Digital signature verification failure in DataPower SOA appliance.
This document applies only to the following language version(s):
Why does digital signature verification fail on a WebSphere DataPower SOA appliance?
'Hash values do not match.' - This is returned for detached and enveloping signatures.
'Incorrect reference digest value' - This is returned for enveloped-signatures.
The hash DataPower generated of the reference node(s) did not match the hash provided by the original signer in the DigestValue node. Typically this is caused by one of the following:
- The processing policy modified the data
- The message was modified by a intermediate node
- Improper handling by the signing application
'RSA signature did not verify' - This is thrown for errors that occur while comparing the provided RSA signature to the generated version.
The most common causes are as follows:
- The private key used to sign the request does not match the specified certificate. If both keys are already stored on DataPower, you can confirm that the keys match using an IDCred. If it is up after adding both keys, they match, otherwise they may not.
- The SignedInfo nodeset was modified after the signature was generated. This may occur for the same reasons as the hash/digest mismatch.
- The device has an HSM that has not been initialized. RSA operations are not available on HSM enabled devices until the unit is initialized. See HSM documentation for details on the initialization process.
- The SignatureValue itself was modified.
- The signature verification is performed using a custom style sheet that is not implemented properly.
If you are still unable to verify digital signatures after investigating the causes above, contact DataPower support.
More support for:
IBM DataPower Gateways
Software version: 3.8.2, 4.0.1, 4.0.2, 5.0.0, 6.0.0
Operating system(s): Firmware
Software edition: Edition Independent
Reference #: 1418624
Modified date: 11 August 2010
Translate this page: