Configure the gateway security bindings
You use the Gateway -> Security option to configure all the security bindings (the tokens, keys, signatures and encryption methods) that are available to the gateway. This information describes the security bindings that are used to secure the SOAP messages that pass between service requesters (clients) and the gateway, and between target services and the gateway.
You receive this security binding information directly from the service requester or target service provider, in the form of an ibm-webservicesclient-bnd.xmi file for the client, and an ibm-webservices-bnd.xmi file for the Web service. You extract the information from these .xmi files, then manually enter it into the gateway security bindings forms that are described below.
- Display the Web services gateway administrative user interface.
- In the navigation pane, click Gateway -> Security. The Configure Gateway Security Bindings form is displayed.
This form is divided into eight sections, one for each type of security binding. The following comments apply to every section:
- To add a new binding, click Add new binding_type.
- To amend an existing binding, click on the name of the binding.
- To delete an existing binding, click remove alongside the name of the binding.
- If you choose to add or amend a binding, then a binding information sub-form is displayed. Within this form:
  - Help is provided in comments on the sub-form, and in hover-help alongside each field.
  - Fields marked on the sub-form with an asterisk (*) are required fields.
  - For some bindings, the fields that are required are different depending on whether you are adding or amending a binding.
  - Many fields are populated by making a selection from a drop-down list.
  - Information entered in one binding information sub-form often appears in a drop-down list in another sub-form.
  - When you have finished entering information for a binding, click OK.
- Add, amend or delete Signing Information.
The signing information specifies the configuration for digital signature validation and message signing.
If you choose to add or amend a signing information binding, then the Define Signing Information form is displayed. In this form you enter a name for the binding (if you are adding a new binding), and the following binding details:
- Signature method
- Digest method
- Canonicalization method
- Signing key name
- Signing Key Locator
- Certificate Path (a choice between trusting any certificates, and trusting certificates from a particular Trust Anchor and Certificate Store).
Note: The signing information can also be used for X.509 certificate validation when Authentication Method is IDAssertion and ID Type is X509Certificate in the gateway service configuration. In such cases, fill in the "Certificate Path" fields only.
- Add, amend or delete Encryption Information.
The encryption information specifies the configuration for encrypting and decrypting messages.
If you choose to add or amend an encryption information binding, then the Define Encryption Information form is displayed. In this form you enter a name for the binding (if you are adding a new binding), and the following binding details:
- Add, amend or delete Trust Anchors.
A trust anchor specifies a list of key store configurations that contain root trusted certificates.
If you choose to add or amend a trust anchor, then the Define Trust Anchor form is displayed. In this form you enter a name for the trust anchor (if you are adding a new anchor), and the following details:
Note: These configurations are used for certificate path validation of the incoming X.509-formatted security tokens. The keystore must be created using the Java Development Kit keytool. The ikeyman tool is not supported.
- Add, amend or delete Certificate Stores.
A certificate store specifies a list of untrusted, intermediate certificate files. It is used for certificate path validation of incoming X.509-formatted security tokens.
If you choose to add or amend a certificate store, then the Define Certificate Store form is displayed. In this form you enter a name for the certificate store (if you are adding a new store), and the following details:
- Certificate Store Provider
When you amend an existing certificate store, you are given an extra option to add or remove X.509 certificates from the list of certificates that are contained within this store. When you add an X.509 certificate, you specify the full path for the certificate.
- Add, amend or delete Key Locators.
A key locator specifies a configuration that is used to retrieve keys for signature and encryption. A key locator class can be customized to retrieve keys from other types of repositories. The default implementation retrieves keys from a keystore.
If you choose to add or amend a key locator, then the Define Key Locators form is displayed. In this form you enter a name for the key locator (if you are adding a new key locator), and the following details:
When you amend an existing key locator, you are given two extra options:
- Add or remove key entries. For each additional key, you specify:
Note: You do not need to list all the certificate entries as keys; instead, the distinguished name (DN) of the certificate is used as the search key.
- Add or remove additional properties for the configuration. For each additional property, you specify:
- Add, amend or delete Trusted ID Evaluators.
A trusted ID evaluator determines whether the identity (ID)-asserting authority is trusted.
If you choose to add or amend a trusted ID evaluator, then the Define Trusted ID Evaluator form is displayed. In this form you enter a name for the trusted ID evaluator (if you are adding a new evaluator), and the following details:
- Class name
When you amend an existing trusted ID evaluator, you are given an extra option to add or remove additional properties for the configuration. For each additional property, you specify:
- Add, amend or delete Login Mappings.
A login mapping specifies a configuration for validating security tokens within incoming messages.
If you choose to add or amend a login mapping, then the Define Login Mapping form is displayed. In this form you enter a name for the login mapping (if you are adding a new mapping), and the following details:
- Authentication method
- JAAS Configuration name
- Callback handler factory class name
- Token type local name
- Token type URI
When you amend an existing login mapping, you are given extra options to add or remove additional properties for the configuration, and additional properties for the callback handler factory. For each additional property, you specify:
- Add, amend or delete Login Bindings.
A login binding specifies a configuration for generating security tokens within outgoing messages.
If you choose to add or amend a login binding, then the Define Login Binding form is displayed. In this form you enter a name for the login binding (if you are adding a new binding), and the following details:
- Authentication method
- JAAS Configuration name
- Callback handler factory class name
- Token type local name
- Token type URI
When you amend an existing login binding, you are given extra options to add or remove additional properties for the configuration, and additional properties for the callback handler. For each additional property, you specify:
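To show what the Trust Anchor and Certificate Store bindings are used for, here is an added example that is not code from this page or from the gateway: certificate path validation of an incoming X.509 certificate with the standard JDK PKIX APIs, using a keytool-built keystore as the trust anchor and intermediate certificate files as the certificate store. The file names and the keystore password are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

/* Constructed illustration (standard JDK APIs, not the gateway's own code) of what the
 * Trust Anchor and Certificate Store bindings feed into: PKIX certificate path validation
 * of an incoming X.509 token certificate. File names and the password are placeholders. */
public class CertPathCheck {
    /* Trust anchors: every trusted-certificate entry of a keytool-built keystore. */
    static Set<TrustAnchor> trustAnchors(KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias))
                anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
        }
        return anchors;
    }

    /* Certificate path validation: the incoming certificate must chain, through the untrusted
     * intermediates of the certificate store, to a trust anchor; throws CertPathBuilderException if not. */
    static PKIXCertPathBuilderResult validate(X509Certificate incoming, Set<TrustAnchor> anchors,
                                              List<X509Certificate> intermediates) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(incoming);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(intermediates)));
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP source configured here
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    /* Reads one DER or PEM certificate file given by full path. */
    static X509Certificate readCert(CertificateFactory cf, String path) throws Exception {
        try (FileInputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("trust-anchors.jks")) { // placeholder
            ks.load(in, "changeit".toCharArray());                          // placeholder
        }
        List<X509Certificate> store = List.of(readCert(cf, "/path/to/intermediate-ca.cer"));
        PKIXCertPathBuilderResult r = validate(readCert(cf, "requester.cer"), trustAnchors(ks), store);
        System.out.println("Chains to: " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

A certificate whose chain does not reach an entry in the trust anchor keystore fails with CertPathBuilderException, which is the same outcome the gateway's certificate path check produces when an incoming token is signed by an untrusted issuer.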