Default configuration
You can use sample configurations with the console for testing purposes. The configurations specified are reflected on the cell or server level.
This information describes the sample default bindings, keystores, key locators, collection certificate store, trust anchors, and trusted ID evaluators.
Do not use these configurations in a production environment; they are for sample and testing purposes only. To modify these sample configurations, it is recommended that you use the administrative console provided by WebSphere Application Server.
For a Web services security-enabled application, correctly configure a deployment descriptor and a binding. In WebSphere Application Server V6 and later, one set of default bindings is shared by the applications to make application deployment easier. The default binding information for the cell level and the server level can be overridden by the binding information on the application level. The Application Server searches for binding information for an application on the application level before searching the server level, and then the cell level.
Default generator binding
WebSphere Application Server V6.x and later provide a sample set of default generator bindings. The default generator bindings contain both signing information and encryption information. The sample signing information configuration is called gen_signinfo and contains the following configurations:
- Uses the following algorithms for the gen_signinfo configuration:
  - Signature method: http://www.w3.org/2000/09/xmldsig#rsa-sha1
  - Canonicalization method: http://www.w3.org/2001/10/xml-exc-c14n#
- References the gen_signkeyinfo signing key information. The following information pertains to the gen_signkeyinfo configuration:
  - Uses the security token reference, which is the configured default key information.
  - Uses the SampleGeneratorSignatureKeyStoreKeyLocator key locator. For more information on this key locator, see Sample key locators.
  - Uses the gen_signtgen token generator, which contains the following configuration:
    - Contains the X.509 token generator, which generates the X.509 token of the signer.
    - Contains the gen_signtgen_vtype value type URI.
    - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509 value type local name value.
    - Uses the X.509 Callback Handler, which accesses the ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks keystore:
      - The keystore password is client.
      - The alias name of the trusted certificate is soapca.
      - The alias name of the personal certificate is soaprequester.
      - The key password is client. The personal certificate is issued by the intermediary certificate authority Int CA2, which is in turn issued by soapca.
- Contains a part reference configuration that is called gen_signpart. The part reference is not used in the default binding: the signing information applies to all of the Integrity or RequiredIntegrity elements within the deployment descriptors, and the part reference is used for naming purposes only. The following information pertains to the gen_signpart configuration:
  - Uses the transform configuration called transform1. The following transforms are configured for the default signing information:
    - Uses the http://www.w3.org/2001/10/xml-exc-c14n# algorithm
    - Uses the http://www.w3.org/2000/09/xmldsig#sha1 digest method
The sample encryption information configuration is called gen_encinfo and contains the following configurations:
- Uses the following algorithms for the gen_encinfo configuration:
  - Data encryption method: http://www.w3.org/2001/04/xmlenc#tripledes-cbc
  - Key encryption method: http://www.w3.org/2001/04/xmlenc#rsa-1_5
- References the gen_enckeyinfo encryption key information. The following information pertains to the gen_enckeyinfo configuration:
  - Uses the key identifier as the default key information.
  - Contains a reference to the SampleGeneratorEncryptionKeyStoreKeyLocator key locator. For more information on this key locator, see Sample key locators.
  - Uses the gen_signtgen token generator, which has the following configuration:
    - Contains the X.509 token generator, which generates the X.509 token of the signer.
    - Contains the gen_enctgen_vtype value type URI.
    - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509 value type local name value.
    - Uses the X.509 Callback Handler, which accesses the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks keystore:
      - The keystore password is storepass.
      - The secret key CN=Group1 has an alias name of Group1 and a key password of keypass.
      - The public key CN=Bob, O=IBM, C=US has an alias name of bob and a key password of keypass.
      - The private key CN=Alice, O=IBM, C=US has an alias name of alice and a key password of keypass.
Default consumer binding
WebSphere Application Server V6 and later provide a sample set of default consumer bindings. The default consumer bindings contain both signing information and encryption information. The sample signing information configuration is called con_signinfo and contains the following configurations:
- Uses the following algorithms for the con_signinfo configuration:
  - Signature method: http://www.w3.org/2000/09/xmldsig#rsa-sha1
  - Canonicalization method: http://www.w3.org/2001/10/xml-exc-c14n#
- Uses the con_signkeyinfo signing key information reference. The following information pertains to the con_signkeyinfo configuration:
  - Uses the security token reference, which is the configured default key information.
  - Uses the SampleX509TokenKeyLocator key locator. For more information on this key locator, see Sample key locators.
  - References the con_signtcon token consumer configuration. The following information pertains to the con_signtcon configuration:
    - Uses the X.509 Token Consumer, which is configured as the consumer for the default signing information.
    - Contains the signtconsumer_vtype value type URI.
    - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509 value type local name value.
    - Contains a JAAS configuration called system.wssecurity.X509BST that references the following information:
      - Trust anchor: SampleClientTrustAnchor
      - Collection certificate store: SampleCollectionCertStore
- Contains a part reference configuration that is called con_signpart. The part reference is not used in the default binding: the signing information applies to all of the Integrity or RequiredIntegrity elements within the deployment descriptors, and the part reference is used for naming purposes only. The following information pertains to the con_signpart configuration:
  - Uses the transform configuration called reqint_body_transform1. The following transforms are configured for the default signing information:
    - Uses the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
    - Uses the http://www.w3.org/2000/09/xmldsig#sha1 digest method.
The encryption information configuration is called con_encinfo and contains the following configurations:
- Uses the following algorithms for the con_encinfo configuration:
  - Data encryption method: http://www.w3.org/2001/04/xmlenc#tripledes-cbc
  - Key encryption method: http://www.w3.org/2001/04/xmlenc#rsa-1_5
- References the con_enckeyinfo encryption key information. This key actually decrypts the message. The following information pertains to the con_enckeyinfo configuration:
  - Uses the key identifier, which is configured as the key information for the default encryption information.
  - Contains a reference to the SampleConsumerEncryptionKeyStoreKeyLocator key locator. For more information on this key locator, see Sample key locators.
  - References the con_enctcon token consumer configuration. The following information pertains to the con_enctcon configuration:
    - Uses the X.509 token consumer, which is configured for the default encryption information.
    - Contains the enctconsumer_vtype value type URI.
    - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509 value type local name value.
    - Contains a JAAS configuration called system.wssecurity.X509BST.
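To see what the gen_signinfo and con_signinfo settings above produce on the wire, the following added example (not IBM's code) signs a SOAP Body with the JDK's javax.xml.crypto.dsig API using exactly the documented algorithm URIs (exclusive canonicalization, the SHA-1 digest method and rsa-sha1) and then verifies both the fresh message and a tampered copy, as a consumer binding would. The envelope is a constructed sample; the signing key is the soaprequester entry of dsig-sender.ks with the store and key passwords listed on this page, and USER_INSTALL_ROOT is assumed to be available as an environment variable. A real WS-Security message carries the Signature inside a wsse:Security header and references the signer's BinarySecurityToken through a SecurityTokenReference, as the gen_signtgen token generator describes; this example places the Signature directly in soapenv:Header with an X509Data KeyInfo so the algorithm choices stay in focus.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.StringReader;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

/* Added example, not IBM code: sign and verify a SOAP Body with the algorithms of the
 * sample gen_signinfo / transform1 configuration, using the soaprequester sample key. */
public class SampleBodySignature {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSU  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    // Assumption: USER_INSTALL_ROOT is exported in the environment of the JVM running this example.
    static final String SAMPLES = System.getenv("USER_INSTALL_ROOT") + "/etc/ws-security/samples/";

    // Constructed sample envelope; the wsu:Id lets the Reference address the Body as "#body".
    static final String ENVELOPE =
        "<soapenv:Envelope xmlns:soapenv=\"" + SOAP + "\" xmlns:wsu=\"" + WSU + "\">"
      + "<soapenv:Header/>"
      + "<soapenv:Body wsu:Id=\"body\"><getQuote><symbol>IBM</symbol></getQuote></soapenv:Body>"
      + "</soapenv:Envelope>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Mark wsu:Id as an ID attribute so URI="#body" can be dereferenced on both sides. */
    static void registerBodyId(Document doc) {
        Element body = (Element) doc.getElementsByTagNameNS(SOAP, "Body").item(0);
        body.setIdAttributeNS(WSU, "Id", true);
    }

    /** Generator side: gen_signinfo algorithms, transform1 transforms, signer certificate in KeyInfo. */
    static void sign(Document doc, PrivateKey key, X509Certificate cert) throws Exception {
        registerBodyId(doc);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // transform1: exclusive canonicalization of the Body, then the SHA-1 digest method
        Transform excC14n = fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null);
        Reference bodyRef = fac.newReference("#body", fac.newDigestMethod(DigestMethod.SHA1, null),
                Collections.singletonList(excC14n), null, null);
        // gen_signinfo: canonicalization http://www.w3.org/2001/10/xml-exc-c14n#, signature rsa-sha1
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
                Collections.singletonList(bodyRef));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newX509Data(Collections.singletonList(cert))));
        Element header = (Element) doc.getElementsByTagNameNS(SOAP, "Header").item(0);
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(key, header));
    }

    /** Consumer side: verify the signature with the signer's public key; false if anything signed changed. */
    static boolean verify(Document doc, X509Certificate signerCert) throws Exception {
        registerBodyId(doc);
        Element sigElem = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(signerCert.getPublicKey(), sigElem);
        // JDK 17 and later enable secure validation by default and reject SHA-1 based XML signature
        // algorithms; the sample algorithms can only be checked with that policy relaxed (test keystores only).
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.FALSE);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        return fac.unmarshalXMLSignature(ctx).validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(SAMPLES + "dsig-sender.ks")) {
            ks.load(in, "client".toCharArray());           // documented store password
        }
        PrivateKey key = (PrivateKey) ks.getKey("soaprequester", "client".toCharArray());
        X509Certificate cert = (X509Certificate) ks.getCertificate("soaprequester");

        Document doc = parse(ENVELOPE);
        sign(doc, key, cert);
        System.out.println("fresh signature valid: " + verify(doc, cert));

        // Alter the signed Body: the SHA-1 digest no longer matches, so validation fails.
        doc.getElementsByTagName("symbol").item(0).setTextContent("XYZ");
        System.out.println("after tampering valid: " + verify(doc, cert));
    }
}
```

The verify() step shows why the sample algorithms belong to test configurations: current JDKs refuse SHA-1 based XML signatures under their default secure validation policy, so a consumer that keeps the default policy needs SHA-2 based digest and signature methods in its binding rather than a relaxed validator.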
Sample keystore configurations
WebSphere Application Server provides the following keystores. You can work with these keystores outside of the Application Server by using the iKeyman utility or the key tool. Depending on the platform, the utilities are located in the following directories:
- The iKeyman utility: app_server_root/bin/ikeyman or app_server_root\bin\ikeyman.sh
- The key tool: app_server_root/java/jre/bin/keytool or app_server_root\java\jre\bin\keytool.sh
The following sample keystores are for testing purposes only; do not use these keystores in a production environment:
- ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks
  - The keystore format is JKS.
  - The keystore password is client.
  - The trusted certificate has a soapca alias name.
  - The personal certificate has a soaprequester alias name and a client key password. It is issued by the Int CA2 intermediary certificate authority, which is, in turn, issued by soapca.
- ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
  - The keystore format is JKS.
  - The keystore password is server.
  - The trusted certificate has a soapca alias name.
  - The personal certificate has a soapprovider alias name and a server key password. It is issued by the Int CA2 intermediary certificate authority, which is, in turn, issued by soapca.
- ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks
  - The keystore format is JCEKS.
  - The keystore password is storepass.
  - The CN=Group1 DES secret key has a Group1 alias name and a keypass key password.
  - The CN=Bob, O=IBM, C=US public key has a bob alias name and a keypass key password.
  - The CN=Alice, O=IBM, C=US private key has an alice alias name and a keypass key password.
- ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks
  - The keystore format is JCEKS.
  - The keystore password is storepass.
  - The CN=Group1 DES secret key has a Group1 alias name and a keypass key password.
  - The CN=Bob, O=IBM, C=US private key has a bob alias name and a keypass key password.
  - The CN=Alice, O=IBM, C=US public key has an alice alias name and a keypass key password.
- ${USER_INSTALL_ROOT}/etc/ws-security/samples/intca2.cer
  - The intermediary certificate is signed by soapca, and it signs both the soaprequester and the soapprovider certificates.
Sample key locators
Key locators are used to locate the key for digital signature, encryption, and decryption. For information on how to modify these sample key locator configurations, see the following articles:
- Configure the key locator using JAX-RPC for the generator binding on the application level
- Configure the key locator using JAX-RPC for the consumer binding on the application level
- Configure the key locator using JAX-RPC on the server or cell level
- SampleClientSignerKey: This key locator is used by the request sender for a V5.x application to sign the Simple Object Access Protocol (SOAP) message. The signing key name is clientsignerkey, which is referenced in the signing information as the signing key name.
- SampleServerSignerKey: This key locator is used by the response sender for a V5.x application to sign the SOAP message. The signing key name is serversignerkey, which can be referenced in the signing information as the signing key name.
- SampleSenderEncryptionKeyLocator: This key locator is used by the sender for a V5.x application to encrypt the SOAP message. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks keystore and the com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator keystore key locator. The implementation is configured for the DES secret key. To use asymmetric encryption (RSA), add the appropriate RSA keys.
- SampleReceiverEncryptionKeyLocator: This key locator is used by the receiver for a V5.x application to decrypt the encrypted SOAP message. The implementation is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks keystore and the com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator keystore key locator. The implementation is configured for symmetric encryption (DES or TRIPLEDES). To use RSA, add the private key CN=Bob, O=IBM, C=US, alias name bob, and key password keypass.
- SampleResponseSenderEncryptionKeyLocator: This key locator is used by the response sender for a V5.x application to encrypt the SOAP response message. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks keystore and the com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator keystore key locator. This key locator maps an authenticated identity (of the current thread) to a public key for encryption. By default, WebSphere Application Server is configured to map to the public key alice; change this mapping to the appropriate user for your environment. The SampleResponseSenderEncryptionKeyLocator key locator can also set a default key for encryption. By default, it is configured to use the public key alice.
- SampleGeneratorSignatureKeyStoreKeyLocator: This key locator is used by the generator to sign the SOAP message. The signing key name is SOAPRequester, which is referenced in the signing information as the signing key name. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks keystore and the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator keystore key locator.
- SampleConsumerSignatureKeyStoreKeyLocator: This key locator is used by the consumer to verify the digital signature in the SOAP message. The signing key is SOAPProvider, which is referenced in the signing information. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks keystore and the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator keystore key locator.
- SampleGeneratorEncryptionKeyStoreKeyLocator: This key locator is used by the generator to encrypt the SOAP message. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks keystore and the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator keystore key locator.
- SampleConsumerEncryptionKeyStoreKeyLocator: This key locator is used by the consumer to decrypt an encrypted SOAP message. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks keystore and the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator keystore key locator.
- SampleX509TokenKeyLocator: This key locator is used by the consumer to verify an X.509 digital certificate. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks keystore and the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator keystore key locator.
Sample collection certificate store
Collection certificate stores are used to validate the certificate path. For information on how to modify this sample collection certificate store, see the following articles:
- Configure the collection certificate store for the generator binding on the application level
- Configure the collection certificate store for the consumer binding on the application level
- Configure the collection certificate on the server or cell level
- SampleCollectionCertStore: This collection certificate store is used by the response consumer and the request generator to validate the signer certificate path.
Sample trust anchors
Trust anchors are used to validate the trust of the signer certificate. For information on how to modify the sample trust anchor configurations, see the following articles:
- Configure trust anchors for the generator binding on the application level
- Configure trust anchors for the consumer binding on the application level
- Configure trust anchors on the server or cell level
- SampleClientTrustAnchor: This trust anchor is used by the response consumer to validate the signer certificate. It is configured to access the ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks keystore.
- SampleServerTrustAnchor: This trust anchor is used by the request consumer to validate the signer certificate. It is configured to access the ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks keystore.
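The sample keystores, the collection certificate store and the trust anchors described above are the three ingredients a consumer binding combines when it decides whether to trust a signer's certificate. The following added example (not IBM's code) puts them together with the JDK's PKIX classes: the soapca entry of dsig-sender.ks acts as the trust anchor, intca2.cer populates a collection certificate store, and the soaprequester certificate is the end entity being validated, so the expected path is soaprequester to Int CA2 to soapca. It then repeats the check with an empty collection store to show the failure an incomplete store produces. Store and key passwords are the sample values listed on this page; USER_INSTALL_ROOT is assumed to be available as an environment variable. Validity is checked against the current date, so if the sample certificates have expired the builder reports that as well.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Set;

/* Added example, not IBM code: chain the sample signer certificate to its trust anchor the way a
 * consumer binding does, with soapca as trust anchor and intca2.cer in a collection certificate store. */
public class SampleChainCheck {
    // Assumption: USER_INSTALL_ROOT is exported in the environment of the JVM running this check.
    static final String SAMPLES = System.getenv("USER_INSTALL_ROOT") + "/etc/ws-security/samples/";

    /** Load a keystore of the given type (JKS or JCEKS for the samples) from disk. */
    static KeyStore load(String file, String type, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    /** Read one DER or PEM encoded X.509 certificate, such as intca2.cer. */
    static X509Certificate readCert(String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /**
     * Build a certification path from the end-entity certificate to one of the trust anchors,
     * drawing intermediates from the collection certificate store. Returns the subject DN of the
     * anchor reached; throws CertPathBuilderException when no trusted path exists.
     */
    static String chainToAnchor(X509Certificate leaf, Set<TrustAnchor> anchors,
                                Collection<X509Certificate> intermediates) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(false); // the sample stores carry no CRLs or OCSP endpoints
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(intermediates)));
        PKIXCertPathBuilderResult result =
                (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
        return result.getTrustAnchor().getTrustedCert().getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        // dsig-sender.ks: JKS, store password client, personal certificate soaprequester, trusted certificate soapca
        KeyStore sender = load(SAMPLES + "dsig-sender.ks", "JKS", "client".toCharArray());
        X509Certificate soaprequester = (X509Certificate) sender.getCertificate("soaprequester");
        X509Certificate soapca = (X509Certificate) sender.getCertificate("soapca");
        X509Certificate intCa2 = readCert(SAMPLES + "intca2.cer");

        // The private key must open with the documented key password, or the generator cannot sign.
        PrivateKey signingKey = (PrivateKey) sender.getKey("soaprequester", "client".toCharArray());
        System.out.println("soaprequester key algorithm: " + signingKey.getAlgorithm());

        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(soapca, null));
        System.out.println("soaprequester chains to: "
                + chainToAnchor(soaprequester, anchors, Collections.singletonList(intCa2)));

        // Without the intermediate in the collection store the chain has a gap, which is the
        // failure a consumer binding reports when its collection certificate store is incomplete.
        try {
            chainToAnchor(soaprequester, anchors, Collections.<X509Certificate>emptyList());
            System.out.println("unexpected: path built without the intermediate");
        } catch (CertPathBuilderException e) {
            System.out.println("without intca2.cer: " + e.getMessage());
        }
    }
}
```

The same split applies to the WebSphere configuration: the trust anchor only has to hold the self-signed soapca certificate, while every intermediate such as Int CA2 must be present in the collection certificate store, otherwise path building fails even though the root is trusted.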
Sample trusted ID evaluators
Trusted ID evaluators are used to establish trust before asserting the identity in identity assertion. For information on how to modify the sample trusted ID evaluator configuration, see Configure trusted ID evaluators on the server or cell level.
- SampleTrustedIDEvaluator: This trusted ID evaluator uses the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl implementation. The default implementation of com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator contains a list of trusted identities. This list, which is used for identity assertion, defines the key name and value pair for each trusted identity. The key name is in the form trustedId_* and the value is the trusted identity. For more information, see the example in Configure trusted ID evaluators on the server or cell level. Complete the following steps to define this information for the cell level in the administrative console:
  - Click Security > Web services.
  - Under Additional properties, click Trusted ID evaluators > SampleTrustedIDEvaluator.
Related concepts
High-level architecture for Web services security
Related tasks
Configure the key locator using JAX-RPC for the generator binding on the application level
Configure the key locator using JAX-RPC for the consumer binding on the application level
Configure the key locator using JAX-RPC on the server or cell level
Configure the collection certificate store for the generator binding on the application level
Configure the collection certificate store for the consumer binding on the application level
Configure the collection certificate on the server or cell level
Configure trust anchors for the generator binding on the application level
Configure trust anchors for the consumer binding on the application level
Configure trust anchors on the server or cell level
Configure trusted ID evaluators on the server or cell level