You can configure a list of keystore objects that contain trusted
root certificates to be used for certificate path validation of incoming X.509-formatted
security tokens.
Before you begin
Prior to completing the steps to configure trust anchors, you must create the keystore file using the keytool utility. WebSphere Application Server provides the keytool utility in the install_dir/java/jre/bin/keytool file; the keytool utility is also available using the QShell Interpreter.
About this task
Best practice: The WebSphere® Application Server Version 6.1 Feature Pack for Web Services extends the capabilities of this product to introduce support for the Java API for XML-Based Web Services (JAX-WS) 2.0 programming model. JAX-WS is the next generation Web services programming model, complementing the foundation provided by the Java API for XML-based RPC (JAX-RPC) programming model. Using the strategic JAX-WS programming model, development of Web services and clients is simplified through support of a standards-based annotations model. Although the JAX-RPC programming model and applications are still supported, take advantage of the easy-to-implement JAX-WS programming model to develop new Web services applications and clients.
This
task provides the steps that are needed to configure a list of keystore objects
that contain trusted root certificates. These objects are used for certificate
path validation of incoming X.509-formatted security tokens. Keystore objects
within trust anchors contain trusted root certificates that are used by the
CertPath application programming interface (API) to determine whether to trust
a certificate chain.
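As an added example, not part of this documentation and not WebSphere product code, the following Java program shows the two sides of the mechanism just described: building a keystore that holds only trusted root certificates (the same result as the keytool import step mentioned under Before you begin), and then validating an incoming X.509 certificate chain against those anchors with the CertPath API, which is what the server does with a configured trust anchor. The file names root-ca.pem, token-chain.pem and trust-anchors.jks, and the password changeit, are assumptions chosen for the example.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class TrustAnchorCheck {

    // Build a JKS trust-anchor keystore holding only trusted root certificates
    // read from a PEM file. The keytool equivalent is:
    //   keytool -importcert -noprompt -alias root0 -file root-ca.pem \
    //           -keystore trust-anchors.jks -storepass changeit
    static KeyStore buildTrustAnchorStore(String rootPemPath, String storePath,
                                          char[] storePass) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null); // start from an empty keystore
        try (InputStream in = new FileInputStream(rootPemPath)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate root = (X509Certificate) c;
                // Only self-signed CA certificates belong in a trust-anchor store;
                // a leaf or intermediate here would widen what the server trusts.
                if (!root.getSubjectX500Principal().equals(root.getIssuerX500Principal())) {
                    throw new IllegalArgumentException("not self-signed: " + root.getSubjectX500Principal());
                }
                if (root.getBasicConstraints() < 0) {
                    throw new IllegalArgumentException("not a CA certificate: " + root.getSubjectX500Principal());
                }
                // Trusted certificate entry: a public certificate only, no private key.
                ks.setCertificateEntry("root" + i++, root);
            }
        }
        try (FileOutputStream out = new FileOutputStream(storePath)) {
            ks.store(out, storePass);
        }
        return ks;
    }

    // Validate a certificate chain (leaf first, then intermediates, without the
    // root itself) against the trust anchors in the keystore. Returns the anchor
    // that terminated the chain, or throws CertPathValidatorException.
    static X509Certificate validate(KeyStore trustAnchors, String chainPemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(chainPemPath)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        // PKIXParameters(KeyStore) turns every trusted certificate entry into a
        // TrustAnchor, which is exactly how a trust-anchor keystore is consumed.
        PKIXParameters params = new PKIXParameters(trustAnchors);
        params.setRevocationEnabled(false); // keeps the check offline; enable CRL/OCSP in production
        CertPath path = cf.generateCertPath(chain);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult result =
            (PKIXCertPathValidatorResult) validator.validate(path, params);
        return result.getTrustAnchor().getTrustedCert();
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs (not from the documentation): a PEM file with the trusted
        // root CA, and a PEM file with the token's leaf certificate plus intermediates.
        String rootPem = args.length > 0 ? args[0] : "root-ca.pem";
        String chainPem = args.length > 1 ? args[1] : "token-chain.pem";
        char[] storePass = "changeit".toCharArray();
        KeyStore ks = buildTrustAnchorStore(rootPem, "trust-anchors.jks", storePass);
        try {
            X509Certificate anchor = validate(ks, chainPem);
            System.out.println("chain trusted; anchored at " + anchor.getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getIndex() identifies which certificate in the chain failed.
            System.out.println("chain rejected: " + e.getMessage() + " (index " + e.getIndex() + ")");
        }
    }
}
```

Compile with javac TrustAnchorCheck.java and run it with the two PEM paths as arguments. The resulting trust-anchors.jks is the kind of file the Key store path field in the procedure below points at; the rejection message shows what a token signed by a certificate outside the configured anchors produces, which is the behaviour a trust anchor is there to enforce.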
You can configure
trust anchors on the server level and the cell level. In the following steps,
use the first step to access the server-level default bindings and use the
second step to access the cell-level bindings.
Complete the following
steps to configure the trust anchors on the server level:
Procedure
- Access the default bindings for the server level: click Servers > Application servers > server_name, and then, under Security, click Web services: Default bindings for Web services security.
- Alternatively, click Security > Web services to access the default bindings on the cell level.
- Under Additional properties, click Trust anchors.
- Click one of the following to work with the trust anchor configuration:
- New: creates a trust anchor configuration. Enter a unique name for the trust anchor in the Trust anchor name field.
- Delete: deletes an existing configuration.
- The name of an existing trust anchor configuration: edits the settings for that trust anchor.
- Specify a password in the Key store password field that is used
to access the keystore file.
- Specify the absolute location of the keystore file in the Key store
path field. It is recommended that you use the USER_INSTALL_ROOT variable
as a portion of the keystore path. To change this predefined variable, click Environment
> WebSphere variables. The USER_INSTALL_ROOT variable might display
on the second page of variables.
- Specify the type of keystore file in the Key store type field. WebSphere Application Server supports the following keystore types:
- JKS
- Use this option if you are not using Java Cryptography Extensions (JCE)
and your keystore file uses the Java Key Store (JKS) format.
- JCEKS
- Use this option if you are using Java Cryptography Extensions.
- JCERACFKS
- Use JCERACFKS if the certificates are stored in a SAF key ring (z/OS
only).
- PKCS11KS (PKCS11)
- Use this option if your keystore file uses the PKCS#11 file format. Keystore
files that use this format might contain Rivest Shamir Adleman (RSA) keys
on cryptographic hardware or might encrypt keys that use cryptographic hardware
to ensure protection.
- PKCS12KS (PKCS12)
- Use this option if your keystore file uses the PKCS#12 file format.
- Click OK and Save to save your configuration.
Results
You have configured trust anchors at the server or
cell level.