Configure the Web services server for response signing

This task provides the steps needed configure the server for response signing. Use these steps to modify the extensions to indicate which parts of the response that you want to sign. Also, use the steps to configure the bindings to indicate how the parts of the response are to be signed.

Perform the following steps in the WebSphere Development Studio Client for iSeries to configure the security extensions for the parts of the Simple Object Access Protocol (SOAP) message that you want to digitally sign:

1. Open the webservices.xml deployment descriptor for your Web services application in the Web Services Editor of the WebSphere Development Studio Client for iSeries. For more information, see Configure your Web services application.

2. Click the Security Extensions tab.

3. Expand Response Sender Service Configuration Details --> Integrity. Integrity refers to digital signature while confidentiality refers to encryption. Integrity decreases the risk of data modification while the data is transmitted across the Internet. For more information on digitally signing SOAP messages, see XML digital signature.

4. Select the parts of the message in which to sign by clicking Add and selecting one of the following message parts:

   • Body
     This is the user data portion of the message.

   • Timestamp
     You can choose this if Add Created Time Stamp is selected and configured.

   • Securitytoken
     If security token is selected, the authentication information is added to the message.

5. Expand the Add Created Time Stamp section. Select this if you want a time stamp added to the message. Also, you can specify an expiration time for the time stamp, which helps defend against replay attacks.

   The lexical representation for duration is the ISO 8601 extended format PnYnMnDTnHnMnS, where the following values apply:

   • nY represents the number of years.
   • nM is the number of months.
   • nD is the number of days.
   • T is the date and time separator.
   • nH is the number of hours.
   • nM is the number of minutes.
   • nS is the number of seconds. The number of seconds can include decimal digits to arbitrary precision.

   For example, to indicate a duration of 1 year, 2 months, 3 days, 10 hours, and 30 minutes, set the expiration time to P1Y2M3DT10H30M. Typically, you configure a message timestamp for about 10 to 30 minutes. For an expiration of 10 minutes, specify P0Y0M0DT0H10M0S.

6. Repeat these steps for the response receiver configuration section. The client response receiver validates the parts of the response signed by the server. Because the response receiver must validate the message signed by the server, the Response Receiver Configuration section requires that you configure integrity. Refer to Configure the client for response digital signature verification for more information.

7. (Optional) If you have configured the client and server signing information correctly, but you receive a "Soap body not signed" error when you run the client, you may need to configure the actor in the following locations on the client in the Web Services Client Editor:

   • Click Security Extensions --> Client Service Configuration Details and indicate the actor information in the ActorURI field.
   • Click Security Extensions --> Request Sender Configuration --> Details and indicate the actor information in the Actor field.

   Also, configure the same actor strings for the Web service on the server, which processes the request and sends the response back. You can do this from the following location in the Web Services Editor:

   • Click Security Extensions --> Server Service Configuration. Make sure that the Actor URI field contains the same actor string that is indicated on the client side.
   • Click Security Extensions --> Response Sender Service Configuration Details --> Details and indicate the actor information in the Actor field.

   The actor information on both the client and server must refer to the same exact string. When the actor fields on the client and server match, then the request or response is acted upon instead of being forwarded downstream. The actor fields might be different when you have Web services acting as a gateway to other Web services. However, in all other cases, make sure that the actor information matches on the client and server.

   When Web services are acting as a gateway and they do not have the same actor configured as the request passing through the gateway, Web services do not process the message from a client. Instead, these Web services send the request downstream. The downstream process that contains the correct actor string processes the request. The same situation occurs for the response. Therefore, it is important that you verify that the appropriate client and server actor fields are synchronized.

8. Save the file.

Next, perform the following steps in the Web Services Editor to configure the bindings that are needed to sign the response parts:

1. Click the Binding Configurations tab.

2. Expand Response Sender Binding Configuration Details --> Signing Information.

3. Click Edit to view the signing information. The signing information dialog displays.

4. Select or enter the information that is described in the following table. Some of these definitions are based on the XML-Signature Syntax and Processing specification (http://www.w3.org/TR/xmldsig-core).

   Name	Purpose
   Canonicalization method algorithm	The canonicalization method algorithm is used to canonicalize the <SignedInfo> element before it is digested as part of the signature operation. The same algorithm used here should also be used on the client response receiver. The algorithm selected for the server response sender configuration must match the algorithm selected in the client response receiver configuration.
   Digest method algorithm	The digest method algorithm is the algorithm applied to the data after transforms are applied, if specified, to yield the <DigestValue>. The signing of the DigestValue binds resource content to the signer key. The algorithm selected for the server response sender configuration must match the algorithm selected in the client response receiver configuration.
   Signature method algorithm	The signature method is the algorithm that is used to convert the canonicalized <SignedInfo> into the <SignatureValue>. The algorithm selected for the server response sender configuration must match the algorithm selected in the client response receiver configuration.
   Signing key name	The signing key name represents the key entry associated with the signing key locator. The key entry refers to an alias of the key (which is found in the key store or wherever the certificates are stored based upon the key locator implementation) that is used to sign the request.
   Signing key locator	The signing key locator represents a reference to a key locator implementation that locates the correct key store where the alias and certificate reside. For more information on configuring key locators, see Configuring key locators.

5. Save the file.