ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzatz_5.4.0.1/51/webserv/wsseccfadigsv.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">

<title>Configure the server for Web service signature authentication</title>
</head>

<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>

<h6><a name="wsseccfadigsv"></a>Configure the server for Web service signature authentication</h6>

<p>This task is used to configure signature authentication at the server. <em>Signature</em> refers
to the an X.509 certificate sent by the client to the server. The certificate is used to authenticate to the user registry configured at the server. After a request is received by the server that contains certificate, the server needs to log in to form a credential. The credential is used for authorization.
If the certificate supplied cannot be mapped to an entry in the user registry, an exception is thrown and the request ends without invoking the resource. For more information, see <a href="wssecsignauth.htm">Digital signature authentication method</a>.</p>

<p>Perform the following steps in the WebSphere Development Studio Client for iSeries to configure the server for Web services signature authentication:</p>

<ol>
<li><p>Open the webservices.xml deployment descriptor for your Web services application in the Web Services Editor of the WebSphere Development Studio Client for iSeries. For more information, see <a href="astk.htm">Configure your Web services application</a>.</p></li>

<li><p>Click the <strong>Security Extensions</strong> tab.</p></li>

<li><p>Expand the <strong>Request Receiver Service Configuration Details --&gt; Login Config</strong> settings. Select <strong>Signature</strong> to authenticate the client using an X509 certificate.</p>

<p>The certificate that is sent from the client is the certificate used for signing the message. You must be able to map this certificate to the configured user registry. For Local OS, the common name (cn) of the distinguished name (DN) is mapped to a user ID in the registry. For LDAP, you can configure multiple mapping modes:</p>
    <ul>
    <li><p><strong>EXACT_DN</strong>
    <br>This default mode directly maps the DN of the certificate to an entry in the LDAP server.</p></li>
    <li><p><strong>CERTIFICATE_FILTER</strong>
    <br>With this mode, the LDAP advanced configuration has a place to specify a filter that maps specific attributes of the certificate to specific attributes of the LDAP server.</p></li>
    </ul></li>

<li><p>Save the file.</p></li>
</ol>

<p>Next, perform the following steps in the Web Services Editor to specify how the signature authentication information is validated:</p>

<ol><li><p>Click the <strong>Binding Configurations</strong> tab.</p></li>

<li><p>Expand the <strong>Request Receiver Binding Configuration Details --&gt; Login Mapping</strong>
settings.</p></li>

<li><p>Click <strong>Edit</strong> to view the login mapping information or click <strong>Add</strong> to add new login mapping information. The login mapping dialog is displayed.</p></li>

<li><p>Select or enter the following information:</p>

<table border="1" cellpadding="3" cellspacing="0">
<tr valign="top">
<th>Name</th>
<th>Purpose</th>
</tr>

<tr valign="top">
<td><strong>Authentication method</strong></td>
<td>The authentication method specifies the type of authentication that occurs. Select <strong> Signature</strong> to use signature authentication.</td>
</tr>

<tr valign="top">
<td><strong>Configuration name</strong></td>
<td>This specifies the Java Authentication and Authorization Service (JAAS) login configuration name. 
For the signature authentication method, enter <tt>system.wssecurity.Signature</tt> for the JAAS login 
configuration name. This specification logs in with the com.ibm.wsspi.wssecurity.auth.module.
SignatureLoginModule JAAS login module.</td>
</tr>

<tr valign="top">
<td><strong>Use Token value type</strong></td>
<td>This determines if you want to specify a custom token type. For the default authentication method selections, you do not need to specify a value.</td>
</tr>

<tr valign="top">
<td><strong>URI</strong> and <strong>Local name</strong></td>
<td>When you select <strong>Signature</strong>, you cannot edit the token value type URI and local name values. These values are specifically for custom authentication types. For signature authentication, you do not need to enter any information.</td>
</tr>

<tr valign="top">
<td><strong>Callback Handler factory class name</strong></td>
<td>This class name creates a JAAS CallbackHandler implementation that understands the following callback handlers:
    <ul>
    <li>javax.security.auth.callback.NameCallback</li>
    <li>javax.security.auth.callback.PasswordCallback</li>
    <li>com.ibm.wsspi.wssecurity.auth.callback.
	BinaryTokenCallback</li>
    <li>com.ibm.wsspi.wssecurity.auth.callback.
	XMLTokenReceiverCallback</li>
    <li>com.ibm.wsspi.wssecurity.auth.callback.
	PropertyCallback</li>
    </ul>

<p>For any of the default Authentication methods (BasicAuth, IDAssertion, Signature), use the callback 
handler factory default implementation. Enter the following class name for any of the default 
authentication methods including signature: <tt>com.ibm.wsspi.wssecurity.auth.callback.
WSCallbackHandlerFactoryImpl</tt>. This implementation creates the correct callback handler for the 
default implementations.</p></td>
</tr>

<tr valign="top">
<td><strong>Callback handler factory property name</strong> and <strong>Callback handler factory property value</strong></td>
<td>This field is used to specify callback handler properties for custom callback handler factory implementations. You do not need to specify any properties for the default callback handler factory implementation. For signature, you do not need to enter any properties for this field.</td>
</tr>

<tr valign="top">
<td><strong>Login mapping property name</strong> and <strong>Login mapping property value</strong></td>
<td>This field is used to specify properties for a custom login mapping to use. For the default implementations including signature, you do not need to enter any properties for this field.</td>
</tr>
</table><p></p></li>

<li><p>Save the file.</p></li>
</ol>

</body>
</html>
Add readme and dist folders 2024-04-02 14:02:31 +00:00			`<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">`
			`<html>`
			`<head>`
			`<META http-equiv="Content-Type" content="text/html; charset=utf-8">`
			`<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">`

			`<title>Configure the server for Web service signature authentication</title>`
			`</head>`

			`<BODY>`
			`<!-- Java sync-link -->`
			`<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>`

			`<h6><a name="wsseccfadigsv"></a>Configure the server for Web service signature authentication</h6>`

			`<p>This task is used to configure signature authentication at the server. <em>Signature</em> refers`
			`to the an X.509 certificate sent by the client to the server. The certificate is used to authenticate to the user registry configured at the server. After a request is received by the server that contains certificate, the server needs to log in to form a credential. The credential is used for authorization.`
			`If the certificate supplied cannot be mapped to an entry in the user registry, an exception is thrown and the request ends without invoking the resource. For more information, see <a href="wssecsignauth.htm">Digital signature authentication method</a>.</p>`

			`<p>Perform the following steps in the WebSphere Development Studio Client for iSeries to configure the server for Web services signature authentication:</p>`

			`<ol>`
			`<li><p>Open the webservices.xml deployment descriptor for your Web services application in the Web Services Editor of the WebSphere Development Studio Client for iSeries. For more information, see <a href="astk.htm">Configure your Web services application</a>.</p></li>`

			`<li><p>Click the <strong>Security Extensions</strong> tab.</p></li>`

			`<li><p>Expand the <strong>Request Receiver Service Configuration Details --> Login Config</strong> settings. Select <strong>Signature</strong> to authenticate the client using an X509 certificate.</p>`

			`<p>The certificate that is sent from the client is the certificate used for signing the message. You must be able to map this certificate to the configured user registry. For Local OS, the common name (cn) of the distinguished name (DN) is mapped to a user ID in the registry. For LDAP, you can configure multiple mapping modes:</p>`
			`<ul>`
			`<li><p><strong>EXACT_DN</strong>`
			`<br>This default mode directly maps the DN of the certificate to an entry in the LDAP server.</p></li>`
			`<li><p><strong>CERTIFICATE_FILTER</strong>`
			`<br>With this mode, the LDAP advanced configuration has a place to specify a filter that maps specific attributes of the certificate to specific attributes of the LDAP server.</p></li>`
			`</ul></li>`

			`<li><p>Save the file.</p></li>`
			`</ol>`

			`<p>Next, perform the following steps in the Web Services Editor to specify how the signature authentication information is validated:</p>`

			`<ol><li><p>Click the <strong>Binding Configurations</strong> tab.</p></li>`

			`<li><p>Expand the <strong>Request Receiver Binding Configuration Details --> Login Mapping</strong>`
			`settings.</p></li>`

			`<li><p>Click <strong>Edit</strong> to view the login mapping information or click <strong>Add</strong> to add new login mapping information. The login mapping dialog is displayed.</p></li>`

			`<li><p>Select or enter the following information:</p>`

			`<table border="1" cellpadding="3" cellspacing="0">`
			`<tr valign="top">`
			`<th>Name</th>`
			`<th>Purpose</th>`
			`</tr>`

			`<tr valign="top">`
			`<td><strong>Authentication method</strong></td>`
			`<td>The authentication method specifies the type of authentication that occurs. Select <strong> Signature</strong> to use signature authentication.</td>`
			`</tr>`

			`<tr valign="top">`
			`<td><strong>Configuration name</strong></td>`
			`<td>This specifies the Java Authentication and Authorization Service (JAAS) login configuration name.`
			`For the signature authentication method, enter <tt>system.wssecurity.Signature</tt> for the JAAS login`
			`configuration name. This specification logs in with the com.ibm.wsspi.wssecurity.auth.module.`
			`SignatureLoginModule JAAS login module.</td>`
			`</tr>`

			`<tr valign="top">`
			`<td><strong>Use Token value type</strong></td>`
			`<td>This determines if you want to specify a custom token type. For the default authentication method selections, you do not need to specify a value.</td>`
			`</tr>`

			`<tr valign="top">`
			`<td><strong>URI</strong> and <strong>Local name</strong></td>`
			`<td>When you select <strong>Signature</strong>, you cannot edit the token value type URI and local name values. These values are specifically for custom authentication types. For signature authentication, you do not need to enter any information.</td>`
			`</tr>`

			`<tr valign="top">`
			`<td><strong>Callback Handler factory class name</strong></td>`
			`<td>This class name creates a JAAS CallbackHandler implementation that understands the following callback handlers:`
			`<ul>`
			`<li>javax.security.auth.callback.NameCallback</li>`
			`<li>javax.security.auth.callback.PasswordCallback</li>`
			`<li>com.ibm.wsspi.wssecurity.auth.callback.`
			`BinaryTokenCallback</li>`
			`<li>com.ibm.wsspi.wssecurity.auth.callback.`
			`XMLTokenReceiverCallback</li>`
			`<li>com.ibm.wsspi.wssecurity.auth.callback.`
			`PropertyCallback</li>`
			`</ul>`

			`<p>For any of the default Authentication methods (BasicAuth, IDAssertion, Signature), use the callback`
			`handler factory default implementation. Enter the following class name for any of the default`
			`authentication methods including signature: <tt>com.ibm.wsspi.wssecurity.auth.callback.`
			`WSCallbackHandlerFactoryImpl</tt>. This implementation creates the correct callback handler for the`
			`default implementations.</p></td>`
			`</tr>`

			`<tr valign="top">`
			`<td><strong>Callback handler factory property name</strong> and <strong>Callback handler factory property value</strong></td>`
			`<td>This field is used to specify callback handler properties for custom callback handler factory implementations. You do not need to specify any properties for the default callback handler factory implementation. For signature, you do not need to enter any properties for this field.</td>`
			`</tr>`

			`<tr valign="top">`
			`<td><strong>Login mapping property name</strong> and <strong>Login mapping property value</strong></td>`
			`<td>This field is used to specify properties for a custom login mapping to use. For the default implementations including signature, you do not need to enter any properties for this field.</td>`
			`</tr>`
			`</table><p></p></li>`

			`<li><p>Save the file.</p></li>`
			`</ol>`

			`</body>`
			`</html>`