This task is used to configure signature authentication. A signature refers to the use of an X509 certificate to login on the target server. For more information on signature authentication, see Digital signature authentication method.
Perform the folowing steps in the WebSphere Development Studio Client for iSeries to specify signature authentication for your Web service client:
Open the webservicesclient.xml file in the Web Services Client Editor of the WebSphere Development Studio Client for iSeries. For more information, see Configure your Web services application.
Click the Security Extensions tab.
Expand the Request Sender Configuration --> Login Config settings. Select Signature to authenticate the client using the certificate used to digitally sign the request.
Save the file.
Next, perform the following steps in the Web Services Client Editor to specify how the signature authentication information is collected:
Click the Port Binding tab.
Expand Security Request Sender Binding Configuration --> Signing Information and click Edit to display and modify the signing key name and signing key locator.
To create new signing information, click Enable. The certificate that is sent to login at the server is the one configured in the Signing Information panel. For more information about how the signing key name maps to a key within the key locator entry, see Configure key locators.
The following table describes the purpose of this information. Some of these definitions are based on the XML-Signature Syntax and Processing specification (http://www.w3.org/TR/xmldsig-core).
Name | Purpose |
---|---|
Canonicalization method algorithm | The canonicalization method algorithm is used to canonicalize the SignedInfo element before it is digested as part of the signature operation. |
Digest method algorithm | The digest method algorithm is the algorithm applied to the data after transforms are applied, if specified, to yield the <DigestValue>. The signing of the DigestValue binds resource content to the signer key. The algorithm that is selected for the client request sender configuration must match the algorithm that is selected in the server request receiver configuration. |
Signature method algorithm | The signature method is the algorithm that is used to convert the canonicalized <SignedInfo> into the <SignatureValue>. The algorithm that is selected for the client request sender configuration must match the algorithm that is selected in the server request receiver configuration. |
Signing key name | The signing key name represents the key entry associated with the signing key locator. The key entry refers to an alias of the key, which is used to sign the request. |
Signing key locator | The signing key locator represents a reference to a key locator implementation. For more information on configuring key locators, see Configure key locators. |
Expand the Security Request Sender Binding Configuration --> Login Binding settings.
Click Edit to view the Login Binding information. The login binding information is displayed.
Select or enter the following information:
Name | Purpose |
---|---|
Authentication method | The authentication method specifies the type of authentication that occurs. Select Signature to use signature authentication. |
Token value type URI and Token value type URI local name | When you select Signature, you cannot edit the Token value type URI and Local name values. These values are specifically for custom authentication types. For signature authentication, you do not need to enter any information. |
Callback handler | The callback handler specifies the Java Authentication and Authorization Server (JAAS) callback
handler implementation for collecting signature information. Enter the following callback handler for
signature authentication: com.ibm.wsspi.wssecurity.auth.callback. NonPromptCallbackHandler. This callback handler is used because signature does not require user interaction. |
Basic authentication User ID and Basic authentication Password | Do not enter anything in the BasicAuth fields when Signature authentication is desired. |
Property Name and Property Value | This field enables you to enter properties and name and value pairs for use by custom callback handlers. For signature authentication, you do not need to enter any information. |
(Optional) There is a basic authentication entry in the Port Qualified Name Binding Details section. This entry is used for HTTP transport authentication, which may be required if the router servlet is protected.
Information that is specified in the Web services security signature authentication section overrides the basic authentication information that is specified in the Port Qualified Name Binding Details section for authorizing the Web service.
If you want the signature identity of this client to flow downstream, configure the first Web service client to use ID assertion or Lightweight Third Party Authentication (LTPA) authentication instead.
Note: Examples may be wrapped for display purposes.