A key locator typically locates a key store in the file system.
You can configure server and cell-level key locators for a specific application
by using the WebSphere Application Server administrative console. You can
configure binding information in the administrative console; however, for
extensions, you must use the Application Server Toolkit.
About this task
Important: There is an important distinction between
Version 5.x and Version 6.0.x and later applications. The information
in this article applies only to Version 5.x applications that are used
with WebSphere Application Server Version 6.0.x and later. It does not
apply to Version 6.0.x and later applications.
The location of key stores can vary from machine to machine, so it is often helpful
to configure a default key locator for a specific machine and reference it
from within the encryption or signing information. This information is found
within the binding configurations of any application installed on the machine.
This approach enables you to define a single key locator for all applications
that need to use the same keys. In a Network Deployment environment, you also
can specify the default binding information at the cell level.
Procedure
- Configure default key locators at the server level.
- Open the administrative console.
Type http://localhost:port_number/ibm/console or http://server_name:port_number/ibm/console in
your Web browser unless you have changed the port number.
- Click Servers > Application servers > server_name.
- Under Security, click Web services: Default bindings for
Web services security.
- Under Additional properties, click Key locators.
- Click New to configure a new key locator. Select the
box next to a key locator name and click Delete to delete a key locator;
or click the name of a key locator to edit its configuration. If
you are configuring a new key locator or editing an existing one, complete
the following steps:
- Specify a name for the key locator in the Key locator name field.
- Specify a name for the key locator class implementation in the Key
locator class name field.
WebSphere Application Server has the following
default key locator class implementations:
- com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator
- This class, used by the response sender, maps an authenticated identity
to a key. If encryption is used, this class is used to locate a key to encrypt
the response message. The com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator class
can map an authenticated identity from the invocation credential
of the current thread to a key that is used to encrypt the message. If an
authenticated identity is present on the current thread, the class maps the
ID to the mapped name. For example, user1 is mapped to mappedName_1.
Otherwise, name="default". When a matching key is not found,
the authenticated identity is mapped to the default key specified in the binding
file.
- com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator
- This class, used by the response receiver, request sender, and request
receiver, maps a name to an alias. Encryption uses this class to obtain a
key to encrypt a message and digital signature uses this class to obtain a
key to sign a message. The com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator class
maps a logical name to a key alias in the key store file. For example, key
#105115176771 is mapped to CN=Alice, O=IBM, c=US.
- Specify the password that is used to access the keystore in the Key
store password field.
This field is optional if the key locator does
not use a keystore.
- Specify the path name that is used to access the keystore in the Key
store path field.
This field is optional if the key locator does not
use a keystore. Use ${USER_INSTALL_ROOT} in the path; this variable
expands to the WebSphere Application Server path on your machine.
- Select a keystore type from the Key store type field.
This field
is optional if the key locator does not use a keystore. Use the JKS option
if you are not using the Java Cryptography Extensions (JCE) keystore type,
and use JCEKS if you are using the JCE type.
- Configure default key locators at the cell level.
- Open the administrative console.
Type http://localhost:port_number/ibm/console or http://server_name:port_number/ibm/console in
your Web browser unless you have changed the port number.
- Click Security > Web services.
- Under Additional properties, click Key locators.
- Click New to configure a new key locator; select the
box next to a key locator name and click Delete to delete a key locator;
or click the name of a key locator to edit its configuration. If
you are configuring a new key locator or editing an existing one, complete
the following steps:
- Specify a name for the key locator in the Key locator name field.
- Specify a name for the key locator class implementation in the Key
locator class name field.
WebSphere Application Server has the following
default key locator class implementations:
- com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator
- This class, used by the response sender, maps an authenticated identity
to a key. If encryption is used, this class is used to locate a key to encrypt
the response message. The com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator class
can map an authenticated identity from the invocation credential
of the current thread to a key that is used to encrypt the message. If an
authenticated identity is present on the current thread, the class maps the
ID to the mapped name. For example, user1 is mapped to mappedName_1.
Otherwise, name="default". When a matching key is not found,
the authenticated identity is mapped to the default key specified in the binding
file.
- com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator
- This class, used by the response receiver, request sender, and request
receiver, maps a name to an alias. Encryption uses this class to obtain a
key to encrypt a message and digital signature uses this class to obtain a
key to sign a message. The com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator class
maps a logical name to a key alias in the key store file. For example, key
#105115176771 is mapped to CN=Alice, O=IBM, c=US.
- Specify the password that is used to access the keystore in the Key
store password field.
This field is optional if the key locator does
not use a keystore.
- Specify the path name that is used to access the keystore in the Key
store path field.
This field is optional if the key locator does not
use a keystore. Use ${USER_INSTALL_ROOT} in the path; this variable
expands to the WebSphere Application Server path on your machine.
- Select a keystore type from the Key store type field.
This field
is optional if the key locator does not use a keystore. Use the JKS option
if you are not using the Java Cryptography Extensions (JCE) keystore type,
and use JCEKS if you are using the JCE type.
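The following Java class is an added illustration, not WebSphere code, of what the two default key locator classes described above (in both the server-level and cell-level procedures) do with the console fields: it opens a JKS or JCEKS keystore with the configured path, type and password, maps a logical name or authenticated identity to a keystore alias, and falls back to the "default" mapping when no entry matches. The class name ExampleKeyLocator, the keystore path and the password are placeholders; the name-to-alias pairs are the ones quoted in the text.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.util.Map;
public class ExampleKeyLocator {
    private final KeyStore keyStore;
    private final char[] password;
    private final Map<String, String> nameToAlias; // e.g. "user1" -> "mappedName_1"

    // path, type and password correspond to the Key store path, Key store type
    // (JKS or JCEKS) and Key store password fields of the console procedure.
    public ExampleKeyLocator(String path, String type, char[] password,
                             Map<String, String> nameToAlias) throws Exception {
        this.keyStore = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            keyStore.load(in, password);
        }
        this.password = password; // assumes key entries share the store password
        this.nameToAlias = nameToAlias;
    }

    // Resolve a logical name or authenticated identity to an alias that exists
    // in the keystore; an unmapped or unknown name falls back to "default".
    public String aliasFor(String name) throws GeneralSecurityException {
        String alias = (name == null) ? null : nameToAlias.get(name);
        if (alias == null || !keyStore.containsAlias(alias)) {
            alias = nameToAlias.get("default");
        }
        if (alias == null || !keyStore.containsAlias(alias)) {
            throw new GeneralSecurityException("no key mapped for " + name);
        }
        return alias;
    }

    // Private/secret key for signing or decrypting; the certificate's public key
    // when the alias is a trusted-certificate entry used only for encryption.
    public Key keyFor(String name) throws GeneralSecurityException {
        String alias = aliasFor(name);
        Key key = keyStore.getKey(alias, password);
        return (key != null) ? key : keyStore.getCertificate(alias).getPublicKey();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample mapping from the text; path and password are placeholders.
        Map<String, String> map = Map.of("user1", "mappedName_1",
                                         "default", "CN=Alice, O=IBM, c=US");
        ExampleKeyLocator loc = new ExampleKeyLocator("/path/to/keystore.jks",
                                                      "JKS", "changeit".toCharArray(), map);
        System.out.println("user1 -> " + loc.aliasFor("user1"));
        System.out.println("bob   -> " + loc.aliasFor("bob")); // no mapping: "default" entry
    }
}
```

Run it against a keystore that actually contains the aliases mappedName_1 and CN=Alice, O=IBM, c=US; with a keystore that lacks the default alias, the second lookup fails with GeneralSecurityException, which is the condition the binding file's default key is meant to prevent.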