Hello John,
I don't believe the issue lies in the SOAP message signature.
I've verified everything, and the message is identical when sent from both Oracle and WebSphere.
However, the endpoint does not receive it in the same way.
It seems that during the transport phase, the message is somehow altered - as if WebSphere changes the document type and sends it as HTML, including a DOCTYPE declaration in the header.
Is there any way to prevent WebSphere from intercepting or altering the transport layer?
Please find attached the error returned by the service.
Thank you,
Regards
------------------------------
Jose Luis Nebril
------------------------------
Original Message:
Sent: Sun September 14, 2025 04:58 PM
From: john vick
Subject: sign SOAP Service using wss4j
I've seen this issue before when running WSS4J with WebSphere. By default, WebSphere applies its own WS-Security policy sets on outbound SOAP messages, which can interfere with WSS4J signatures. A couple of things you could try:
Make sure no WS-Security policy set is bound to your client - in the admin console check Service Client > Policy Sets > Attachments and remove any attached policy sets.
If you still need WS-Security on other calls, you can create a custom policy set with only the modules you require and leave signing off for this specific client.
Also double-check that your message handler order doesn't have WebSphere's security handler wrapping the WSS4J output.
Disabling the default policy set usually allows WSS4J to control the signature fully without WebSphere reprocessing it.
------------------------------
john vick
Original Message:
Sent: Sun September 14, 2025 02:34 PM
From: Jose Luis Nebril
Subject: sign SOAP Service using wss4j
Hi
I have an application that connects to a web service which requires the SOAP request to be digitally signed.
I'm using WSS4J, and when running under Oracle Java, everything works correctly - the request is signed and the connection is successfully established.
However, when we deploy the same code in IBM WebSphere, we get an "invalid signature" error.
It looks like IBM's WS-Security implementation is intercepting the outgoing SOAP message and altering (or re-signing) the message, which causes the signature to become invalid.
Is there any way to prevent WebSphere from applying its own WS-Security processing or signing on outgoing messages, so that the message is sent exactly as WSS4J generates it?
Any hints or configuration settings would be greatly appreciated.
JL
------------------------------
Jose Luis Nebril
------------------------------
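Added example, not part of the thread and not code from any poster: a small Python diagnostic that compares two captured HTTP requests for the symptoms raised above, namely a changed Content-Type, a DOCTYPE in the body (the latest reply), and an extra `wsse:Security` or `ds:Signature` element (the re-signing hypothesis in the earlier replies). The two captures, the host name and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from email.parser import BytesParser

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")

def inspect_request(raw: bytes) -> dict:
    """Summarise one captured HTTP request: request line, headers, blank line, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    _, _, header_block = head.partition(b"\r\n")  # drop the request line
    headers = BytesParser().parsebytes(header_block + b"\r\n\r\n", headersonly=True)
    info = {"content_type": headers.get_content_type(),
            "has_doctype": re.search(rb"<!DOCTYPE", body, re.I) is not None,
            "security_headers": None, "signatures": None}
    if info["has_doctype"]:
        return info  # do not hand a DTD-bearing body to the XML parser
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return info  # body is not well-formed XML; counts stay None
    info["security_headers"] = len(root.findall(f".//{{{WSSE_NS}}}Security"))
    info["signatures"] = len(root.findall(f".//{{{DS_NS}}}Signature"))
    return info

def diff_requests(working: bytes, failing: bytes) -> dict:
    """Return only the fields that differ, as (working, failing) pairs."""
    a, b = inspect_request(working), inspect_request(failing)
    return {key: (a[key], b[key]) for key in a if a[key] != b[key]}

# Constructed sample captures (not taken from the thread's attachment).
ENVELOPE = (
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soapenv:Header><wsse:Security xmlns:wsse="%b">'
    b'<ds:Signature xmlns:ds="%b"/></wsse:Security></soapenv:Header>'
    b'<soapenv:Body/></soapenv:Envelope>' % (WSSE_NS.encode(), DS_NS.encode()))
REQUEST_LINE = b"POST /service HTTP/1.1\r\nHost: service.example\r\n"
CAPTURE_WORKING = (REQUEST_LINE + b"Content-Type: text/xml; charset=UTF-8\r\n\r\n"
                   + ENVELOPE)
CAPTURE_FAILING = (REQUEST_LINE + b"Content-Type: text/html\r\n\r\n"
                   + b"<!DOCTYPE html>\n" + ENVELOPE)

if __name__ == "__main__":
    for field, (good, bad) in diff_requests(CAPTURE_WORKING, CAPTURE_FAILING).items():
        print(f"{field}: working={good!r} failing={bad!r}")
```

The comparison is only meaningful on bytes captured on the wire (a proxy or packet capture), since a message logged inside the application is recorded before any later processing by the container.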