<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Configure the Web services client for signature authentication</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h6><a name="wsseccfadigcl"></a>Configure the Web services client for signature authentication</h6>
<p>This task is used to configure signature authentication. Signature authentication means that the client uses an X.509 certificate, the one that digitally signs the request, to log in to the target server. For more information on signature authentication, see <a href="wssecsignauth.htm">Digital signature authentication method</a>.</p>
<p>Perform the following steps in the WebSphere Development Studio Client for iSeries to specify signature authentication for your Web service client:</p>
<ol>
<li><p>Open the webservicesclient.xml file in the Web Services Client Editor of the WebSphere Development Studio Client for iSeries. For more information, see <a href="astk.htm">Configure your Web services application</a>.</p></li>
<li><p>Click the <strong>Security Extensions</strong> tab.</p></li>
<li><p>Expand the <strong>Request Sender Configuration --&gt; Login Config</strong> settings. Select <strong>Signature</strong> to authenticate the client using the certificate used to digitally sign the request.</p></li>
<li><p>Save the file.</p></li>
</ol>
<p>Next, perform the following steps in the Web Services Client Editor to specify how the signature authentication information is collected:</p>
<ol>
<li><p>Click the <strong>Port Binding</strong> tab.</p></li>
<li><p>Expand <strong>Security Request Sender Binding Configuration --&gt; Signing Information</strong> and click <strong>Edit</strong> to display and modify the signing key name and signing key locator.</p>
<p>To create new signing information, click <strong>Enable</strong>. The certificate that is sent to log in at the server is the one configured in the Signing Information panel. For more information about how the signing key name maps to a key within the key locator entry, see <a href="wsseccfkeyloc.htm">Configure key locators</a>.</p>
<p>The following table describes the purpose of this information. Some of these definitions are based on the <a href="http://www.w3.org/TR/xmldsig-core" target="_">XML-Signature Syntax and Processing specification</a> <img src="www.gif" width="18" height="15" alt="Link outside Information Center"> (http://www.w3.org/TR/xmldsig-core).</p>
<table border="1" cellpadding="3" cellspacing="0">
<tr valign="top">
<th>Name</th>
<th>Purpose</th>
</tr>
<tr valign="top">
<td><strong>Canonicalization method algorithm</strong></td>
<td>The canonicalization method algorithm is used to canonicalize the SignedInfo element before it is digested as part of the signature operation.</td>
</tr>
<tr valign="top">
<td><strong>Digest method algorithm</strong></td>
<td>The digest method algorithm is the algorithm applied to the data after transforms are applied, if specified, to yield the &lt;DigestValue&gt;. The signing of the DigestValue binds resource content to the signer key. The algorithm that is selected for the client request sender configuration must match the algorithm that is selected in the server request receiver configuration.</td>
</tr>
<tr valign="top">
<td><strong>Signature method algorithm</strong></td>
<td>The signature method is the algorithm that is used to convert the canonicalized &lt;SignedInfo&gt; into the &lt;SignatureValue&gt;. The algorithm that is selected for the client request sender configuration must match the algorithm that is selected in the server request receiver configuration.</td>
</tr>
<tr valign="top">
<td><strong>Signing key name</strong></td>
<td>The signing key name represents the key entry associated with the signing key locator. The key entry refers to an alias of the key, which is used to sign the request.</td>
</tr>
<tr valign="top">
<td><strong>Signing key locator</strong></td>
<td>The signing key locator represents a reference to a key locator implementation. For more information on configuring key locators, see <a href="wsseccfkeyloc.htm">Configure key locators</a>.</td>
</tr>
</table><p></p></li>
<li><p>Expand the <strong>Security Request Sender Binding Configuration --&gt; Login Binding</strong> settings.</p></li>
<li><p>Click <strong>Edit</strong> to display the Login Binding information.</p></li>
<li><p>Select or enter the following information:</p>
<table border="1" cellpadding="3" cellspacing="0">
<tr valign="top">
<th>Name</th>
<th>Purpose</th>
</tr>
<tr valign="top">
<td><strong>Authentication method</strong></td>
<td>The authentication method specifies the type of authentication that occurs. Select <strong>Signature</strong> to use signature authentication.</td>
</tr>
<tr valign="top">
<td><strong>Token value type URI</strong> and <strong>Token value type URI local name</strong></td>
<td>When you select <strong>Signature</strong>, you cannot edit the <strong>Token value type URI</strong> and <strong>Local name</strong> values. These values are specifically for custom authentication types. For signature authentication, you do not need to enter any information.</td>
</tr>
<tr valign="top">
<td><strong>Callback handler</strong></td>
<td>The callback handler specifies the Java Authentication and Authorization Service (JAAS) callback handler implementation for collecting signature information. Enter the following callback handler for signature authentication: com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler. This callback handler is used because signature authentication does not require user interaction.</td>
</tr>
<tr valign="top">
<td><strong>Basic authentication User ID</strong> and <strong>Basic authentication Password</strong></td>
<td>Do not enter anything in the BasicAuth fields when Signature authentication is desired.</td>
</tr>
<tr valign="top">
<td><strong>Property Name</strong> and <strong>Property Value</strong></td>
<td>This field enables you to enter properties, as name and value pairs, for use by custom callback handlers. For signature authentication, you do not need to enter any information.</td>
</tr>
</table><p></p></li>
<li><p>(Optional) There is a basic authentication entry in the Port Qualified Name Binding Details section. This entry is used for HTTP transport authentication, which may be required if the router servlet is protected.</p>
<p>Information that is specified in the Web services security signature authentication section overrides the basic authentication information that is specified in the Port Qualified Name Binding Details section for authorizing the Web service.</p>
<p>If you want the signature identity of this client to flow downstream, configure the first Web service client to use ID assertion or Lightweight Third Party Authentication (LTPA) authentication instead.</p></li>
</ol>
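<p>The Signing Information table above lists three algorithms (canonicalization, digest and signature method) and notes that the client request sender and the server request receiver must agree on them. The following program is an added example, not IBM code and not part of the WebSphere runtime; it uses only the standard Java XML Digital Signature API (javax.xml.crypto.dsig) to show what those settings mean on the wire: the client builds a SignedInfo with the three algorithms and signs the request with the key found under a signing key name, and a hypothetical receiver rejects the request when any algorithm differs from its own configuration, before it spends any effort on cryptographic validation. The KEY_LOCATOR map, the alias "client-signing-key", the EXPECTED_* policy constants and the request body are all constructed for this example; a WebSphere key locator is a configured implementation class, as described in Configure key locators.</p>

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class SignatureAuthExample {
    // Receiver-side policy (hypothetical): the algorithms the server request
    // receiver is configured to accept. The client sender must use the same ones.
    static final String EXPECTED_C14N = CanonicalizationMethod.EXCLUSIVE;
    static final String EXPECTED_DIGEST = DigestMethod.SHA256;
    static final String EXPECTED_SIGNATURE = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Stand-in for a key locator: maps a signing key name (alias) to a key pair.
    static final Map<String, KeyPair> KEY_LOCATOR = new HashMap<>();
    static final String SIGNING_KEY_NAME = "client-signing-key"; // constructed alias

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required for XML-DSig processing
        return dbf.newDocumentBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Client request sender: build SignedInfo with the three configured algorithms,
    // then sign the whole document (enveloped signature) with the located key.
    static void sign(Document doc, PrivateKey key, String c14n, String digest, String sigAlg)
            throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(digest, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED,
                (TransformParameterSpec) null)), null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(c14n, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(sigAlg, null),
            Collections.singletonList(ref));
        // No KeyInfo: the receiver resolves the verification key by the agreed alias.
        fac.newXMLSignature(si, null).sign(new DOMSignContext(key, doc.getDocumentElement()));
    }

    // Server request receiver: reject on algorithm mismatch before doing any
    // cryptographic work, then validate the digest and the signature value.
    static boolean receiverAccepts(Document doc, PublicKey key) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) return false;
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(key, nl.item(0));
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        SignedInfo si = sig.getSignedInfo();
        Reference ref = (Reference) si.getReferences().get(0);
        boolean algorithmsMatch =
            EXPECTED_C14N.equals(si.getCanonicalizationMethod().getAlgorithm())
            && EXPECTED_SIGNATURE.equals(si.getSignatureMethod().getAlgorithm())
            && EXPECTED_DIGEST.equals(ref.getDigestMethod().getAlgorithm());
        return algorithmsMatch && sig.validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KEY_LOCATOR.put(SIGNING_KEY_NAME, kpg.generateKeyPair());
        KeyPair kp = KEY_LOCATOR.get(SIGNING_KEY_NAME);

        String request = "<Envelope><Body>order 42</Body></Envelope>"; // constructed request

        Document good = parse(request);
        sign(good, kp.getPrivate(), EXPECTED_C14N, EXPECTED_DIGEST, EXPECTED_SIGNATURE);
        System.out.println("matching algorithms, accepted: " + receiverAccepts(good, kp.getPublic()));

        Document mismatched = parse(request);
        sign(mismatched, kp.getPrivate(), EXPECTED_C14N, DigestMethod.SHA512, EXPECTED_SIGNATURE);
        System.out.println("digest mismatch, accepted: " + receiverAccepts(mismatched, kp.getPublic()));

        good.getElementsByTagName("Body").item(0).setTextContent("order 43");
        System.out.println("body modified after signing, accepted: " + receiverAccepts(good, kp.getPublic()));
    }
}
```

<p>Compile and run with a standard JDK (javac SignatureAuthExample.java; java SignatureAuthExample). The second case is the one the table warns about: the signature itself is mathematically sound, but the receiver is configured for a different digest algorithm, so the request is refused; the third case shows the digest binding the Body content to the signer's key, which is what makes the signing certificate usable as a login credential. Current JDKs run XML signature validation in secure mode by default, which is another reason to keep the algorithm choice on both sides to SHA-256 or stronger.</p>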
</body>
</html>