Configure the server for Web service signature authentication

This task is used to configure signature authentication at the server. Signature refers to the an X.509 certificate sent by the client to the server. The certificate is used to authenticate to the user registry configured at the server. After a request is received by the server that contains certificate, the server needs to log in to form a credential. The credential is used for authorization. If the certificate supplied cannot be mapped to an entry in the user registry, an exception is thrown and the request ends without invoking the resource. For more information, see Digital signature authentication method.

Perform the following steps in the WebSphere Development Studio Client for iSeries to configure the server for Web services signature authentication:

1. Open the webservices.xml deployment descriptor for your Web services application in the Web Services Editor of the WebSphere Development Studio Client for iSeries. For more information, see Configure your Web services application.

2. Click the Security Extensions tab.

3. Expand the Request Receiver Service Configuration Details --> Login Config settings. Select Signature to authenticate the client using an X509 certificate.

   The certificate that is sent from the client is the certificate used for signing the message. You must be able to map this certificate to the configured user registry. For Local OS, the common name (cn) of the distinguished name (DN) is mapped to a user ID in the registry. For LDAP, you can configure multiple mapping modes:

   • EXACT_DN
     This default mode directly maps the DN of the certificate to an entry in the LDAP server.

   • CERTIFICATE_FILTER
     With this mode, the LDAP advanced configuration has a place to specify a filter that maps specific attributes of the certificate to specific attributes of the LDAP server.

4. Save the file.

Next, perform the following steps in the Web Services Editor to specify how the signature authentication information is validated:

1. Click the Binding Configurations tab.

2. Expand the Request Receiver Binding Configuration Details --> Login Mapping settings.

3. Click Edit to view the login mapping information or click Add to add new login mapping information. The login mapping dialog is displayed.

4. Select or enter the following information:

   Name	Purpose
   Authentication method	The authentication method specifies the type of authentication that will occur. Select Signature to use signature authentication.
   Configuration name	This specifies the Java Authentication and Authorization Service (JAAS) login configuration name. For the signature authentication method, enter system.wssecurity.Signature for the JAAS login configuration name. This specification logs in with the com.ibm.wsspi.wssecurity.auth. module.SignatureLoginModule JAAS login module.
   Use Token value type	This determines if you want to specify a custom token type. For the default authentication method selections, you do not need to specify a value.
   URI and Local name	When you select Signature, you cannot edit the token value type URI and local name values. These values are specifically for custom authentication types. For signature authentication, you do not need to enter any information.
   Callback Handler factory class name	This class name creates a JAAS CallbackHandler implementation that understands the following callback handlers: javax.security.auth.callback. NameCallback javax.security.auth.callback. PasswordCallback com.ibm.wsspi.wssecurity.auth.callback. BinaryTokenCallback com.ibm.wsspi.wssecurity.auth.callback. XMLTokenReceiverCallback com.ibm.wsspi.wssecurity.auth.callback. PropertyCallback For any of the default Authentication methods (BasicAuth, IDAssertion, Signature), use the callback handler factory default implementation. Enter the following class name for any of the default authentication methods including signature: com.ibm.wsspi.wssecurity.auth.callback. WSCallbackHandlerFactoryImpl. This implementation creates the correct callback handler for the default implementations.
   Callback handler factory property name and Callback handler factory property value	This field is used to specify callback handler properties for custom callback handler factory implementations. You do not need to specify any properties for the default callback handler factory implementation. For signature, you do not need to enter any properties for this field.
   Login mapping property name and Login mapping property value	This field is used to specify properties for a custom login mapping to use. For the default implementations including signature, you do not need to enter any properties for this field.

5. Save the file.

Note: Examples may be wrapped for display purposes.