You can configure a list of keystore
objects that contain
trusted root certificates to be used for certificate path validation
of incoming X.509-formatted security tokens.
Before you begin
Before you configure trust anchors, create the keystore file that holds the trusted root certificates by using the keytool utility. The keytool utility is available in the QShell Interpreter.
About this task
This task provides the steps that are needed to configure a list of keystore objects that contain trusted root certificates. These keystore objects are used for certificate path validation of incoming X.509-formatted security tokens: the CertPath application programming interface (API) uses the trusted root certificates in the trust anchors to determine whether the certificate chain presented by a token is trusted. Only certificates that chain up to one of these roots are accepted.
You can configure trust anchors on the server
level and the cell level. In the following steps, use the first step
to access the server-level default bindings and use the second step
to access the cell-level bindings.
Procedure
- Access the default bindings for the server level.
- Click .
- Under Security, click JAX-WS
and JAX-RPC
security runtime.
Mixed-version environment: In a mixed node cell with a server that uses WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security.
- Click to access the default bindings on the cell level.
- Under Additional properties, click Trust anchors.
- Click one of the following to work with the trust anchor configuration:
- New: creates a trust anchor configuration. Enter a unique name for the trust anchor in the Trust anchor name field.
- Delete: deletes an existing configuration.
- The name of an existing trust anchor configuration: edits the settings for that trust anchor.
- Specify, in the Key store password field, the password that is used to open the keystore file.
- Specify the absolute location of the keystore file in the Key store path field. It is recommended that you use the USER_INSTALL_ROOT variable as a portion of the keystore path. To change this predefined variable, click . The USER_INSTALL_ROOT variable might display on the second page of variables.
- Specify the type of keystore file in the Key store type field. WebSphere® Application Server supports the following keystore types:
- JKS: use this option if you are not using the Java Cryptography Extension (JCE) and your keystore file uses the Java Key Store (JKS) format.
- JCEKS: use this option if you are using the Java Cryptography Extension.
- PKCS11KS (PKCS11): use this option if your keystore uses the PKCS#11 format. Keystores of this type typically hold Rivest Shamir Adleman (RSA) keys on cryptographic hardware, or use cryptographic hardware to encrypt the stored keys so that they are protected.
- PKCS12KS (PKCS12): use this option if your keystore file uses the PKCS#12 file format.
- Click OK and Save to
save your configuration.
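The following program is an added example, not WebSphere Application Server product code, that shows what the trust anchor configuration is used for: it opens a trust anchor keystore with the same path, password and type values that the Key store fields take, collects every trusted-certificate entry as a TrustAnchor, and validates an X.509 certificate chain (such as the one carried by an incoming X.509 security token) against those anchors with the java.security.cert CertPath API. The file names trust.jks and token-chain.pem, the password, and the keystore type are assumptions; the chain file is expected to be a PEM bundle ordered from the end-entity certificate up toward the root.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example (not WebSphere product code). Validates a certificate chain
 * against the trusted root certificates held in a trust anchor keystore,
 * using the CertPath API. File names and the password are assumptions.
 */
public class TrustAnchorCheck {

    /** Load every trusted-certificate entry of the keystore as a TrustAnchor. */
    static Set<TrustAnchor> loadTrustAnchors(String path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);          // "JKS", "JCEKS", "PKCS12", ...
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);                          // wrong password fails here
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {             // ignore private-key entries
                anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
            }
        }
        if (anchors.isEmpty()) {
            throw new IllegalStateException("no trusted certificate entries in " + path);
        }
        return anchors;
    }

    static boolean isAnchor(X509Certificate c, Set<TrustAnchor> anchors) {
        for (TrustAnchor a : anchors) {
            if (c.equals(a.getTrustedCert())) return true;
        }
        return false;
    }

    /** Read a PEM bundle (leaf first) into a CertPath, dropping a trailing root that is already an anchor. */
    static CertPath readChain(String pemPath, Set<TrustAnchor> anchors) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        // PKIX validation expects the path to stop below the trust anchor; a root
        // that the token happens to include must not be validated as part of the path.
        while (!chain.isEmpty() && isAnchor(chain.get(chain.size() - 1), anchors)) {
            chain.remove(chain.size() - 1);
        }
        if (chain.isEmpty()) throw new IllegalStateException("chain contains only trust anchors");
        return cf.generateCertPath(chain);
    }

    /** Run PKIX path validation; returns the anchor that terminated the path or throws. */
    static TrustAnchor validate(CertPath path, Set<TrustAnchor> anchors) throws Exception {
        PKIXParameters params = new PKIXParameters(anchors);
        // No CRL or OCSP lookup in this offline example; turn revocation checking
        // on (or add a PKIXRevocationChecker) when validating real tokens.
        params.setRevocationEnabled(false);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult result =
                (PKIXCertPathValidatorResult) validator.validate(path, params);
        return result.getTrustAnchor();
    }

    public static void main(String[] args) throws Exception {
        // Assumed values mirroring the Key store path, Key store password and Key store type fields.
        String keystorePath = args.length > 0 ? args[0] : "trust.jks";
        String chainPath = args.length > 1 ? args[1] : "token-chain.pem";
        char[] password = (args.length > 2 ? args[2] : "changeit").toCharArray();

        Set<TrustAnchor> anchors = loadTrustAnchors(keystorePath, password, "JKS");
        CertPath path = readChain(chainPath, anchors);
        try {
            TrustAnchor anchor = validate(path, anchors);
            System.out.println("trusted, chains to: "
                    + anchor.getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getReason() tells you why (EXPIRED, NO_TRUST_ANCHOR, ...) and
            // getIndex() which certificate in the path failed.
            System.out.println("rejected: " + e.getReason()
                    + " at certificate index " + e.getIndex() + ": " + e.getMessage());
        }
    }
}
```

The keystore itself is created in QShell as described under Before you begin, for example with `keytool -importcert -alias rootca -file rootca.cer -keystore trust.jks -storetype JKS`, once per root certificate that should be trusted. Two things this example makes visible that the panel does not: only trusted-certificate entries act as anchors, so a private-key entry in the same file adds nothing to the trust decision, and intermediate CA certificates are not trust anchors, so they must arrive with the token's chain (or be added to the keystore as roots, which widens trust to everything they issue).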
Results
You have configured
trust anchors at the server
or cell level.