Adding signatures

You can add signatures if you want to apply signature authentication to the header and body elements of a SOAP message.

Before you begin

You must have created an identity store before you can add a signature, see Identity stores and SSL.

About this task

You can configure the outgoing messages to be signed. You can use symmetric or asymmetric key-based signature algorithms to sign the messages.

Procedure

  1. Open a SOAP message for editing.

    The message editor is displayed.

  2. Right-click the message node, and then click Properties.

    The Field Properties dialog box is displayed.

  3. Click the WS-Security tab.
  4. Select the Enable check box.
  5. Select Signature from the drop-down list.

    The Signature dialog box is displayed.

    Note: The default keystore uses the asymmetric key-based signature algorithm to sign the outgoing messages and the Keystore option is selected.
  6. Perform any of the following actions:
    • To use the asymmetric key-based signature algorithms to sign messages, go to Step 7.
    • To use the symmetric key-based signature algorithms to sign messages, go to Step 8.
  7. Perform the following steps to use the asymmetric key-based signature algorithms to sign messages:
    Image of the Signature window.
    1. Perform the actions indicated in the following table:
      Option Description Action
      Transformation Name Specifies a user-defined name for the security action. The name helps you to identify the action in the main list. Enter a name for the action or continue to use the default name listed as Signature.
      Signature Key Source panel
      Keystore Specifies whether to sign with a keystore (identity store) provided by Rational® Integration Tester.
      Note: The keys used in the keystore are asymmetric keys and are based on any of the following signature standards that are supported:
      • DSA-SHA1

      • ECDSA-SHA1

      • ECDSA-SHA256

      • ECDSA-SHA384

      • ECDSA-SHA512

      • RSA-SHA1

      • RSA-SHA256

      • SHA1

      • SHA384

      Note: This is the default option that is selected.

      Retain this default option as selected.

      Username Token Specifies whether to sign with a user token.
      Note: These fields are enabled only if you created a user token by using Digest or Nonce and with the Created options enabled.
      Enter the user token and the assertion token.
      SAML Assertion Token
      Symmetric Key Specifies whether to use the symmetric key-based signature algorithm for signing. Do not select this option if you want to use asymmetric key-based signature algorithms.
      Certificate Information panel
      Keystore Specifies the keystore that contains the digital certificates and private keys. Select the keystore to use.
      Key Alias Specifies the private key alias to use that is defined in the selected keystore. Select the key alias to use.
      Password Specifies the password to use for the certificate that is in the keystore. Enter the password to use.
      Key identifier type Specifies how the signature key is referred.
      Select from the following options:
      • Binary security token direct reference
      • Issuer serial
      • X509 key identifier
      Sign with certificate chain Specifies whether the signing is done by using the certificates that are available in the keystore. Select this option if you want to use the certificate chain for signing.
      Algorithm panel
      Signature Algorithm Specifies the asymmetric key-based signature algorithm to use for signing. Select the signature algorithm from the following algorithms that are supported:
      • DSA-SHA1

      • ECDSA-SHA1

      • ECDSA-SHA256

      • ECDSA-SHA384

      • ECDSA-SHA512

      • RSA-SHA1

      • RSA-SHA256

      • SHA1

      • SHA384

      Actor Information panel
      Actor Specifies a specific message receiver (either the ultimate receiver or an intermediary). For each actor or role that is defined (that is, in multiple tokens), a separate security header is added to the SOAP header. Specify a message receiver.
      Must understand Specifies the following action:
      • When enabled, makes the SOAP header mandatory for the specified actor or role. In this case, either the header block must be processed or the entire SOAP message is ignored, and a SOAP fault is generated.
      • When not enabled, the specified actor or role may or may not process the SOAP header.
      Perform any of the following actions:
      • Retain the default option as unselected.
      • Select this option.
      • Clear the selection, if it is selected.
    2. Continue to configure the other settings for the outgoing messages as described in Step 9.
  8. Perform the following steps to use the symmetric key-based signature algorithms to sign messages:
    Image of the Signature window.
    1. Perform the actions indicated in the following table:
      Option Description Action
      Transformation Name User-defined name for the security action. The name helps you to identify the action in the main list. Enter a name for the action or continue to use the default name listed as Signature.
      Signature Key Source panel
      Keystore Specifies whether to sign with a keystore (identity store) provided by Rational® Integration Tester.
      Note: This is the default option that is selected. Do not select this option if you want to use symmetric key-based signature algorithms.

      Select the Symmetric Key option to clear this default selection.

      Username Token Specifies whether to sign with a user token created by using Digest or Nonce.
      Note: These options are not enabled when you select the Symmetric Key option.
      SAML Assertion Token
      Symmetric Key Specifies whether to use the symmetric key-based signature algorithms. Perform the following steps:
      1. Select this option if you want to use symmetric key-based signature algorithms.
      2. Enter the hexadecimal key that is used to sign the outgoing messages.
      Certificate Information panel
      Keystore Specifies the keystore that contains the digital certificates and private keys.
      Note: These options are not enabled when you select the Symmetric Key option.
      Key Alias Specifies the private key alias to use that is defined in the selected keystore.
      Password Specifies the password to use for the certificate that is in the keystore.
      Key identifier type Specifies how the signature key is referred.
      Sign with certificate chain Specifies whether the signing is done by using the certificates that are available in the keystore. Select this option if you want to use the certificate chain for signing.
      Algorithm panel
      Signature Algorithm Specifies whether to use the symmetric key-based signature algorithm for signing. Select the signature algorithm from the following algorithms that are supported:
      • HMAC-MD5

      • HMAC-SHA1

      • HMAC-SHA256

      • HMAC-SHA384

      • HMAC-SHA512

      Actor Information panel
      Actor Specifies a specific message receiver (either the ultimate receiver or an intermediary). For each actor or role that is defined (that is, in multiple tokens), a separate security header is added to the SOAP header. Specify a message receiver.
      Must understand Specifies the following action:
      • When enabled, makes the SOAP header mandatory for the specified actor or role. In this case, either the header block must be processed or the entire SOAP message is ignored, and a SOAP fault is generated.
      • When not enabled, the specified actor or role may or may not process the SOAP header.
      Perform any of the following actions:
      • Retain the default option as unselected.
      • Select this option.
      • Clear the selection, if it is selected.
    2. Continue to configure the other settings for the outgoing messages as described in Step 9.
  9. Configure the following settings:
    Option Action
    SOAP Body Select this check box to sign the body of a SOAP message.
    Note: In the Signature window, only message elements that are explicitly selected will be signed.
    WS-Security Tokens Select this check box to sign other security actions listed above this action (under the toolbar on the WS-Security tab) for a SOAP message. For each action displayed under this check box, you must select the check box next to it if you want to sign it.
    WS-Addressing Select this check box to encrypt WS-Addressing fields of a SOAP message. For each field that is displayed under this check box, you must select the check box next to it if you want to encrypt it.
    SOAP Headers Select this check box to sign individual header elements in the SOAP envelope. You must select the header element that you want to sign.
    Body Fields Add a qualified name for each body element that you want to sign in the SOAP envelope.
  10. Perform the following steps:
    1. Click OK to save and close the Signature dialog box.
    2. Click OK to save and close the Field Properties dialog box.
    3. Click OK to save and close the Message Editor dialog box.

Results

You have configured the outgoing SOAP messages to use asymmetric or symmetric key-based signature algorithms to sign the messages.

What to do next

You can use the signature validation option to validate signatures on incoming messages. See Validating signatures.