The key locator information for the default generator specifies
which key locator implementation is used to locate the key to be used for
signature and encryption information. The key locator information for the
generator specifies which key locator implementation is used to locate the
key to be used for signature validation or encryption.
Before you begin
Best practice: The WebSphere Application Server Version
6.1 Feature Pack for Web Services extends the capabilities of this product
to introduce support for the Java API for XML-Based Web Services (JAX-WS)
2.0 programming model. JAX-WS is the next generation Web services programming
model complementing the foundation provided by the Java API for XML-based
RPC (JAX-RPC) programming model. Using the strategic JAX-WS programming model,
development of Web services and clients is simplified through support of a
standards-based annotations model. Although the JAX-RPC programming model
and applications are still supported, take advantage of the easy-to-implement
JAX-WS programming model to develop new Web services applications and clients.
About this task
WebSphere Application Server provides default values for the bindings.
However, you must modify the defaults for a production environment.
Complete
the following steps to configure the key locator for the generator binding
on the application level:
Procedure
- Locate the encryption information configuration panel in the administrative
  console.
  - Click Applications > Enterprise applications > application_name.
  - Under Manage modules, click URI_name.
  - Under Web Services Security Properties, you can access the key information
    for the request generator and response generator bindings.
    - For the request generator (sender) binding, click Web services: Client
      security bindings. Under Request generator (sender) binding, click Edit
      custom.
    - For the response generator (sender) binding, click Web services: Server
      security bindings. Under Response generator (sender) binding, click Edit
      custom.
- Under Additional properties, click Key locators.
- Click New to create a key locator configuration, select
the box next to the configuration and click Delete to delete an existing
configuration, or click the name of an existing key locator configuration
to edit its settings. If you are creating a new configuration,
enter a unique name in the Key locator name field. For example, you
might specify gen_keyloc.
- Specify a class name for the key locator class implementation in
the Key locator class name field. The Java
Authentication and Authorization Service (JAAS) Login Module implementation
is used to create the security token on the generator side. Specify a
class name according to the requirements of the application. For example,
if the application requires that the key is read from a keystore file, specify
the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator implementation. WebSphere
Application Server supports the following default key locator class implementations
for Versions 6.0.x and later applications that are available to use
with the request generator or response generator:
  - com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator: This implementation
    locates and obtains the key from the specified keystore file.
  - com.ibm.wsspi.wssecurity.keyinfo.SignerCertKeyLocator: This implementation
    uses the public key from the signer certificate and is used by the
    response generator.
- Specify the keystore password, the keystore location, and the keystore
type. Keystore files contain public and private keys, root certificate
authority (CA) certificates, the intermediate CA certificate, and so on. Keys
retrieved from the keystore are used to sign and validate or encrypt and decrypt
messages or message parts. If you specified the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator
implementation for the key locator class implementation, you must specify
a keystore password, location, and type.
  - Specify a password in the keystore Password field. This password is used
    to access the keystore file.
  - Specify the location of the keystore file in the keystore Path field.
  - Select a keystore type from the Type field. The Java Cryptography
    Extension (JCE) that is used by IBM supports the following keystore types:
    - JKS: Use this option if you are not using Java Cryptography Extensions
      (JCE) and if your keystore file uses the Java Keystore (JKS) format.
    - JCEKS: Use this option if you are using Java Cryptography Extensions.
    - JCERACFKS: Use JCERACFKS if the certificates are stored in a SAF key
      ring (z/OS only).
    - PKCS11KS (PKCS11): Use this format if your keystore uses the PKCS#11
      file format. Keystores using this format might contain RSA keys on
      cryptographic hardware or might encrypt keys that use cryptographic
      hardware to ensure protection.
    - PKCS12KS (PKCS12): Use this option if your keystore uses the PKCS#12
      file format.
    WebSphere Application Server provides some sample keystore files in the
    ${USER_INSTALL_ROOT}/etc/ws-security/samples directory. For example, you
    might use the enc-receiver.jceks keystore file for encryption keys. The
    password for this file is Storepass and the type is JCEKS.
    Important: Do not use the sample keystore files in a production
    environment. These samples are provided for testing purposes only.
- Click OK and then click Save to save the configuration.
- Under Additional properties, click Keys.
- Click New to create a key configuration, select the box
next to the configuration and click Delete to delete an existing configuration,
or click the name of an existing key configuration to edit its settings.
This entry specifies the name of the key object within the keystore
file. If you are creating a new configuration, enter a unique name in the Key
name field. For digital signatures, the key name is used by the request
generator or the response generator signing information to determine which
key is used to digitally sign the message.
You must use a fully qualified
distinguished name for the key name. For example, you might use CN=Bob,O=IBM,C=US.
Important: Do not use the sample key files in a production environment.
These samples are provided for testing purposes only.
- Specify an alias in the Key alias field. The
key alias is used by the key locator to search for key objects in the keystore.
- Specify a password in the Key password field. The
password is used to access the key object within the keystore file.
- Click OK and Save to save the configuration.
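The following Java program is an added illustration, not WebSphere code, of what the values entered in the Keystore and Keys panels resolve to: the keystore is opened with the keystore password and type, the key object is loaded by alias with its own (separate) key password, and the certificate's subject is checked against the distinguished name given as the key name. The keystore path, alias and key password below are placeholders passed on the command line; only the JCEKS type, the Storepass password and the CN=Bob,O=IBM,C=US key name come from the page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;

/** Resolves the private key a generator binding would sign or encrypt with. */
public class GeneratorKeyLookup {

    /**
     * storePass protects the keystore file (Keystore panel); keyPass protects
     * the key object inside it (Keys panel). Both are required for a private key.
     */
    public static PrivateKey locate(String path, String storeType, char[] storePass,
                                    String alias, char[] keyPass, String expectedKeyName)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(storeType); // JKS, JCEKS or PKCS12
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias '" + alias + "' has no private key entry");
        }
        Key key = ks.getKey(alias, keyPass);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        // The key name configured in the Keys panel must be the certificate's DN;
        // X500Principal.equals compares the canonical form, so spacing differences are tolerated.
        X500Principal subject = cert.getSubjectX500Principal();
        if (!subject.equals(new X500Principal(expectedKeyName))) {
            throw new IllegalStateException("certificate subject " + subject.getName()
                    + " does not match key name " + expectedKeyName);
        }
        return (PrivateKey) key;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java GeneratorKeyLookup <keystore-path> <alias> <key-password>
        // The keystore path, alias and key password are placeholders (assumptions);
        // the type, store password and key name mirror the page's sample values.
        PrivateKey k = locate(args[0], "JCEKS", "Storepass".toCharArray(),
                args[1], args[2].toCharArray(), "CN=Bob,O=IBM,C=US");
        System.out.println("located " + k.getAlgorithm() + " key for alias " + args[1]);
    }
}
```

Running this against the keystore before entering its values in the console confirms that the alias exists, that the key password differs from the keystore password where it should, and that the key name you intend to configure is the exact DN on the certificate.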
Results
You have configured the key locator for the generator binding at the
application level.
What to do next
You must specify a similar key information configuration for the
consumer.