Configuring the collection certificate store for the consumer binding with an assembly tool

You can specify the collection certificate store for the consumer bindings at the application level using an assembly tool. The response consumer is configured for the client, and the request consumer is configured for the server.

Before you begin

Prior to completing this task, you must import your application into an assembly tool.

For information on how to import your application, see Importing enterprise applications.

About this task

This task describes the steps to specify the collection certificate store for the consumer bindings at the application level using an assembly tool. A collection certificate store is a collection of non-root certificate authority (CA) certificates and certificate revocation lists (CRLs) that is used for validating an X.509 certificate embedded within the received SOAP message.

Complete the following steps. You must configure either the client-side bindings (response consumer) or the server-side bindings (request consumer); the two optional steps below locate each set of bindings.

Procedure

  1. Start the assembly tool.
  2. Switch to the Java 2 Platform, Enterprise Edition (J2EE) perspective. Click Window > Open Perspective > J2EE.
  3. Optional: Locate the client-side bindings using the Project Explorer window. The Client Deployment Descriptor window is displayed. This Web service contains the bindings that you need to configure. Complete the following steps to locate the client-side bindings:
    1. Expand the Web Services > Client section and double-click the name of the Web service.
    2. Click the WS Binding tab and expand the Security Response Consumer Binding Configuration section.
  4. Optional: Locate the server-side bindings using the Project Explorer window. The Web Services Editor window is displayed. This Web service contains the bindings that you need to configure. Complete the following steps to locate the server-side bindings:
    1. Expand the Web Services > Services section and double-click the name of the Web service.
    2. Click the Binding Configurations tab and expand the Request Consumer Binding Configuration Details section.
  5. Expand the Certificate Store List > Collection Certificate Store section and click Add.
  6. Specify a unique certificate store name in the Name field. For example, specify cert1. The name of the collection certificate store must be unique on the level in which it is defined. For example, the name must be unique at the application level. The name specified in the certificate store name field is used by other configurations to refer to a predefined collection certificate store. WebSphere Application Server looks up the collection certificate store based on proximity. For example, if an application binding refers to certificate store cert1, WebSphere Application Server will look first for cert1 at the application level. If it is not found, it will look at the server level, and finally at the cell level.
  7. Specify a certificate store provider in the Provider field. The IBMCertPath certificate path provider is supported. To use another certificate path provider, you must define the provider implementation in the provider list within the java.security file in the Software Development Kit (SDK).
  8. Click Add under X509 Certificate to specify a fully qualified path to an X.509 certificate, click the name of an existing certificate path entry to edit it, or click Remove to delete it. This collection certificate store is used to validate the certificate path of the incoming X.509-formatted security tokens.

    You can use the USER_INSTALL_ROOT variable as part of the path name. For example, you might specify ${USER_INSTALL_ROOT}/etc/ws-security/samples/intca2.cer. However, do not use this sample X.509 certificate path in production. Obtain your own X.509 certificate from a certificate authority before putting your WebSphere Application Server environment into production.

    In the WebSphere Application Server administrative console, you can click Environment > WebSphere Variables to configure the USER_INSTALL_ROOT variable.

  9. Click Add under CRL to specify the fully qualified path to a certificate revocation list (CRL), click an existing CRL entry to edit it, or click Remove to delete it.

    For portability reasons, it is recommended that you use the WebSphere Application Server variables to specify a relative path to the certificate revocation list. For example, you might use the USER_INSTALL_ROOT variable to define a path such as ${USER_INSTALL_ROOT}/mycertstore/mycrl. For a list of the supported variables in the WebSphere Application Server administrative console, click Environment > WebSphere Variables.

    The following list provides recommendations for using CRLs:
    • If CRLs are added to the collection certificate store, add the CRLs for the root certificate authority and for each intermediate certificate authority, if applicable. When the CRLs are in the collection certificate store, the revocation status of every certificate in the chain is checked against the CRL of its issuer.
    • When the CRL file is updated, the new CRL does not take effect until you restart the Web service application.
    • Before a CRL expires, you must load a new CRL into the collection certificate store to replace the old one. An expired CRL in the collection certificate store results in a certificate path (CertPath) build failure.
  10. Click OK to save your configuration.
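As an added illustration (not code from the WebSphere documentation or product), the following Java program shows what the store configured above does at validation time: it combines the CA certificates and CRLs into a JDK Collection CertStore, flags any expired CRL before the build (the failure mode noted in the CRL recommendations), and runs a PKIX path build with revocation enabled so each certificate in the chain is checked against its issuer's CRL. The file layout on the command line and the use of the JDK's PKIX provider in place of IBMCertPath are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.*;
import java.util.*;

public class CollectionStoreCheck {
    // Reads one DER/PEM file as either an X.509 certificate or a CRL.
    static Object read(String file, boolean crl) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(Paths.get(file))) {
            return crl ? cf.generateCRL(in) : cf.generateCertificate(in);
        }
    }

    // One entry per "X509 Certificate" or "CRL" row of the binding, combined into a single
    // Collection CertStore (the JDK counterpart of WebSphere's collection certificate store).
    static CertStore buildCollectionStore(Collection<?> caCertsAndCrls) throws Exception {
        return CertStore.getInstance("Collection", new CollectionCertStoreParameters(caCertsAndCrls));
    }

    // A CRL whose nextUpdate has passed is expired and makes the path build fail, so report it first.
    static List<X509CRL> expiredCrls(CertStore store, Date now) throws Exception {
        List<X509CRL> expired = new ArrayList<>();
        for (CRL crl : store.getCRLs(new X509CRLSelector())) {
            X509CRL x = (X509CRL) crl;
            if (x.getNextUpdate() != null && x.getNextUpdate().before(now)) expired.add(x);
        }
        return expired;
    }

    // Builds the path from the end-entity certificate (the token in the SOAP message) to the root.
    // Revocation is enabled, so every chain certificate is checked against its issuer's CRL.
    static PKIXCertPathBuilderResult validate(X509Certificate endEntity, X509Certificate root, CertStore store) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(endEntity);
        PKIXBuilderParameters params = new PKIXBuilderParameters(Collections.singleton(new TrustAnchor(root, null)), target);
        params.addCertStore(store);
        params.setRevocationEnabled(true);
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    // Usage (assumed layout): java CollectionStoreCheck end-entity.cer root.cer [intermediate.cer ...] [issuer.crl ...]
    public static void main(String[] args) throws Exception {
        List<Object> entries = new ArrayList<>();
        for (String f : Arrays.copyOfRange(args, 2, args.length)) entries.add(read(f, f.endsWith(".crl")));
        CertStore store = buildCollectionStore(entries);
        for (X509CRL c : expiredCrls(store, new Date()))
            System.out.println("Expired CRL from " + c.getIssuerX500Principal() + " (nextUpdate " + c.getNextUpdate() + ")");
        PKIXCertPathBuilderResult r = validate((X509Certificate) read(args[0], false), (X509Certificate) read(args[1], false), store);
        System.out.println("Path built: " + r.getCertPath().getCertificates().size() + " certificate(s) below anchor "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

If a CRL for the root or an intermediate issuer is missing, the build throws a CertPathBuilderException rather than silently skipping the revocation check, which is the behaviour the recommendation about adding a CRL per issuer is guarding against.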


Last updated: Aug 29, 2010 6:22:59 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-express-dist&topic=twbs_speccolcertstconsbind
File name: twbs_speccolcertstconsbind.html