You can configure a list of keystore objects that contain trusted root certificates to be used for certificate path validation of incoming X.509-formatted security tokens.
Before you begin
Prior to completing the steps to configure trust anchors, you must create the keystore file using the key tool. WebSphere® Application Server provides the key tool in the install_dir/java/jre/bin/keytool file.
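As an added example, not part of the WebSphere documentation, the following POSIX shell script shows how the prerequisite keystore can be built with keytool: it generates a constructed self-signed root CA (a stand-in for the issuer whose root certificate you would normally receive out of band), exports only that certificate, imports it as a trusted entry into a JKS keystore, and then checks that the keystore holds trusted certificate entries and no private keys, which is what a trust anchor keystore should contain. The directory, the alias exampleroot and the password changeit are assumptions; the script skips its work when no keytool is on PATH.

```shell
#!/bin/sh
# Added example (not from the WebSphere documentation): build a trust anchor
# keystore with keytool. Alias, paths and the password "changeit" are
# constructed for this illustration.
set -eu

# build_trust_anchors DIR
#   1. generates a constructed self-signed root CA key pair,
#   2. exports only its certificate (the private key never leaves ca-private.jks),
#   3. imports that certificate as a trusted entry into trustanchors.jks, which is
#      the file you would then reference from the Trust anchors panel,
#   4. verifies that the keystore holds a trustedCertEntry and no PrivateKeyEntry.
# Returns 0 on success; also returns 0 with a "skipped" message when keytool is
# not on PATH, so the script degrades gracefully without a JDK.
build_trust_anchors() {
  dir="$1"
  storepass="changeit"   # constructed; use a real secret in practice
  if ! command -v keytool >/dev/null 2>&1; then
    echo "skipped: keytool not found on PATH (use install_dir/java/jre/bin/keytool)"
    return 0
  fi
  mkdir -p "$dir"

  # 1. Constructed root CA; -ext bc:c sets a critical BasicConstraints CA:true extension.
  keytool -genkeypair -alias exampleroot -keyalg RSA -keysize 2048 \
    -dname "CN=Example Root CA, O=Example" -ext bc:c -validity 365 \
    -storetype JKS -keystore "$dir/ca-private.jks" \
    -storepass "$storepass" -keypass "$storepass" >/dev/null 2>&1

  # 2. Export the certificate only, in PEM form.
  keytool -exportcert -rfc -alias exampleroot \
    -storetype JKS -keystore "$dir/ca-private.jks" -storepass "$storepass" \
    -file "$dir/exampleroot.pem" >/dev/null 2>&1

  # 3. Import it as a trusted certificate; keytool creates trustanchors.jks on first import.
  keytool -importcert -noprompt -alias exampleroot -file "$dir/exampleroot.pem" \
    -storetype JKS -keystore "$dir/trustanchors.jks" -storepass "$storepass" >/dev/null 2>&1

  # 4. Verify the contents: trusted certificate entries only, no private keys.
  listing=$(keytool -list -storetype JKS -keystore "$dir/trustanchors.jks" -storepass "$storepass" 2>/dev/null)
  case "$listing" in
    *trustedCertEntry*) ;;
    *) echo "error: no trustedCertEntry in trustanchors.jks"; return 1 ;;
  esac
  case "$listing" in
    *PrivateKeyEntry*) echo "error: private key found in trust anchor keystore"; return 1 ;;
  esac
  echo "created: $dir/trustanchors.jks"
  return 0
}

# Usage: build_trust_anchors /path/to/dir (defaults to a fresh temporary directory)
build_trust_anchors "${1:-$(mktemp -d)}"
```

Keeping the CA's private key in a separate keystore from the trust anchors matters: the Trust anchors panel expects a keystore whose entries answer "whom do I trust", and a private key entry there is both unnecessary and an exposure of signing material on the server.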
About this task
This task provides the steps that are needed to configure a list of keystore objects that contain trusted root certificates. These objects are used for certificate path validation of incoming X.509-formatted security tokens. Keystore objects within trust anchors contain trusted root certificates that are used by the CertPath application programming interface (API) to determine whether to trust a certificate chain.
You can configure trust anchors on the server level and the cell level. In the following steps, use the first step to access the server-level default bindings and use the second step to access the cell-level bindings.
Procedure
- Access the default bindings for the server level.
  - Click .
  - Under Security, click JAX-WS and JAX-RPC security runtime.
  Mixed-version environment: In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security.
- Click to access the default bindings on the cell level.
- Under Additional properties, click Trust anchors.
- Click one of the following to work with trust anchor configuration:
  - New: To create a trust anchor configuration. Enter a unique name for the trust anchor in the Trust anchor name field.
  - Delete: To delete an existing configuration.
  - An existing trust anchor configuration: To edit the settings for an existing trust anchor.
- Specify a password in the Key store password field that is used to access the keystore file.
- Specify the absolute location of the keystore file in the Key store path field. It is recommended that you use the USER_INSTALL_ROOT variable as a portion of the keystore path. To change this predefined variable, click . The USER_INSTALL_ROOT variable might display on the second page of variables.
- Specify the type of keystore file in the Key store type field. WebSphere Application Server supports the following keystore types:
  - JKS: Use this option if you are not using Java Cryptography Extensions (JCE) and your keystore file uses the Java Key Store (JKS) format.
  - JCEKS: Use this option if you are using Java Cryptography Extensions.
  - JCERACFKS: Use JCERACFKS if the certificates are stored in a SAF key ring (z/OS® only).
  - PKCS11KS (PKCS11): Use this option if your keystore file uses the PKCS#11 file format. Keystore files that use this format might contain Rivest Shamir Adleman (RSA) keys on cryptographic hardware or might encrypt keys that use cryptographic hardware to ensure protection.
  - PKCS12KS (PKCS12): Use this option if your keystore file uses the PKCS#12 file format.
- Click OK and Save to save your configuration.
Results
You have configured trust anchors at the server or cell level.