Configuring the collection certificate store for the generator binding on the application level
You can configure a collection certificate for the generator bindings on the application level.
About this task
A collection certificate store is a collection of non-root, certificate authority (CA) certificates and certificate revocation lists (CRLs). This collection of CA certificates and CRLs is used to check for a valid signature in a digitally signed SOAP message.
Complete the following steps to configure a collection certificate for the generator bindings on the application level:
Procedure
- Locate the collection certificate store configuration panel in the administrative console.
- Click Applications > Application Types > WebSphere enterprise applications > application_name.
- Under Manage modules, click URI_name.
- Under Web Services Security Properties, you can access the key information for the request generator and response generator bindings.
- For the request generator (sender) binding, click Web services: Client security bindings. Under Request generator (sender) binding, click Edit custom.
- For the response generator (sender) binding, click Web services: Server security bindings. Under Response generator (sender) binding, click Edit custom.
- Under Additional properties, click Collection certificate store.
- Specify the Certificate store name. Click New to create a collection certificate store configuration, select the box next to a configuration and click Delete to delete an existing configuration, or click the name of an existing collection certificate store configuration to edit its settings. If you are creating a new configuration, enter a name in the Certificate store name field.
The name of the collection certificate store must be unique to the level of the application server. For example, if you create the collection certificate store for the application level, the store name must be unique to the application level. The name that is specified in the Certificate store name field is used by other configurations to refer to a predefined collection certificate store. WebSphere® Application Server searches for the collection certificate store based on proximity.
For example, if an application binding refers to a collection certificate store named cert1, the Application Server searches for cert1 at the application level before searching the server level and then the cell level.
- Specify a certificate store provider in the Certificate store provider field. WebSphere Application Server supports the IBMCertPath certificate store provider. To use another certificate store provider, you must define the provider implementation in the provider list within the java.security file (install_dir/java/jre/lib/security or profile_root/properties/java.security). However, make sure that your provider meets the same certificate path algorithm requirements as WebSphere Application Server.
- Click OK and Save to save the configuration.
- Click the name of your certificate store configuration. After you specify the certificate store provider, you must specify either the location of a certificate revocation list or the X.509 certificates; you can also specify both a certificate revocation list and the X.509 certificates for your certificate store configuration.
- Under Additional properties, click Certificate revocation lists.
- Click New to specify a certificate revocation list path, click Delete to delete an existing list reference, or click the name of an existing reference to edit the path. You must specify the fully qualified path to the location where WebSphere Application Server can find your list of certificates that are not valid. For portability reasons, it is recommended that you use the WebSphere Application Server variables to specify a relative path to the certificate revocation lists (CRL). This recommendation is especially important when you are working in a WebSphere Application Server, Network Deployment environment.
For example, you might use the USER_INSTALL_ROOT variable to define a path such as $USER_INSTALL_ROOT/mycertstore/mycrl1.
For a list of supported variables, click Environment > WebSphere variables in the administrative console. The following list provides recommendations for using certificate revocation lists:
- If CRLs are added to the collection certificate store, add the CRLs for the root certificate authority and each intermediate certificate, if applicable. When the CRL is in the certificate collection store, the certificate revocation status for every certificate in the chain is checked against the CRL of the issuer.
- When the CRL file is updated, the new CRL does not take effect until you restart the web service application.
- Before a CRL expires, you must load a new CRL into the certificate collection store to replace the old CRL. An expired CRL in the collection certificate store results in a certificate path (CertPath) build failure.
- Click OK and Save to save the configuration.
- Return to the collection certificate store configuration panel. To access the panel, complete the following steps:
- Click Applications > Application Types > WebSphere enterprise applications > application_name.
- Under Manage modules, click URI_name.
- Under Web Services Security properties, you can access the key information for the request generator and response generator bindings.
- For the request generator (sender) binding, click Web services: Client security bindings. Under Request generator (sender) binding, click Edit custom.
- For the response generator (sender) binding, click Web services: Server security bindings. Under Response generator (sender) binding, click Edit custom.
- Under Additional properties, click Collection certificate store > certificate_store_name.
- Under Additional properties, click X.509 certificates.
- Click New to create an X.509 certificate configuration, click Delete to delete an existing configuration, or click the name of an existing X.509 certificate configuration to edit its settings. If you are creating a new configuration, enter a name in the Certificate store name field.
- Specify a path in the X.509 certificate path field. This entry is the absolute path to the location of the X.509 certificate. The collection certificate store is used to validate the certificate path of incoming X.509-formatted security tokens.
You can use the USER_INSTALL_ROOT variable as part of the path name. For example, you might type: USER_INSTALL_ROOT/etc/ws-security/samples/intca2.cer. Do not use this certificate path for production use. You must obtain your own X.509 certificate from a certificate authority before putting your WebSphere Application Server environment into production.
Click Environment > WebSphere variables in the administrative console to configure the USER_INSTALL_ROOT variable.
- Click OK and then Save to save your configuration.
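The certificate path check that the collection certificate store feeds, written as an added Go example (not WebSphere or IBMCertPath code): the store holds only the intermediate CA certificate and the CRLs, the trust anchor stays outside it, and a missing, unverifiable or expired CRL for any issuer in the chain fails the build, which is what the CRL recommendations above describe. NewCert, NewCRL and Validate are constructed helpers for this illustration, and all certificates are generated in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCert issues a constructed test certificate; parent == nil gives a self-signed root.
func NewCert(cn string, serial int64, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	if parent == nil { parent, pkey = tmpl, key } // self-signed root: the trust anchor, kept outside the store
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewCRL signs a CRL by issuer listing the revoked serials; next is the CRL's expiry.
func NewCRL(issuer *x509.Certificate, key ed25519.PrivateKey, revoked []int64, next time.Time) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: next.Add(-48 * time.Hour), NextUpdate: next}
	for _, s := range revoked { tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()}) }
	der, _ := x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
	crl, _ := x509.ParseRevocationList(der)
	return crl
}

// Validate mimics the CertPath build the store serves: chain the token's certificate through the store's intermediates to the trust anchor, then check every link against its issuer's CRL.
func Validate(leaf, root *x509.Certificate, inters []*x509.Certificate, crls []*x509.RevocationList) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters { pool.AddCert(c) }
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool})
	if err != nil { return fmt.Errorf("CertPath build failed: %w", err) }
	for chain := chains[0]; len(chain) > 1; chain = chain[1:] { // walk leaf -> intermediate(s) -> root
		cert, issuer := chain[0], chain[1]
		var crl *x509.RevocationList // the issuer's own CRL, accepted only if the issuer signed it
		for _, c := range crls { if c.Issuer.String() == issuer.Subject.String() && c.CheckSignatureFrom(issuer) == nil { crl = c } }
		if crl == nil { return fmt.Errorf("no valid CRL for issuer %q in the store", issuer.Subject.CommonName) }
		if time.Now().After(crl.NextUpdate) { return fmt.Errorf("expired CRL for issuer %q", issuer.Subject.CommonName) } // expired CRL fails the build
		for _, r := range crl.RevokedCertificates { if r.SerialNumber.Cmp(cert.SerialNumber) == 0 { return fmt.Errorf("certificate %q is revoked", cert.Subject.CommonName) } }
	}
	return nil
}
```

Note that the chain walk requires a CRL from the root as well as from each intermediate, so loading only one of them leaves the store unusable until the missing CRL is added.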
Subtopics
Collection certificate store collection
Use this page to view a list of certificate stores that contain untrusted, intermediary certificate files awaiting validation. Validation might consist of checking to see if the certificate is on a certificate revocation list (CRL), checking that the certificate is not expired, and checking that the certificate is issued by a trusted signer.
Collection certificate store configuration settings
Use this page to specify the name and the provider for a collection certificate store. A collection certificate store is a collection of non-root, certificate authority (CA) certificates and certificate revocation lists (CRLs). This collection of CA certificates and CRLs is used to check the signature of a digitally signed SOAP message.
X.509 certificates collection
Use this page to view a list of untrusted, intermediate certificate files. This collection certificate store is used for certificate path validation of incoming X.509-formatted security tokens.
X.509 certificate configuration settings
Use this page to specify a list of untrusted, intermediate certificate files. This collection certificate store is used for certificate path validation of incoming X.509-formatted security tokens.
Certificate revocation list collection
Use this page to determine the location of the certificate revocation list (CRL) known to the application server. The Application Server checks the CRL to determine the validity of the client certificate. A certificate that is found in a certificate revocation list might not be expired, but is no longer trusted by the certificate authority (CA) that issued the certificate. The CA might add the certificate to the certificate revocation list if it believes that the client authority is compromised.
Certificate revocation list configuration settings
Use this page to specify a list of certificate revocations that check the validity of a certificate. The application server checks the certificate revocation lists (CRL) to determine the validity of the client certificate. A certificate that is found in a certificate revocation list might not be expired, but is no longer trusted by the certificate authority (CA) that issued the certificate. The CA might add the certificate to the certificate revocation list if it believes that the client authority is compromised.


File name: twbs_colcertstgenapp.html