DSS Signature Verification Web Service

Overview

The filter allows the Enterprise Gateway to verify XML Signatures "as a service" according to the OASIS DSS (Digital Signature Services) specification. The DSS specification describes how a client can send a message containing an XML Signature to a DSS Signature verification Web Service that can verify the Signature and return the result of the verification to the client.

The advantage of this approach is that the Signature verification code is abstracted away from the logic of the Web Service and does not have to be coded into the Web Service. Furthermore, in an SOA (Service-Oriented Architecture), a centralized DSS server provides a single implementation point for all XML Signature-related services, which can then be accessed by all Services running within the SOA. This represents a much more manageable solution than one in which the security layer is actually coded into each Web Service.
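The request and response that make up this exchange, as an added example that is not part of the Enterprise Gateway product or this help page: a small Python client that wraps a signed document in a DSS VerifyRequest and interprets the DSS VerifyResponse, using the OASIS DSS 1.0 core element names and result URNs. The signed document and the responder messages are constructed placeholders, and the client fails closed on anything other than an unambiguous "valid on all documents" result.

```python
import xml.etree.ElementTree as ET

# OASIS DSS 1.0 core namespace and result URNs; XML-DSig namespace for the embedded signature.
DSS = "urn:oasis:names:tc:dss:1.0:core:schema"
DS = "http://www.w3.org/2000/09/xmldsig#"
MAJOR_SUCCESS = "urn:oasis:names:tc:dss:1.0:resultmajor:Success"
MINOR_VALID_ALL = "urn:oasis:names:tc:dss:1.0:resultminor:valid:signature:OnAllDocuments"
MINOR_INCORRECT = "urn:oasis:names:tc:dss:1.0:resultminor:invalid:IncorrectSignature"
ET.register_namespace("dss", DSS)
ET.register_namespace("ds", DS)

def build_verify_request(signed_doc: ET.Element, request_id: str) -> bytes:
    """Wrap a document carrying an enveloped XML Signature in a dss:VerifyRequest.
    The ds:Signature stays inside the document, so SignatureObject does not repeat it:
    a SignaturePtr tells the responder which InputDocument holds the signature to verify."""
    req = ET.Element(f"{{{DSS}}}VerifyRequest", RequestID=request_id)
    docs = ET.SubElement(req, f"{{{DSS}}}InputDocuments")
    doc = ET.SubElement(docs, f"{{{DSS}}}Document", ID="doc1")
    ET.SubElement(doc, f"{{{DSS}}}InlineXML").append(signed_doc)
    sig_obj = ET.SubElement(req, f"{{{DSS}}}SignatureObject")
    ET.SubElement(sig_obj, f"{{{DSS}}}SignaturePtr", WhichDocument="doc1")
    return ET.tostring(req)

def signature_is_valid(response_xml: bytes, expected_request_id: str) -> bool:
    """Interpret a dss:VerifyResponse, failing closed: only Success together with
    valid:signature:OnAllDocuments is accepted. A missing Result, a RequestID that does
    not match the request we sent, or any other ResultMinor counts as a failed verification."""
    resp = ET.fromstring(response_xml)
    if resp.tag != f"{{{DSS}}}VerifyResponse" or resp.get("RequestID") != expected_request_id:
        return False
    major = (resp.findtext(f"{{{DSS}}}Result/{{{DSS}}}ResultMajor") or "").strip()
    minor = (resp.findtext(f"{{{DSS}}}Result/{{{DSS}}}ResultMinor") or "").strip()
    return major == MAJOR_SUCCESS and minor == MINOR_VALID_ALL

def sample_signed_order() -> ET.Element:
    """Constructed input document with a ds:Signature placeholder (not a real signature)."""
    order = ET.Element("Order", Id="order-1")
    ET.SubElement(order, f"{{{DS}}}Signature")
    return order

def sample_response(major: str, minor: str, request_id: str = "req-1") -> bytes:
    """Constructed responder message with placeholder values, not captured from a real server."""
    return (f'<dss:VerifyResponse xmlns:dss="{DSS}" RequestID="{request_id}">'
            f"<dss:Result><dss:ResultMajor>{major}</dss:ResultMajor>"
            f"<dss:ResultMinor>{minor}</dss:ResultMinor></dss:Result></dss:VerifyResponse>").encode()

if __name__ == "__main__":
    print(build_verify_request(sample_signed_order(), "req-1").decode())
    print(signature_is_valid(sample_response(MAJOR_SUCCESS, MINOR_VALID_ALL), "req-1"))
    print(signature_is_valid(sample_response(MAJOR_SUCCESS, MINOR_INCORRECT), "req-1"))
```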

Configuration

Complete the following fields to configure the DSS Signature Verification Web Service filter.

Name:
Enter a descriptive name for the filter in this field.

Find Signing Key:
The public key to be used to verify the signature can be retrieved from one of the following locations:

  • KeyInfo in Message:
    The verification certificate can be located via the <KeyInfo> block within the XML Signature. For example, the certificate could be contained within a <BinarySecurityToken> element in a WSSE Security header. The <KeyInfo> section of the XML Signature can then reference this BinarySecurityToken. The Enterprise Gateway can automatically resolve this reference in order to locate the certificate that contains the public key necessary to perform the signature verification.
  • Message Attribute:
    The certificate used to verify the signature can be extracted from the message attribute specified here. The certificate must have been placed into this attribute by a predecessor of the DSS Signature Verification Web Service filter.
  • Certificate in LDAP:
    The certificate used to verify the Signature can be retrieved from an LDAP directory. Select a previously configured LDAP directory from the dropdown or add a new one by clicking on the Add/Edit button. For more information on configuring LDAP directories, please refer to the LDAP Configuration help page.
  • Certificate in Store:
    Finally, the verification certificate can be selected from the Certificate Store. Click the Select button to view the certificates that have been added to the store. Select the verification certificate by checking the checkbox next to it in the table.