Use the key information for the default generator to specify the key that is used by the signing or the encryption information configurations if these bindings are not defined at the application level.
About this task
The signing and encryption information configurations can share the same key information, which is why they are both defined on the same level. WebSphere® Application Server provides default values for these bindings. However, an administrator must modify these values for a production environment.
You can configure the key information for the generator binding on the server level and the cell level. In the following steps, use the first step to configure the key information on the server level or use the second step to configure the key information on the cell level:
Procedure
- Access the default bindings for the server level.
- Click .
- Under Security, click JAX-WS and JAX-RPC security runtime.
Mixed-version environment: In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security.
- Click to access the default bindings on the cell level.
- Under Default generator bindings, click Key information.
- Click New to create a key information configuration, click Delete to delete an existing configuration, or click the name of an existing key information configuration to edit the settings. If you are creating a new configuration, enter a unique name for the key configuration in the Key information name field. For example, you might specify sig_keyinfo.
- Select a key information type from the Key information type field. WebSphere Application Server supports the following types of key information:
  - Key identifier: This key information type is used when two parties agree on how to create a key identifier. For example, a field of X.509 certificates can be used for the key identifier according to the X.509 profile.
  - Key name: This key information type is used when the sender and receiver agree on the name of the key.
  - Security token reference: This key information type is typically used when an X.509 certificate is used for digital signature.
  - Embedded token: This key information type is used to embed a security token in an embedded element.
  - X509 issuer name and issuer serial: This key information type specifies an X.509 certificate with its issuer name and serial number.
  Select Security token reference if you are using an X.509 certificate for the digital signature. In these steps, it is assumed that Security token reference is selected for this field.
  Important: This key information type must match the key information type that is specified for the consumer.
- Select a key locator reference from the Key locator reference menu. In these steps, assume that the key locator reference is called sig_klocator. The key locator reference is the name of the key locator that is used to generate the key for digital signature. You must configure a key locator before you can select it in this field. For more information on configuring the key locator, see Configuring the key locator using JAX-RPC on the server or cell level.
- Click Get keys to view a list of key name references. After you click Get keys, the key names that are defined in the <sig_klocator> element are shown in the key name reference menu. If you change the key locator reference, you must click Get keys again to display the list of key names that are associated with the new key locator.
- Select a key name reference from the Key name reference menu. The key name reference specifies the name of the key that is used for generating the digital signature or for encryption. The Key name reference menu displays a list of key names that are defined for the selected key locator in the Key locator reference field. For example, select signerkey. It is assumed that signerkey is a key name that is defined for the sig_klocator key locator.
- Select a token reference from the Token reference field. The token reference refers to the name of a configured token generator. When a security token is required in the deployment descriptor, the token reference attribute is required. If you select Security token reference in the Key information type field, the token reference is required and you can specify an X.509 token generator. To specify an X.509 token generator, you must have an X.509 token generator configured. To configure an X.509 token generator, see Configuring token generators using JAX-RPC to protect message authenticity at the server or cell level. For the remaining steps, it is assumed that an X.509 token generator that is named gen_tcon is already configured.
- Optional: Select an encoding method from the Encoding method field. This field specifies the encoding format for the key identifier. The encoding method attribute is valid when you select Key identifier as the key information type. WebSphere Application Server supports the following encoding methods:
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
- Optional: Select a calculation method from the Calculation method field. The calculation method specifies the calculation algorithm that is used for the key identifier. This attribute is valid when you select Key identifier as the key information type. WebSphere Application Server supports the following calculation methods:
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#ITSHA1
- http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#IT60SHA1
- Optional: Specify a Uniform Resource Identifier (URI) of the value type for a security token from the Namespace URI field. The namespace URI is referenced by the key identifier. This attribute is valid when you select Key identifier as the key information type. When you specify the X.509 certificate token, you do not need to specify the namespace URI. If another token is specified, you must specify the namespace URI. For example, you can specify http://www.ibm.com/websphere/appserver/tokentype/5.0.2 for the Lightweight Third Party Authentication (LTPA) token and http://www.ibm.com/websphere/appserver/tokentype for the LTPA_PROPAGATION token.
- Optional: Specify the local name of the value type for a security token in the Local name field. The local name is referenced by the key identifier. This attribute is valid when you select Key identifier as the key information type. WebSphere Application Server supports the following local names:
  - For an X.509 certificate token: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
  - For X.509 certificates in a PKIPath: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1
  - For a list of X.509 certificates and CRLs in a PKCS#7: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7
  - For LTPA: LTPA
  - For LTPA_PROPAGATION: LTPA_PROPAGATION
- Click OK and Save to save the configuration.
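As an added illustration that is not part of the WebSphere documentation, the following Python script models one generator key-information configuration and checks it against the rules the steps above state: the key locator and key name must exist, the Security token reference type needs a configured token generator, the encoding, calculation, namespace URI and local name fields apply only to the Key identifier type, and the generator type must match the consumer. The KeyInfo model, the validate() function and the sample values are assumptions; the names sig_klocator, signerkey and gen_tcon are the ones used in the procedure.

```python
# Added example, not part of the WebSphere documentation: checks a generator
# key-information binding against the rules the procedure states. The KeyInfo
# model, validate() and the sample values are assumptions.
from dataclasses import dataclass

WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0"
X509 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
ENCODINGS = {WSS + "#Base64Binary", WSS + "#HexBinary"}
CALCULATIONS = {WSS + "#ITSHA1", WSS + "#IT60SHA1"}
KEY_TYPES = {"Key identifier", "Key name", "Security token reference",
             "Embedded token", "X509 issuer name and issuer serial"}

@dataclass
class KeyInfo:
    name: str
    key_type: str
    key_locator: str
    key_name: str
    token_reference: str = ""  # required for Security token reference
    encoding: str = ""         # the four fields below apply to Key identifier only
    calculation: str = ""
    namespace_uri: str = ""
    local_name: str = ""

def validate(cfg, locators, token_generators, consumer_type):
    """Return a list of problems (empty means consistent). locators maps a key locator
    name to the set of key names it defines; token_generators holds configured generators."""
    problems = []
    if cfg.key_type not in KEY_TYPES:
        problems.append(f"unknown key information type {cfg.key_type!r}")
    if cfg.key_locator not in locators:
        problems.append(f"key locator {cfg.key_locator!r} is not configured")
    elif cfg.key_name not in locators[cfg.key_locator]:
        problems.append(f"key name {cfg.key_name!r} is not defined in {cfg.key_locator!r}")
    if cfg.key_type == "Security token reference" and cfg.token_reference not in token_generators:
        problems.append("Security token reference requires a configured token generator")
    if cfg.key_type == "Key identifier":
        if cfg.encoding and cfg.encoding not in ENCODINGS:
            problems.append(f"unsupported encoding method {cfg.encoding!r}")
        if cfg.calculation and cfg.calculation not in CALCULATIONS:
            problems.append(f"unsupported calculation method {cfg.calculation!r}")
        # Assumption: x509-token-profile local names are the X.509 tokens that need
        # no namespace URI; any other token type (for example LTPA) must supply one.
        if cfg.local_name and not cfg.local_name.startswith(X509) and not cfg.namespace_uri:
            problems.append("namespace URI is required for a non-X.509 token")
    elif any((cfg.encoding, cfg.calculation, cfg.namespace_uri, cfg.local_name)):
        problems.append("encoding, calculation, namespace URI and local name apply only to Key identifier")
    if cfg.key_type != consumer_type:
        problems.append(f"generator type {cfg.key_type!r} does not match consumer type {consumer_type!r}")
    return problems
```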
Results
You have configured the key information for the generator binding at the server or cell level.
What to do next
You must specify a similar key information configuration for the consumer.