Web Services - Configure key locators for the generator binding with an assembly tool


Before you begin

Prior to completing this task, import your application into an assembly tool. For information on how to import your application, see Import enterprise applications. Before configuring a key locator, you should know which key information configuration will reference this key locator. For example, if you configure this key locator for the STRREF key information type, select the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator key locator class.

 

Overview

WebSphere Application Server v6.x provides default key locator implementations that you can choose from, or you can write your own implementation. Custom key locators must implement the com.ibm.wsspi.wssecurity.keyinfo.KeyLocator interface; a class that implements it can locate keys in any data source, not only a keystore file.

Complete the following steps to configure a key locator for the generator using an assembly tool. The purpose of the key locators is to retrieve keys from the keystore for digital signature and encryption. The request generator is configured for the client and the response generator is configured for the server. In the following steps, configure either the client-side bindings in step 2 or the server-side bindings in step 3.

 

Procedure

  1. Start the assembly tool and click Window > Open Perspective > J2EE.

  2. Optional: Locate the client-side bindings using the Project Explorer window. The Client Deployment Descriptor window is displayed. This Web service contains the bindings that we need to configure.

    1. Expand the Web Services > Client section and double-click the name of the Web service.

    2. Click the WS Binding tab and expand the Security Request Generator Binding Configuration section.

  3. Optional: Locate the server-side bindings using the Project Explorer window. The Web Services Editor window is displayed. This Web service contains the bindings that we need to configure.

    1. Expand the Web Services > Services section and double-click the name of the Web service.

    2. Click the Binding Configurations tab and expand the Response Generator Binding Configuration Details section.

  4. Expand the Key locators section and click Add to add a new entry or click Edit to edit a selected entry.

  5. Specify a name for this configuration in the Key locator name field. This configuration name is referenced in the Key locator field of the Key Information dialog.

  6. Select a key locator implementation in the Key locator class field. Select the key locator class that matches the Key Information configuration that references this key locator. The following default key locator class implementations are supported for v6.0.x applications:

    com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator

    This implementation locates and obtains the key from the specified keystore file.

    com.ibm.wsspi.wssecurity.keyinfo.SignerCertKeyLocator

    This implementation uses the public key from the certificate of the signer. This class implementation is used by the response generator.

    com.ibm.wsspi.wssecurity.keyinfo.X509TokenKeyLocator

    This implementation uses the X.509 security token from the sender message for digital signature validation and encryption. This class implementation is used by the request consumer and the response consumer.

  7. Select the Use key store option to configure a key store for this key locator. Whether we need to configure the key store information for a key locator depends upon the key locator class and your application configuration. For example, if you select the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator key locator class in the previous step, configure the key store information for this key locator.

    1. Specify a keystore password in the Key store storepass field. The keystore storepass is the password that is required to access the keystore file.

    2. Specify the path to the keystore file in the Key store path field. The key store path is the directory where the keystore resides. Make sure that the keystore file can be located from wherever you deploy your application. For this reason it is recommended that you use ${USER_INSTALL_ROOT} in the path name, because this variable expands to the WebSphere Application Server installation path on the machine where the application runs.

    3. Select a key store type from the Key store type field. The key store type that you select must match the keystore file that is specified in the Key store path field. The following keystore types are supported:

      JKS

      Use this option if you are not using Java Cryptography Extensions (JCE) and if your keystore file uses the Java Keystore (JKS) format.

      JCEKS

      Use this option if you are using Java Cryptography Extensions.

      PKCS11

      Use this format if your keystore uses the PKCS#11 file format. Keystores using this format might contain RSA keys on cryptographic hardware or might encrypt keys that use cryptographic hardware to ensure protection.

      PKCS12

      Use this option if your keystore uses the PKCS#12 file format.

  8. Click Add under the Key field to add a key entry from the keystore file that you specified in the previous step. This key is used for signature generation or encryption. The key that you specify must match the key that is used for validation or decryption for the consumer.

    1. Specify an alias name for the key in the Alias field. The key alias is used by the key locator to find the key within the keystore file.

    2. Specify the password that is associated with the key in the Key pass field. This password is needed to access the key object within the keystore file.

    3. Specify the key name in the Key name field. For digital signatures, the key name is used in the signing information for the request generator or response generator to determine which key is used to digitally sign the message. For encryption, the key name is used to determine which key is used for encryption. You must specify a fully qualified, distinguished name for the key name. For example, you might specify CN=Bob,O=IBM,C=US.

  9. Click OK to save the configuration.
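The values entered in steps 7 and 8 (keystore type, path, storepass, alias, keypass and key name) are exactly the inputs a keystore-backed key locator needs. The following Java class is an added example written for this page; it is not IBM's KeyStoreKeyLocator and does not use the com.ibm.wsspi.wssecurity.keyinfo.KeyLocator interface, whose method signatures are not given here. It uses only the standard java.security.KeyStore API to show the same lookup: open the keystore, unlock the entry by alias, and verify that the certificate subject matches the configured distinguished key name. The keystore path, the passwords and the way ${USER_INSTALL_ROOT} is resolved (from a system property of the same name) are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;

/**
 * Added example (not IBM's code): the lookup a keystore-based key locator performs
 * with the binding values from steps 7 and 8 of this page.
 */
public class KeyStoreLookupExample {

    /**
     * Expands ${USER_INSTALL_ROOT} in the configured Key store path. Resolving it
     * from a system property is an assumption for this example; the server itself
     * substitutes its installation root.
     */
    static String expandPath(String configuredPath) {
        String root = System.getProperty("USER_INSTALL_ROOT", ".");
        return configuredPath.replace("${USER_INSTALL_ROOT}", root);
    }

    /**
     * Opens a keystore of the configured Key store type with the Key store storepass.
     * JKS, JCEKS and PKCS12 are file based; a PKCS11 keystore lives on the token, so
     * it is loaded with a null stream and needs a PKCS#11 provider to be configured.
     */
    static KeyStore openKeyStore(String type, String path, char[] storepass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        if ("PKCS11".equalsIgnoreCase(type)) {
            ks.load(null, storepass);
            return ks;
        }
        try (InputStream in = new FileInputStream(expandPath(path))) {
            ks.load(in, storepass);
        }
        return ks;
    }

    /**
     * Returns the key stored under the Alias, unlocked with the Key pass, after
     * checking that the entry's certificate subject equals the configured Key name.
     * Comparing X500Principal objects tolerates whitespace and ordering differences
     * in the DN string, so "CN=Bob,O=IBM,C=US" matches "CN=Bob, O=IBM, C=US".
     */
    static Key locateKey(KeyStore ks, String alias, char[] keypass, String keyName) throws Exception {
        Key key = ks.getKey(alias, keypass);
        if (key == null) {
            throw new GeneralSecurityException("no key entry for alias " + alias);
        }
        Certificate cert = ks.getCertificate(alias);
        if (!(cert instanceof X509Certificate)) {
            throw new GeneralSecurityException("alias " + alias + " has no X.509 certificate");
        }
        X500Principal subject = ((X509Certificate) cert).getSubjectX500Principal();
        if (!subject.equals(new X500Principal(keyName))) {
            throw new GeneralSecurityException("key name " + keyName
                    + " does not match certificate subject " + subject.getName());
        }
        return key;
    }

    /** Usage: java KeyStoreLookupExample <storepass> <keypass> */
    public static void main(String[] args) throws Exception {
        // Placeholder values standing in for what would be typed into the binding editor.
        String type = "JKS";
        String path = "${USER_INSTALL_ROOT}/etc/example-keystore.jks"; // placeholder path
        String alias = "bob";                                          // placeholder alias
        String keyName = "CN=Bob,O=IBM,C=US";                          // DN from the page
        char[] storepass = args.length > 0 ? args[0].toCharArray() : new char[0];
        char[] keypass = args.length > 1 ? args[1].toCharArray() : storepass;

        KeyStore ks = openKeyStore(type, path, storepass);
        Key key = locateKey(ks, alias, keypass, keyName);
        System.out.println("located " + key.getAlgorithm() + " key for " + keyName);
    }
}
```

Passwords are taken from the command line rather than hard-coded so the example does not bake the storepass or keypass into source; in the binding editor they are stored in the deployment descriptor bindings, which is why the keystore file itself should sit under a path such as ${USER_INSTALL_ROOT} that is present and protected on every server where the application is deployed.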

 

Result

After you configure the key locator and any token generator that you need, you can configure the key information that references this key locator. For more information, see Configuring key information for the generator binding with an assembly tool.


 

See Also

Key locator

 

Related Tasks


Configuring key information for the generator binding with an assembly tool