Use this page to specify the settings for a key locator
configuration. The key locators retrieve keys from the keystore file
for digital signature and encryption. This product enables you to
plug in a custom key locator configuration.
To view the administrative console panel for the
key locator collection on the cell level, complete the following steps:
- Click Security > JAX-WS and JAX-RPC security runtime.
- Under Additional properties, click Key locators.
- Click New to create a new configuration or click the name
of a configuration to modify its settings.
To view this administrative console page for the key locator collection
on the server level, complete the following steps:
- Click server_name.
- Under Security, click JAX-WS and JAX-RPC security runtime.
Mixed-version environment: In a mixed-node cell with a server that uses WebSphere Application Server Version 6.1 or earlier, click Web services: Default bindings for Web services security.
- Under Additional properties, click Key locators.
- Click New to create a new configuration or click the name
of a configuration to modify its settings.
To use this administrative console page for the key locator collection
on the application level, complete the following steps:
- Click application_name.
- Click Manage modules > URI_name.
- Under Web Services Security properties, you can access key locators
for the following bindings:
- For the Request generator, click Web services: Client security
bindings. Under Request generator (sender) binding, click Edit
custom > Key locators.
- For the Request consumer, click Web services: Server security
bindings. Under Request consumer (receiver) binding, click Edit
custom > Key locators.
- For the Response generator, click Web services: Server security
bindings. Under Response generator (sender) binding, click Edit
custom > Key locators.
- For the Response consumer, click Web services: Client security
bindings. Under Response consumer (receiver) binding, click Edit
custom > Key locators.
Under Additional
properties, you can access key locators for the following bindings:
- For the Request sender, click Web services: Client security
bindings. Under Request sender binding, click Edit > Key
locators.
- For the Request receiver, click Web services: Server security
bindings. Under Request receiver binding, click Edit > Key
locators.
- For the Response sender, click Web services: Server security
bindings. Under Response sender binding, click Edit > Key
locators.
- For the Response receiver, click Web services: Client security
bindings. Under Response receiver binding, click Edit >
Key locators.
- Click New to create a new configuration or click the name
of a configuration to modify its settings.
Specifies the name for the key locator class implementation.
Key locators that are associated with Versions 6 and later applications
must implement the com.ibm.wsspi.wssecurity.keyinfo.KeyLocator interface.
This product provides the following default key locator class implementations
for Versions 6 and later applications:
- com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator: This implementation locates and obtains the key from the specified keystore file.
- com.ibm.wsspi.wssecurity.keyinfo.SignerCertKeyLocator: This implementation uses the public key from the certificate of the signer. This class implementation is used by the response generator. This property is for the JAX-RPC programming model only. To implement signer certificate encryption for the JAX-WS programming model, set a custom property on the callback handler for the encryption token generator. For more information, read the topic Callback handler settings.
- com.ibm.wsspi.wssecurity.keyinfo.X509TokenKeyLocator: This implementation uses the X.509 security token from the sender message for digital signature validation and encryption. This class implementation is used by the request consumer and the response consumer.
[Version 5 only] Key locators that are associated with Version 5.x applications must implement the com.ibm.wsspi.wssecurity.config.KeyLocator interface. This product provides the following default key locator class implementations for Version 5.x applications:
- com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator: This implementation maps an authenticated identity to a key and is used by the response sender. If encryption is used, this class is used to locate a key to encrypt the response message. The com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator class can map an authenticated identity from the invocation credential of the current thread to a key that is used to encrypt the message. If an authenticated identity is present on the current thread, the class maps the ID to the mapped name. For example, user1 is mapped to mappedName_1. Otherwise, name="default". When a matching key is not found, the authenticated identity is mapped to the default key that is specified in the binding file. This implementation supports the following keystore formats: JKS, JCEKS, and PKCS12.
- com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator: This implementation maps a name to an alias and is used by the response receiver, request sender, and request receiver. The encryption process uses this class to obtain a key to encrypt a message, and the digital signature process uses this class to obtain a key to sign a message. The com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator class maps a logical name to a key alias in the keystore file. For example, key #105115176771 is mapped to CN=Alice, O=IBM, c=US.
- com.ibm.wsspi.wssecurity.config.CertInRequestKeyLocator: This implementation uses the signer certificate to encrypt the response. This class implementation is used by the response sender and response receiver.
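The two keystore-backed locators above share one behaviour: a logical name or authenticated identity is resolved to a keystore alias, and when no mapping matches (or the mapped alias is missing) the lookup falls back to a configured default key. The following is an added example, written here in plain JDK code, that shows that resolution and fallback; it is not WebSphere's own locator code and does not implement the com.ibm.wsspi.wssecurity KeyLocator interfaces, whose method signatures are not reproduced. The class name LogicalNameKeyLocator, the aliases, the identity-to-alias mapping, and the in-memory JCEKS keystore filled with generated AES keys are all constructed for the example.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Hypothetical keystore-backed key locator (example code, not the WebSphere class).
 * Resolves a logical name or authenticated identity to a keystore alias and falls
 * back to a configured default alias when no usable mapping exists.
 */
public class LogicalNameKeyLocator {
    private final KeyStore keyStore;
    private final char[] keyPassword;
    private final Map<String, String> nameToAlias;
    private final String defaultAlias;

    public LogicalNameKeyLocator(KeyStore keyStore, char[] keyPassword,
                                 Map<String, String> nameToAlias, String defaultAlias) {
        this.keyStore = keyStore;
        this.keyPassword = keyPassword.clone();
        this.nameToAlias = new HashMap<>(nameToAlias);
        this.defaultAlias = defaultAlias;
    }

    /** Alias a logical name resolves to; a null identity (no authenticated caller) means "default". */
    public String resolveAlias(String logicalName) throws KeyStoreException {
        String alias = (logicalName == null) ? null : nameToAlias.get(logicalName);
        if (alias == null || !keyStore.containsAlias(alias)) {
            alias = defaultAlias; // no mapping, or the mapped alias is not in the keystore
        }
        return alias;
    }

    /** Loads the resolved key; fails loudly rather than returning null if even the default is absent. */
    public Key locate(String logicalName) throws Exception {
        String alias = resolveAlias(logicalName);
        Key key = keyStore.getKey(alias, keyPassword);
        if (key == null) {
            throw new IllegalStateException("no key under alias " + alias);
        }
        return key;
    }

    /** Builds an in-memory JCEKS keystore holding freshly generated AES keys (constructed sample data). */
    public static KeyStore sampleKeyStore(char[] password, String... aliases) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(128);
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(password);
        for (String alias : aliases) {
            SecretKey k = gen.generateKey();
            ks.setEntry(alias, new KeyStore.SecretKeyEntry(k), prot);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // constructed password for the sample keystore
        KeyStore ks = sampleKeyStore(pw, "mappedName_1", "default");

        Map<String, String> mapping = new HashMap<>();
        mapping.put("user1", "mappedName_1");
        mapping.put("user2", "mappedName_2"); // deliberate misconfiguration: alias absent from keystore

        LogicalNameKeyLocator locator = new LogicalNameKeyLocator(ks, pw, mapping, "default");

        // user1 -> mappedName_1; user2 (broken mapping), user3 (unmapped) and null -> default
        for (String id : new String[] {"user1", "user2", "user3", null}) {
            String alias = locator.resolveAlias(id);
            Key key = locator.locate(id);
            System.out.println(id + " -> alias " + alias + " (" + key.getAlgorithm() + ")");
        }
    }
}
```

The resolveAlias method is separated from locate so that a deployment check can print which alias each expected identity actually resolves to: a mapping that points at an alias missing from the keystore silently falls through to the default key, which is the case to look for when a response is encrypted with a key other than the one intended for that caller.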