<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Sample Web services security configurations</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h5><a name="wsseccfsamp"></a>Sample Web services security configurations</h5>
<p>WebSphere Application Server - Express provides the following sample key stores for sample configurations.</p>
<p>The following files are the sample key stores, which are located in the etc/ws-security/samples subdirectory of your instance, /QIBM/UserData/WebASE/ASE5/<em>instance</em>/etc/ws-security/samples/ (where <em>instance</em> is the name of your instance):</p>
<ul>
<li><strong>dsig-sender.ks</strong> (key store password is <tt>client</tt>)
<ul>
<li>Trusted certificate with alias name <tt>soapca</tt></li>
<li>Personal certificate with alias name <tt>soaprequester</tt> and key password <tt>client</tt>, issued by the intermediary CA Int CA2 (which is in turn issued by <tt>soapca</tt>)</li>
</ul><p></p></li>
<li><strong>dsig-receiver.ks</strong> (key store password is <tt>server</tt>)
<ul>
<li>Trusted certificate with alias name <tt>soapca</tt></li>
<li>Personal certificate with alias name <tt>soapprovider</tt> and key password <tt>server</tt>, issued by the intermediary CA Int CA2 (which is in turn issued by <tt>soapca</tt>)</li>
</ul><p></p></li>
<li><strong>enc-sender.jceks</strong> (key store password is <tt>storepass</tt>)
<ul>
<li>Secret key CN=Group1, alias name <tt>Group1</tt> and key password <tt>keypass</tt></li>
<li>Public key CN=Bob, O=IBM, C=US, alias name <tt>bob</tt> and key password <tt>keypass</tt></li>
<li>Private key CN=Alice, O=IBM, C=US, alias name <tt>alice</tt> and key password <tt>keypass</tt></li>
</ul><p></p></li>
<li><strong>enc-receiver.jceks</strong> (key store password is <tt>storepass</tt>)
<ul>
<li>Secret key CN=Group1, alias name <tt>Group1</tt> and key password <tt>keypass</tt></li>
<li>Private key CN=Bob, O=IBM, C=US, alias name <tt>bob</tt> and key password <tt>keypass</tt></li>
<li>Public key CN=Alice, O=IBM, C=US, alias name <tt>alice</tt> and key password <tt>keypass</tt></li>
</ul><p></p></li>
<li><strong>intca2.cer</strong>, the certificate of the intermediary CA Int CA2.</li>
</ul>
<p><strong>Note:</strong> These sample key stores are for testing and sample purposes only. Do not use them in a production environment.</p>
<p><strong>Default binding</strong></p>
<p>WebSphere Application Server - Express provides the following default binding information:</p>
<ul>
<li><p><strong>Trust Anchors</strong>
<br>Used to validate the trust of the signer certificate.</p>
<ul>
<li><p><strong>SampleClientTrustAnchor</strong>
<br>Used by response receiver to validate the signer certificate.</p></li>
<li><p><strong>SampleServerTrustAnchor</strong>
<br>Used by the request receiver to validate the signer's certificate.</p></li>
</ul></li>
<li><p><strong>Collection Certificate Store</strong>
<br>Used to validate the certificate path.</p>
<ul>
<li><p><strong>SampleCollectionCertStore</strong>
<br>Used by the response receiver and the request receiver to validate the signer's certificate path.</p></li>
</ul></li>
<li><p><strong>Key Locators</strong>
<br>Used to locate keys for signing, encryption, and decryption.</p>
<ul>
<li><p><strong>SampleClientSignerKey</strong>
<br>Used by the request sender to sign the SOAP message. The signing key name is <tt>clientsignerkey</tt>, which can be referenced in the signing information as the signing key name.</p></li>
<li><p><strong>SampleServerSignerKey</strong>
<br>Used by the response sender to sign the SOAP message. The signing key name is <tt>serversignerkey</tt>, which can be referenced in the signing information as the signing key name.</p></li>
<li><p><strong>SampleSenderEncryptionKeyLocator</strong>
<br>Used by the sender to encrypt the SOAP message. It is configured to use the enc-sender.jceks key store and the com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator key store key locator.</p></li>
<li><p><strong>SampleReceiverEncryptionKeyLocator</strong>
<br>Used by the receiver to decrypt the encrypted SOAP message. It is configured to use the enc-receiver.jceks key store and the com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator key store key locator. It is configured for symmetric encryption (DES or TRIPLEDES). However, to use it for asymmetric encryption (RSA), you must add the private key CN=Bob, O=IBM, C=US, alias name <tt>bob</tt>, and key password <tt>keypass</tt>.</p></li>
<li><p><strong>SampleResponseSenderEncryptionKeyLocator</strong>
<br>Used by the response sender to encrypt the SOAP response message. It is configured to use the enc-receiver.jceks key store and the com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator key locator. This key locator maps an authenticated identity (of the current thread of execution) to a public key for encryption. By default, the identity <tt>was</tt> is mapped to the public key <tt>alice</tt>; you must change <tt>was</tt> to the appropriate user. SampleResponseSenderEncryptionKeyLocator can also specify a default encryption key (by default, the public key <tt>alice</tt>).</p></li>
</ul></li>
<li><p><strong>Trusted ID Evaluator</strong>
<br>Used to establish trust before accepting the asserted identity in identity assertion.</p>
<ul>
<li><p><strong>SampleTrustedIDEvaluator</strong>
<br>Configured to use com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl. The default implementation of com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator contains a list of trusted identities. The list is defined as properties with <tt>trustedId_*</tt> as the key and the trusted identity as the value. This can be defined in the WebSphere administrative console in <strong>Servers --&gt; Application Servers --&gt; <em>server</em> --&gt; Web Services: Default bindings for Web Services Security --&gt; Trusted ID Evaluators --&gt; SampleTrustedIDEvaluator</strong> for the server level (where <em>server</em> is the name of your application server) or <strong>Security --&gt; Web Services --&gt; Trusted ID Evaluators --&gt; SampleTrustedIDEvaluator</strong> for the cell level (Network Deployment only).</p></li>
</ul></li>
<li><p><strong>Login Mapping</strong>
<br>Used to authenticate the incoming security token in the Web services security SOAP header of a SOAP message.</p>
<ul>
<li><p><strong>BasicAuth authentication method</strong>
<br>This method is used to authenticate a user name security token (user name and password).</p></li>
<li><p><strong>Signature authentication method</strong>
<br>This method is used to map a distinguished name (DN) into a WebSphere Application Server - Express Java Authentication and Authorization Service (JAAS) Subject.</p></li>
<li><p><strong>IDAssertion authentication method</strong>
<br>This method is used to map a trusted identity into a WebSphere Application Server JAAS Subject for identity assertion.</p></li>
<li><p><strong>LTPA authentication method</strong>
<br>This method is used to validate a Lightweight Third-party Authentication (LTPA) security token.</p></li>
</ul></li>
</ul>
<p><strong>Note:</strong> These default bindings for trust anchors, collection certificate stores, and key locators are for testing or sample purposes only. Do not use them in production.</p>
<p><strong>A sample configuration</strong></p>
<p>The following examples demonstrate what IBM deployment descriptor extensions and bindings can do. Unnecessary information has been removed from the examples to improve clarity. Do not copy and paste these examples into your application's deployment descriptors or bindings. These examples serve as reference only and are not representative of the recommended configuration.</p>
<p>It is recommended that you use the following tools to create or edit IBM deployment descriptor extensions and bindings:</p>
<ul>
<li>Use WebSphere Development Studio for iSeries to create or edit the IBM deployment descriptor extensions.</li>
<li>Use WebSphere Development Studio for iSeries or the WebSphere administrative console to create or edit the bindings file.</li>
</ul>
<p>The following scenario performs these actions:</p>
<ul>
<li>Signs the SOAP body, time stamp, and security token.</li>
<li>Encrypts the body content and user name token.</li>
<li>Sends the user name token (basic authentication data).</li>
<li>Generates the time stamp for the request.</li>
</ul>
<p>For the response, the SOAP body and time stamp are signed, the body content is encrypted, and the SOAP message freshness is checked using the time stamp.</p>
<p><strong>Note:</strong> The request sender and request receiver are a pair. Similarly, the response sender and response receiver are a pair.</p>
<p><strong>Note:</strong> It is recommended that you use the WebSphere Application Server - Express variables for specifying the path to key stores. In the WebSphere administrative console, click <strong>Environment --&gt; Manage WebSphere Variables</strong>. This often ameliorates platform differences such as file-system naming conventions. The samples below use the <tt>${USER_INSTALL_ROOT}</tt> variable to replace /QIBM/UserData/WebASE/ASE5/<em>instance</em> (where <em>instance</em> is the name of your instance). For more information about setting the variables, see <a href="../admin/acvar.htm">Manage substitution variables with the administrative console</a> in the <em>Administration</em> topic.</p>
<p><strong>Client-side IBM deployment descriptor extension</strong></p>
<p>The client-side IBM deployment descriptor extension describes the following constraints:</p>
<ul>
<li><strong>Request Sender</strong>
<ul>
<li>Signs the SOAP body, time stamp and security token</li>
<li>Encrypts the body content and user name token</li>
<li>Sends the basic authentication token (user name and password)</li>
<li>Generates a time stamp that expires in 3 minutes</li>
</ul><p></p></li>
<li><strong>Response Receiver</strong>
<ul>
<li>Verifies that the SOAP body and time stamp are signed</li>
<li>Verifies that the SOAP body content is encrypted</li>
<li>Verifies that the time stamp is present (and checks message freshness)</li>
</ul></li>
</ul>
<p><strong>Example 1: Sample client IBM deployment descriptor extension.</strong></p>
<p><strong>Note</strong>: The xmi:id attributes have been removed for readability. They must be added in order for this example to work.</p>
<pre>&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
&lt;com.ibm.etools.webservice.wscext:WsClientExtension xmi:version=&quot;2.0&quot;
xmlns:xmi=&quot;http://www.omg.org/XMI&quot; xmlns:com.ibm.etools.webservice.wscext=
&quot;http://www.ibm.com/websphere/appserver/schemas/5.0.2/wscext.xmi&quot;&gt;
&lt;serviceRefs serviceRefLink=&quot;service/myServ&quot;&gt;
&lt;portQnameBindings portQnameLocalNameLink=&quot;Port1&quot;&gt;
&lt;clientServiceConfig actorURI=&quot;myActorURI&quot;&gt;
&lt;securityRequestSenderServiceConfig actor=&quot;myActorURI&quot;&gt;
&lt;integrity&gt;
&lt;references part=&quot;body&quot;/&gt;
&lt;references part=&quot;timestamp&quot;/&gt;
&lt;references part=&quot;securitytoken&quot;/&gt;
&lt;/integrity&gt;
&lt;confidentiality&gt;
&lt;confidentialParts part=&quot;bodycontent&quot;/&gt;
&lt;confidentialParts part=&quot;usernametoken&quot;/&gt;
&lt;/confidentiality&gt;
&lt;loginConfig authMethod=&quot;BasicAuth&quot;/&gt;
&lt;addCreatedTimeStamp flag=&quot;true&quot; expires=&quot;PT3M&quot;/&gt;
&lt;/securityRequestSenderServiceConfig&gt;
&lt;securityResponseReceiverServiceConfig&gt;
&lt;requiredIntegrity&gt;
&lt;references part=&quot;body&quot;/&gt;
&lt;references part=&quot;timestamp&quot;/&gt;
&lt;/requiredIntegrity&gt;
&lt;requiredConfidentiality&gt;
&lt;confidentialParts part=&quot;bodycontent&quot;/&gt;
&lt;/requiredConfidentiality&gt;
&lt;addReceivedTimeStamp flag=&quot;true&quot;/&gt;
&lt;/securityResponseReceiverServiceConfig&gt;
&lt;/clientServiceConfig&gt;
&lt;/portQnameBindings&gt;
&lt;/serviceRefs&gt;
&lt;/com.ibm.etools.webservice.wscext:WsClientExtension&gt;</pre>
<p><strong>Client-side IBM extension bindings</strong></p>
<p>The following are the client-side IBM extension bindings for the security constraints described above for the client-side IBM deployment descriptor extension.</p>
<p>The signer key and the encryption (decryption) key for the message are obtained from the key store key locator implementation (com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator). The signer key is used for encrypting the response. The sample is configured to use the Java Certification Path API to validate the certificate path of the signer of the digital signature. The user name token (basic authentication) data is collected from stdin using one of the default JAAS javax.security.auth.callback.CallbackHandler implementations (com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler).</p>
<p><strong>Example 2: Sample client IBM extension binding</strong></p>
<pre>&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
&lt;com.ibm.etools.webservice.wscbnd:ClientBinding xmi:version=&quot;2.0&quot;
xmlns:xmi=&quot;http://www.omg.org/XMI&quot;
xmlns:com.ibm.etools.webservice.wscbnd=
&quot;http://www.ibm.com/websphere/appserver/schemas/5.0.2/wscbnd.xmi&quot;&gt;
&lt;serviceRefs serviceRefLink=&quot;service/MyServ&quot;&gt;
&lt;portQnameBindings portQnameLocalNameLink=&quot;Port1&quot;&gt;
&lt;securityRequestSenderBindingConfig&gt;
&lt;signingInfo&gt;
&lt;signatureMethod algorithm=&quot;http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot;/&gt;
&lt;signingKey name=&quot;clientsignerkey&quot; locatorRef=&quot;SampleClientSignerKey&quot;/&gt;
&lt;canonicalizationMethod algorithm=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot;/&gt;
&lt;digestMethod algorithm=&quot;http://www.w3.org/2000/09/xmldsig#sha1&quot;/&gt;
&lt;/signingInfo&gt;
&lt;keyLocators name=&quot;SampleClientSignerKey&quot;
classname=&quot;com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator&quot;&gt;
&lt;keyStore storepass=&quot;{xor}PDM2OjEr&quot;
path=&quot;${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks&quot;
type=&quot;JKS&quot;/&gt;
&lt;keys alias=&quot;soaprequester&quot; keypass=&quot;{xor}PDM2OjEr&quot; name=&quot;clientsignerkey&quot;/&gt;
&lt;/keyLocators&gt;
&lt;encryptionInfo name=&quot;EncInfo1&quot;&gt;
&lt;encryptionKey name=&quot;CN=Bob, O=IBM, C=US&quot;
locatorRef=&quot;SampleSenderEncryptionKeyLocator&quot;/&gt;
&lt;encryptionMethod algorithm=&quot;http://www.w3.org/2001/04/xmlenc#tripledes-cbc&quot;/&gt;
&lt;keyEncryptionMethod algorithm=&quot;http://www.w3.org/2001/04/xmlenc#rsa-1_5&quot;/&gt;
&lt;/encryptionInfo&gt;
&lt;keyLocators name=&quot;SampleSenderEncryptionKeyLocator&quot;
classname=&quot;com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator&quot;&gt;
&lt;keyStore storepass=&quot;{xor}LCswLTovPiws&quot;
path=&quot;${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks&quot;
type=&quot;JCEKS&quot;/&gt;
&lt;keys alias=&quot;Group1&quot; keypass=&quot;{xor}NDomLz4sLA==&quot; name=&quot;CN=Group1&quot;/&gt;
&lt;/keyLocators&gt;
&lt;loginBinding authMethod=&quot;BasicAuth&quot; callbackHandler=
&quot;com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler&quot;/&gt;
&lt;/securityRequestSenderBindingConfig&gt;
&lt;securityResponseReceiverBindingConfig&gt;
&lt;signingInfos&gt;
&lt;signatureMethod algorithm=&quot;http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot;/&gt;
&lt;certPathSettings&gt;
&lt;trustAnchorRef ref=&quot;SampleClientTrustAnchor&quot;/&gt;
&lt;certStoreRef ref=&quot;SampleCollectionCertStore&quot;/&gt;
&lt;/certPathSettings&gt;
&lt;canonicalizationMethod algorithm=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot;/&gt;
&lt;digestMethod algorithm=&quot;http://www.w3.org/2000/09/xmldsig#sha1&quot;/&gt;
&lt;/signingInfos&gt;
&lt;trustAnchors name=&quot;SampleClientTrustAnchor&quot;&gt;
&lt;keyStore storepass=&quot;{xor}PDM2OjEr&quot;
path=&quot;${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks&quot;
type=&quot;JKS&quot;/&gt;
&lt;/trustAnchors&gt;
&lt;certStoreList&gt;
&lt;collectionCertStores provider=&quot;IBMCertPath&quot; name=&quot;SampleCollectionCertStore&quot;&gt;
&lt;x509Certificates
path=&quot;${USER_INSTALL_ROOT}/etc/ws-security/samples/intca2.cer&quot;/&gt;
&lt;/collectionCertStores&gt;
&lt;/certStoreList&gt;
&lt;encryptionInfos name=&quot;EncInfo2&quot;&gt;
&lt;encryptionKey locatorRef=&quot;SampleReceiverEncryptionKeyLocator&quot;/&gt;
&lt;encryptionMethod algorithm=&quot;http://www.w3.org/2001/04/xmlenc#tripledes-cbc&quot;/&gt;
&lt;keyEncryptionMethod algorithm=&quot;http://www.w3.org/2001/04/xmlenc#rsa-1_5&quot;/&gt;
&lt;/encryptionInfos&gt;
&lt;keyLocators name=&quot;SampleReceiverEncryptionKeyLocator&quot;
classname=&quot;com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator&quot;&gt;
&lt;keyStore storepass=&quot;{xor}PDM2OjEr&quot;
path=&quot;${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks&quot;
type=&quot;JKS&quot;/&gt;
&lt;keys alias=&quot;soaprequester&quot; keypass=&quot;{xor}PDM2OjEr&quot; name=&quot;clientsignerkey&quot;/&gt;
&lt;/keyLocators&gt;
&lt;/securityResponseReceiverBindingConfig&gt;
&lt;/portQnameBindings&gt;
&lt;/serviceRefs&gt;
&lt;/com.ibm.etools.webservice.wscbnd:ClientBinding&gt;</pre>
<p><strong>Server side IBM deployment descriptor extension</strong></p>
<p>The server-side IBM deployment descriptor extension describes the following constraints:</p>
<ul>
<li><strong>Request Receiver</strong> (ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi)
<ul>
<li>Verifies that the SOAP body, time stamp, and security token are signed</li>
<li>Verifies that the SOAP body content and user name token are encrypted</li>
<li>Verifies that the basic authentication token (user name and password) is in the Web services security SOAP header</li>
<li>Verifies that the time stamp is present (and checks message freshness)</li>
</ul><p></p></li>
<li><strong>Response Sender</strong> (ibm-webservices-ext.xmi and ibm-webservices-bnd.xmi)
<ul>
<li>Signs the SOAP body and time stamp</li>
<li>Encrypts the SOAP body content</li>
<li>Generates the time stamp to expire in 3 minutes</li>
</ul></li>
</ul>
<p><strong>Example 3: Sample server IBM deployment descriptor extension</strong></p>
<pre>&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
&lt;com.ibm.etools.webservice.wsext:WsExtension xmi:version=&quot;2.0&quot;
xmlns:xmi=&quot;http://www.omg.org/XMI&quot; xmlns:com.ibm.etools.webservice.wsext=
&quot;http://www.ibm.com/websphere/appserver/schemas/5.0.2/wsext.xmi&quot;&gt;
&lt;wsDescExt wsDescNameLink=&quot;MyServ&quot;&gt;
&lt;pcBinding pcNameLink=&quot;Port1&quot;&gt;
&lt;serverServiceConfig actorURI=&quot;myActorURI&quot;&gt;
&lt;securityRequestReceiverServiceConfig&gt;
&lt;requiredIntegrity&gt;
&lt;references part=&quot;body&quot;/&gt;
&lt;references part=&quot;timestamp&quot;/&gt;
&lt;references part=&quot;securitytoken&quot;/&gt;
&lt;/requiredIntegrity&gt;
&lt;requiredConfidentiality&gt;
&lt;confidentialParts part=&quot;bodycontent&quot;/&gt;
&lt;confidentialParts part=&quot;usernametoken&quot;/&gt;
&lt;/requiredConfidentiality&gt;
&lt;loginConfig&gt;
&lt;authMethods text=&quot;BasicAuth&quot;/&gt;
&lt;/loginConfig&gt;
&lt;addReceivedTimestamp flag=&quot;true&quot;/&gt;
&lt;/securityRequestReceiverServiceConfig&gt;
&lt;securityResponseSenderServiceConfig actor=&quot;myActorURI&quot;&gt;
&lt;integrity&gt;
&lt;references part=&quot;body&quot;/&gt;
&lt;references part=&quot;timestamp&quot;/&gt;
&lt;/integrity&gt;
&lt;confidentiality&gt;
&lt;confidentialParts part=&quot;bodycontent&quot;/&gt;
&lt;/confidentiality&gt;
&lt;addCreatedTimestamp flag=&quot;true&quot; expires=&quot;PT3M&quot;/&gt;
&lt;/securityResponseSenderServiceConfig&gt;
&lt;/serverServiceConfig&gt;
&lt;/pcBinding&gt;
&lt;/wsDescExt&gt;
&lt;/com.ibm.etools.webservice.wsext:WsExtension&gt;</pre>
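<p>Because the request sender and request receiver are a pair, and the response sender and response receiver are a pair, Examples 1 and 3 must agree part for part: a part the receiver requires but the sender never signs or encrypts gets the message rejected, and a part the sender protects but the receiver never requires is a constraint nobody enforces. The following Python is an added example, not code from this page or from WebSphere; it cross-checks constructed, abridged copies of Examples 1 and 3 and reports any part, time stamp or login method that one side of a pair expects and the other does not. The element and attribute names are those of the two examples; the finding messages are the example's own.</p>

```python
"""Cross-check the client WsClientExtension against the server WsExtension. The request
sender pairs with the request receiver and the response sender with the response receiver,
so every part one side signs or encrypts should be a part the other side requires."""
import xml.etree.ElementTree as ET

# Constructed, abridged copy of the page's Example 1 (client-side extension).
CLIENT_EXT = """<com.ibm.etools.webservice.wscext:WsClientExtension xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
 xmlns:com.ibm.etools.webservice.wscext="http://www.ibm.com/websphere/appserver/schemas/5.0.2/wscext.xmi">
<serviceRefs serviceRefLink="service/myServ"><portQnameBindings portQnameLocalNameLink="Port1">
<clientServiceConfig actorURI="myActorURI">
<securityRequestSenderServiceConfig actor="myActorURI">
<integrity><references part="body"/><references part="timestamp"/><references part="securitytoken"/></integrity>
<confidentiality><confidentialParts part="bodycontent"/><confidentialParts part="usernametoken"/></confidentiality>
<loginConfig authMethod="BasicAuth"/><addCreatedTimeStamp flag="true" expires="PT3M"/>
</securityRequestSenderServiceConfig>
<securityResponseReceiverServiceConfig>
<requiredIntegrity><references part="body"/><references part="timestamp"/></requiredIntegrity>
<requiredConfidentiality><confidentialParts part="bodycontent"/></requiredConfidentiality>
<addReceivedTimeStamp flag="true"/>
</securityResponseReceiverServiceConfig>
</clientServiceConfig></portQnameBindings></serviceRefs>
</com.ibm.etools.webservice.wscext:WsClientExtension>"""

# Constructed, abridged copy of the page's Example 3 (server-side extension).
SERVER_EXT = """<com.ibm.etools.webservice.wsext:WsExtension xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
 xmlns:com.ibm.etools.webservice.wsext="http://www.ibm.com/websphere/appserver/schemas/5.0.2/wsext.xmi">
<wsDescExt wsDescNameLink="MyServ"><pcBinding pcNameLink="Port1">
<serverServiceConfig actorURI="myActorURI">
<securityRequestReceiverServiceConfig>
<requiredIntegrity><references part="body"/><references part="timestamp"/><references part="securitytoken"/></requiredIntegrity>
<requiredConfidentiality><confidentialParts part="bodycontent"/><confidentialParts part="usernametoken"/></requiredConfidentiality>
<loginConfig><authMethods text="BasicAuth"/></loginConfig><addReceivedTimestamp flag="true"/>
</securityRequestReceiverServiceConfig>
<securityResponseSenderServiceConfig actor="myActorURI">
<integrity><references part="body"/><references part="timestamp"/></integrity>
<confidentiality><confidentialParts part="bodycontent"/></confidentiality>
<addCreatedTimestamp flag="true" expires="PT3M"/>
</securityResponseSenderServiceConfig>
</serverServiceConfig></pcBinding></wsDescExt>
</com.ibm.etools.webservice.wsext:WsExtension>"""

def _parts(cfg, container, child):
    """Part names under <container><child part="..."/>...</container>, or empty if absent."""
    node = cfg.find(container)
    return set() if node is None else {c.get("part") for c in node.findall(child)}

def _auth_methods(cfg):
    """Login methods: an authMethod attribute on the client, <authMethods text=.../> on the server."""
    lc = cfg.find("loginConfig")
    return set() if lc is None else {lc.get("authMethod")} - {None} | {a.get("text") for a in lc.findall("authMethods")}

def _has(cfg, tag):
    """Child lookup ignoring case: the samples spell both TimeStamp and Timestamp."""
    return any(c.tag.lower() == tag.lower() for c in cfg)

def check_pair(sender, receiver):
    """Findings for one sender/receiver pair; an empty list means the pair is consistent."""
    findings = []
    for label, s_tag, r_tag, child in (("integrity", "integrity", "requiredIntegrity", "references"),
                                       ("confidentiality", "confidentiality", "requiredConfidentiality", "confidentialParts")):
        sent, required = _parts(sender, s_tag, child), _parts(receiver, r_tag, child)
        findings += [f"{label}: receiver requires {p} but sender never provides it" for p in sorted(required - sent)]
        findings += [f"{label}: sender provides {p} but receiver never checks it" for p in sorted(sent - required)]
    if _has(sender, "addCreatedTimeStamp") and not _has(receiver, "addReceivedTimeStamp"):
        findings.append("timestamp: sender adds a created time stamp but receiver does not check freshness")
    unaccepted = _auth_methods(sender) - _auth_methods(receiver)
    if unaccepted:
        findings.append(f"login: receiver does not accept sender token type(s) {sorted(unaccepted)}")
    return findings

def check_extensions(client_xml, server_xml):
    """Findings for both pairs, keyed 'request' and 'response'."""
    client, server = ET.fromstring(client_xml), ET.fromstring(server_xml)
    return {"request": check_pair(client.find(".//securityRequestSenderServiceConfig"),
                                  server.find(".//securityRequestReceiverServiceConfig")),
            "response": check_pair(server.find(".//securityResponseSenderServiceConfig"),
                                   client.find(".//securityResponseReceiverServiceConfig"))}
```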
<p><strong>Server-side IBM extension bindings</strong></p>
<p>The following binding information reuses some of the default binding information defined at either the server level or the cell level, depending on the installation. For example, the request receiver references the SampleCollectionCertStore certificate store and the SampleServerTrustAnchor trust anchor, both of which are defined in the default binding. However, the encryption information in the request receiver references a SampleReceiverEncryptionKeyLocator key locator that is defined in the application-level binding (the same ibm-webservices-bnd.xmi file). The response sender is configured to use the signer key of the request's digital signature to encrypt the response, using one of the default key locator implementations (com.ibm.wsspi.wssecurity.config.CertInRequestKeyLocator).</p>
<p><strong>Example 4: Sample server IBM extension binding</strong></p>
<pre>&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
&lt;com.ibm.etools.webservice.wsbnd:WSBinding xmi:version=&quot;2.0&quot;
xmlns:xmi=&quot;http://www.omg.org/XMI&quot; xmlns:com.ibm.etools.webservice.wsbnd=
&quot;http://www.ibm.com/websphere/appserver/schemas/5.0.2/wsbnd.xmi&quot;&gt;
&lt;wsdescBindings wsDescNameLink=&quot;MyServ&quot;&gt;
&lt;pcBindings pcNameLink=&quot;Port1&quot; scope=&quot;Session&quot;&gt;
&lt;securityRequestReceiverBindingConfig&gt;
&lt;signingInfos&gt;
&lt;signatureMethod algorithm=&quot;http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot;/&gt;
&lt;certPathSettings&gt;
&lt;trustAnchorRef ref=&quot;SampleServerTrustAnchor&quot;/&gt;
&lt;certStoreRef ref=&quot;SampleCollectionCertStore&quot;/&gt;
&lt;/certPathSettings&gt;
&lt;canonicalizationMethod algorithm=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot;/&gt;
&lt;digestMethod algorithm=&quot;http://www.w3.org/2000/09/xmldsig#sha1&quot;/&gt;
&lt;/signingInfos&gt;
&lt;encryptionInfos name=&quot;EncInfo1&quot;&gt;
&lt;encryptionKey locatorRef=&quot;SampleReceiverEncryptionKeyLocator&quot;/&gt;
&lt;encryptionMethod algorithm=&quot;http://www.w3.org/2001/04/xmlenc#tripledes-cbc&quot;/&gt;
&lt;keyEncryptionMethod algorithm=&quot;http://www.w3.org/2001/04/xmlenc#rsa-1_5&quot;/&gt;
&lt;/encryptionInfos&gt;
&lt;keyLocators name=&quot;SampleReceiverEncryptionKeyLocator&quot;
classname=&quot;com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator&quot;&gt;
&lt;keyStore storepass=&quot;{xor}LCswLTovPiws&quot;
path=&quot;${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks&quot;
type=&quot;JCEKS&quot;/&gt;
&lt;keys alias=&quot;Group1&quot; keypass=&quot;{xor}NDomLz4sLA==&quot; name=&quot;CN=Group1&quot;/&gt;
&lt;keys alias=&quot;bob&quot; keypass=&quot;{xor}NDomLz4sLA==&quot; name=&quot;CN=Bob, O=IBM, C=US&quot;/&gt;
&lt;/keyLocators&gt;
&lt;/securityRequestReceiverBindingConfig&gt;
&lt;securityResponseSenderBindingConfig&gt;
&lt;signingInfo&gt;
&lt;signatureMethod algorithm=&quot;http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot;/&gt;
&lt;signingKey name=&quot;serversignerkey&quot; locatorRef=&quot;SampleServerSignerKey&quot;/&gt;
&lt;canonicalizationMethod algorithm=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot;/&gt;
&lt;digestMethod algorithm=&quot;http://www.w3.org/2000/09/xmldsig#sha1&quot;/&gt;
&lt;/signingInfo&gt;
&lt;encryptionInfo name=&quot;EncInfo2&quot;&gt;
&lt;encryptionKey locatorRef=&quot;SignerKeyLocator&quot;/&gt;
&lt;encryptionMethod algorithm=&quot;http://www.w3.org/2001/04/xmlenc#tripledes-cbc&quot;/&gt;
&lt;keyEncryptionMethod algorithm=&quot;http://www.w3.org/2001/04/xmlenc#rsa-1_5&quot;/&gt;
&lt;/encryptionInfo&gt;
&lt;keyLocators name=&quot;SignerKeyLocator&quot;
classname=&quot;com.ibm.wsspi.wssecurity.config.CertInRequestKeyLocator&quot;/&gt;
&lt;/securityResponseSenderBindingConfig&gt;
&lt;/pcBindings&gt;
&lt;/wsdescBindings&gt;
&lt;routerModules transport=&quot;http&quot; name=&quot;StockQuote.war&quot;/&gt;
&lt;/com.ibm.etools.webservice.wsbnd:WSBinding&gt;</pre>
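<p>The <tt>storepass</tt> and <tt>keypass</tt> values in Examples 2 and 4 are written in WebSphere's <tt>{xor}</tt> form: each byte of the password XORed with 0x5F and then base64-encoded (a documented WebSphere convention, not something this page states). That is reversible obfuscation, not encryption, so a bindings file needs the same access control as the key stores it points to. The following Python is an added example, not code from this page or from WebSphere; it checks that the encoded values in the examples match the key store passwords listed at the top of this page and flags any password a bindings file stores in the clear. The <tt>keyLocators</tt> fragment it scans is constructed, with one <tt>keypass</tt> deliberately left unobfuscated.</p>

```python
"""Audit the password attributes of a WebSphere Web services bindings file.

WebSphere stores key store and key passwords in ibm-webservices-bnd.xmi in its {xor}
form: each byte of the plaintext XORed with 0x5F, then base64-encoded. The values below
are the sample passwords and {xor} strings from this page; the XML fragment is constructed."""
import base64
import xml.etree.ElementTree as ET

PREFIX = "{xor}"


def xor_encode(plaintext):
    """Obfuscate a password the way the WebSphere tooling stores it."""
    masked = bytes(b ^ 0x5F for b in plaintext.encode("utf-8"))
    return PREFIX + base64.b64encode(masked).decode("ascii")


def xor_decode(value):
    """Recover the plaintext of a {xor} value; a value without the prefix is already clear text."""
    if not value.startswith(PREFIX):
        return value
    masked = base64.b64decode(value[len(PREFIX):])
    return bytes(b ^ 0x5F for b in masked).decode("utf-8")


# Documented sample passwords paired with the {xor} values Examples 2 and 4 use for them.
SAMPLE_PASSWORDS = {
    "dsig-sender.ks storepass": ("client", "{xor}PDM2OjEr"),
    "enc-sender.jceks storepass": ("storepass", "{xor}LCswLTovPiws"),
    "enc-sender.jceks keypass": ("keypass", "{xor}NDomLz4sLA=="),
}


def mismatched_samples(samples=SAMPLE_PASSWORDS):
    """Entries whose {xor} value does not decode to the documented password (expected: none)."""
    return [name for name, (plain, encoded) in samples.items() if xor_decode(encoded) != plain]


# Constructed keyLocators fragment in the shape of Example 2, with one keypass left in the clear.
FRAGMENT = """<keyLocators name="SampleClientSignerKey" classname="com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator">
 <keyStore storepass="{xor}PDM2OjEr" path="${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks" type="JKS"/>
 <keys alias="soaprequester" keypass="client" name="clientsignerkey"/>
</keyLocators>"""


def clear_text_passwords(xml_text):
    """(element, attribute) pairs whose storepass or keypass is stored without {xor} obfuscation."""
    root = ET.fromstring(xml_text)
    return [(el.tag, attr) for el in root.iter() for attr in ("storepass", "keypass")
            if el.get(attr) is not None and not el.get(attr).startswith(PREFIX)]
```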
</body>
</html>