A trust anchor specifies the keystores that contain trusted root
certificates. These certificates are used to validate the X.509 certificate
that is embedded in the SOAP message.
These keystores are used by the following message points to validate the
X.509 certificate that is used for digital signature or XML encryption:
- Request consumer, as defined in the ibm-webservices-bnd.xmi file
- Response consumer, as defined in the ibm-webservicesclient-bnd.xmi file when a Web service is acting as a client to another Web service
The keystores are critical to the integrity of the digital signature
validation. If the keystores are tampered with, any certificate that chains to
a substituted root is accepted, so the result of the digital signature
verification can no longer be relied upon. Therefore, it is recommended
that you secure these keystores. The binding configuration specified for the
request consumer in the
ibm-webservices-bnd.xmi file must match the
binding configuration for the request generator in the
ibm-webservicesclient-bnd.xmi file.
The trust anchor is defined as java.security.cert.TrustAnchor in the Java
CertPath application programming interface (API). The Java CertPath API uses
the trust anchor and the certificate store to validate the incoming X.509
certificate that is embedded in the SOAP message. The Web services security
implementation in WebSphere Application Server supports this trust anchor.
In WebSphere Application Server, the trust anchor is represented as a Java
keystore object. The type, path, and password of the keystore are passed to
the implementation through the administrative console or by scripting.
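The following is an added example, not WebSphere Application Server code, that shows what the trust anchor described above does in the Java CertPath API: the trusted-certificate entries of a keystore (type, path and password supplied on the command line, as they are to WebSphere through the console or scripting) become a set of java.security.cert.TrustAnchor objects, and an X.509 chain is accepted only if the PKIX validator can link it to one of them. The class and method names, the argument order and the revocation setting are choices made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Example (hypothetical class name): validate an X.509 chain against keystore trust anchors. */
public class TrustAnchorCheck {

    /** Turn every trusted-certificate entry of the keystore into a TrustAnchor.
     *  Private-key entries are deliberately skipped: only explicitly trusted roots anchor validation. */
    static Set<TrustAnchor> loadTrustAnchors(KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                X509Certificate root = (X509Certificate) ks.getCertificate(alias);
                anchors.add(new TrustAnchor(root, null)); // null = no name constraints
            }
        }
        if (anchors.isEmpty()) {
            throw new IllegalStateException("keystore contains no trusted certificate entries");
        }
        return anchors;
    }

    /** Validate a chain ordered end-entity first (the anchor itself may be omitted);
     *  returns the anchor the chain was linked to, or throws CertPathValidatorException. */
    static TrustAnchor validate(List<X509Certificate> chain, Set<TrustAnchor> anchors) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(anchors);
        // Revocation checking needs CRL or OCSP access configured; it is switched off here so the
        // example runs offline. Decide this explicitly in a deployment rather than inheriting it.
        params.setRevocationEnabled(false);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult result =
                (PKIXCertPathValidatorResult) validator.validate(path, params);
        return result.getTrustAnchor();
    }

    /** Usage: java TrustAnchorCheck <keystore-type> <keystore-path> <keystore-password> <chain.pem> */
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: TrustAnchorCheck <JKS|PKCS12> <keystore> <password> <chain.pem>");
            System.exit(2);
        }
        // Same three pieces of information WebSphere takes for a trust anchor: type, path, password.
        KeyStore ks = KeyStore.getInstance(args[0]);
        try (InputStream in = new FileInputStream(args[1])) {
            ks.load(in, args[2].toCharArray());
        }
        Set<TrustAnchor> anchors = loadTrustAnchors(ks);

        // The chain under test: one or more PEM certificates, end-entity first.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(Paths.get(args[3]))) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }

        try {
            TrustAnchor matched = validate(chain, anchors);
            System.out.println("chain accepted; anchored at "
                    + matched.getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // This is the outcome a signature consumer must treat as a verification failure.
            System.out.println("chain rejected: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

The keystore can be any JKS or PKCS12 file whose trusted entries were added with keytool (for example with keytool -importcert), and the chain file is the PEM-encoded certificate that would be embedded in the SOAP message, optionally followed by its intermediates. The check illustrates the point made about tampering: replacing or adding an entry in this keystore changes which chains validate, which is why the keystore, not only the signature, has to be protected.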