A collection certificate store is a collection of non-root, certificate authority (CA) certificates and certificate revocation lists (CRLs). This collection of CA certificates and CRLs is used to check for a valid signature in a digitally signed SOAP message.
About this task
A collection certificate store is a collection of non-root, certificate authority (CA) certificates and certificate revocation lists (CRLs) that can be used to check for a valid signature in a digitally signed SOAP message. Complete the following steps to configure a collection certificate store for the consumer bindings on the application level:
Procedure
- Locate the collection certificate store configuration panel in the administrative console.
- Click .
- Under Modules, click .
- Under Web Services Security properties, you can access the collection certificate store information for the response consumer and request consumer bindings.
- For the response consumer (receiver) binding, click Web services: Client security bindings. Under Response consumer (receiver) binding, click Edit custom.
- For the request consumer (receiver) binding, click Web services: Server security bindings. Under Response consumer (receiver) binding, click Edit custom.
- Under Additional properties, click Collection certificate store.
- Click New to create a collection certificate store configuration, click Delete to delete an existing configuration, or click the name of an existing collection certificate store configuration to edit its settings. If you are creating a new configuration, enter a name in the Certificate store name field.
  The name of the collection certificate store must be unique to the level of the application server. For example, if you create the collection certificate store for the application level, the store name must be unique to the application level. The name that is specified in the Certificate store name field is used by other configurations to refer to a predefined collection certificate store. WebSphere® Application Server searches for the collection certificate store based on proximity. For example, if an application binding refers to a collection certificate store named cert1, the Application Server searches for cert1 at the application level before searching the server level.
- Specify a certificate store provider in the Certificate store provider field. WebSphere Application Server supports the IBMCertPath certificate store provider. To use another certificate store provider, you must define the provider implementation in the provider list within the profile_root/properties/java.security file. However, make sure that your provider supports the same requirements of the certificate path algorithm as WebSphere Application Server.
- Click OK and Save to save the configuration.
- Click the name of your certificate store configuration. After you specify the certificate store provider, you must specify either the location of a certificate revocation list or the X.509 certificates. You can also specify both a certificate revocation list and the X.509 certificates for your certificate store configuration.
- Under Additional properties, click Certificate revocation lists.
- Click New to specify a certificate revocation list path, click Delete to delete an existing list reference, or click the name of an existing reference to edit the path. You must specify the fully qualified path to the location where WebSphere Application Server can find your list of certificates that are not valid. For portability reasons, it is recommended that you use the WebSphere Application Server variables to specify a relative path to the certificate revocation lists (CRLs). This recommendation is especially important when you are working in a WebSphere Application Server, Network Deployment environment. For example, you might use the USER_INSTALL_ROOT variable to define a path such as $USER_INSTALL_ROOT/mycertstore/mycrl1. For a list of supported variables, click in the administrative console. The following list provides recommendations for using certificate revocation lists:
  - If CRLs are added to the collection certificate store, add the CRLs for the root certificate authority and each intermediate certificate, if applicable. When the CRL is in the collection certificate store, the certificate revocation status for every certificate in the chain is checked against the CRL of the issuer.
  - When the CRL file is updated, the new CRL does not take effect until you restart the web service application.
  - Before a CRL expires, you must load a new CRL into the collection certificate store to replace the old CRL. An expired CRL in the collection certificate store results in a certificate path (CertPath) build failure.
- Click OK and Save to save the configuration.
- Return to the Collection certificate store configuration panel. See the first few steps of this article to locate the collection certificate store panel.
- Under Additional properties, click X.509 certificates.
- Click New to create a new configuration for X.509 certificates, click Delete to delete an existing configuration, or click the name of an existing X.509 certificate configuration to edit its settings. If you are creating a new configuration, enter a name in the Certificate store name field.
- Specify a path in the X.509 certificate path field. This entry is the absolute path to the location of the X.509 certificates. The collection certificate store is used to validate the certificate path of incoming X.509-formatted security tokens. You can use the USER_INSTALL_ROOT variable as part of the path name. For example, you might type: USER_INSTALL_ROOT/etc/ws-security/samples/intca2.cer. Do not use this sample certificate path in production. You must obtain your own X.509 certificate from a certificate authority before putting your WebSphere Application Server environment into production. Click in the administrative console to configure the USER_INSTALL_ROOT variable.
- Click OK and then Save to save your configuration.
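To make concrete what the collection certificate store backs, the following Java program is an added example (not part of this documentation, and not the IBMCertPath provider's code) that performs the same kind of PKIX certificate path build with the JDK's standard PKIX builder: the root CA is the trust anchor, the non-root CA certificates and CRLs form a Collection CertStore, and revocation checking is enabled so that a missing, stale or expired CRL for any issuer in the chain ends in a CertPath build failure. The class name and the file layout passed on the command line are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.*;
import java.util.*;

public class CollectionCertStoreCheck {

    // Build and validate the path for the signer certificate `leafCer` using `rootCer`
    // as the trust anchor and the non-root CA certificates plus CRLs as the
    // collection certificate store (the same split the WebSphere panel enforces).
    public static PKIXCertPathBuilderResult validate(Path rootCer, List<Path> caCers,
            List<Path> crlFiles, Path leafCer) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root = loadCert(cf, rootCer);
        X509Certificate leaf = loadCert(cf, leafCer);

        List<Object> collection = new ArrayList<>();          // non-root CA certs + CRLs only
        for (Path p : caCers) collection.add(loadCert(cf, p));
        for (Path p : crlFiles) {
            try (InputStream in = Files.newInputStream(p)) { collection.add(cf.generateCRL(in)); }
        }
        CertStore store = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(collection));

        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(
                Collections.singleton(new TrustAnchor(root, null)), target);
        params.addCertStore(store);
        // Every certificate in the chain is checked against its issuer's CRL from the
        // store; an expired CRL or a CRL missing for an intermediate fails the build.
        params.setRevocationEnabled(true);
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    private static X509Certificate loadCert(CertificateFactory cf, Path p) throws Exception {
        try (InputStream in = Files.newInputStream(p)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // Assumed usage: java CollectionCertStoreCheck root.cer intca.cer intca.crl signer.cer
    public static void main(String[] args) throws Exception {
        try {
            PKIXCertPathBuilderResult r = validate(Path.of(args[0]), List.of(Path.of(args[1])),
                    List.of(Path.of(args[2])), Path.of(args[3]));
            System.out.println("CertPath built: " + r.getCertPath().getCertificates().size()
                    + " certificate(s) below anchor " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("CertPath build failed: " + e.getMessage());
        }
    }
}
```

Replacing the CRL file with one whose nextUpdate has passed reproduces the CertPath build failure the recommendations above warn about, which is the behaviour to expect from the bindings until a fresh CRL is loaded and the application restarted.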
Results
You have configured the collection certificate store for the consumer binding.
What to do next
You must configure a token consumer configuration that references this certificate store configuration.