
Configure Web Services Security with WebSphere: Part 2, Digital Signatures and Encryption

Tony Cowan (ttcowan@us.ibm.com), Senior IT Specialist, IBM
Tony Cowan is a senior certified IT specialist with the IBM Software Services for WebSphere (ISSW) team. He has been consulting in distributed system development for over 12 years and has lead IBM teams on many projects with Fortune 1000 companies. Tony currently focuses on teaching Web services and Web services security to IBM consultants and customers. A frequent speaker at technical events, one of Tony's primary objectives at IBM is to bring real customer requirements to the IBM development teams to assist in aligning IBM's products with real world needs.

Summary:  In Part 1 of this two-part tutorial, we learned how to use IBM WebSphere Studio Application Developer V5.1.2 (hereafter called Application Developer) to secure a Web service using transport-level security (HTTPS), and how to access it from Java™ 2 Platform, Enterprise Edition (J2EE), Java 2 Standard Edition (J2SE) and .NET clients. We then added a UsernameToken. In Part 2, we'll configure digital signatures and encryption in a Web services security header and invoke them from a J2EE client.

Date:  13 Apr 2005
Level:  Intermediate

Overview

Part 2 of this tutorial assumes that you have completed Configure Web Services Security with WebSphere, Part 1: HTTPS, .NET, and UsernameToken, which contains information on the following:

  • A description of the sample scenario used in this tutorial.
  • A description of the set-up required for the tutorial.
  • Mapping out your key requirements and creating key stores.
  • Configuring transport-level security.
  • Configuring SSL for Application Server and non-Application Server based clients.
  • Configuring a .NET client.
  • Configuring security to pass a UserNameToken.

Part 1 also contains a link to a downloadable file containing the sample .NET client, scripts, and project file used in this tutorial.


Configure digital signatures

This section describes the steps required to configure the Web services security (WSS) infrastructure to sign parts of a SOAP message. We'll describe the steps required in Application Developer, but these steps are almost identical to the steps required if you use the ATK supplied with the WebSphere Application Server runtime. We'll describe how to configure the EchoService client and service to sign and validate a UsernameToken in the Web Services Security header and the message body. Note that security is being applied only to the traffic from the client to the service; the return traffic is not protected. Protecting the return traffic is simply the reverse of the steps shown here. To secure the request traffic, we'll work in the Request Sender section of the client deployment descriptor and the Request Receiver section of the service deployment descriptor. To secure the reply traffic, we would work in the Response Sender section of the service deployment descriptor and the Response Receiver section of the client deployment descriptor.

Configure the service side

Follow these steps to configure the service side:

  1. In the Web perspective, open the Web services deployment descriptor (webservices.xml), by selecting: EchoServiceEJB => ejbModule => META-INF => webservices.xml.
  2. Switch to the Security Extensions tab.
    Figure 1. Required integrity
  3. In the Required Integrity section, click Add to add body and securitytoken. Note that this requires two add steps.
    Figure 2. Add reference part dialog
  4. Switch to the Binding Configurations tab.
  5. In the Trust Anchor section, click Add to add a trust anchor.
    Figure 3. Trust anchor
  6. In the trust anchor dialog, point to the keystore that holds your trusted signer certificates, as shown in Figure 4. More sophisticated PKI installations may also require a certificate store list that contains certificates required to process certificate chains.
    Figure 4. Trust Anchor dialog
  7. In the Signing Information section, click Add.
  8. In the Signing Info dialog, keep the default algorithms unless you have a specific reason to change them.
  9. Select Use certificate path reference, then select your new trust anchor, and click OK.
    Figure 5. Signing Information dialog

Configure the client side

To configure the client for digital signatures in the SOAP message, complete the following steps:

  1. In the Web perspective, open the Web services client deployment descriptor (webservicesclient.xml), by selecting EchoServiceClientWeb => Web Content => WEB-INF => webservicesclient.xml.
  2. Switch to the Security Extensions tab.
  3. In the Integrity section, click Add to add body and securitytoken. Note that this requires two add steps.
    Figure 6. Integrity
  4. Switch to the Port Binding tab.
  5. In the Key Locators section, click Add to add a key locator.
    Figure 7. Key locators
  6. In the Key Locator dialog, check Use key store and specify the key store's storepass (password), path and type.
  7. In the Key field, add a key reference. Specify the alias and key password associated with the key in the keystore. Specify a name for the key, such as SignerKey.
  8. Click OK.
    Figure 8. Key Locator dialog
  9. In the Signing Information section, click Enable.
  10. In the Signing Info dialog, enter the string you used for the key name as the Signing key name; for example, SignerKey.
  11. In the Signing key locator field, enter the name you gave the locator you created previously.
  12. Click OK.
    Figure 9. Signing Information dialog

Configure encryption

This section discusses the steps required to configure the Web services security infrastructure to encrypt parts of a SOAP message. We will do this in Application Developer, but the steps are almost identical if you use the ATK supplied with the Application Server runtime.

Configure the service side

Follow these steps to configure the service side:

  1. In the Web perspective, open the Web services deployment descriptor (webservices.xml), by selecting EchoServiceEJB => ejbModule => META-INF => webservices.xml.
  2. Switch to the Security Extensions tab.
  3. In the Required Confidentiality section, click Add to add bodycontent and usernametoken. Note that this requires two add steps.
    Figure 10. Required confidentiality
  4. Switch to the Binding Configurations tab.
  5. In the Key Locators section, click Add to add a key locator.
    Figure 11. Key locator
  6. In the Key Locator dialog, specify the Key locator name. In this case, we'll use EchoServiceDecryptionKeyLocator.
  7. For the Key locator class, specify ...KeyStoreKeyLocator.
  8. Check Use key store and fill in the appropriate values for your keystore, as shown in Figure 12.
  9. In the Key section, click Add to add a key to the list, and set the Alias and Key pass fields to the values from the key store, and specify a Key name. In this case, we'll use DecryptionKey.
  10. Click OK.
    Figure 12. Key locator dialog
  11. In the Encryption Information section, click Add to add an entry.
  12. In the Encryption Info dialog, leave the defaults for the algorithms, and enter the Encryption key name and Encryption key locator that you just defined (DecryptionKey and EchoServiceDecryptionKeyLocator).
    Figure 13. Encryption Information dialog

Configure the client side

To configure the client for encryption, complete the following steps:

  1. In the Web perspective, open the Web services client deployment descriptor (webservicesclient.xml), by selecting EchoServiceClientWeb => Web Content => WEB-INF => webservicesclient.xml.
  2. Switch to the Security Extensions tab.
  3. In the Confidentiality section, click Add to add bodycontent and usernametoken. Note that this requires two add steps.
    Figure 14. Confidentiality
  4. Switch to the Port Binding tab.
  5. In the Key Locators section, click Add to add a key locator.
    Figure 15. Key locator
  6. In the Key Locator dialog, specify the Key locator name. In this case, we'll use EchoServiceEncryptionKeyLocator.
  7. For the Key locator class, specify ...KeyStoreKeyLocator.
  8. Check Use key store and fill in the appropriate values for your keystore, as shown in Figure 16.
  9. In the Key section, click Add to add a key to the list, and set the Alias and Key pass fields to the values from the key store, and specify a Key name. In this case, we'll use EncryptionKey.
  10. Click OK.
    Figure 16. Key Locator dialog
  11. In the Encryption Information section, click Enable.
  12. In the Encryption Info dialog, leave the defaults for the algorithms, and enter the Encryption key name and Encryption key locator that you just defined (EncryptionKey and EchoServiceEncryptionKeyLocator).
    Figure 17. Encryption Information dialog
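The service-side settings in the signing and encryption sections above amount to a receiver policy: body and securitytoken must be signed, bodycontent and usernametoken must be encrypted, and the runtime rejects requests that do not cover all four. As an added example (not code from the article or from WebSphere), the Python below expresses that policy as a structural coverage check over an incoming request, using a constructed sample message whose signature and cipher values are placeholders; it inspects which parts the Security header references, and does not verify signatures or decrypt anything.

```python
# Added example (not from the article or WebSphere): a structural check that a
# received request covers the parts the service descriptors above require.
import xml.etree.ElementTree as ET
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
REQUIRED = {"body", "securitytoken", "bodycontent", "usernametoken"}  # Required Integrity + Confidentiality

def covered_parts(envelope_xml):
    """Names of the parts the request's Security header actually protects."""
    env = ET.fromstring(envelope_xml)
    sec, body = env.find("soapenv:Header/wsse:Security", NS), env.find("soapenv:Body", NS)
    if sec is None or body is None:
        return set()
    # Ids named by ds:Reference (signed) and by xenc:DataReference (encrypted).
    signed = {r.get("URI", "").lstrip("#") for r in sec.iterfind(".//ds:Reference", NS)}
    encrypted = {r.get("URI", "").lstrip("#") for r in sec.iterfind(".//xenc:DataReference", NS)}
    parts = set()
    if body.get(WSU_ID) in signed:
        parts.add("body")
    if any(t.get(WSU_ID) in signed for t in sec.iterfind("wsse:UsernameToken", NS)):
        parts.add("securitytoken")
    if any(e.get("Type") == NS["xenc"] + "Content" and e.get("Id") in encrypted
           for e in body.iterfind("xenc:EncryptedData", NS)):
        parts.add("bodycontent")
    if any(e.get("Id") in encrypted for e in sec.iterfind("xenc:EncryptedData", NS)):
        parts.add("usernametoken")  # the token is replaced by EncryptedData in the header
    return parts

def missing_parts(envelope_xml):
    """Required parts the request leaves unprotected; a non-empty list means reject."""
    return sorted(REQUIRED - covered_parts(envelope_xml))

# Constructed sample: body and UsernameToken signed, body content encrypted, token in clear.
SAMPLE_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<soapenv:Header><wsse:Security><wsse:UsernameToken wsu:Id="unt-1"><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
<xenc:EncryptedKey><xenc:ReferenceList><xenc:DataReference URI="#enc-1"/></xenc:ReferenceList></xenc:EncryptedKey>
<ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/><ds:Reference URI="#unt-1"/></ds:SignedInfo>
<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="body-1"><xenc:EncryptedData Id="enc-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soapenv:Body></soapenv:Envelope>"""
```

For the sample, `missing_parts(SAMPLE_REQUEST)` returns `["usernametoken"]`: the client encrypted the body content but left the UsernameToken in clear, so a service with the Required Confidentiality settings above would reject it.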
