ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/webserv/wsseccfadigcl.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Configure the Web services client for signature authentication</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h6><a name="wsseccfadigcl"></a>Configure the Web services client for signature authentication</h6>
<p>This task is used to configure signature authentication. A signature refers to the use of an X.509
certificate to log in to the target server. For more information on signature authentication, see <a href="wssecsignauth.htm">Digital signature authentication method</a>.</p>
<p>Perform the following steps in the WebSphere Development Studio Client for iSeries to specify
signature authentication for your Web service client:</p>
<ol>
<li><p>Open the webservicesclient.xml file in the Web Services Client Editor of the WebSphere
Development Studio Client for iSeries. For more information, see <a href="astk.htm">Configure your Web
services application</a>.</p></li>
<li><p>Click the <strong>Security Extensions</strong> tab.</p></li>
<li><p>Expand the <strong>Request Sender Configuration --&gt; Login Config</strong> settings. Select
<strong>Signature</strong> to authenticate the client using the certificate used to digitally sign the
request.</p></li>
<li><p>Save the file.</p></li>
</ol>
<p>Next, perform the following steps in the Web Services Client Editor to specify how the signature
authentication information is collected:</p>
<ol>
<li><p>Click the <strong>Port Binding</strong> tab.</p></li>
<li><p>Expand <strong>Security Request Sender Binding Configuration --&gt; Signing Information</strong>
and click <strong>Edit</strong> to display and modify the signing key name and signing key locator.</p>
<p>To create new signing information, click <strong>Enable</strong>. The certificate that is sent to
log in at the server is the one configured in the Signing Information panel. For more information about
how the signing key name maps to a key within the key locator entry, see <a href="wsseccfkeyloc.htm">Configure key locators</a>.</p>
<p>The following table describes the purpose of this information. Some of these definitions are based
on the <a href="http://www.w3.org/TR/xmldsig-core" target="_">XML-Signature Syntax and Processing
specification</a> <img src="www.gif" width="18" height="15" alt="Link outside Information Center">
(http://www.w3.org/TR/xmldsig-core).</p>
<table border="1" cellpadding="3" cellspacing="0">
<tr valign="top">
<th>Name</th>
<th>Purpose</th>
</tr>
<tr valign="top">
<td><strong>Canonicalization method algorithm</strong></td>
<td>The canonicalization method algorithm is used to canonicalize the SignedInfo element before it is
digested as part of the signature operation.</td>
</tr>
<tr valign="top">
<td><strong>Digest method algorithm</strong></td>
<td>The digest method algorithm is the algorithm applied to the data after transforms are applied, if
specified, to yield the &lt;DigestValue&gt;. The signing of the DigestValue binds resource content to
the signer key. The algorithm that is selected for the client request sender configuration must match
the algorithm that is selected in the server request receiver configuration.</td>
</tr>
<tr valign="top">
<td><strong>Signature method algorithm</strong></td>
<td>The signature method is the algorithm that is used to convert the canonicalized &lt;SignedInfo&gt;
into the &lt;SignatureValue&gt;. The algorithm that is selected for the client request sender
configuration must match the algorithm that is selected in the server request receiver
configuration.</td>
</tr>
<tr valign="top">
<td><strong>Signing key name</strong></td>
<td>The signing key name represents the key entry associated with the signing key locator. The key
entry refers to an alias of the key, which is used to sign the request.</td>
</tr>
<tr valign="top">
<td><strong>Signing key locator</strong></td>
<td>The signing key locator represents a reference to a key locator implementation. For more
information on configuring key locators, see <a href="wsseccfkeyloc.htm">Configure key
locators</a>.</td>
</tr>
</table><p></p></li>
<li><p>Expand the <strong>Security Request Sender Binding Configuration --&gt; Login Binding</strong>
settings.</p></li>
<li><p>Click <strong>Edit</strong> to view the Login Binding information. The login binding information
is displayed.</p></li>
<li><p>Select or enter the following information:</p>
<table border="1" cellpadding="3" cellspacing="0">
<tr valign="top">
<th>Name</th>
<th>Purpose</th>
</tr>
<tr valign="top">
<td><strong>Authentication method</strong></td>
<td>The authentication method specifies the type of authentication that occurs. Select
<strong>Signature</strong> to use signature authentication.</td>
</tr>
<tr valign="top">
<td><strong>Token value type URI</strong> and <strong>Token value type URI local name</strong></td>
<td>When you select <strong>Signature</strong>, you cannot edit the <strong>Token value type
URI</strong> and <strong>Local name</strong> values. These values are specifically for custom
authentication types. For signature authentication, you do not need to enter any information.</td>
</tr>
<tr valign="top">
<td><strong>Callback handler</strong></td>
<td>The callback handler specifies the Java Authentication and Authorization Service (JAAS) callback
handler implementation for collecting signature information. Enter the following callback handler for
signature authentication: <tt>com.ibm.wsspi.wssecurity.auth.callback.<br>NonPromptCallbackHandler</tt>. This
callback handler is used because signature authentication does not require user interaction.</td>
</tr>
<tr valign="top">
<td><strong>Basic authentication User ID</strong> and <strong>Basic authentication
Password</strong></td>
<td>Do not enter anything in the BasicAuth fields when Signature authentication is desired.</td>
</tr>
<tr valign="top">
<td><strong>Property Name</strong> and <strong>Property Value</strong></td>
<td>These fields let you enter properties as name and value pairs for use by custom callback
handlers. For signature authentication, you do not need to enter any information.</td>
</tr>
</table><p></p></li>
<li><p>(Optional) There is a basic authentication entry in the Port Qualified Name Binding Details
section. This entry is used for HTTP transport authentication, which may be required if the router
servlet is protected.</p>
<p>Information that is specified in the Web services security signature authentication section
overrides the basic authentication information that is specified in the Port Qualified Name Binding
Details section for authorizing the Web service.</p>
<p>If you want the signature identity of this client to flow downstream, configure the first Web
service client to use ID assertion or Lightweight Third Party Authentication (LTPA) authentication
instead.</p></li>
</ol>
<p><strong>Note: </strong>Examples may be wrapped for display purposes.</p>
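<p>The signing information table states that the canonicalization, digest and signature method algorithms chosen in the client request sender configuration must match those in the server request receiver configuration. The following added example (not IBM's code, and not part of this Information Center page) shows a receiver-side check that reads the three algorithm URIs a client declares in the <tt>ds:SignedInfo</tt> of its WS-Security header and reports any that differ from the configured receiver values; the SOAP message, the key name and the server configuration values are constructed for the demonstration, and the namespace URIs are the standard WS-Security and XML-Signature ones.</p>

```python
# Added example (not IBM's code): receiver-side check that the algorithms a
# client declares in its signed request match the server's request receiver
# configuration. Sample message, key name and config values are constructed.
import xml.etree.ElementTree as ET

NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"}
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
# Assumed server request receiver configuration that the client must match.
SERVER_RECEIVER_CONFIG = {"CanonicalizationMethod": EXC_C14N,
                          "DigestMethod": SHA1, "SignatureMethod": RSA_SHA1}

def build_signed_request(c14n, sig, digest, key_name="clientSigningKey"):
    """Constructed sample request whose ds:SignedInfo reflects the client's
    request sender binding; digest and signature values are placeholders."""
    return f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}">
<soapenv:Header><wsse:Security xmlns:wsse="{NS['wsse']}">
<ds:Signature xmlns:ds="{NS['ds']}"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="{c14n}"/>
<ds:SignatureMethod Algorithm="{sig}"/>
<ds:Reference URI="#body"><ds:DigestMethod Algorithm="{digest}"/>
<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
<ds:KeyInfo><ds:KeyName>{key_name}</ds:KeyName></ds:KeyInfo>
</ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body><getQuote xmlns="urn:example">IBM</getQuote></soapenv:Body>
</soapenv:Envelope>"""

def declared_algorithms(soap_xml):
    """Read the three algorithm URIs from ds:SignedInfo (None when absent)."""
    root = ET.fromstring(soap_xml)
    info = root.find("soapenv:Header/wsse:Security/ds:Signature/ds:SignedInfo", NS)
    if info is None:
        raise ValueError("no ds:Signature in the wsse:Security header")
    found = {}
    for name in ("CanonicalizationMethod", "SignatureMethod"):
        el = info.find(f"ds:{name}", NS)
        found[name] = el.get("Algorithm") if el is not None else None
    # Each ds:Reference carries its own DigestMethod; they must all agree.
    digests = {d.get("Algorithm") for d in info.findall("ds:Reference/ds:DigestMethod", NS)}
    found["DigestMethod"] = digests.pop() if len(digests) == 1 else None
    return found

def mismatches(soap_xml, server_config=SERVER_RECEIVER_CONFIG):
    """[(name, client_value, server_value)] for every algorithm that differs."""
    client = declared_algorithms(soap_xml)
    return [(k, client.get(k), v) for k, v in server_config.items() if client.get(k) != v]
```

An empty list from <tt>mismatches</tt> means the sender and receiver algorithm selections agree; a non-empty list names each mismatched setting so the binding can be corrected before signature verification is attempted.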
</body>
</html>