A collection certificate store is a collection of non-root, certificate
authority (CA) certificates and certificate revocation lists (CRLs). This
collection of CA certificates and CRLs is used to check for a valid signature
in a digitally signed SOAP message.
About this task
A collection certificate store is a collection of non-root, certificate
authority (CA) certificates and certificate revocation lists (CRLs) that can
be used to check for a valid signature in a digitally signed SOAP message.
Complete the following steps to configure a collection certificate store for the
consumer bindings at the application level:
Procedure
- Locate the collection certificate store configuration panel in
the administrative console.
- Click Applications > Application Types > WebSphere
enterprise applications > application_name.
- Under Modules, click Manage modules > URI_name.
- Under Web services security properties, you can access the collection
certificate store information for the response consumer and request consumer
bindings.
- For the response consumer (receiver) binding, which validates the responses a client
receives, click Web services: Client security bindings. Under Response consumer (receiver)
binding, click Edit custom.
- For the request consumer (receiver) binding, which validates the requests a service
receives, click Web services: Server security bindings. Under Request consumer (receiver)
binding, click Edit custom.
- Under Additional properties, click Collection certificate
store.
- Click New to create a collection certificate store configuration,
click Delete to delete an existing configuration, or click the name
of an existing collection certificate store configuration to edit its settings.
If you are creating a new configuration, enter a name in the Certificate
store name field.
The name of the collection certificate store must be unique at the level where
it is defined. For example, if you create the collection certificate store at the
application level, the store name must be unique within that application. The name
that is specified in the Certificate store name field is used by other configurations
to refer to this predefined collection certificate store, and WebSphere® Application
Server resolves such a reference by proximity: if an application binding refers to a
collection certificate store named cert1, the server searches for cert1 at the
application level first, then at the server level, and then at the cell level. A store
defined at a closer level therefore shadows a store of the same name at a broader level,
so reuse a name across levels only when that is what you intend.
- Specify a certificate store provider in the Certificate store provider
field. WebSphere Application Server supports the IBMCertPath certificate store
provider. To use another certificate store provider, you must register the provider
implementation in the provider list in the profile_root/properties/java.security file,
and the provider must meet the same certificate path (CertPath) algorithm requirements
as WebSphere Application Server.
- Click OK and Save to save the configuration.
- Click the name of your certificate store configuration. After
you specify the certificate store provider, you must add at least one of the following
to the store: the location of a certificate revocation list, or X.509 certificates.
You can also specify both a certificate revocation list and X.509 certificates for
your certificate store configuration.
- Under Additional properties, click Certificate revocation lists.
- Click New to specify a certificate revocation list path,
click Delete to delete an existing list reference, or click the name
of an existing reference to edit the path. You must specify the
fully qualified path to the location where WebSphere Application Server can find
the CRL, that is, the list of certificates that the issuing CA has revoked. For
portability, it is recommended that you use WebSphere Application Server variables
to specify a relative path to the certificate revocation list (CRL). This
recommendation is especially important in a WebSphere Application Server, Network
Deployment environment, where the same configuration is deployed to several nodes. For
example, you might use the USER_INSTALL_ROOT variable to define a path such as
${USER_INSTALL_ROOT}/mycertstore/mycrl1. For a list of supported variables, click
Environment > WebSphere variables in the administrative console. The following list
provides recommendations for using certificate revocation lists:
- If you add CRLs to the collection certificate store, add the CRL issued by the
root certificate authority and, if applicable, the CRL issued by each intermediate CA.
When CRLs are in the collection certificate store, the revocation status of every
certificate in the chain is checked against the CRL of its issuer, so each issuer in
the chain needs a CRL in the store.
- When the CRL file is updated, the new CRL does not take effect until you
restart the web service application.
- Before a CRL expires, you must load a new CRL into the collection certificate
store to replace the old CRL. An expired CRL in the collection certificate
store results in a certificate path (CertPath) build failure, so signatures on
incoming messages can no longer be validated.
- Click OK and Save to save the configuration.
- Return to the Collection certificate store configuration panel.
See the first few steps of this article to locate the collection certificate
store panel.
- Under Additional properties, click X.509 certificates.
- Click New to create a new configuration for X.509 certificates,
click Delete to delete an existing configuration, or click the name
of an existing X.509 certificate configuration to edit its settings.
If you are creating a new configuration, enter a name in the Certificate
store name field.
- Specify a path in the X.509 certificate path field. This
entry is the path to the location of the X.509 certificate file. The
collection certificate store uses these certificates to validate the certificate path
of incoming X.509-formatted security tokens.
You can use the USER_INSTALL_ROOT variable as part of the path name. For example, you
might type: ${USER_INSTALL_ROOT}/etc/ws-security/samples/intca2.cer. This sample
certificate is for testing only; do not use this certificate path in production. You
must obtain your own X.509 certificates from your certificate authority before putting
your WebSphere Application Server environment into production.
Click Environment > WebSphere variables in the administrative console to configure
the USER_INSTALL_ROOT variable.
- Click OK and then Save to save your configuration.
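The rules the procedure relies on (a non-root CA certificate must be in the store for each link of the chain, every certificate in the chain is checked against its issuer's CRL, and an expired CRL fails the certificate path build) can be watched end to end in the following Go program. It is an added example written for this page, not IBM code and not the IBMCertPath provider: it uses Go's crypto/x509 (Go 1.19 or later) in place of the Java CertPath API that WebSphere Application Server uses, and its root CA, intermediate CA, signer certificates, serial numbers and CRLs are all constructed in memory for the example rather than taken from any deployment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// verify builds the path signer -> inters (the store's non-root CA certificates) -> anchors,
// then checks each certificate in the path except the anchor against the CRL of its issuer.
func verify(signer *x509.Certificate, anchors, inters *x509.CertPool, crls []*x509.RevocationList, now time.Time) error {
	chains, err := signer.Verify(x509.VerifyOptions{Roots: anchors, Intermediates: inters, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("certificate path build failed: %w", err)
	}
	for chain := chains[0]; len(chain) > 1; chain = chain[1:] {
		cert, issuer := chain[0], chain[1]
		crl, err := crlFor(crls, issuer, now)
		if err != nil {
			return err
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("%q is revoked by %q", cert.Subject.CommonName, issuer.Subject.CommonName)
			}
		}
	}
	return nil
}

// crlFor returns the store's CRL signed by issuer; a missing or expired CRL fails the path build.
func crlFor(crls []*x509.RevocationList, issuer *x509.Certificate, now time.Time) (*x509.RevocationList, error) {
	for _, crl := range crls {
		if crl.CheckSignatureFrom(issuer) != nil {
			continue // issued by another CA in the store
		}
		if now.After(crl.NextUpdate) {
			return nil, fmt.Errorf("CRL from %q expired at %s", issuer.Subject.CommonName, crl.NextUpdate.UTC().Format(time.RFC3339))
		}
		return crl, nil
	}
	return nil, fmt.Errorf("no CRL issued by %q in store", issuer.Subject.CommonName)
}

// try and the two builders below construct a throwaway sample PKI for this example only.
func try[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newCert(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := try(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der := try(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return try(x509.ParseCertificate(der)), key
}

func newCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked []*big.Int, now time.Time, validFor time.Duration) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(validFor)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return try(x509.ParseRevocationList(try(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))))
}

// runScenarios returns one result per check; nil means the signer's certificate path validated.
func runScenarios() map[string]error {
	now := time.Now()
	root, rootKey := newCert("Sample Root CA", 1, true, nil, nil, now)
	inter, interKey := newCert("Sample Intermediate CA", 2, true, root, rootKey, now)
	signer, _ := newCert("soap-signer", 3, false, inter, interKey, now)
	oldSigner, _ := newCert("soap-signer-old", 4, false, inter, interKey, now)
	crls := []*x509.RevocationList{newCRL(root, rootKey, nil, now, time.Hour), newCRL(inter, interKey, []*big.Int{oldSigner.SerialNumber}, now, time.Hour)}
	anchors, inters := x509.NewCertPool(), x509.NewCertPool()
	anchors.AddCert(root)
	inters.AddCert(inter)
	return map[string]error{
		"valid chain":                     verify(signer, anchors, inters, crls, now),
		"intermediate missing from store": verify(signer, anchors, nil, crls, now),
		"revoked signer":                  verify(oldSigner, anchors, inters, crls, now),
		"CRL past NextUpdate":             verify(signer, anchors, inters, crls, now.Add(2*time.Hour)),
	}
}

func main() { fmt.Println(runScenarios()) }
```

Running it shows the four outcomes the procedure warns about: the complete store validates the signer; with the intermediate CA absent from the store the path cannot be built even though the root is trusted; the revoked signer is rejected by the intermediate CA's CRL; and checking two hours later, after the CRLs' NextUpdate has passed, fails even for a good signer, which is why a fresh CRL must be loaded and the application restarted before the old one expires.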
Results
You have configured the collection certificate store for the consumer
binding.
What to do next
You must configure a token consumer configuration that references
this certificate store configuration.