WebSphere Application Server Version 6.0.x provides a variety of sample
configurations that you can configure through the administrative console.
The configurations that you specify are reflected on the cell or server level.
Do not use these configurations in a production environment as they are for
sample and testing purposes only. To make modifications to these sample configurations,
it is recommended that you use the administrative console provided by WebSphere
Application Server.
For a Web services security-enabled application,
you must correctly configure a deployment descriptor and a binding. In WebSphere
Application Server Version 6.0.x, one set of default bindings is shared by
the applications to make application deployment easier. The default binding
information on the server level can be overridden by the binding information
on the application level. The Application Server searches for binding information
for an application on the application level before searching the server level.
This article contains information on the sample default bindings, keystores,
key locators, collection certificate store, trust anchors, and trusted ID
evaluators.
Default generator binding
WebSphere Application Server Version 6.0.x provides a sample set of default
generator bindings. The default generator binding contains both signing
information and encryption information.
The sample signing information configuration is called gen_signinfo and
contains the following configurations:
- Uses the following algorithms for the gen_signinfo configuration:
  - Signature method: http://www.w3.org/2000/09/xmldsig#rsa-sha1
  - Canonicalization method: http://www.w3.org/2001/10/xml-exc-c14n#
- References the gen_signkeyinfo signing key information. The following
  information pertains to the gen_signkeyinfo configuration:
  - Contains a part reference configuration that is called gen_signpart.
    The part reference is not used in the default binding: the signing
    information applies to all of the Integrity or Required Integrity elements
    within the deployment descriptors, and the part reference is used for
    naming purposes only. The following information pertains to the
    gen_signpart configuration:
    - Uses the transform configuration called transform1. The following
      transforms are configured for the default signing information:
      - Uses the http://www.w3.org/2001/10/xml-exc-c14n# algorithm
      - Uses the http://www.w3.org/2000/09/xmldsig#sha1 digest method
  - Uses the security token reference, which is the configured default key
    information.
  - Uses the SampleGeneratorSignatureKeyStoreKeyLocator key locator. For more
    information on this key locator, see Sample key locators.
  - Uses the gen_signtgen token generator, which contains the following
    configuration:
    - Contains the X.509 token generator, which generates the X.509 token of
      the signer.
    - Contains the gen_signtgen_vtype value type URI.
    - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509 value
      type local name value.
    - Uses the X.509 callback handler. The callback handler uses the
      ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks keystore:
      - The keystore password is client.
      - The alias name of the trusted certificate is soapca.
      - The alias name of the personal certificate is soaprequester, and its
        key password is client. The personal certificate is issued by the
        intermediary certificate authority Int CA2, which is, in turn, issued
        by soapca.
The sample encryption information configuration is called gen_encinfo and
contains the following configurations:
- Uses the following algorithms for the gen_encinfo configuration:
  - Data encryption method: http://www.w3.org/2001/04/xmlenc#tripledes-cbc
  - Key encryption method: http://www.w3.org/2001/04/xmlenc#rsa-1_5
- References the gen_enckeyinfo encryption key information. The following
  information pertains to the gen_enckeyinfo configuration:
  - Uses the key identifier as the default key information.
  - Contains a reference to the SampleGeneratorEncryptionKeyStoreKeyLocator key
    locator. For more information on this key locator, see Sample key locators.
  - Uses the gen_signtgen token generator, which has the following
    configuration:
    - Contains the X.509 token generator, which generates the X.509 token of
      the signer.
    - Contains the gen_enctgen_vtype value type URI.
    - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509 value
      type local name value.
    - Uses the X.509 callback handler. The callback handler uses the
      ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks keystore:
      - The keystore password is storepass.
      - The secret key CN=Group1 has an alias name of Group1 and a key
        password of keypass.
      - The public key CN=Bob, O=IBM, C=US has an alias name of bob and a key
        password of keypass.
      - The private key CN=Alice, O=IBM, C=US has an alias name of alice and
        a key password of keypass.
Default consumer binding
WebSphere Application Server Version 6.0.x provides a sample set of default
consumer bindings. The default consumer binding contains both signing
information and encryption information.
The sample signing information configuration is called con_signinfo and
contains the following configurations:
- Uses the following algorithms for the con_signinfo configuration:
  - Signature method: http://www.w3.org/2000/09/xmldsig#rsa-sha1
  - Canonicalization method: http://www.w3.org/2001/10/xml-exc-c14n#
- Uses the con_signkeyinfo signing key information reference. The following
  information pertains to the con_signkeyinfo configuration:
  - Contains a part reference configuration that is called con_signpart.
    The part reference is not used in the default binding: the signing
    information applies to all of the Integrity or RequiredIntegrity elements
    within the deployment descriptors, and the part reference is used for
    naming purposes only. The following information pertains to the
    con_signpart configuration:
    - Uses the transform configuration called reqint_body_transform1. The
      following transforms are configured for the default signing information:
      - Uses the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
      - Uses the http://www.w3.org/2000/09/xmldsig#sha1 digest method.
  - Uses the security token reference, which is the configured default key
    information.
  - Uses the SampleX509TokenKeyLocator key locator. For more information on
    this key locator, see Sample key locators.
  - References the con_signtcon token consumer configuration. The following
    information pertains to the con_signtcon configuration:
    - Uses the X.509 token consumer, which is configured as the consumer for
      the default signing information.
    - Contains the signtconsumer_vtype value type URI.
    - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509 value
      type local name value.
    - Contains a JAAS configuration called system.wssecurity.X509BST that
      references the following information:
      - Trust anchor: SampleClientTrustAnchor
      - Collection certificate store: SampleCollectionCertStore
The encryption information configuration is called con_encinfo and
contains the following configurations:
- Uses the following algorithms for the con_encinfo configuration:
  - Data encryption method: http://www.w3.org/2001/04/xmlenc#tripledes-cbc
  - Key encryption method: http://www.w3.org/2001/04/xmlenc#rsa-1_5
- References the con_enckeyinfo encryption key information. This key
  actually decrypts the message. The following information pertains to the
  con_enckeyinfo configuration:
  - Uses the key identifier, which is configured as the key information for
    the default encryption information.
  - Contains a reference to the SampleConsumerEncryptionKeyStoreKeyLocator key
    locator. For more information on this key locator, see Sample key locators.
  - References the con_enctcon token consumer configuration. The following
    information pertains to the con_enctcon configuration:
    - Uses the X.509 token consumer, which is configured for the default
      encryption information.
    - Contains the enctconsumer_vtype value type URI.
    - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509 value
      type local name value.
    - Contains a JAAS configuration called system.wssecurity.X509BST.
Sample keystore configurations
WebSphere Application Server provides the following keystores. You can work
with these keystores outside of the Application Server by using the iKeyman
utility or the key tool.
The iKeyman utility
is located in the following directories:
install_dir/bin/ikeyman
install_dir\bin\ikeyman.sh
The key tool is located in the following directories:
install_dir/java/jre/bin/keytool
install_dir\java\jre\bin\keytool.sh
The following sample keystores are for testing purposes only;
do not use these keystores in a production environment:
- ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks
  - The keystore format is JKS.
  - The keystore password is client.
  - The trusted certificate has a soapca alias name.
  - The personal certificate has a soaprequester alias name and a client key
    password. It is issued by the Int CA2 intermediary certificate authority,
    which is, in turn, issued by soapca.
- ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
  - The keystore format is JKS.
  - The keystore password is server.
  - The trusted certificate has a soapca alias name.
  - The personal certificate has a soapprovider alias name and a server key
    password. It is issued by the Int CA2 intermediary certificate authority,
    which is, in turn, issued by soapca.
- ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks
  - The keystore format is JCEKS.
  - The keystore password is storepass.
  - The CN=Group1 DES secret key has a Group1 alias name and a keypass key
    password.
  - The CN=Bob, O=IBM, C=US public key has a bob alias name and a keypass key
    password.
  - The CN=Alice, O=IBM, C=US private key has an alice alias name and a
    keypass key password.
- ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks
  - The keystore format is JCEKS.
  - The keystore password is storepass.
  - The CN=Group1 DES secret key has a Group1 alias name and a keypass key
    password.
  - The CN=Bob, O=IBM, C=US private key has a bob alias name and a keypass
    key password.
  - The CN=Alice, O=IBM, C=US public key has an alice alias name and a
    keypass key password.
- ${USER_INSTALL_ROOT}/etc/ws-security/samples/intca2.cer
  - The intermediary certificate is signed by soapca, and it signs both the
    soaprequester and the soapprovider certificates.
Sample key locators
Key locators are used to locate the key for digital signature, encryption,
and decryption. For information on how to modify these sample key locator
configurations, see the following articles:
- SampleClientSignerKey
- This key locator is used by the request sender for a Version 5.x application
to sign the Simple Object Access Protocol (SOAP) message. The signing key
name is clientsignerkey, which is referenced in the signing information
as the signing key name.
- SampleServerSignerKey
- This key locator is used by the response sender for a Version 5.x application
to sign the SOAP message. The signing key name is serversignerkey,
which can be referenced in the signing information as the signing key name.
- SampleSenderEncryptionKeyLocator
- This key locator is used by the sender for a Version 5.x application to
encrypt the SOAP message. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks keystore
and the com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator keystore key locator.
The implementation is configured for the DES secret key. To use asymmetric
encryption (RSA), you must add the appropriate RSA keys.
- SampleReceiverEncryptionKeyLocator
- This key locator is used by the receiver for a Version 5.x application
to decrypt the encrypted SOAP message. The implementation is configured to
use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks keystore
and the com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator keystore key locator.
The implementation is configured for symmetric encryption (DES or TRIPLEDES).
To use RSA, you must add the private key CN=Bob, O=IBM, C=US, alias
name bob, and key password keypass.
- SampleResponseSenderEncryptionKeyLocator
- This key locator is used by the response sender for a Version 5.x application
to encrypt the SOAP response message. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks keystore
and the com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator keystore
key locator. This key locator maps an authenticated identity (of the current
thread) to a public key for encryption. By default, WebSphere Application
Server is configured to map to public key alice, and you must change
WebSphere Application Server to the appropriate user. The SampleResponseSenderEncryptionKeyLocator
key locator also can set a default key for encryption. By default, this key
locator is configured to use public key alice.
- SampleGeneratorSignatureKeyStoreKeyLocator
- This key locator is used by the generator to sign the SOAP message. The signing
key name is SOAPRequester, which is referenced in the signing information
as the signing key name. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks keystore
and the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator keystore key locator.
- SampleConsumerSignatureKeyStoreKeyLocator
- This key locator is used by the consumer to verify the digital signature
in the SOAP message. The signing key is SOAPProvider, which is referenced
in the signing information. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks keystore
and the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator keystore key locator.
- SampleGeneratorEncryptionKeyStoreKeyLocator
- This key locator is used by the generator to encrypt the SOAP message.
It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks keystore
and the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator keystore key locator.
- SampleConsumerEncryptionKeyStoreKeyLocator
- This key locator is used by the consumer to decrypt an encrypted SOAP
message. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks keystore
and the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator keystore key locator.
- SampleX509TokenKeyLocator
- This key locator is used by the consumer to verify a digital certificate
in an X.509 certificate. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks keystore
and the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator keystore key locator.
Sample collection certificate store
Collection certificate stores are used to validate the certificate path. For
information on how to modify this sample collection certificate store, see the
following articles:
- SampleCollectionCertStore
- This collection certificate store is used by the response consumer and
the request generator to validate the signer certificate path.
Sample trust anchors
Trust anchors are used to validate the trust of the signer certificate. For
information on how to modify the sample trust anchor configurations, see the
following articles:
- SampleClientTrustAnchor
- This trust anchor is used by the response consumer to validate the signer
certificate. This trust anchor is configured to access the ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks keystore.
- SampleServerTrustAnchor
- This trust anchor is used by the request consumer to validate the signer
certificate. This trust anchor is configured to access the ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks keystore.
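The division of labour between a trust anchor (soapca) and a collection certificate store (the intca2.cer intermediate), as an added example that is not part of the WebSphere documentation: the script rebuilds the sample hierarchy soapca -> Int CA2 -> soaprequester on freshly generated keys with the openssl CLI instead of iKeyman or keytool, then validates the signer's path once with the intermediate available and once without it. All file names and the temporary directory are stand-ins; nothing is read from the sample keystores.

```shell
# Added example (not the WebSphere sample material): trust anchor plus
# collection certificate store path validation, rebuilt with openssl.
WORK=$(mktemp -d)

# Self-signed root, the trust anchor (stand-in for the soapca alias).
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=soapca" \
    -keyout "$WORK/soapca.key" -out "$WORK/soapca.pem" >/dev/null 2>&1
}

# Intermediate signed by the root (stand-in for intca2.cer). Without
# basicConstraints CA:TRUE, path building stops at this certificate.
make_intermediate() {
  printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign\n' > "$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Int CA2" \
    -keyout "$WORK/intca2.key" -out "$WORK/intca2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/intca2.csr" -CA "$WORK/soapca.pem" \
    -CAkey "$WORK/soapca.key" -CAcreateserial -days 365 \
    -extfile "$WORK/ca.ext" -out "$WORK/intca2.pem" >/dev/null 2>&1
}

# Leaf signed by the intermediate (stand-in for the soaprequester certificate).
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=soaprequester" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/intca2.pem" \
    -CAkey "$WORK/intca2.key" -CAcreateserial -days 365 \
    -out "$WORK/soaprequester.pem" >/dev/null 2>&1
}

# -CAfile plays the trust anchor, -untrusted the collection certificate store.
# Exit status 0 means the signer certificate chains to the anchor.
verify_with_store() {
  openssl verify -CAfile "$WORK/soapca.pem" -untrusted "$WORK/intca2.pem" \
    "$WORK/soaprequester.pem" >/dev/null 2>&1
}

# Same anchor, no store: the issuer cannot be found, so the signer is
# rejected even though its root is trusted.
verify_without_store() {
  openssl verify -CAfile "$WORK/soapca.pem" "$WORK/soaprequester.pem" \
    >/dev/null 2>&1
}

make_root && make_intermediate && make_leaf
verify_with_store && echo "with collection store: signer chains to soapca"
verify_without_store || echo "without collection store: issuer Int CA2 not found"
```

The second check is the failure mode to watch for in a deployment: a consumer whose trust anchor holds soapca but whose collection certificate store lacks the intermediate rejects every certificate Int CA2 issued.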
Sample trusted ID evaluators
Trusted ID evaluators are used to establish
trust before asserting the identity in identity assertion. For information
on how to modify the sample trusted ID evaluator configuration, see
Configuring trusted ID evaluators on the server or cell level.
- SampleTrustedIDEvaluator
- This trusted ID evaluator uses the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl
implementation. The default implementation of com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator
contains a list of trusted identities. This list, which is used for identity
assertion, defines the key name and value pair for the trusted identity. The
key name is in the form trustedId_* and the value is the trusted identity.
For more information, see the example in Configuring trusted ID evaluators on the server or cell level.
Complete the following steps
to define this information for the server level in the administrative console:
- Click Servers > Application servers > server_name.
- Under Security, click Web services: Default bindings for Web services
security.
- Under Additional properties, click Trusted ID evaluators > SampleTrustedIDEvaluator.