You can specify the collection certificate store for the consumer
bindings at the application level using an assembly tool. The response consumer
binding is configured on the client, which consumes (receives and validates) the
response messages; the request consumer binding is configured on the server, which
consumes the request messages.
Before you begin
Prior to completing this task, you must import your application into
an assembly tool.
For information on how to import
your application, see Importing
enterprise applications.
About this task
This task describes the steps to specify the collection certificate
store for the consumer bindings at the application level using an assembly
tool. A
collection certificate store is a collection of non-root certificate
authority (CA) certificates and certificate revocation lists (CRLs) that is
used for validating an X.509 certificate embedded within the received SOAP
message.
Complete the following steps. You must configure either the client-side
bindings (the first optional step below) or the server-side bindings (the second
optional step below); the remaining steps are the same for both.
Procedure
- Start the assembly tool.
- Switch to the Java 2 Platform, Enterprise Edition (J2EE) perspective.
Click Window > Open Perspective > J2EE.
- Optional: Locate the client-side bindings using the
Project Explorer window. Complete the following steps; the Client Deployment
Descriptor window that opens contains the bindings that you need to configure:
- Expand the Web Services > Client section and double-click
the name of the Web service.
- Click the WS Binding tab and expand the Security Response
Consumer Binding Configuration section.
- Optional: Locate the server-side bindings using the
Project Explorer window. Complete the following steps; the Web Services Editor
window that opens contains the bindings that you need to configure:
- Expand the Web Services > Services section and double-click
the name of the Web service.
- Click the Binding Configurations tab and expand the Request
Consumer Binding Configuration Details section.
- Expand the Certificate Store List > Collection Certificate Store
section and click Add.
- Specify a unique certificate store name in the Name field.
For example, specify cert1. The name of the collection certificate
store must be unique on the level in which it is defined. For example, the
name must be unique at the application level. The name specified in the certificate
store name field is used by other configurations to refer to a predefined
collection certificate store. WebSphere Application Server looks up the collection
certificate store based on proximity. For example, if an application binding
refers to certificate store cert1, WebSphere Application Server will look
first for cert1 at the application level. If it is not found, it will look
at the server level, and finally at the cell level.
- Specify a certificate store provider in the Provider field.
The IBMCertPath certificate path provider is supported. To
use another certificate path provider, you must register the provider implementation
in the provider list (the security.provider.n entries) of the java.security file
in the Software Development Kit (SDK), typically under jre/lib/security.
- Click Add under X509 Certificate to specify a fully qualified
path to an X.509 certificate, click the name of an existing certificate path
entry to edit it, or click Remove to delete it. The certificates added here
are the non-root (intermediate) CA certificates that this collection
certificate store uses to validate the certificate path of the incoming
X.509-formatted security tokens.
You can use the USER_INSTALL_ROOT variable
as part of the path name. For example, you might specify ${USER_INSTALL_ROOT}/etc/ws-security/samples/intca2.cer.
However, do not use this sample X.509 certificate in production. Obtain
your own X.509 certificate from a certificate authority before putting your
WebSphere Application Server environment into production.
In the WebSphere
Application Server administrative console, you can click Environment >
WebSphere Variables to configure the USER_INSTALL_ROOT variable.
- Click Add under CRL to specify the fully qualified path
to a certificate revocation list (CRL), click an existing CRL entry to edit
it, or click Remove to delete it.
For portability reasons,
it is recommended that you use the WebSphere Application Server variables
to specify a relative path to the certificate revocation list. For example,
you might use the USER_INSTALL_ROOT variable to define a path such
as ${USER_INSTALL_ROOT}/mycertstore/mycrl. For a list of the supported
variables in the WebSphere Application Server administrative console, click Environment
> WebSphere Variables.
The following list provides recommendations
for using CRLs:
- If CRLs are added to the collection certificate store, add the CRLs for
the root certificate authority and for each intermediate certificate authority, if applicable.
When CRLs are in the collection certificate store, the revocation
status of every certificate in the chain is checked against the CRL of its
issuer, so a certificate whose issuer has no CRL in the store cannot be validated.
- When the CRL file is updated, the new CRL does not take effect until you
restart the Web service application.
- Before a CRL expires (its nextUpdate time passes), you must load a new CRL into the
collection certificate store to replace the old one. An expired CRL in the collection
certificate store results in a certificate path (CertPath) build failure.
- Click OK to save your configuration.
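The following program is an added example, not code from the WebSphere Application Server documentation or from the assembly tool. It shows what the store configured above is at the Java level: a "Collection" CertStore holding the non-root CA certificates and CRLs, handed to a PKIX CertPathBuilder together with the trusted root, so that an end-entity certificate (such as one carried in a received X.509 security token) is chained to a trust anchor without any network fetches. It also reports CRLs whose nextUpdate has already passed, which is the failure mode described in the CRL recommendations. Assumptions: the certificate and CRL files are DER or PEM encoded; the default PKIX provider is used (IBMCertPath on the IBM SDK, SUN on other JDKs); and all file names on the command line are hypothetical.

```java
// Added example (not WebSphere product code). Builds an X.509 certificate path
// against a "Collection" certificate store of intermediate CA certificates and
// CRLs, the Java equivalent of the collection certificate store configured in
// the assembly tool. File names are hypothetical; files may be DER or PEM.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

public class CollectionCertStoreCheck {

    static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    static X509CRL loadCrl(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        }
    }

    /** Returns the CRLs whose nextUpdate is already in the past. An expired CRL in the
     *  store makes the PKIX build fail, so these must be replaced before they expire. */
    static List<X509CRL> expiredCrls(Collection<X509CRL> crls, Date now) {
        List<X509CRL> expired = new ArrayList<>();
        for (X509CRL crl : crls) {
            if (crl.getNextUpdate() != null && crl.getNextUpdate().before(now)) expired.add(crl);
        }
        return expired;
    }

    /**
     * Builds a path from endEntity up to one of the trusted roots using only the
     * intermediates and CRLs in the collection store. With revocation checking on,
     * every certificate in the chain needs a current CRL from its issuer in the
     * store; otherwise the build throws CertPathBuilderException.
     */
    static CertPath buildPath(X509Certificate endEntity, Set<X509Certificate> roots,
                              Collection<X509Certificate> intermediates,
                              Collection<X509CRL> crls, boolean checkRevocation)
            throws GeneralSecurityException {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate root : roots) anchors.add(new TrustAnchor(root, null));

        X509CertSelector target = new X509CertSelector();
        target.setCertificate(endEntity);           // the leaf that must chain to a root

        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        List<Object> storeContents = new ArrayList<>(intermediates);
        storeContents.addAll(crls);                 // certificates and CRLs share one store
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(storeContents)));
        params.setRevocationEnabled(checkRevocation);

        // "PKIX" resolves to IBMCertPath on the IBM SDK; pass "IBMCertPath" as the
        // second argument to getInstance to force that provider explicitly.
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        return builder.build(params).getCertPath();
    }

    // Usage (hypothetical files): java CollectionCertStoreCheck leaf.cer rootca.cer intca2.cer intca2.crl rootca.crl
    // Files ending in .crl are loaded as CRLs; every other extra file is an intermediate CA certificate.
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: CollectionCertStoreCheck <end-entity.cer> <trusted-root.cer> [intermediate.cer|issuer.crl ...]");
            System.exit(2);
        }
        X509Certificate leaf = loadCert(args[0]);
        Set<X509Certificate> roots = Collections.singleton(loadCert(args[1]));
        List<X509Certificate> intermediates = new ArrayList<>();
        List<X509CRL> crls = new ArrayList<>();
        for (int i = 2; i < args.length; i++) {
            if (args[i].toLowerCase().endsWith(".crl")) crls.add(loadCrl(args[i]));
            else intermediates.add(loadCert(args[i]));
        }
        for (X509CRL crl : expiredCrls(crls, new Date())) {
            System.err.println("WARNING: expired CRL from " + crl.getIssuerX500Principal()
                    + " (nextUpdate " + crl.getNextUpdate() + ")");
        }
        try {
            // Mirror the WebSphere rule: revocation is checked only when CRLs are present in the store.
            CertPath path = buildPath(leaf, roots, intermediates, crls, !crls.isEmpty());
            System.out.println("Path built, " + path.getCertificates().size() + " certificate(s) below the trust anchor:");
            for (Certificate c : path.getCertificates())
                System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("Path build FAILED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Running it with the leaf, the root, the intermediate and both CRLs succeeds; dropping one issuer's CRL, or supplying a CRL whose nextUpdate has passed, makes the build fail, which is the same behaviour the collection certificate store exhibits at runtime and the reason the recommendations above ask for a CRL per issuer and for replacement before expiry.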