Configure Web Services Security with WebSphere: Part 2, Digital Signatures and Encryption

In Part 1 of this two-part tutorial, we learned how to use IBM WebSphere Studio Application Developer V5.1.2 (hereafter called Application Developer) to secure a Web service using transport-level security (HTTPS), and how to access it from Java™ 2 Enterprise Edition (J2EE), Java 2 Standard Edition (J2SE) and .NET clients. We then added a UsernameToken. In Part 2, we'll configure digital signatures and encryption in a Web services security header and invoke them from a J2EE client.

Tony Cowan (ttcowan@us.ibm.com), Senior IT Specialist, IBM

Tony Cowan is a senior certified IT specialist with the IBM Software Services for WebSphere (ISSW) team. He has been consulting in distributed system development for over 12 years and has led IBM teams on many projects with Fortune 1000 companies. Tony currently focuses on teaching Web services and Web services security to IBM consultants and customers. A frequent speaker at technical events, one of Tony's primary objectives at IBM is to bring real customer requirements to the IBM development teams to assist in aligning IBM's products with real world needs.



13 April 2005

Overview

Part 2 of this tutorial assumes that you have completed Configure Web Services Security with WebSphere, Part 1: HTTPS, .NET, and UsernameToken, which contains information on the following:

  • A description of the sample scenario used in this tutorial.
  • A description of the set-up required for the tutorial.
  • Mapping out your key requirements and creating key stores.
  • Configuring transport-level security.
  • Configuring SSL for Application Server and non-Application Server based clients.
  • Configuring a .NET client.
  • Configuring security to pass a UserNameToken.

Part 1 also contains a link to a downloadable file containing the sample .NET client, scripts, and project file used in this tutorial.


Configure digital signatures

This section describes the steps required to configure the Web services security (WSS) infrastructure to sign parts of a SOAP message. We'll describe the steps required in Application Developer, but these steps are almost identical to the steps required if you use the ATK supplied with the WebSphere Application Server runtime. We'll describe how to configure the EchoService client and service to sign and validate a UsernameToken in the Web Services Security header and the message body. Note that the security is being applied only to the traffic from the client to the service; the return traffic is not protected. Protecting the return traffic is simply the reverse of the steps shown here. To secure the request traffic, we'll work in the Request Sender section of the client deployment descriptor and the Request Receiver section of the service deployment descriptor. To secure the reply traffic, we would work in the Response Sender section of the service deployment descriptor and the Response Receiver section of the client deployment descriptor.

Configure the service side

Follow these steps to configure the service side:

  1. In the Web perspective, open the Web services deployment descriptor (webservices.xml), by selecting: EchoServiceEJB => ejbModule => META-INF => webservices.xml.
  2. Switch to the Security Extensions tab.
    Figure 1. Required integrity
  3. In the Required Integrity section, click Add to add body and securitytoken. Note that this requires two add steps.
    Figure 2. Add reference part dialog
  4. Switch to the Binding Configurations tab.
  5. In the Trust Anchor section, click Add to add a trust anchor.
    Figure 3. Trust anchor
  6. In the trust anchor dialog, point to the keystore that holds your trusted signer certificates, as shown in Figure 4. More sophisticated PKI installations may also require a certificate store list that contains the certificates needed to process certificate chains.
    Figure 4. Trust Anchor dialog
  7. In the Signing Information section, click Add.
  8. In the Signing Info dialog, use the default algorithms unless you have a specific reason to change them.
  9. Select Use certificate path reference, then select your new trust anchor, and click OK.
    Figure 5. Signing Information dialog

Configure the client side

To configure the client for digital signatures in the SOAP message, complete the following steps:

  1. In the Web perspective, open the Web services client deployment descriptor (webservicesclient.xml), by selecting EchoServiceClientWeb => Web Content => WEB-INF => webservicesclient.xml.
  2. Switch to the Security Extensions tab.
  3. In the Integrity section, click Add to add body and securitytoken. Note that this requires two add steps.
    Figure 6. Integrity
  4. Switch to the Port Binding tab.
  5. In the Key Locators section, click Add to add a key locator.
    Figure 7. Key locators
  6. In the Key Locator dialog, check Use key store and specify the keystore storepass (password), path and type.
  7. In the Key field, add a key reference. Specify the alias and key password associated with the key in the keystore. Specify a name for the key, such as SignerKey.
  8. Click OK.
    Figure 8. Key Locator dialog
  9. In the Signing Information section, click Enable.
  10. In the Signing Info dialog, enter the string you used for the key name as the Signing key name; for example, SignerKey.
  11. In the Signing key locator field, enter the name you gave the locator you created previously.
  12. Click OK.
    Figure 9. Signing Information dialog

Configure encryption

This section discusses the steps required to configure the Web services security infrastructure to encrypt parts of a SOAP message. We will do this in Application Developer, but the steps are almost identical if you use the ATK supplied with the Application Server runtime.

Configure the service side

Follow these steps to configure the service side:

  1. In the Web perspective, open the Web services deployment descriptor (webservices.xml), by selecting EchoServiceEJB => ejbModule => META-INF => webservices.xml.
  2. Switch to the Security Extensions tab.
  3. In the Required Confidentiality section, click Add to add bodycontent and usernametoken. Note that this requires two add steps.
    Figure 10. Required confidentiality
  4. Switch to the Binding Configurations tab.
  5. In the Key Locators section, click Add to add a key locator.
    Figure 11. Key locator
  6. In the Key Locator dialog, specify the Key locator name. In this case, we'll use EchoServiceDecryptionKeyLocator.
  7. For the Key locator class, specify ...KeyStoreKeyLocator.
  8. Check Use key store and fill in the appropriate values for your keystore, as shown in Figure 12.
  9. In the Key section, click Add to add a key to the list, set the Alias and Key pass fields to the values from the keystore, and specify a Key name. In this case, we'll use DecryptionKey.
  10. Click OK.
    Figure 12. Key locator dialog
  11. In the Encryption Information section, click Add to add an entry.
  12. In the Encryption Info dialog, leave the defaults for the algorithms, and enter the Encryption key name and Encryption key locator that you just defined (DecryptionKey and EchoServiceDecryptionKeyLocator).
    Figure 13. Encryption Information dialog

Configure the client side

To configure the client for encryption complete the following steps:

  1. In the Web perspective, open the Web services client deployment descriptor (webservicesclient.xml), by selecting EchoServiceClientWeb => Web Content => WEB-INF => webservicesclient.xml.
  2. Switch to the Security Extensions tab.
  3. In the Confidentiality section, click Add to add bodycontent and usernametoken. Note that this requires two add steps.
    Figure 14. Confidentiality
  4. Switch to the Port Binding tab.
  5. In the Key Locators section, click Add to add a key locator.
    Figure 15. Key locator
  6. In the Key Locator dialog, specify the Key locator name. In this case, we'll use EchoServiceEncryptionKeyLocator.
  7. For the Key locator class, specify ...KeyStoreKeyLocator.
  8. Check Use key store and fill in the appropriate values for your keystore, as shown in Figure 16.
  9. In the Key section, click Add to add a key to the list, set the Alias and Key pass fields to the values from the keystore, and specify a Key name. In this case, we'll use EncryptionKey.
  10. Click OK.
    Figure 16. Key Locator dialog
  11. In the Encryption Information section, click Enable.
  12. In the Encryption Info dialog, leave the defaults for the algorithms, and enter the Encryption key name and Encryption key locator that you just defined (EncryptionKey and EchoServiceEncryptionKeyLocator).
    Figure 17. Encryption Information dialog
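Taken together, the Required Integrity parts from the signature section (body and securitytoken) and the Required Confidentiality parts from this section (bodycontent and usernametoken) describe what the service's Request Receiver will demand of every inbound request. The following Python example is added here to show what those part names correspond to on the wire; it is not code from the tutorial, and it is not how WebSphere's WSS runtime is implemented. It parses two constructed SOAP requests (real WS-Security 1.0, XML Signature and XML Encryption namespaces; the element ids, username and ciphertext values are made up) and reports which required parts a request fails to cover. It models only the structural policy check, not the cryptographic signature verification or decryption that the runtime performs.

```python
# Added example (not from the tutorial or from WebSphere): a receiver-side model of the
# "Required Integrity" and "Required Confidentiality" checks configured above.
# The XML namespaces are the WS-Security 1.0 (2004), XML Signature and XML Encryption
# ones; the element ids, token and ciphertext values are constructed for the example.
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
ENC_DATA = "{%s}EncryptedData" % NS["xenc"]
XENC_CONTENT = NS["xenc"] + "Content"   # body *content* encrypted, the Body element stays
XENC_ELEMENT = NS["xenc"] + "Element"   # the whole UsernameToken element is replaced

# Constructed request for the signature scenario: Body and UsernameToken both signed.
SIGNED_REQUEST = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s"
    xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
  <soap:Header><wsse:Security>
    <wsse:UsernameToken wsu:Id="UsernameToken-1"><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#Body-1"/>
      <ds:Reference URI="#UsernameToken-1"/>
    </ds:SignedInfo><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
  </wsse:Security></soap:Header>
  <soap:Body wsu:Id="Body-1"><echo>hello</echo></soap:Body>
</soap:Envelope>""" % NS

# Constructed request for the encryption scenario: the body content and the UsernameToken
# are each replaced by EncryptedData, both keyed by one EncryptedKey for the service.
ENCRYPTED_REQUEST = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s"
    xmlns:wsu="%(wsu)s" xmlns:xenc="%(xenc)s">
  <soap:Header><wsse:Security>
    <xenc:EncryptedKey><xenc:ReferenceList>
      <xenc:DataReference URI="#EncToken-1"/>
      <xenc:DataReference URI="#EncBody-1"/>
    </xenc:ReferenceList></xenc:EncryptedKey>
    <xenc:EncryptedData Id="EncToken-1" Type="%(xenc)sElement">
      <xenc:CipherData><xenc:CipherValue>CONSTRUCTED</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </wsse:Security></soap:Header>
  <soap:Body wsu:Id="Body-1">
    <xenc:EncryptedData Id="EncBody-1" Type="%(xenc)sContent">
      <xenc:CipherData><xenc:CipherValue>CONSTRUCTED</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>""" % NS


def _id(el):
    """wsu:Id of a SOAP element, or None if the element is absent or unlabelled."""
    return None if el is None else el.get("{%s}Id" % NS["wsu"])


def _uris(root, path):
    """Fragment ids named by the URI attributes of the elements at an XPath below the Envelope."""
    return {r.get("URI", "").lstrip("#") for r in root.findall(path, NS)}


def check_integrity(xml_text, required=("body", "securitytoken")):
    """Required Integrity: return the required parts NOT covered by a ds:Reference.
    An empty list means the request satisfies the policy."""
    root = ET.fromstring(xml_text)
    covered = _uris(root, "soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference")
    part_ids = {
        "body": _id(root.find("soap:Body", NS)),
        "securitytoken": _id(root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)),
    }
    return [p for p in required if part_ids.get(p) is None or part_ids[p] not in covered]


def check_confidentiality(xml_text, required=("bodycontent", "usernametoken")):
    """Required Confidentiality: return the required parts that arrived in the clear
    (or whose EncryptedData is not listed in the EncryptedKey's ReferenceList)."""
    root = ET.fromstring(xml_text)
    sec = root.find("soap:Header/wsse:Security", NS)
    keyed = _uris(root, "soap:Header/wsse:Security/xenc:EncryptedKey/xenc:ReferenceList/xenc:DataReference")
    missing = []
    if "bodycontent" in required:
        body = root.find("soap:Body", NS)
        kids = list(body) if body is not None else []
        # the Body must hold exactly one child: a keyed EncryptedData of Type Content
        if not (len(kids) == 1 and kids[0].tag == ENC_DATA
                and kids[0].get("Type") == XENC_CONTENT and kids[0].get("Id") in keyed):
            missing.append("bodycontent")
    if "usernametoken" in required:
        # a plaintext UsernameToken violates the policy even if an encrypted one is also present
        in_clear = sec is not None and sec.find("wsse:UsernameToken", NS) is not None
        enc_tokens = [e for e in (sec.findall("xenc:EncryptedData", NS) if sec is not None else [])
                      if e.get("Type") == XENC_ELEMENT and e.get("Id") in keyed]
        if in_clear or not enc_tokens:
            missing.append("usernametoken")
    return missing


if __name__ == "__main__":
    print("signed request, missing integrity parts:", check_integrity(SIGNED_REQUEST))
    print("encrypted request, missing confidentiality parts:", check_confidentiality(ENCRYPTED_REQUEST))
    # a client that signed only the body is rejected because the token reference is missing
    body_only = SIGNED_REQUEST.replace('<ds:Reference URI="#UsernameToken-1"/>', "")
    print("body-only signature, missing:", check_integrity(body_only))
```

The two checks are deliberately separate because the runtime applies them at different points: encryption happens after signing on the sender side, so the receiver decrypts first (check_confidentiality models what it sees before decryption) and only then resolves the signature's references (check_integrity models the decrypted message). The same functions work for the reply direction if you configure the Response Sender and Response Receiver sections as the tutorial describes.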

Zone=WebSphere, SOA and web services
ArticleID=82982
ArticleTitle=Configure Web Services Security with WebSphere: Part 2, Digital Signatures and Encryption
publish-date=04132005