You can configure a key locator for the consumer by using an assembly
tool. The purpose of the key locators is to find keys or certificates. The
key locator information on the consumer side is used to find the key for validating
the digital signature in the received SOAP message or for decrypting the encrypted
parts of the message. The response consumer is configured for the client and
the request consumer is configured for the server.
Before you begin
Prior to completing this task, you must import your application into
an assembly tool.
For information on how to import
your application, see Importing
enterprise applications.
Before configuring a key
locator, you should know which key information configuration references this
key locator. For example, if you configure this key locator for the STRREF
key information type, select the com.ibm.wsspi.wssecurity.keyinfo.X509TokenKeyLocator
key locator class.
About this task
WebSphere Application Server, Version 6.0.x and later provides
default key locator implementations that you can choose or you can write your
own implementation. Custom key locators must implement the com.ibm.wsspi.wssecurity.keyinfo.KeyLocator
interface. Using this implementation, you can locate keys within any data
source.
Complete the following steps. You must configure either the
client-side bindings in step 2 or the server-side bindings in step 3.
Procedure
- Start the assembly tool.
- Switch to the Java 2 Platform, Enterprise Edition (J2EE) perspective. Click Window > Open Perspective > J2EE.
- Optional: Locate the client-side bindings using the Project Explorer window. The Client Deployment Descriptor window is displayed. This Web service contains the bindings that you need to configure. Complete the following steps to locate the client-side bindings:
  - Expand the Web Services > Client section and double-click the name of the Web service.
  - Click the WS Binding tab and expand the Security Response Consumer Binding Configuration section.
- Optional: Locate the server-side bindings using the Project Explorer window. The Web Services Editor window is displayed. This Web service contains the bindings that you need to configure. Complete the following steps to locate the server-side bindings:
  - Expand the Web Services > Services section and double-click the name of the Web service.
  - Click the Binding Configurations tab and expand the Request Consumer Binding Configuration Details section.
- Expand the Key locators section and click Add to add a new entry or click Edit to edit a selected entry.
- Specify a name for this configuration in the Key locator name field. This configuration name is referenced in the Key locator field of the Key Information dialog.
- Select a key locator implementation in the Key locator class field. Select the key locator class that matches the Key Information configuration that references this key locator. For example, select the com.ibm.wsspi.wssecurity.keyinfo.X509TokenKeyLocator key locator class if the received Simple Object Access Protocol (SOAP) message contains an X.509 certificate that is needed for signature validation. Select the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator key locator class if the key that is required for signature validation or decryption needs to be specified using a keystore file. The com.ibm.wsspi.wssecurity.keyinfo.SignerCertKeyLocator key locator class is not used on the consumer side. It is typically used in the response generator configuration for encrypting the response message using the signer key from the request message.
- Select the Use key store option if you need to configure a key store for this key locator. Whether you need to configure the key store information for a key locator depends upon the key locator class and your application configuration. For example, if you select the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator key locator class in the previous step, configure the key store information for this key locator.
- Specify a keystore password in the Key store storepass field. The keystore storepass is the password that is required to access the keystore file.
- Specify the path to the keystore file in the Key store path field. The key store path is the directory where the keystore resides. Make sure that, wherever you deploy your application, the server can locate your keystore file.
- Select a key store type from the Key store type field. The key store type that you select must match the keystore file that is specified in the Key store path field. The following keystore types are supported:
  - JKS: Use this option if you are not using the Java Cryptography Extensions (JCE) policy file and your keystore file uses the Java Keystore (JKS) format.
  - JCEKS: Use this option if you are using the Java Cryptography Extensions policy file.
  - JCERACFKS: Use JCERACFKS if the certificates are stored in a SAF key ring (z/OS only).
  - PKCS11: Use this format if your keystore uses the PKCS#11 file format. Keystores using this format might contain RSA keys on cryptographic hardware or might encrypt keys that use cryptographic hardware to ensure protection.
  - PKCS12: Use this option if your keystore uses the PKCS#12 file format.
- Click Add under the Key field to add a key entry from the keystore file that you specified in the previous step. This key is used for signature validation or decryption. The key that you specify must match the key that is used for digital signing or encryption for the generator. Complete the following steps to add a key entry:
  - Specify an alias name for the key in the Alias field.
  - Specify the password that is associated with the key in the Key pass field. This password protects the private key of the key pair that is specified by this key.
  - Specify the key name in the Key name field. The key name specifies the Distinguished Name (DN) for the owner of the key.
- Click OK to save the key locator configuration.
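The keystore fields configured in the steps above (type, path, storepass, alias, key pass, key name) map directly onto a standard JCA keystore lookup. The following Java class is an added illustration of that lookup, not WebSphere's KeyStoreKeyLocator or its KeyLocator interface; the class and method names are assumptions. It refuses an alias whose certificate subject does not match the configured key name DN, which is the consumer-side check that keeps a wrong key entry from silently validating a signature.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;

// Illustrative lookup mirroring the assembly-tool fields (assumed names; not WebSphere's KeyStoreKeyLocator).
public class KeystoreKeyLookup {
    private final String storePath;  // Key store path
    private final char[] storePass;  // Key store storepass
    private final String storeType;  // Key store type: JKS, JCEKS, PKCS12, ...

    public KeystoreKeyLookup(String storePath, char[] storePass, String storeType) {
        this.storePath = storePath;
        this.storePass = storePass;
        this.storeType = storeType;
    }

    private KeyStore load() throws GeneralSecurityException, IOException {
        // The type must match the file format; a mismatch fails here rather than at validation time.
        KeyStore ks = KeyStore.getInstance(storeType);
        try (FileInputStream in = new FileInputStream(storePath)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    // Certificate for signature validation: the alias must exist and its subject must equal the key name (DN).
    public X509Certificate certificateFor(String alias, String keyNameDn)
            throws GeneralSecurityException, IOException {
        X509Certificate cert = (X509Certificate) load().getCertificate(alias);
        if (cert == null) {
            throw new GeneralSecurityException("no certificate under alias " + alias);
        }
        if (!cert.getSubjectX500Principal().equals(new X500Principal(keyNameDn))) {
            throw new GeneralSecurityException("alias " + alias + " does not belong to " + keyNameDn);
        }
        return cert;
    }

    // Private key for decryption, unlocked with the Key pass value (distinct from the storepass).
    public Key privateKeyFor(String alias, char[] keyPass) throws GeneralSecurityException, IOException {
        Key key = load().getKey(alias, keyPass);
        if (key == null) {
            throw new GeneralSecurityException("no key entry under alias " + alias);
        }
        return key;
    }
}
```

Running `certificateFor` against a keystore whose type field does not match the file (for example JKS configured for a PKCS#12 file) fails in `load()`, which is the same mismatch the Key store type step warns about.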