Configuring a policy set and bindings for Signer Certificate Encryption

This procedure describes how to configure a JAX-WS consumer/provider for signer certificate encryption. Signer certificate encryption means that the client's public certificate that is used to verify the digital signature of the inbound request message is used to encrypt the outbound response.

Before you begin

This task assumes that the service provider and client that you are configuring are in the JaxWSServicesSamples application. Refer to the topic Accessing Samples for more information on how to obtain and install this application.

Use the following trace specification on your server. This specification lets you debug any configuration problems that occur later.
*=info:com.ibm.wsspi.wssecurity.*=all:com.ibm.ws.webservices.wssecurity.*=all:com.ibm.ws.wssecurity.*=all:com.ibm.xml.soapsec.*=all:com.ibm.ws.webservices.trace.*=all:com.ibm.ws.websvcs.trace.*=all:com.ibm.ws.wssecurity.platform.audit.*=off:com.ibm.ws.webservices.multiprotocol.AgnosticService=all:com.ibm.ws.websvcs.utils.SecurityContextMigrator=all

About this task

Since signer certificate encryption is being used, only the client's digital signature keystore will be used in this procedure. The service obtains the public certificate used for signature verification from the inbound request and then uses it to encrypt the response. On the provider side, the custom property com.ibm.wsspi.wssecurity.token.cert.useRequestorCert=true on the provider's encryption generator is what enables this behavior.
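The following is an added illustration of the message-level behavior that useRequestorCert=true selects; it is not WebSphere code and does not model its internals. It shows how a provider can resolve the certificate it will encrypt the response to from the inbound request's signature token (a wsse:BinarySecurityToken referenced from ds:KeyInfo), and how it must fail when the request carries no such token because the provider's encryption generator has no keystore of its own (Keystore Name=None in the procedure). The SOAP envelope and the token body are constructed samples.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample request, not captured traffic; the token body is the
# base64 of a placeholder string, not a real X.509 certificate.
SIGNED_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}">
 <soapenv:Header>
  <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
   <wsse:BinarySecurityToken wsu:Id="x509bst">{base64.b64encode(b'CONSTRUCTED').decode()}</wsse:BinarySecurityToken>
   <ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>
    <wsse:Reference URI="#x509bst"/>
   </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
  </wsse:Security>
 </soapenv:Header>
 <soapenv:Body><echo>hello</echo></soapenv:Body>
</soapenv:Envelope>"""
# Constructed request with no WS-Security header at all (unsigned).
UNSIGNED_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}">
 <soapenv:Header/><soapenv:Body><echo>hello</echo></soapenv:Body></soapenv:Envelope>"""

def signer_certificate(envelope_xml: str) -> bytes:
    """Return the token bytes that the request's ds:KeyInfo points at, or raise."""
    root = ET.fromstring(envelope_xml)
    sig = root.find("soapenv:Header/wsse:Security/ds:Signature", NS)
    if sig is None:
        raise ValueError("request carries no ds:Signature")
    ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if ref is None:
        raise ValueError("signature KeyInfo has no direct token reference")
    token_id = ref.get("URI", "").lstrip("#")
    for bst in root.iterfind("soapenv:Header/wsse:Security/wsse:BinarySecurityToken", NS):
        if bst.get(f"{{{NS['wsu']}}}Id") == token_id:
            return base64.b64decode(bst.text.strip())
    raise ValueError(f"no BinarySecurityToken with wsu:Id {token_id!r}")

def response_encryption_cert(envelope_xml, use_requestor_cert, keystore_cert=None):
    """Choose the certificate to encrypt the response to: signer cert or a fixed one."""
    if use_requestor_cert:
        return signer_certificate(envelope_xml)
    if keystore_cert is None:  # no keystore and no requestor cert: cannot encrypt
        raise ValueError("no keystore certificate and useRequestorCert is false")
    return keystore_cert
```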

The keystore that is used in this procedure is provided with WebSphere Application Server and is installed in every profile that is created. You can use the ${USER_INSTALL_ROOT} variable directly in the configuration to conveniently point to the keystore location without using a fully-qualified path. ${USER_INSTALL_ROOT} resolves to a path such as c:/WebSphere/AppServer/profiles/AppSrv01.
${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks
Because of the nature of JaxWSServicesSamples, to apply the policy set and bindings to this application, in the administrative console click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples. When using your own applications, you can use the following paths as an alternative way to access the provider and client for attachment of the policy set and bindings:
  • Services > Service providers > (AppName)
  • Services > Service clients > (AppName)
This procedure will do the following to simplify the task:
  • Only outbound digital signature and inbound encryption will be configured.
  • General bindings will be used for both the client and the provider.
Avoid trouble:

After completing the task, if you have to go back and edit the general bindings that you have created, you will need to restart the application server after saving your updates. Although you can create a general binding and use it immediately without restarting the application server, once a general binding has been loaded by an application, changes to the binding will not be recognized until the server is restarted.

Procedure

  1. Create the custom policy set.
    1. In the administrative console, click Services > Policy Sets > Application Policy sets.
    2. Click New.
    3. Specify name=OutSignInEncPolicy.
    4. Under Policies, click Add > WS-Security.
  2. Edit the custom policy set to remove outbound encryption and inbound signature.
    1. In the administrative console, click WS-Security > Main Policy.
    2. Under Message level protection, click Request message part protection.
    3. Click app_encparts.
    4. Click Delete.
    5. Click Done.
    6. Click Response message part protection.
    7. Click app_sigparts.
    8. Click Delete.
    9. Click Done.
  3. Click Save to save your configuration changes.
  4. Create the provider general binding.
    1. In the administrative console, click Services > Policy sets > General provider policy set bindings.
    2. Check Provider sample.
    3. Click Copy....
    4. Specify name=ProviderSignerCertGeneralBinding.
    5. Click OK.
  5. Edit ProviderSignerCertGeneralBinding to perform signer certificate encryption.
    1. Click ProviderSignerCertGeneralBinding > WS-Security > Authentication and protection > gen_encx509token > Callback handler.
    2. Under Custom properties, enter:
      Name=com.ibm.wsspi.wssecurity.token.cert.useRequestorCert
      value=true
    3. Under Keystore, select Name=None
    4. Click OK.
  6. Create the client general binding.
    1. In the administrative console, click Services > Policy Sets > General client policy set bindings.
    2. Check Client samples.
    3. Click Copy....
    4. Specify name=ClientSignerCertGeneralBinding.
    5. Click OK.
  7. Edit ClientSignerCertGeneralBinding to use its own signing key to decrypt the message.
    1. Click ClientSignerCertGeneralBinding > WS-Security > Authentication and protection > con_encx509token > Callback handler > Custom keystore configuration.
    2. Under keystore, enter the same keystore that is used by the signature generator:
      Full path=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks
      Type=JKS
      Password=client
    3. Under key, enter the same key that is used by the signature generator:
      Name=CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP
      Alias=soaprequester
      Password=client
    4. Click OK.
  8. Configure the client to use the OutSignInEncPolicy policy set and ClientSignerCertGeneralBinding general binding.
    1. In the administrative console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service client policy sets and bindings.
    2. Select the web services client resource (JaxWSServicesSamples).
    3. Click Attach Policy Set.
    4. Select OutSignInEncPolicy.
    5. Select the web services client resource again (JaxWSServicesSamples).
    6. Click Assign Binding.
    7. Select ClientSignerCertGeneralBinding.
  9. Configure the provider to use the OutSignInEncPolicy policy set and ProviderSignerCertGeneralBinding general binding.
    1. In the administrative console, click Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service provider policy sets and bindings.
    2. Select the web services provider resource (JaxWSServicesSamples).
    3. Click Attach Policy Set.
    4. Select OutSignInEncPolicy.
    5. Select the web services provider resource again (JaxWSServicesSamples).
    6. Click Assign Binding.
    7. Select PrioviderSignerCertGeneralBinding.
  10. Click Save to save your configuration changes.
  11. Restart the client and the provider.
    1. Stop the client and the provider.
    2. Start the client and the provider.
  12. Test the service.
    1. Point your web browser to the JaxWSServicesSamples: http://localhost:9080/wssamplesei/demo.
      Avoid trouble: Make sure you provide the correct hostname and port if your provider is not on the same machine, or the port is not 9080.
    2. Select Message Type Synchronous Echo.
    3. Make sure Use SOAP 1.2 is not selected.
    4. Enter a message and click Send Message.
    The sample application should reply with JAXWS==>Message.

Results

The JaxWSServicesSamples web services application is configured to encrypt responses using the certificate used to sign the request.