ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/webserv/wsseccfadigcl.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">

<title>Configure the Web services client for signature authentication</title>
</head>

<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>

<h6><a name="wsseccfadigcl"></a>Configure the Web services client for signature authentication</h6>

<p>This task is used to configure signature authentication. A signature refers to the use of an X509 
certificate to login on the target server. For more information on signature authentication, see <a href="wssecsignauth.htm">Digital signature authentication method</a>.</p>


<p>Perform the folowing steps in the WebSphere Development Studio Client for iSeries to specify 
signature authentication for your Web service client:</p>

<ol>
<li><p>Open the webservicesclient.xml file in the Web Services Client Editor of the WebSphere 
Development Studio Client for iSeries. For more information, see <a href="astk.htm">Configure your Web 
services application</a>.</p></li>

<li><p>Click the <strong>Security Extensions</strong> tab.</p></li>

<li><p>Expand the <strong>Request Sender Configuration --&gt; Login Config</strong> settings. Select 
<strong>Signature</strong> to authenticate the client using the certificate used to digitally sign the 
request.</p></li>

<li><p>Save the file.</p></li>
</ol>

<p>Next, perform the following steps in the Web Services Client Editor to specify how the signature 
authentication information is collected:</p>

<ol>
<li><p>Click the <strong>Port Binding</strong> tab.</p></li>

<li><p>Expand <strong>Security Request Sender Binding Configuration --&gt; Signing Information</strong> 
and click <strong>Edit</strong> to display and modify the signing key name and signing key locator.</p>

<p>To create new signing information, click <strong>Enable</strong>. The certificate that is sent to 
login at the server is the one configured in the Signing Information panel. For more information about 
how the signing key name maps to a key within the key locator entry, see <a href="wsseccfkeyloc.htm">Configure key locators</a>.</p>

<p>The following table describes the purpose of this information. Some of these definitions are based 
on the <a href="http://www.w3.org/TR/xmldsig-core" target="_">XML-Signature Syntax and Processing 
specification</a> <img src="www.gif" width="18" height="15" alt="Link outside Information Center"> 
(http://www.w3.org/TR/xmldsig-core).</p>

<table border="1" cellpadding="3" cellspacing="0">
<tr valign="top">
<th>Name</th>
<th>Purpose</th>
</tr>

<tr valign="top">
<td><strong>Canonicalization method algorithm</strong></td>
<td>The canonicalization method algorithm is used to canonicalize the SignedInfo element before it is 
digested as part of the signature operation.</td>
</tr>

<tr valign="top">
<td><strong>Digest method algorithm</strong></td>
<td>The digest method algorithm is the algorithm applied to the data after transforms are applied, if 
specified, to yield the &lt;DigestValue&gt;. The signing of the DigestValue binds resource content to 
the signer key. The algorithm that is selected for the client request sender configuration must match 
the algorithm that is selected in the server request receiver configuration.</td>
</tr>

<tr valign="top">
<td><strong>Signature method algorithm</strong></td>
<td>The signature method is the algorithm that is used to convert the canonicalized &lt;SignedInfo&gt; 
into the &lt;SignatureValue&gt;. The algorithm that is selected for the client request sender 
configuration must match the algorithm that is selected in the server request receiver 
configuration.</td>
</tr>

<tr valign="top">
<td><strong>Signing key name</strong></td>
<td>The signing key name represents the key entry associated with the signing key locator. The key 
entry refers to an alias of the key, which is used to sign the request.</td>
</tr>

<tr valign="top">
<td><strong>Signing key locator</strong></td>
<td>The signing key locator represents a reference to a key locator implementation. For more 
information on configuring key locators, see <a href="wsseccfkeyloc.htm">Configure key 
locators</a>.</td>
</tr>
</table><p></p></li>

<li><p>Expand the <strong>Security Request Sender Binding Configuration --&gt; Login Binding</strong> 
settings.</p></li>

<li><p>Click <strong>Edit</strong> to view the Login Binding information. The login binding information 
is displayed.</p></li>

<li><p>Select or enter the following information:</p>

<table border="1" cellpadding="3" cellspacing="0">
  
<tr valign="top">
<th>Name</th>
<th>Purpose</th>
</tr>

<tr valign="top">
<td><strong>Authentication method</strong></td>
<td>The authentication method specifies the type of authentication that occurs. Select 
<strong>Signature</strong> to use signature authentication.</td>
</tr>

<tr valign="top">
<td><strong>Token value type URI</strong> and <strong>Token value type URI </strong><strong>local 
name</strong></td>
<td>When you select <strong>Signature</strong>, you cannot edit the <strong>Token value type 
URI</strong> and <strong>Local name</strong> values. These values are specifically for custom 
authentication types. For signature authentication, you do not need to enter any information.</td>
</tr>

<tr valign="top">
<td><strong>Callback handler</strong></td>
<td>The callback handler specifies the Java Authentication and Authorization Server (JAAS) callback 
handler implementation for collecting signature information. Enter the following callback handler for 
signature authentication: <tt>com.ibm.wsspi.wssecurity.auth.callback.<br>NonPromptCallbackHandler</tt>. This 
callback handler is used because signature does not require user interaction.</td>
</tr>

<tr valign="top">
<td><strong>Basic authentication User ID</strong> and <strong>Basic authentication 
Password</strong></td>
<td>Do not enter anything in the BasicAuth fields when Signature authentication is desired.</td>
</tr>

<tr valign="top">
<td><strong>Property Name</strong> and <strong>Property Value</strong></td>
<td>This field enables you to enter properties and name and value pairs for use by custom callback 
handlers. For signature authentication, you do not need to enter any information.</td>
</tr>
</table><p></p></li>

<li><p>(Optional) There is a basic authentication entry in the Port Qualified Name Binding Details
section. This entry is used for HTTP transport authentication, which may be required if the router 
servlet is protected.</p>

<p>Information that is specified in the Web services security signature authentication section 
overrides the basic authentication information that is specified in the Port Qualified Name Binding 
Details section for authorizing the Web service.</p>

<p>If you want the signature identity of this client to flow downstream, configure the first Web 
service client to use ID assertion or Lightweight Third Party Authentication (LTPA) authentication 
instead.</p></li>
</ol>
<p><strong>Note: </strong>Examples may be wrapped for display purposes.</p>
</body>
</html>
Add readme and dist folders 2024-04-02 14:02:31 +00:00			`<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">`
			`<html>`
			`<head>`
			`<META http-equiv="Content-Type" content="text/html; charset=utf-8">`
			`<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">`

			`<title>Configure the Web services client for signature authentication</title>`
			`</head>`

			`<BODY>`
			`<!-- Java sync-link -->`
			`<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>`

			`<h6><a name="wsseccfadigcl"></a>Configure the Web services client for signature authentication</h6>`

			`<p>This task is used to configure signature authentication. A signature refers to the use of an X509`
			`certificate to login on the target server. For more information on signature authentication, see <a href="wssecsignauth.htm">Digital signature authentication method</a>.</p>`


			`<p>Perform the folowing steps in the WebSphere Development Studio Client for iSeries to specify`
			`signature authentication for your Web service client:</p>`

			`<ol>`
			`<li><p>Open the webservicesclient.xml file in the Web Services Client Editor of the WebSphere`
			`Development Studio Client for iSeries. For more information, see <a href="astk.htm">Configure your Web`
			`services application</a>.</p></li>`

			`<li><p>Click the <strong>Security Extensions</strong> tab.</p></li>`

			`<li><p>Expand the <strong>Request Sender Configuration --> Login Config</strong> settings. Select`
			`<strong>Signature</strong> to authenticate the client using the certificate used to digitally sign the`
			`request.</p></li>`

			`<li><p>Save the file.</p></li>`
			`</ol>`

			`<p>Next, perform the following steps in the Web Services Client Editor to specify how the signature`
			`authentication information is collected:</p>`

			`<ol>`
			`<li><p>Click the <strong>Port Binding</strong> tab.</p></li>`

			`<li><p>Expand <strong>Security Request Sender Binding Configuration --> Signing Information</strong>`
			`and click <strong>Edit</strong> to display and modify the signing key name and signing key locator.</p>`

			`<p>To create new signing information, click <strong>Enable</strong>. The certificate that is sent to`
			`login at the server is the one configured in the Signing Information panel. For more information about`
			`how the signing key name maps to a key within the key locator entry, see <a href="wsseccfkeyloc.htm">Configure key locators</a>.</p>`

			`<p>The following table describes the purpose of this information. Some of these definitions are based`
			`on the <a href="http://www.w3.org/TR/xmldsig-core" target="_">XML-Signature Syntax and Processing`
			`specification</a> <img src="www.gif" width="18" height="15" alt="Link outside Information Center">`
			`(http://www.w3.org/TR/xmldsig-core).</p>`

			`<table border="1" cellpadding="3" cellspacing="0">`
			`<tr valign="top">`
			`<th>Name</th>`
			`<th>Purpose</th>`
			`</tr>`

			`<tr valign="top">`
			`<td><strong>Canonicalization method algorithm</strong></td>`
			`<td>The canonicalization method algorithm is used to canonicalize the SignedInfo element before it is`
			`digested as part of the signature operation.</td>`
			`</tr>`

			`<tr valign="top">`
			`<td><strong>Digest method algorithm</strong></td>`
			`<td>The digest method algorithm is the algorithm applied to the data after transforms are applied, if`
			`specified, to yield the <DigestValue>. The signing of the DigestValue binds resource content to`
			`the signer key. The algorithm that is selected for the client request sender configuration must match`
			`the algorithm that is selected in the server request receiver configuration.</td>`
			`</tr>`

			`<tr valign="top">`
			`<td><strong>Signature method algorithm</strong></td>`
			`<td>The signature method is the algorithm that is used to convert the canonicalized <SignedInfo>`
			`into the <SignatureValue>. The algorithm that is selected for the client request sender`
			`configuration must match the algorithm that is selected in the server request receiver`
			`configuration.</td>`
			`</tr>`

			`<tr valign="top">`
			`<td><strong>Signing key name</strong></td>`
			`<td>The signing key name represents the key entry associated with the signing key locator. The key`
			`entry refers to an alias of the key, which is used to sign the request.</td>`
			`</tr>`

			`<tr valign="top">`
			`<td><strong>Signing key locator</strong></td>`
			`<td>The signing key locator represents a reference to a key locator implementation. For more`
			`information on configuring key locators, see <a href="wsseccfkeyloc.htm">Configure key`
			`locators</a>.</td>`
			`</tr>`
			`</table><p></p></li>`

			`<li><p>Expand the <strong>Security Request Sender Binding Configuration --> Login Binding</strong>`
			`settings.</p></li>`

			`<li><p>Click <strong>Edit</strong> to view the Login Binding information. The login binding information`
			`is displayed.</p></li>`

			`<li><p>Select or enter the following information:</p>`

			`<table border="1" cellpadding="3" cellspacing="0">`

			`<tr valign="top">`
			`<th>Name</th>`
			`<th>Purpose</th>`
			`</tr>`

			`<tr valign="top">`
			`<td><strong>Authentication method</strong></td>`
			`<td>The authentication method specifies the type of authentication that occurs. Select`
			`<strong>Signature</strong> to use signature authentication.</td>`
			`</tr>`

			`<tr valign="top">`
			`<td><strong>Token value type URI</strong> and <strong>Token value type URI </strong><strong>local`
			`name</strong></td>`
			`<td>When you select <strong>Signature</strong>, you cannot edit the <strong>Token value type`
			`URI</strong> and <strong>Local name</strong> values. These values are specifically for custom`
			`authentication types. For signature authentication, you do not need to enter any information.</td>`
			`</tr>`

			`<tr valign="top">`
			`<td><strong>Callback handler</strong></td>`
			`<td>The callback handler specifies the Java Authentication and Authorization Server (JAAS) callback`
			`handler implementation for collecting signature information. Enter the following callback handler for`
			`signature authentication: <tt>com.ibm.wsspi.wssecurity.auth.callback.<br>NonPromptCallbackHandler</tt>. This`
			`callback handler is used because signature does not require user interaction.</td>`
			`</tr>`

			`<tr valign="top">`
			`<td><strong>Basic authentication User ID</strong> and <strong>Basic authentication`
			`Password</strong></td>`
			`<td>Do not enter anything in the BasicAuth fields when Signature authentication is desired.</td>`
			`</tr>`

			`<tr valign="top">`
			`<td><strong>Property Name</strong> and <strong>Property Value</strong></td>`
			`<td>This field enables you to enter properties and name and value pairs for use by custom callback`
			`handlers. For signature authentication, you do not need to enter any information.</td>`
			`</tr>`
			`</table><p></p></li>`

			`<li><p>(Optional) There is a basic authentication entry in the Port Qualified Name Binding Details`
			`section. This entry is used for HTTP transport authentication, which may be required if the router`
			`servlet is protected.</p>`

			`<p>Information that is specified in the Web services security signature authentication section`
			`overrides the basic authentication information that is specified in the Port Qualified Name Binding`
			`Details section for authorizing the Web service.</p>`

			`<p>If you want the signature identity of this client to flow downstream, configure the first Web`
			`service client to use ID assertion or Lightweight Third Party Authentication (LTPA) authentication`
			`instead.</p></li>`
			`</ol>`
			`<p><strong>Note: </strong>Examples may be wrapped for display purposes.</p>`
			`</body>`
			`</html>`