Configuring a policy set and bindings for Signer Certificate Encryption
This procedure describes how to configure a JAX-WS consumer/provider for signer certificate encryption. Signer certificate encryption means that the client's public certificate that is used to verify the digital signature of the inbound request message is used to encrypt the outbound response.
Before you begin
This task assumes that the service provider and client that you are configuring are in the JaxWSServicesSamples application. Refer to the topic Accessing Samples for more information on how to obtain and install this application.
*=info:com.ibm.wsspi.wssecurity.*=all:com.ibm.ws.webservices.wssecurity.*=all:com.ibm.ws.wssecurity.*=all:com.ibm.xml.soapsec.*=all:com.ibm.ws.webservices.trace.*=all:com.ibm.ws.websvcs.trace.*=all:com.ibm.ws.wssecurity.platform.audit.*=off:com.ibm.ws.webservices.multiprotocol.AgnosticService=all:com.ibm.ws.websvcs.utils.SecurityContextMigrator=all
About this task
Since signer certificate encryption is being used, only the client's digital signature keystore will be used in this procedure. The service will obtain the public certificate used for signature verification from the inbound request and then use it to encrypt the response. On the provider side, the custom property com.ibm.wsspi.wssecurity.token.cert.useRequestorCert=true on the provider's encryption generator is used to accomplish this.
This procedure uses the ${USER_INSTALL_ROOT} variable directly in the configuration to conveniently point to the keystore location without using a fully-qualified path. ${USER_INSTALL_ROOT} resolves to a path such as c:/WebSphere/AppServer/profiles/AppSrv01.
Client digital signature keystore: ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks
- Only outbound digital signature and inbound encryption will be configured.
- General bindings will be used for both the client and the provider.
After completing the task, if you have to go back and edit the general bindings that you have created, you will need to restart the application server after saving your updates. Although you can create a general binding and use it immediately without restarting the application server, once a general binding has been loaded by an application, changes to the binding will not be recognized until the server is restarted.