How to Sign a SOAP Message
Part 1: Client setup
On the client side, using WSS4J (Web Service Security for Java), create the SOAP header to include a signed message digest of the outgoing SOAP message. The body of the SOAP message must be complete before signing; otherwise verification on the server will fail, since the message digest, which is derived from the body, won't match.
Libraries needed:
opensaml.jar and wss4j.jar
1. Generate client keystore using “keytool” utility from JDK 1.6
keytool -genkey -alias MyClientCert -keystore MyClient.keystore
2. Create a crypto.properties file
Example:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=[some_password]
org.apache.ws.security.crypto.merlin.keystore.alias=MyClientCert
org.apache.ws.security.crypto.merlin.alias.password=[some_password]
org.apache.ws.security.crypto.merlin.file=C:/Temp/MyClient.keystore
3. Generate the SOAP message using SAAJ and WSS4J. The message construction should look like the following:
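As an added example (not code from the original article), the following client method builds the message with SAAJ, inserts the wsse:Security header and signs the body with WSS4J 1.5's WSSecSignature, using the keystore alias and crypto.properties from steps 1 and 2. The class name, the example namespace and element names are placeholders.

```java
import javax.xml.namespace.QName;
import javax.xml.soap.MessageFactory;
import javax.xml.soap.SOAPBody;
import javax.xml.soap.SOAPMessage;
import javax.xml.soap.SOAPPart;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;

public class SignedSoapClient {

    // keyPassword is the private-key (alias) password of MyClientCert.
    public static SOAPMessage buildSignedMessage(String keyPassword) throws Exception {
        // 1. Build the complete body first: the digest is computed over the body,
        //    so anything added after signing would fail verification on the server.
        SOAPMessage message = MessageFactory.newInstance().createMessage();
        SOAPBody body = message.getSOAPBody();
        body.addBodyElement(new QName("http://example.com/ns", "echo", "ns"))  // placeholder namespace
            .addChildElement("text").addTextNode("hello");
        SOAPPart part = message.getSOAPPart();   // SOAPPart implements org.w3c.dom.Document

        // 2. Load the Merlin provider configured in crypto.properties (on the classpath).
        Crypto crypto = CryptoFactory.getInstance("crypto.properties");

        // 3. Insert an empty wsse:Security header, then sign the body into it.
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(part);

        WSSecSignature signer = new WSSecSignature();
        signer.setUserInfo("MyClientCert", keyPassword);
        // Embed the client certificate as a BinarySecurityToken so the server can
        // match it against the entry imported into MyServer.truststore.
        signer.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
        signer.build(part, crypto, secHeader);

        // 4. Flush the DOM changes back into the SAAJ message before it is sent.
        message.saveChanges();
        return message;
    }
}
```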
Part 2: Server setup
On the server side, using EJB 3.0 to implement the web service under JBoss 4.2.2 makes it pretty simple to verify the signed SOAP.
Libraries needed:
jbossws-core.jar
1. In the stateless web service bean, add the @EndpointConfig annotation. The web service annotation should look something like this:
Example:
2. Create a server keystore
keytool -genkey -alias MyServerCert -keystore MyServer.keystore
3. Export the client's public certificate and import it into a server truststore, so the server trusts the client's signing certificate.
keytool -export -alias MyClientCert -keystore MyClient.keystore -file MyClient.cer
keytool -import -alias MyClientCert -keystore MyServer.truststore -file MyClient.cer
NOTE: To list the certificates contained in MyServer.truststore (or any keystore) and verify that the import succeeded, run the following:
keytool -list -keystore MyServer.truststore -v
4. In the META-INF folder of your web service “-ejb.jar” package, you must include the MyServer.keystore and MyServer.truststore and a new configuration file called jboss-wsse-server.xml. This new file should look like the following.