You can configure a list of keystore objects that contain trusted
root certificates to be used for certificate path validation of incoming X.509-formatted
security tokens.
Before you begin
Prior to completing the steps to configure
trust anchors, you must create the keystore file using the key tool. WebSphere® Application
Server provides the key tool in the install_dir/java/jre/bin/keytool file.
About this task
This task provides the steps that are needed to configure a list
of keystore objects that contain trusted root certificates. These objects
are used for certificate path validation of incoming X.509-formatted security
tokens. Keystore objects within trust anchors contain trusted root certificates
that are used by the CertPath application programming
interface (API) to determine whether to trust a certificate chain.
Procedure
- Access the default bindings for the server level:
  - Click Servers > Server Types > WebSphere application servers > server_name.
  - Under Security, click JAX-WS and JAX-RPC security runtime.
  Mixed-version environment: In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web services security.
- Under Additional properties, click Trust anchors.
- Click one of the following to work with trust anchor configuration:
  - New: To create a trust anchor configuration. Enter a unique name for the trust anchor in the Trust anchor name field.
  - Delete: To delete an existing configuration.
  - An existing trust anchor configuration: To edit the settings for an existing trust anchor.
- Specify a password in the Key store password field that is used
to access the keystore file.
- Specify the absolute location of the keystore file in the Key
store path field. It is recommended that you use the USER_INSTALL_ROOT variable
as a portion of the keystore path. To change this predefined variable, click Environment >
WebSphere variables. The USER_INSTALL_ROOT variable might
display on the second page of variables.
- Specify the type of keystore file in the Key store type field. WebSphere Application Server supports the following keystore types:
  - JKS: Use this option if you are not using Java™ Cryptography Extensions (JCE) and your keystore file uses the Java Key Store (JKS) format.
  - JCEKS: Use this option if you are using Java Cryptography Extensions.
  - JCERACFKS: Use JCERACFKS if the certificates are stored in a SAF key ring (z/OS® only).
  - PKCS11KS (PKCS11): Use this option if your keystore file uses the PKCS#11 file format. Keystore files that use this format might contain Rivest Shamir Adleman (RSA) keys on cryptographic hardware or might encrypt keys that use cryptographic hardware to ensure protection.
  - PKCS12KS (PKCS12): Use this option if your keystore file uses the PKCS#12 file format.
- Click OK and Save to save your configuration.
Results
You have configured trust anchors at the server level.