103 lines
4.2 KiB
HTML
103 lines
4.2 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<html>
|
|
<head>
|
|
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
|
|
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
|
|
|
|
<title>Verification Header Handler</title>
|
|
</head>
|
|
|
|
<BODY>
|
|
<!-- Java sync-link -->
|
|
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
|
|
|
|
<h6><A NAME="wsspscvh">Verification Header Handler</A></h6>
|
|
|
|
<p>The Verification Header Handler (VHH) validates a digital signature header in a SOAP envelope. You
|
|
can customize its configuration by using a configuration file where you specify:</p>
|
|
|
|
<ul>
|
|
<li>A verification policy</li>
|
|
<li>The certificate path</li>
|
|
<li>Logging files to record verified messages</li>
|
|
</ul>
|
|
|
|
<p>There are two signature configuration files:</p>
|
|
|
|
<ul>
|
|
<li>/QIBM/UserData/WebASE/ASE5/<em>instance_name</em>/installedApps/<em>node_name</em>/<br>
|
|
<em>ear_file_name</em>/soapsec.war/conf/sv-ver-config.xml</li>
|
|
<li> /QIBM/UserData/WebASE/ASE5/<em>instance_name</em>/installedApps/<em>node_name</em>/<br>
|
|
<em>ear_file_name</em>/soapsec.war/conf/cl-ver-config.xml</li>
|
|
</ul>
|
|
|
|
<p>where <em>instance_name</em> is the name of the root directory for your instance of WebSphere
|
|
Application Server.</p>
|
|
|
|
<p>Here is an explanation of each configuration element in the Verification Header:</p>
|
|
|
|
<ul>
|
|
<li><strong>AllowedAlgorithms</strong><br>
|
|
All the algorithms supported by this Verification Header Handler must be listed in this element.
|
|
Algorithms other than these cannot be used in SOAP-SEC:Signature header. The current implementation
|
|
supports all required algorithms in the XML Signature specification, except for SHA1-MAC.</li>
|
|
|
|
<li><strong>RequiredAuthenticatedParts</strong><br>
|
|
This section specifies what parts of SOAP message need to be authenticated through the
|
|
SOAP-SEC:Signature header. Currently two values are supported for the part attribute:
|
|
<ul>
|
|
<li>When part="root", the whole envelope must be signed through the
|
|
enveloped-signature transform.</li>
|
|
<li>When part="body", the SOAP-ENV:Body element in the SOAP envelope must be
|
|
referenced by one of the reference elements in the signature.</li>
|
|
</ul>
|
|
|
|
In the future, part="" allows an attachment to be specified. If the specified parts are
|
|
not authenticated through the signature header entry, verification fails.
|
|
</li>
|
|
|
|
|
|
|
|
<li><strong>DefaultVerificationKeys</strong><br>
|
|
When KeyInfo is missing in the signature, the content of this element is used as a part of the
|
|
signature. When communicating parties know the identity of each other, the default KeyInfo can be used
|
|
to reduce the communication data volume.</li>
|
|
|
|
|
|
|
|
<li><strong>Log</strong><br>
|
|
Specifies the logging behavior. These versions of logging exist:
|
|
<ul>
|
|
<li>When target="all", all verification attempts are logged.</li>
|
|
<li>When target="success", only successful verification are logged.</li>
|
|
<li>When target="fail", only unsuccessful verification are logged.</li>
|
|
</ul>
|
|
|
|
<p><strong>Note:</strong> You can specify multiple LogFile elements.</p>
|
|
|
|
<p>This example illustrates how to specify logging:</p>
|
|
|
|
<pre>
|
|
<Log>
|
|
<SOAPDSigLogger class=<com.ibm.xml.soap.security.dsig.SOAPDSigLoggerImpl">
|
|
<LogFile target="all" path="SOAPVHH-all.log" append="yes"/>
|
|
</SOAPDSigLogger>
|
|
<SOAPDSigLogger class="com.ibm.xml.soap.security.dsig.SOAPDSigLoggerImpl">
|
|
<LogFile target="fail" path="SOAPVHH-fail.log" append="yes"/>
|
|
</SOAPDSigLogger>
|
|
</Log>
|
|
</pre>
|
|
</li>
|
|
|
|
<li><strong>PKIXParameters</strong><br>
|
|
Currently, the Verification Header Handler supports X.509/PKIX certificates only (no HMAC, no PGP,
|
|
and so forth). The policies for PKIX certificate verification are specified in this element. This is a
|
|
straightforward mapping of the Java<sup>(TM)</sup> CertPath API. Not all of the entries are meaningful
|
|
in this initial release. The current implementation only allows the use of keystore as the means of
|
|
specifying trusted root.</li>
|
|
</ul>
|
|
|
|
<p><strong>Note: </strong>Examples may be wrapped for display purposes.</p>
|
|
</body>
|
|
</html>
|