You can configure a key locator for the generator using an assembly
tool. The purpose of the key locators is to retrieve keys from the keystore
for digital signature and encryption. The request generator is configured
for the client and the response generator is configured for the server.
Before you begin
Prior to completing this task, you must import your application into
an assembly tool.
For information on how to import
your application, see Importing
enterprise applications.
Before configuring a key locator, you
should know which key information configuration will reference this key locator.
For example, if you configure this key locator for the STRREF key information
type, select the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator key locator
class.
About this task
WebSphere Application Server Version 6 and later provide default
key locator implementations that you can choose from, or you can write your own
implementation. Custom key locators must implement the com.ibm.wsspi.wssecurity.keyinfo.KeyLocator
interface. By implementing this interface, you can locate keys in any data
source, not only in a keystore file.
Complete the following steps. You must configure either the
client-side bindings in step 2 or the server-side bindings in step 3.
Procedure
- Start the assembly tool and click Window > Open Perspective
> J2EE.
- Optional: Locate the client-side bindings using the
Project Explorer window. The Client Deployment Descriptor window
is displayed. The Web service that you open contains the bindings that you need to configure.
- Expand the Web Services > Client section and double-click
the name of the Web service.
- Click the WS Binding tab and expand the Security Request
Generator Binding Configuration section.
- Optional: Locate the server-side bindings using the
Project Explorer window. The Web Services Editor window is displayed.
The Web service that you open contains the bindings that you need to configure.
- Expand the Web Services > Services section and double-click
the name of the Web service.
- Click the Binding Configurations tab and expand the Response
Generator Binding Configuration Details section.
- Expand the Key locators section and click Add to add a new
entry or click Edit to edit a selected entry.
- Specify a name for this configuration in the Key locator name field.
This configuration name is referenced in the Key locator field of the
Key Information dialog.
- Select a key locator implementation in the Key locator class field.
Select the key locator class that matches the Key Information configuration
that references this key locator. The following default key locator class
implementations are supported for Version 6 and later applications:
- com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator
- This implementation locates and obtains the key from the specified keystore
file.
- com.ibm.wsspi.wssecurity.keyinfo.SignerCertKeyLocator
- This implementation uses the public key from the certificate of the party that signed
the incoming message, for example to encrypt a response for the client that signed the
request. This class implementation is used by the response generator.
- com.ibm.wsspi.wssecurity.keyinfo.X509TokenKeyLocator
- This implementation uses the X.509 security token carried in the sender's message
for digital signature validation and for encryption. This class implementation
is used by the request consumer and the response consumer.
- Select the Use key store option if you need to configure
a key store for this key locator. Whether you need to configure
the key store information for a key locator depends upon the key locator class
and your application configuration. For example, if you select the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator
key locator class in the previous step, configure the key store information
for this key locator.
- Specify the keystore password in the Key store storepass field.
The keystore storepass is the password that is required to open the
keystore file. The value is saved with the application bindings, so protect
the assembled and deployed artifacts accordingly.
- Specify the path to the keystore file in the Key store path
field. The key store path is the full path to the keystore file, not only
the directory that contains it. Make sure that your application can locate
the keystore file wherever you deploy it. It is therefore recommended that
you use ${USER_INSTALL_ROOT} in the path name, because this variable expands
to the WebSphere Application Server installation path on the deployment machine.
- Select a key store type from the Key store type field.
The key store type that you select must match the keystore file that
is specified in the Key store path field. The following keystore types are
supported:
- JKS
- Use this option if you are not using the Java Cryptography Extension (JCE)
policy file and your keystore file uses the Java KeyStore (JKS) format.
- JCEKS
- Use this option if you are using the Java Cryptography Extension policy file.
- JCERACFKS
- Use JCERACFKS if the certificates are stored in a SAF key ring (z/OS only).
- PKCS11
- Use this option if your keystore is accessed through the PKCS#11 interface. Keystores
of this type might hold RSA keys on cryptographic hardware, or might use
cryptographic hardware to protect the keys that they store.
- PKCS12
- Use this option if your keystore uses the PKCS#12 file format.
- Click Add under the Key field to add a key entry from the
keystore file that you specified in the previous step. This key
is used for signature generation or encryption. The key that you specify must
correspond to the key that the consumer uses for validation or decryption: for
digital signatures, the consumer validates with the public key of the key pair
that the generator signs with; for encryption, the generator encrypts with the
public key whose private key the consumer holds.
- Specify an alias name for the key in the Alias field.
The key alias is used by the key locator to find the key within the
keystore file.
- Specify the password that is associated with the key in the
Key pass field. This password is needed to access the key object
within the keystore file.
- Specify the key name in the Key name field. For digital
signatures, the key name is used in the signing information for the request
generator or response generator to determine which key is used to digitally
sign the message. For encryption, the key name is used to determine which
key is used for encryption. You must specify a fully qualified distinguished
name (DN) for the key name, which is matched against the subject of the key's
certificate. For example, you might specify CN=Bob,O=IBM,C=US.
- Click OK to save the configuration.
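The following class is an added example, not code from WebSphere Application Server or from the IBM KeyStoreKeyLocator implementation. It performs, with the standard JDK java.security.KeyStore API, the lookup that the fields configured in the procedure above describe: the Key store type, Key store path and Key store storepass open the keystore; the Alias and Key pass select and unlock one key entry; and the Key name is checked against the subject DN of that entry's certificate before the key is handed back. It also shows the work that a custom implementation of the KeyLocator interface mentioned under "About this task" would have to do; the exact method signatures of com.ibm.wsspi.wssecurity.keyinfo.KeyLocator are not reproduced here and should be taken from the product Javadoc. The class name, the alias "bob" and the passwords are assumed values.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;

/**
 * Illustrative keystore lookup mirroring the assembly-tool fields:
 * Key store type / Key store path / Key store storepass -> constructor,
 * Alias / Key pass / Key name                           -> getKey().
 * This is an added example; it is not IBM's KeyStoreKeyLocator.
 */
public final class KeyStoreLookupExample {
    private final KeyStore keyStore;

    /** storeType is "JKS", "JCEKS", "PKCS12", ...; storePath is the keystore FILE. */
    public KeyStoreLookupExample(String storeType, String storePath, char[] storePass)
            throws Exception {
        keyStore = KeyStore.getInstance(storeType);
        try (InputStream in = new FileInputStream(storePath)) {
            // A wrong storepass (or a storeType that does not match the file)
            // fails here with an IOException, before any key is touched.
            keyStore.load(in, storePass);
        }
    }

    /**
     * Return the private key for one "Key" entry of the key locator.
     * alias   Alias field: selects the keystore entry.
     * keyPass Key pass field: unlocks the private key inside that entry.
     * keyName Key name field: fully qualified DN that must equal the
     *         certificate subject, e.g. "CN=Bob,O=IBM,C=US".
     */
    public Key getKey(String alias, char[] keyPass, String keyName) throws Exception {
        if (!keyStore.containsAlias(alias)) {
            throw new IllegalArgumentException("no keystore entry for alias " + alias);
        }
        Certificate cert = keyStore.getCertificate(alias);
        if (!(cert instanceof X509Certificate)) {
            throw new IllegalStateException("alias " + alias + " has no X.509 certificate");
        }
        // Compare as X500Principal so that spacing and attribute-type aliases
        // in the DN do not cause a spurious mismatch.
        X500Principal expected = new X500Principal(keyName);
        X500Principal actual = ((X509Certificate) cert).getSubjectX500Principal();
        if (!expected.equals(actual)) {
            throw new IllegalStateException("key name " + keyName
                    + " does not match certificate subject " + actual.getName());
        }
        // A wrong keypass fails here with UnrecoverableKeyException.
        Key key = keyStore.getKey(alias, keyPass);
        if (key == null) {
            // Trusted-certificate entries have a certificate but no private key;
            // such an alias cannot be used for signing or decryption.
            throw new IllegalStateException("alias " + alias + " is not a key entry");
        }
        return key;
    }

    /** Usage: java KeyStoreLookupExample <type> <path> <storepass> <alias> <keypass> <keyname> */
    public static void main(String[] args) throws Exception {
        // Assumed example invocation:
        //   java KeyStoreLookupExample JKS /opt/was/etc/ws-security/app.ks storepw bob keypw "CN=Bob,O=IBM,C=US"
        KeyStoreLookupExample locator =
                new KeyStoreLookupExample(args[0], args[1], args[2].toCharArray());
        Key key = locator.getKey(args[3], args[4].toCharArray(), args[5]);
        System.out.println("located " + key.getAlgorithm() + " key for alias " + args[3]);
    }
}
```

Running the class against the keystore named in the Key store path field is a quick way to confirm, before deploying, that the store type opens the file, that the alias exists as a key entry rather than a trusted-certificate entry, that the key pass is correct, and that the DN entered in the Key name field is the subject of that entry's certificate; each of those mistakes otherwise surfaces only at run time as a signing or encryption failure.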