Configuring the key locator for the consumer binding with an assembly tool
Before configuring a key locator, you should know which key information configuration references this key locator. For example, if you configure this key locator for the STRREF key information type, select the com.ibm.wsspi.wssecurity.keyinfo.X509TokenKeyLocator key locator class.
WebSphere® Application Server Version 6 provides default key locator implementations that you can choose or you can write your own implementation. Custom key locators must implement the com.ibm.wsspi.wssecurity.keyinfo.KeyLocator interface. Using this implementation, you can locate keys within any data source.
Complete the following steps to configure a key locator for the consumer using an assembly tool. The purpose of the key locators is to find keys or certificates. The key locator information on the consumer side is used to find the key for validating the digital signature in the received SOAP message or for decrypting the encrypted parts of the message. The response consumer is configured for the client and the request consumer is configured for the server. In the following steps, configure either the client-side bindings in step 2 or the server-side bindings in step 3.
- Click Window > Open Perspective > J2EE.
- Optional: Locate the client-side bindings using the Project Explorer window. The Client Deployment Descriptor window is displayed. This Web service contains the bindings that you need to configure. Complete the following steps to locate the client-side bindings:
  - Expand the Web Services > Client section and double-click the name of the Web service.
  - Click the WS Binding tab and expand the Security Response Consumer Binding Configuration section.
- Optional: Locate the server-side bindings using the Project Explorer window. The Web Services Editor window is displayed. This Web service contains the bindings that you need to configure. Complete the following steps to locate the server-side bindings:
  - Expand the Web Services > Services section and double-click the name of the Web service.
  - Click the Binding Configurations tab and expand the Request Consumer Binding Configuration Details section.
- Expand the Key locators section and click Add to add a new entry or click Edit to edit a selected entry.
- Specify a name for this configuration in the Key locator name field. This configuration name is referenced in the Key locator field of the Key Information dialog.
- Select a key locator implementation in the Key locator class field. Select the key locator class that matches the Key Information configuration that references this key locator. For example, select the com.ibm.wsspi.wssecurity.keyinfo.X509TokenKeyLocator key locator class if the received Simple Object Access Protocol (SOAP) message contains an X.509 certificate that is needed for signature validation. Select the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator key locator class if the key that is required for signature validation or decryption needs to be specified using a keystore file. The com.ibm.wsspi.wssecurity.keyinfo.SignerCertKeyLocator key locator class is not used on the consumer side. It is typically used in the response generator configuration for encrypting the response message using the signer key from the request message.
- Select the Use key store option if you need to configure a key store for this key locator. Whether you need to configure the key store information for a key locator depends upon the key locator class and your application configuration. For example, if you select the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator key locator class in the previous step, configure the key store information for this key locator.
- Specify a keystore password in the Key store storepass field. The keystore storepass is the password that is required to access the keystore file.
- Specify the path to the keystore file in the Key store path field. The key store path is the directory where the keystore resides. Make sure that the server can locate your keystore file wherever you deploy your application.
- Select a key store type from the Key store type field. The key store type that you select must match the keystore file that is specified in the Key store path field. The following keystore types are supported:
  - JKS: Use this option if you are not using Java™ Cryptography Extensions (JCE) and if your keystore file uses the Java Keystore (JKS) format.
  - JCEKS: Use this option if you are using Java Cryptography Extensions.
  - PKCS11: Use this format if your keystore uses the PKCS#11 file format. Keystores using this format might contain RSA keys on cryptographic hardware or might encrypt keys that use cryptographic hardware to ensure protection.
  - PKCS12: Use this option if your keystore uses the PKCS#12 file format.
- Click Add under the Key field to add a key entry from the keystore file that you specified in the previous step. This key is used for signature validation or decryption. The key that you specify must match the key that is used for digital signing or encryption for the generator. Complete the following steps to add a key entry:
  - Specify an alias name for the key in the Alias field.
  - Specify the password that is associated with the key in the Key pass field. This password protects the private key of the key pair that is specified by this key.
  - Specify the key name in the Key name field. The key name specifies the Distinguished Name (DN) for the owner of the key.
- Click OK to save the key locator configuration.
After you configure the key locator and any token consumer that you need to configure, you can configure the key information that references this key locator. For more information, see Configuring key information for the consumer binding.
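As an added example (not part of this documentation and not one of WebSphere's own classes), the following Java program shows what the fields of the Key locator dialog mean at runtime for the KeyStoreKeyLocator case and can be run to check a configuration before deployment: the key store type must open the file, the storepass opens the keystore, the keypass (which may differ from the storepass) unlocks the private key under the alias, and the key name must equal the certificate's subject DN. The path, passwords, alias and DN are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;

/** Hypothetical helper (not WebSphere code): checks that the Key locator dialog values resolve to a usable key. */
public final class KeyLocatorConfigCheck {
    public static void main(String[] args) throws Exception {
        // Placeholder values: substitute what you entered in the assembly tool.
        String keyStorePath = "/PATH/TO/consumer-keystore.jks";   // Key store path
        char[] storePass = "STOREPASS_PLACEHOLDER".toCharArray();  // Key store storepass
        String keyStoreType = "JKS";      // Key store type: JKS, JCEKS or PKCS12 (PKCS11 needs a provider, not covered here)
        String alias = "consumer";                                  // Alias
        char[] keyPass = "KEYPASS_PLACEHOLDER".toCharArray();      // Key pass
        String keyName = "CN=consumer, O=Example, C=US";            // Key name (owner DN)
        X509Certificate cert = checkKeyLocator(keyStorePath, storePass, keyStoreType, alias, keyPass, keyName);
        System.out.println("OK: " + alias + " -> " + cert.getSubjectX500Principal().getName());
    }

    /** Returns the certificate the locator would hand back, or throws on the first inconsistent field. */
    static X509Certificate checkKeyLocator(String keyStorePath, char[] storePass, String keyStoreType,
                                           String alias, char[] keyPass, String keyName) throws Exception {
        // The type must match the file format; a mismatch fails here rather than while processing SOAP messages.
        KeyStore ks = KeyStore.getInstance(keyStoreType);
        try (InputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, storePass);          // storepass opens the keystore file
        }
        if (ks.isKeyEntry(alias)) {
            // Private-key entry (needed for decryption); keypass protects it and may differ from storepass.
            Key key = ks.getKey(alias, keyPass);    // wrong keypass -> UnrecoverableKeyException
            if (!(key instanceof PrivateKey)) {
                throw new IllegalStateException("alias " + alias + " holds no private key");
            }
        }
        // A trusted-certificate entry is enough for signature validation; keypass is then unused.
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("alias " + alias + " not found or has no certificate");
        }
        // Compare DNs as X500Principal values, not strings: attribute order and spacing differ between tools.
        if (!new X500Principal(keyName).equals(cert.getSubjectX500Principal())) {
            throw new IllegalStateException("Key name " + keyName + " does not match certificate subject "
                    + cert.getSubjectX500Principal().getName());
        }
        return cert;
    }
}
```

Run it with the same JDK and keystore file the server will use, since a keystore that opens on the build machine but not under the deployed server's path is exactly the failure the Key store path step warns about.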
Related tasks
Configuring key information for the consumer binding