

Digitally Signing and Verifying Messages in Web Services

Signature Verification by Oracle WSM

Oracle Web Services Manager can validate the signature on an incoming (request) SOAP message. Using Oracle WSM for this centralizes both policy enforcement and public key management. As organizations deploy more web services that are accessed by other divisions and business partners, managing the signature verification process can become tedious, because each new consumer's certificate must be maintained. Oracle WSM addresses this by centralizing those operations. In this section I describe how to configure an Oracle WSM policy to validate the signature of the SOAP request message.

To view the policy, click Policy Management and then Manage Policies. This brings up the screen with the gateway information and a hyperlink for policies (see the following screen capture).

Figure 7

Click Policies to list all the policies; the VerifyAndSign policy, which is created by default, appears among them.

Figure 8

A default policy is attached to the service. Click Edit to edit the policy; you will then see the policy steps as shown in the following screenshot.

Figure 9

In this section, we configure the Request pipeline to validate the signature of the incoming SOAP message. To do so, click Add Step Below and add the Verify Signature policy step, as shown in the following screenshot.

Figure 10

Once you click OK, the Verify Signature policy step is added, but it still has to be configured. Clicking the Configure button on the Verify Signature policy step takes you to the screen where you configure the step's settings, as shown in the following screen capture.

Figure 11

In the previous screenshot, I configured the Verify Signature policy step with:

  • Location of the key store
  • Key store type (PKCS12)
  • Password of the key store
  • Public key alias in the key store
  • Remove Signatures set to true, so that the digital signature is removed from the message after it has been validated
  • Enforce Signing set to true, so that incoming requests are required to be signed

Note: To generate a PKCS12 key store from a certificate that is already installed in Microsoft Certificate Services, first export the certificate (with or without the private key), import it into Firefox (Advanced options), and then export it back as PKCS12.

Once the Verify Signature policy step has been configured and saved (Commit Policy), the policy enforces that any request for the time service with that particular service ID be digitally signed.

Signature Generation by Oracle WSM

In the last section, I discussed how to digitally sign a web service request from a Microsoft .NET application and how to validate the signature with Oracle WSM. In this section, I discuss how to digitally sign the web service response message. In the earlier section, we discussed how to register the service and how to attach the Verify Signature policy step to the request pipeline. To digitally sign the response message, the response pipeline of the policy must be modified to include the Sign Message policy step. The policy, with the request pipeline already configured to verify the signature, looks like this:

Figure 12

Now we add the step in the Response pipeline that actually signs the response message. To add the policy step, click Add Step Below and then select the Sign Message policy step. Once the Sign Message policy step is added, it can be configured, as shown in the following screenshot, with the location of the key store holding the key used to digitally sign the message.

Figure 13

In the previous figure, the location of the key store that holds the private key is specified, along with the key store password, the alias, and the part of the message to be signed.

Once the policy is created, it looks like this:

Figure 14

In the previous screenshot, the Response pipeline has two log steps: one to log the message before it is digitally signed and one to log it afterwards. In this sample, we are using the same WSEQuickStartServer certificate to sign the message.

Once the policy is saved, the response message is digitally signed. The client application (Microsoft .NET) can then be configured to validate the signature.
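The two policy steps described above (Verify Signature on the request pipeline, Sign Message on the response pipeline) can be reproduced outside the gateway to see what each setting actually does. The following Java program is an added example, not code from the book or from Oracle WSM: it uses the JDK's standard javax.xml.crypto.dsig API to put an enveloped XML signature on a constructed SOAP envelope and then validates it with the Enforce Signing and Remove Signatures semantics from the list above. The names SoapSignatureDemo, signMessage, verifyMessage and publicKeyFromStore are assumptions of this example; for simplicity the ds:Signature element is placed directly in the SOAP Header rather than inside a wsse:Security header, and an in-memory RSA key pair stands in for the WSEQuickStartServer entry, with publicKeyFromStore showing how the key store location, type, password and alias settings would be used instead.

```java
import java.io.*;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SoapSignatureDemo {
    private static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // The four key store settings of the Verify Signature step: location, type (PKCS12),
    // password and public key alias. Not called in main(); shown for deployment use.
    static PublicKey publicKeyFromStore(String path, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        java.security.cert.Certificate cert = ks.getCertificate(alias);
        if (cert == null) throw new KeyStoreException("no entry for alias " + alias);
        return cert.getPublicKey();
    }

    // Sign Message step: enveloped signature over the whole envelope with the private key.
    static void signMessage(Document doc, PrivateKey signingKey) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // URI "" covers the whole document; the enveloped transform excludes the Signature itself.
        Reference ref = fac.newReference("",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        Element header = (Element) doc.getElementsByTagNameNS(SOAP_NS, "Header").item(0);
        // KeyInfo is deliberately omitted: the verifier uses the key from its own trusted store,
        // never a key carried inside the message.
        fac.newXMLSignature(si, null).sign(new DOMSignContext(signingKey, header));
    }

    // Verify Signature step. enforceSigning=true rejects unsigned messages; removeSignatures=true
    // strips the ds:Signature element after a successful validation so the back end never sees it.
    static boolean verifyMessage(Document doc, PublicKey trustedKey,
                                 boolean enforceSigning, boolean removeSignatures) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) return !enforceSigning;
        Element sigEl = (Element) sigs.item(0);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(trustedKey, sigEl);
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        boolean ok = sig.validate(ctx);   // checks SignatureValue and every reference digest
        if (ok && removeSignatures) sigEl.getParentNode().removeChild(sigEl);
        return ok;
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key pair; in deployment use publicKeyFromStore(...) for verification.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        // Constructed sample request for a time service.
        String soap = "<soap:Envelope xmlns:soap=\"" + SOAP_NS + "\"><soap:Header/>"
            + "<soap:Body><GetTime xmlns=\"urn:example:time\"/></soap:Body></soap:Envelope>";

        Document signed = parse(soap);
        signMessage(signed, kp.getPrivate());
        System.out.println("signed message verifies: " + verifyMessage(signed, kp.getPublic(), true, true));
        System.out.println("signature removed after validation: "
            + (signed.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").getLength() == 0));

        Document tampered = parse(soap);
        signMessage(tampered, kp.getPrivate());
        tampered.getElementsByTagNameNS("urn:example:time", "GetTime").item(0)
            .appendChild(tampered.createElement("Modified"));
        System.out.println("tampered message verifies: " + verifyMessage(tampered, kp.getPublic(), true, false));

        System.out.println("unsigned message accepted with Enforce Signing: "
            + verifyMessage(parse(soap), kp.getPublic(), true, false));
    }
}
```

Run with `javac SoapSignatureDemo.java && java SoapSignatureDemo`. The first check should print true, the tampered and unsigned checks false. The point the example makes about the gateway configuration is that the validating key is taken from the configured key store alias rather than from the message, which is why the public key alias is a required setting of the Verify Signature step.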

Oracle WSM Test Page as Client Application

Oracle WSM comes with its own test page where you can test a web service and the security policy associated with it. In this example, I show how to test the web service policy that was just deployed and that digitally signs the response message.

You get the test page from the Tools menu.

Figure 15

In the WSDL URL text box, enter the WSDL URL and then click Submit Query. A window comes up where you can enter credentials (username and password) and specify whether they should be sent in the HTTP header or as part of the SOAP message. It also has an option to save the test, as shown in the following screen capture.

Figure 16

You can give the test a name and a description and then click Invoke. When you click the Invoke button, the web service is invoked and the test is also saved. In our example, once the web service is invoked, the security policy is applied and the response message is digitally signed, as shown in the next screenshot.

Figure 17

In the next example, you will see how to create a client application in Microsoft .NET to perform the signature generation and validation.
