbackHandler(
     "",
     "dsig-sender.ks",
     "jks",
     "client".toCharArray(),
     "soaprequester",
     "client".toCharArray(),
     "CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP",
     null);

   // generate the security token used for the signature
   SecurityToken token = factory.newSecurityToken(X509Token.class, callbackHandler);

   // generate WSSSignature instance
   WSSSignature sig = factory.newWSSSignature(token);

   // set the canonicalization method
   // DEFAULT: WSSSignature.EXC_C14N
   sig.setCanonicalizationMethod(WSSSignature.C14N);

   // set the signature method
   // DEFAULT: WSSSignature.RSA_SHA1
   sig.setSignatureMethod(WSSSignature.HMAC_SHA1);

   // create the part to be signed, specified by WSSSignPart
   WSSSignPart sigPart = factory.newWSSSignPart();

   // set the digest method
   // DEFAULT: WSSSignPart.SHA1
   sigPart.setDigestMethod(WSSSignPart.SHA256);

   // add the transform methods; they are applied in the order added
   // DEFAULT: WSSSignPart.TRANSFORM_EXC_C14N
   sigPart.addTransformMethod(WSSSignPart.TRANSFORM_EXC_C14N);
   sigPart.addTransformMethod(WSSSignPart.TRANSFORM_STRT10);

   // add the WSSSignPart to the WSSSignature
   sig.addSignPart(sigPart);

   // add the WSSSignature to the WSSGenerationContext
   gencont.add(sig);

   // generate the WS-Security header
   gencont.process(msgcontext);


What to do next

After you configure the client to digitally sign the message and to choose the algorithm methods, configure the server to verify the digital signature for request signing and to choose the algorithm methods.

Configure policy sets using the administrative console to configure the signature verification information and methods on the server.

Related tasks:

    • Configure response signature verification methods for the client
    • Configure generator signing information to protect message integrity using the WSS APIs
