Configuring the collection certificate store for the consumer binding
This task describes the steps to specify the collection certificate store for the consumer bindings at the application level using an assembly tool. A collection certificate store is a collection of non-root certificate authority (CA) certificates and certificate revocation lists (CRLs) that is used for validating an X.509 certificate embedded within the received SOAP message. The response consumer is configured for the client and the request consumer is configured for the server. In the following steps, configure either the client-side bindings in step 2 or the server-side bindings in step 3.
- Click Window > Open Perspective > J2EE.
- Optional:
Locate the client-side bindings in the Project Explorer window. When you complete the following steps, the Client Deployment Descriptor window is displayed; this Web service contains the bindings that you need to configure:
- Expand the Web Services > Client section and double-click the name of the Web service.
- Click the WS Binding tab and expand the Security Response Consumer Binding Configuration section.
- Optional:
Locate the server-side bindings in the Project Explorer window. When you complete the following steps, the Web Services Editor window is displayed; this Web service contains the bindings that you need to configure:
- Expand the Web Services > Services section and double-click the name of the Web service.
- Click the Binding Configurations tab and expand the Request Consumer Binding Configuration Details section.
- Expand the Certificate Store List > Collection Certificate Store section and click Add.
- Specify a unique certificate store name in the Name field. For example, specify cert1. The name of the collection certificate store must be unique on the level at which it is defined; for example, the name must be unique at the application level. The name specified in the Name field is used by other configurations to refer to a predefined collection certificate store. WebSphere® Application Server looks up the collection certificate store based on proximity. For example, if an application binding refers to certificate store cert1, WAS looks first for cert1 at the application level. If it is not found there, WAS looks at the server level, and finally at the cell level. Because the nearest definition wins, a store defined at the application level with the same name as a server-level or cell-level store takes precedence over it for that application.
- Specify a certificate store provider in the Provider field. The IBMCertPath certificate path provider is supported. To use another certificate path provider, define the provider implementation in the provider list within the java.security file in the Software Development Kit (SDK).
- Click Add under X509 Certificate to specify a fully qualified path to an X.509 certificate, click the name of an existing certificate path entry to edit it, or click Remove to delete it. This collection certificate store is used to validate the certificate path of the incoming X.509-formatted security tokens.
You can use the USER_INSTALL_ROOT variable as part of the path name. For example, you might specify ${USER_INSTALL_ROOT}/etc/ws-security/samples/intca2.cer. The sample certificate at that path is intended for testing only; do not rely on it in production. Obtain your own X.509 certificate from a certificate authority before putting your WAS environment into production.
In the WAS administrative console, you can click Environment > WebSphere Variables to configure the USER_INSTALL_ROOT variable.
- Click Add under CRL to specify the fully qualified path to a certificate revocation list (CRL), click an existing CRL entry to edit it or click Remove to delete it.
For portability reasons, it is recommended that you use the WAS variables to specify a relative path to the certificate revocation list. For example, you might use the USER_INSTALL_ROOT variable to define a path such as ${USER_INSTALL_ROOT}/mycertstore/mycrl. For a list of the supported variables in the WAS administrative console, click Environment > WebSphere Variables.
The following list provides recommendations for using CRLs:
- If CRLs are added to the collection certificate store, add the CRL issued by the root certificate authority and the CRL issued by each intermediate certificate authority, if applicable. When these CRLs are in the collection certificate store, the revocation status of every certificate in the chain is checked against the CRL of its issuer. A certificate whose issuer has no CRL in the store cannot have its revocation status checked.
- When the CRL file is updated, the new CRL does not take effect until you restart the Web service application.
- Before a CRL expires (that is, before its next-update time passes), load a new CRL into the collection certificate store to replace the old CRL. An expired CRL in the collection certificate store results in a certificate path (CertPath) build failure, so incoming tokens are rejected rather than accepted without a revocation check.
- Click OK to save your configuration.
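The following program is an added example, not code from WebSphere Application Server or the IBMCertPath provider. It models what the collection certificate store configured above does at run time: it holds the non-root CA certificates and CRLs, builds the path from a received X.509 token certificate to a separately held trust anchor, and checks every non-root certificate on that path against the CRL of its issuer, treating an expired CRL as a failure rather than a skipped check. Go's crypto/x509 is used so that the example runs stand-alone with no WebSphere installation; the type and function names (CollectionCertStore, Validate, Scenarios) are illustrative, and the root, intermediate, leaf certificates and CRLs are constructed in memory for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CollectionCertStore models WebSphere's collection certificate store (illustrative name):
// non-root CA certificates plus CRLs. Trust anchors (root CAs) are held separately.
type CollectionCertStore struct {
	Intermediates []*x509.Certificate
	CRLs          []*x509.RevocationList
}

// Validate builds a path from leaf to one of roots using the store's intermediates,
// then checks each non-root certificate on the path against a CRL from its issuer.
func Validate(leaf *x509.Certificate, roots *x509.CertPool, store *CollectionCertStore, now time.Time) error {
	inter := x509.NewCertPool()
	for _, c := range store.Intermediates {
		inter.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return fmt.Errorf("CertPath build failed: %w", err)
	}
	chain := chains[0] // leaf ... intermediate(s) ... root
	for i := 0; i+1 < len(chain); i++ {
		if err := checkAgainstCRL(chain[i], chain[i+1], store.CRLs, now); err != nil {
			return err
		}
	}
	return nil
}

// checkAgainstCRL finds the CRL signed by issuer and rejects cert if it is listed there.
// An expired CRL (NextUpdate in the past) is itself a failure, not a silent skip.
func checkAgainstCRL(cert, issuer *x509.Certificate, crls []*x509.RevocationList, now time.Time) error {
	for _, crl := range crls {
		if crl.CheckSignatureFrom(issuer) != nil {
			continue // issued by some other CA
		}
		if now.After(crl.NextUpdate) {
			return fmt.Errorf("CRL from %q expired at %s", issuer.Subject.CommonName, crl.NextUpdate.UTC())
		}
		for _, e := range crl.RevokedCertificateEntries {
			if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("certificate %q is revoked", cert.Subject.CommonName)
			}
		}
		return nil
	}
	return fmt.Errorf("no CRL in store for issuer %q", issuer.Subject.CommonName)
}

// --- constructed sample PKI (root -> intermediate -> leaf), generated in memory ---

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func template(cn string, serial int64, ca bool, now time.Time) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if ca {
		ku |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: ku,
	}
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

func issueCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, now, nextUpdate time.Time, revoked ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: nextUpdate}
	for _, s := range revoked {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries,
			x509.RevocationListEntry{SerialNumber: s, RevocationTime: now.Add(-time.Minute)})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
	if err != nil {
		panic(err)
	}
	crl, _ := x509.ParseRevocationList(der)
	return crl
}

// Scenarios runs the cases the CRL recommendations above describe and returns the
// validation result of each: a good chain, a revoked leaf, and an expired intermediate CRL.
func Scenarios() (good, revoked, expired error) {
	now := time.Now()
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	root := sign(template("Root CA", 1, true, now), nil, &rootKey.PublicKey, rootKey)
	inter := sign(template("Intermediate CA", 2, true, now), root, &interKey.PublicKey, rootKey)
	leaf := sign(template("soap-client", 3, false, now), inter, &leafKey.PublicKey, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	rootCRL := issueCRL(root, rootKey, now, now.Add(12*time.Hour)) // covers the intermediate
	store := &CollectionCertStore{Intermediates: []*x509.Certificate{inter}}

	store.CRLs = []*x509.RevocationList{rootCRL, issueCRL(inter, interKey, now, now.Add(12*time.Hour))}
	good = Validate(leaf, roots, store, now)
	store.CRLs = []*x509.RevocationList{rootCRL, issueCRL(inter, interKey, now, now.Add(12*time.Hour), leaf.SerialNumber)}
	revoked = Validate(leaf, roots, store, now)
	store.CRLs = []*x509.RevocationList{rootCRL, issueCRL(inter, interKey, now, now.Add(-30*time.Minute))}
	expired = Validate(leaf, roots, store, now)
	return good, revoked, expired
}

func main() {
	good, revoked, expired := Scenarios()
	fmt.Println("valid chain:  ", good)
	fmt.Println("revoked leaf: ", revoked)
	fmt.Println("expired CRL:  ", expired)
}
```

The point to take from the three scenarios is the one the recommendations make: the root CA's CRL is what covers the intermediate certificate and the intermediate CA's CRL is what covers the token certificate, so both must be present, and a CRL whose next-update time has passed fails the whole path instead of being ignored.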
Related tasks
Configuring token consumers with an assembly tool