Section 6. Consuming a secure service
At this point in the tutorial, you should have the service provider running on WebSphere Application Server v7 with the customized HelloWorldPolicySet and bindings attached. If you were to rerun the service consumer as developed above, the service provider would reply with a SOAP fault indicating that the consumer does not adhere to the policy set attached to this provider. Therefore, you need to attach a policy set to the consumer (i.e. client-side) and customize the consumer bindings to match up with the expectations of the service provider.
One way to ensure the consumer adheres to the policy of the service provider is to use the same policy set, which is what we’ll do in this tutorial. Since you imported the HelloWorldPolicySet into Rational Application Developer to attach it to the service provider, it is also available to be attached to our service consumer.
Attaching a policy set
In a similar fashion to attaching the policy set to the service provider, you do the same thing with the service consumer. The following sections describe this process.
To configure the consumer-side binding for signatures:
- Drill down to HelloWorldConsumer > Services > Clients > {http://dwexample.ibm.com}HelloWorldProviderService. Right-click and choose Manage policy set attachment…
- Click the Next button followed by the Add… button of the Application section, which presents the dialog box shown in Figure 40.

Figure 40. Attaching policy set

- Select HelloWorldPolicySet for the policy set drop-down.
- Type HelloWorldConsumerBinding in the drop-down binding field and click OK.
- Select the WSSecurity policy type in the bindings configuration section. Click the Configure… button, which presents the WSSecurity Binding Configuration dialog as shown in Figure 41.

Figure 41. WSSecurity Binding Configuration

- Select the Digital Signature Configuration tab, and then click the Key Store Settings… button of the Outbound Message Security Configuration section.
- Enter the values in the following table for the Key Store Settings dialog shown in Figure 42.

| Field | Value |
|---|---|
| Keystore path | C:\Program Files\IBM\SDP\myclientKeys.jks |
| Keystore password | g00ber |
| Keystore type | JKS |
| Key alias | myclient |
| Key password | p@ssword |

Figure 42. Outbound signature key settings
Notice that you are specifying that you want to sign the outbound (i.e. service request) message using the private key of the myclient alias.
- Click the OK button.
- In the Inbound Message Security Configuration section, uncheck the Trust Any Certificate checkbox, because we only want to trust the signature if the response is from the server.
- Click the Key Store Settings… button, then enter the values in the following table:

| Field | Value |
|---|---|
| Keystore path | C:\Program Files\IBM\SDP\myclientKeys.jks |
| Keystore password | g00ber |
| Keystore type | JKS |

- Click the OK button.
- Enter C:\temp\server1.cert as the value for the Certificate Path field.
Now you have configured the consumer-side binding for signatures. Next, you will configure the keys to use for encryption.
To configure the keys to use for encryption:
- Select the XML Encryption Configuration tab, and then click the Key Store Settings… button of the Outbound Message Security Configuration section.
- Enter the values from the following table for the Key Store Settings dialog shown in Figure 43.

| Field | Value |
|---|---|
| Keystore path | C:\Program Files\IBM\SDP\myclientKeys.jks |
| Keystore password | g00ber |
| Keystore type | JKS |
| Key alias | server1 |

Figure 43. Outbound encryption key settings
Since you are encrypting the service request for the service provider, which is associated with the server1 certificate, you specify the public key of server1 in Figure 44.
- Click the OK button.
To configure how to decrypt the inbound message (i.e. the response):
- On the XML Encryption Configuration tab, click the Key Store Settings… button in the Inbound Message Security Configuration section.
- Enter the values from the following table for the Key Store Settings dialog shown in Figure 44.

| Field | Value |
|---|---|
| Keystore path | C:\Program Files\IBM\SDP\myclientKeys.jks |
| Keystore password | g00ber |
| Keystore type | JKS |
| Key alias | myclient |
| Key password | p@ssword |

Figure 44. Inbound encryption key settings
When the provider’s response comes back, it will be encrypted with the client’s public key. Therefore, you need to decrypt the message using the client’s private key, which is what we have specified in Figure 44.
- Click the OK button.
Recall that the Username WSSecurity default policy set that you copied included authentication using a username token. Somehow you need to get a valid username token in the SOAP header for the server to verify that you are authenticated before executing the service provider Web service. The Token Authentication tab provides two such methods. You will choose the UNTGenerateCallbackHandler.
- Select the Token Authentication tab, then choose com.ibm.websphere.wssecurity.callbackhandler.UNTGenerateCallbackHandler as the callback handler, as Figure 45 shows.
- Enter a valid user name and password that matches the user repository of your WebSphere Application Server (e.g. admin/admin).
- Click the Add Timestamp checkbox.
- Click the Add Nonce checkbox.
- Click the OK button, and then click the Finish button.

Figure 45. Token authentication

If the dialog box shown in Figure 45 does not include checkboxes for Add Timestamp and Add Nonce, you will need to ensure you are using Rational Application Developer 7.5.2.
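As an added illustration (not code from this tutorial, from Rational Application Developer or from WebSphere) of why the Add Timestamp and Add Nonce options matter: the consumer builds a UsernameToken carrying a fresh nonce and a Created time, and the provider rejects tokens that fall outside a freshness window or whose nonce it has already seen, so a captured request cannot simply be resent. The example assumes the PasswordDigest form of the UsernameToken Profile 1.0; the user list and the five-minute skew window are constructed values.

```python
# Constructed example of a WS-Security UsernameToken with Nonce and Created, and the
# provider-side freshness and replay checks; assumes the PasswordDigest form of UNT 1.0.
import base64, hashlib, hmac, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
TS = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce_b64, created, password):
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_username_token(username, password, created=None):
    """Consumer side: a random nonce plus the creation time bind the digest to one request."""
    created = created or datetime.now(timezone.utc).strftime(TS)
    nonce = base64.b64encode(secrets.token_bytes(16)).decode()
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:Username>{escape(username)}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
            f'<wsse:Nonce>{nonce}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            '</wsse:UsernameToken>')

class TokenVerifier:
    """Provider side: reject stale tokens and repeated nonces before checking the digest."""
    def __init__(self, users, max_skew=timedelta(minutes=5)):
        self.users, self.max_skew = users, max_skew   # constructed user store
        self.seen_nonces = set()  # in production, expire entries older than max_skew

    def verify(self, token_xml, now=None):
        now = now or datetime.now(timezone.utc)
        ns = {"wsse": WSSE, "wsu": WSU}
        el = ET.fromstring(token_xml)
        user, digest, nonce, created = (el.findtext(p, namespaces=ns) for p in
            ("wsse:Username", "wsse:Password", "wsse:Nonce", "wsu:Created"))
        if user not in self.users or None in (digest, nonce, created):
            return False
        created_dt = datetime.strptime(created, TS).replace(tzinfo=timezone.utc)
        if abs(now - created_dt) > self.max_skew:
            return False  # outside the freshness window (stale or future-dated)
        if nonce in self.seen_nonces:
            return False  # same nonce seen before: a replayed request
        if not hmac.compare_digest(password_digest(nonce, created, self.users[user]), digest):
            return False  # digest does not match the stored password
        self.seen_nonces.add(nonce)
        return True
```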