Configuring trust anchors on the server or cell level
Before completing the steps to configure trust anchors, create the keystore file with the keytool utility. WebSphere® Application Server provides keytool at install_dir/java/jre/bin/keytool.
This task provides the steps that are needed to configure a list of keystore objects that contain trusted root certificates. These objects are used for certificate path validation of incoming X.509-formatted security tokens. Keystore objects within trust anchors contain trusted root certificates that are used by the CertPath application programming interface (API) to determine whether to trust a certificate chain.
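The following is an added example, not part of the WebSphere documentation or product code, showing what the runtime does with a trust-anchor keystore: it loads only the trusted-certificate entries of a JKS, JCEKS or PKCS12 file as TrustAnchor objects and runs the standard Java CertPath (PKIX) validator over an incoming X.509 chain. The class name TrustAnchorCheck, the command-line arguments, and the PEM chain file (end-entity certificate first, root omitted) are assumptions for illustration; revocation checking is switched off because no CRL or OCSP source is configured here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical class name; added example, not WebSphere code.
public class TrustAnchorCheck {

    /**
     * Loads every trusted-certificate entry of the keystore as a TrustAnchor.
     * Private-key entries are skipped on purpose: a trust-anchor keystore should
     * hold only the root certificates you trust, never the server's own signing keys.
     */
    static Set<TrustAnchor> loadTrustAnchors(String path, char[] password, String type)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(type);   // "JKS", "JCEKS" or "PKCS12"
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isCertificateEntry(alias)) {
                continue;
            }
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }
        if (anchors.isEmpty()) {
            throw new IllegalStateException("no trusted certificate entries in " + path);
        }
        return anchors;
    }

    /**
     * Validates a PEM-encoded chain (end-entity first, intermediates after it,
     * root omitted) with the PKIX CertPathValidator against the given anchors.
     * Returns true only when the chain terminates at one of the trust anchors.
     */
    static boolean isTrusted(Set<TrustAnchor> anchors, String pemChainPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemChainPath)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        CertPath certPath = cf.generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(anchors);
        // Assumption: no CRL or OCSP source is wired up in this example, so
        // revocation checking is disabled; enable it where a source exists.
        params.setRevocationEnabled(false);
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return true;
        } catch (CertPathValidatorException ex) {
            System.err.println("chain rejected: " + ex.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: TrustAnchorCheck <keystore> <password> <JKS|JCEKS|PKCS12> <chain.pem>");
            System.exit(2);
        }
        Set<TrustAnchor> anchors = loadTrustAnchors(args[0], args[1].toCharArray(), args[2]);
        System.out.println("loaded " + anchors.size() + " trust anchor(s)");
        boolean ok = isTrusted(anchors, args[3]);
        System.out.println(ok ? "chain trusted" : "chain NOT trusted");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it as `java TrustAnchorCheck trust.jks <password> JKS chain.pem` after building the keystore with keytool (for example `keytool -importcert -trustcacerts -file root.pem -alias myroot -keystore trust.jks`). A useful check before registering the keystore in the console is that `keytool -list` shows only `trustedCertEntry` entries; the loader above rejects a file with no such entries, and a chain signed by a root that is not in the file fails validation with a "Path does not chain with any of the trust anchors" error.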
Complete the following steps to configure the trust anchors on the server level:
- Access the default bindings for the server level.
- Click Servers > Application servers > server_name.
- Under Security, click Web services: Default bindings for Web services security.
- Under Additional properties, click Trust anchors.
- Click New to create a trust anchor configuration, click Delete to delete an existing configuration, or click the name of an existing trust anchor configuration to edit its settings. If you are creating a new configuration, enter a unique name for the trust anchor in the Trust anchor name field.
- Specify a password in the Key store password field that is used to access the keystore file.
- Specify the absolute location of the keystore file in the Key store path field. It is recommended that you use the USER_INSTALL_ROOT variable as a portion of the keystore path. To change this predefined variable, click Environment > WebSphere variables. The USER_INSTALL_ROOT variable might display on the second page of variables.
- Specify the type of keystore file in the Key store type field. WebSphere Application Server supports the following keystore types:
  - JKS: Use this option if you are not using Java™ Cryptography Extensions (JCE) and your keystore file uses the Java Key Store (JKS) format.
  - JCEKS: Use this option if you are using Java Cryptography Extensions.
  - PKCS11KS (PKCS11): Use this option if your keystore file uses the PKCS#11 file format. Keystore files that use this format might contain Rivest Shamir Adleman (RSA) keys on cryptographic hardware, or might hold keys that are encrypted by cryptographic hardware for protection.
  - PKCS12KS (PKCS12): Use this option if your keystore file uses the PKCS#12 file format.
- Click OK and Save to save your configuration.
You have configured trust anchors at the server or cell level.