Configuring the key information in JAX-WS WS-Security bindings

In the WS-Security bindings, you can modify the key information that the JAX-WS WS-Security run time uses when emitting X.509 keys or certificates in the <ds:KeyInfo> element in the Security header of a SOAP message. The default key information for outbound digital signature is Security token reference and the default key information for outbound encryption is Key identifier. It is not necessary to change these values. You would want to go through this procedure if, for instance, the Security header in your outbound message currently contains a <wsse:KeyIdentifier> in the <ds:KeyInfo> element and the receiver of your messages is requiring a <ds:X509IssuerSerial>.

Before you begin

This task assumes that you have created your WS-Security application-specific or general bindings and that the binding contains key information entries for digital signature, encryption, or both.

About this task

This task describes how to modify the key information type in WS-Security bindings so that the run time emits the <ds:KeyInfo> element that you need. You are selecting the key information type that you want to use for outbound digital signature, encryption or both. The JAX-WS run time in the WebSphere® Application Server supports the following key information types:
  • Security token reference
  • Key identifier
  • X509 issuer name and issuer serial
  • Embedded token
  • Thumbprint

For more information about the <ds:KeyInfo> element, see Key Information.

Here is the general procedure for editing your bindings to change the key information types.

Procedure

  1. In the administrative console, open your bindings and browse to Authentication and protection.
    1. Open your client or provider general bindings or application-specific bindings.
    2. Click WS-Security Authentication and protection.
  2. Optional: Find the name of the key information associated with the sign part.

    If editing a client binding:

    1. In Request message signature and encryption protection open the asymmetric sign part.

    If editing a provider binding:

    1. In Response message signature and encryption protection open the asymmetric sign part.
    2. Note the name of the Signing key information.
    3. Click Cancel.
  3. Optional: Find the name of the key information associated with the encrypt part.

    If editing a client binding:

    1. In Request message signature and encryption protection open the asymmetric encrypt part.

    If editing a provider binding:

    1. In Response message signature and encryption protection open the asymmetric encrypt part.
    2. Note the name of the Encryption key information.
    3. Click Cancel.
  4. Browse to Keys and certificates.
    1. Click WS-Security.
    2. Click Keys and certificates.
  5. Optional: Set the outbound signing key information.
    1. Select the name of the signing key information that you noted.
    2. For Type, select the key information type that you want to use for digital signature.
    3. Click OK.
  6. Optional: Set the outbound encryption key information.
    1. Select the name of the encryption key information that you noted.
    2. For Type, select the key information type that you want to use for encryption.
    3. Click OK.
  7. Click Save to save your configuration changes.

    If you modified general bindings, you need to restart the application server before the changes take effect. If you modified application-specific bindings, the changes take effect when your application is restarted.
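After saving and restarting, it is worth confirming on the wire that the outbound Security header now carries the form the receiver asked for (the scenario in the introduction: the receiver requires a <ds:X509IssuerSerial> and the message was sending a <wsse:KeyIdentifier>). The following Python script is an added example, not part of this documentation or of the WebSphere product; it reads a captured SOAP envelope and names the key information form found in the signature and encryption <ds:KeyInfo> elements using the five labels from the Type drop-down. The mapping from console label to XML structure follows the WS-Security 1.0/1.1 X.509 Token Profile (direct wsse:Reference, wsse:KeyIdentifier with an SKI or ThumbprintSHA1 ValueType, ds:X509IssuerSerial, wsse:Embedded) and is an assumption about what the run time emits; the sample envelope is constructed for the test.

```python
"""Report which key information form each <ds:KeyInfo> in a WS-Security
header uses, so you can verify a binding change against what the receiver
requires.  Added example; not WebSphere code.  Assumes the WS-Security 1.0
namespaces and the X.509 Token Profile reference forms."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# ValueType that distinguishes a Thumbprint reference from a plain key identifier
THUMBPRINT_SHA1 = ("http://docs.oasis-open.org/wss/"
                   "oasis-wss-soap-message-security-1.1#ThumbprintSHA1")
SKI = ("http://docs.oasis-open.org/wss/"
       "oasis-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier")


def classify_keyinfo(keyinfo):
    """Map one <ds:KeyInfo> element to the console's Type label (assumed mapping)."""
    ref = keyinfo.find("wsse:SecurityTokenReference", NS)
    if ref is None:
        return "no SecurityTokenReference"
    if ref.find("ds:X509Data/ds:X509IssuerSerial", NS) is not None:
        return "X509 issuer name and issuer serial"
    if ref.find("wsse:Embedded", NS) is not None:
        return "Embedded token"
    kid = ref.find("wsse:KeyIdentifier", NS)
    if kid is not None:
        return "Thumbprint" if kid.get("ValueType") == THUMBPRINT_SHA1 else "Key identifier"
    if ref.find("wsse:Reference", NS) is not None:
        return "Security token reference"
    return "unrecognized"


def keyinfo_types(envelope_xml):
    """Return {'signature': label, 'encryption': label} for the KeyInfo elements present."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    result = {}
    if security is None:
        return result
    sig_ki = security.find("ds:Signature/ds:KeyInfo", NS)
    if sig_ki is not None:
        result["signature"] = classify_keyinfo(sig_ki)
    enc_ki = security.find("xenc:EncryptedKey/ds:KeyInfo", NS)
    if enc_ki is not None:
        result["encryption"] = classify_keyinfo(enc_ki)
    return result


def mismatches(envelope_xml, required):
    """List (part, found, required) where the header differs from what the receiver wants."""
    found = keyinfo_types(envelope_xml)
    return [(part, found.get(part, "absent"), want)
            for part, want in required.items() if found.get(part) != want]


# Constructed sample: signature uses issuer/serial, encryption still uses a key identifier.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}">
 <soap:Header>
  <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}">
   <xenc:EncryptedKey>
    <ds:KeyInfo><wsse:SecurityTokenReference>
     <wsse:KeyIdentifier ValueType="{SKI}">c2FtcGxlLXNraQ==</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference></ds:KeyInfo>
   </xenc:EncryptedKey>
   <ds:Signature>
    <ds:KeyInfo><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial>
     <ds:X509IssuerName>CN=Example CA</ds:X509IssuerName>
     <ds:X509SerialNumber>1234</ds:X509SerialNumber>
    </ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo>
   </ds:Signature>
  </wsse:Security>
 </soap:Header>
 <soap:Body/>
</soap:Envelope>"""

if __name__ == "__main__":
    print(keyinfo_types(SAMPLE))
    # A receiver that wants issuer/serial for both parts would still flag encryption.
    print(mismatches(SAMPLE, {"signature": "X509 issuer name and issuer serial",
                              "encryption": "X509 issuer name and issuer serial"}))
```

Run it against a message captured with a TCP/IP monitor or the trace of your own application; `mismatches` tells you which part (signature or encryption) still needs its Type changed in Keys and certificates.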

Results

You have changed the key information type in your WS-Security bindings.

Example

Here is a sample procedure that uses the Client sample general bindings.

  1. In the administrative console, open your bindings and browse to Authentication and protection.
    1. Click Services > Policy sets > General client policy set bindings > Client sample.
    2. Click WS-Security Authentication and protection.
  2. Find the name of the key information associated with the sign part.
    1. For Request message signature and encryption protection, open the asymmetric sign part (asymmetric-signingInfoRequest).
    2. Note the name of the Signing key information (gen_signkeyinfo).
    3. Click Cancel.
  3. Find the name of the key information that is associated with the encrypt part.
    1. For Request message signature and encryption protection, open the asymmetric encrypt part (asymmetric-encryptionInfoRequest).
    2. Note the name of the Encryption key information (gen_enckeyinfo).
    3. Click Cancel.
  4. Browse to Keys and certificates.
    1. Click WS-Security.
    2. Click Keys and certificates.
  5. Set the outbound signing key information.
    1. Select the name of the signing key information that you noted (gen_signkeyinfo).
    2. For Type, select the key information type that you want to use for digital signature.
    3. In the Type drop-down, you will see the following:
      • Key identifier
      • Security token reference
      • Embedded token
      • X509 issuer name and issuer serial
      • Thumbprint
    4. Click OK.
  6. Set the outbound encryption key information.
    1. Select the name of the encryption key information that you noted (gen_enckeyinfo).
    2. For Type, select the key information type that you want to use for encryption.
    3. In the Type drop-down, you will see the following:
      • Key identifier
      • Security token reference
      • Embedded token
      • X509 issuer name and issuer serial
      • Thumbprint
    4. Click OK.
  7. Click Save to save your configuration changes.