Verification Header Handler

The Verification Header Handler (VHH) validates a digital signature header in a SOAP envelope. You can customize its configuration by using a configuration file where you specify:

• A verification policy
• The certificate path
• Logging files to record verified messages

There are two signature configuration files:

• /QIBM/UserData/WebASE/ASE5/instance_name/installedApps/node_name/
  ear_file_name/soapsec.war/conf/sv-ver-config.xml
• /QIBM/UserData/WebASE/ASE5/instance_name/installedApps/node_name/
  ear_file_name/soapsec.war/conf/cl-ver-config.xml

where instance_name is the name of the root directory for your instance of WebSphere Application Server.

Here is an explanation of each configuration element in the Verification Header:

• AllowedAlgorithms
  All the algorithms supported by this Verification Header Handler must be listed in this element. Algorithms other than these cannot be used in SOAP-SEC:Signature header. The current implementation supports all required algorithms in the XML Signature specification, except for SHA1-MAC.
• RequiredAuthenticatedParts
  This section specifies what parts of SOAP message need to be authenticated through the SOAP-SEC:Signature header. Currently two values are supported for the part attribute:
  • When part="root", the whole envelope must be signed through the enveloped-signature transform.
  • When part="body", the SOAP-ENV:Body element in the SOAP envelope must be referenced by one of the reference elements in the signature.
  In the future, part="" allows an attachment to be specified. If the specified parts are not authenticated through the signature header entry, verification fails.
• DefaultVerificationKeys
  When KeyInfo is missing in the signature, the content of this element is used as a part of the signature. When communicating parties know the identity of each other, the default KeyInfo can be used to reduce the communication data volume.
• Log
  Specifies the logging behavior. These versions of logging exist:
  • When target="all", all verification attempts are logged.
  • When target="success", only successful verification are logged.
  • When target="fail", only unsuccessful verification are logged.

  Note: You can specify multiple LogFile elements.

  This example illustrates how to specify logging:

  <Log>
     <SOAPDSigLogger class=<com.ibm.xml.soap.security.dsig.SOAPDSigLoggerImpl">
        <LogFile target="all" path="SOAPVHH-all.log" append="yes"/>
     </SOAPDSigLogger>
     <SOAPDSigLogger class="com.ibm.xml.soap.security.dsig.SOAPDSigLoggerImpl">
        <LogFile target="fail" path="SOAPVHH-fail.log" append="yes"/>
     </SOAPDSigLogger>
  </Log>
  		

• PKIXParameters
  Currently, the Verification Header Handler supports X.509/PKIX certificates only (no HMAC, no PGP, and so forth). The policies for PKIX certificate verification are specified in this element. This is a straightforward mapping of the Java^(TM) CertPath API. Not all of the entries are meaningful in this initial release. The current implementation only allows the use of keystore as the means of specifying trusted root.

Note: Examples may be wrapped for display purposes.