Key locator configuration settings
Use this page to specify the settings for a key locator configuration. The key locators retrieve keys from the keystore file for digital signature and encryption. This product enables you to plug in a custom key locator configuration. To view the console panel for the key locator collection on the cell level...
- Click Security > Web services.
- Under Additional properties, click Key locators.
- Click New to create a new configuration or click the name of a configuration to modify its settings.
To view this console page for the key locator collection on the server level...
- Click Servers > Application servers > server .
- Under Security, click Web services: Default bindings for Web services security.
- Under Additional properties, click Key locators.
- Click New to create a new configuration or click the name of a configuration to modify its settings.
To use this console page for the key locator collection on the application level...
- Click Applications > Enterprise applications > application.
- Click Manage modules > URI_name.
- Under Web Services Security properties, you can access key locators for the following bindings:
- For the Request generator, click Web services: Client security bindings. Under Request generator (sender) binding, click Edit custom > Key locators.
- For the Request consumer, click Web services: Server security bindings. Under Request consumer (receiver) binding, click Edit custom > Key locators.
- For the Response generator, click Web services: Server security bindings. Under Response generator (sender) binding, click Edit custom > Key locators.
- For the Response consumer, click Web services: Client security bindings. Under Response consumer (receiver) binding, click Edit custom > Key locators.
Under Additional properties, you can access key locators for the following bindings:
- For the Request sender, click Web services: Client security bindings. Under Request sender binding, click Edit > Key locators.
- For the Request receiver, click Web services: Server security bindings. Under Request receiver binding, click Edit > Key locators.
- For the Response sender, click Web services: Server security bindings. Under Response sender binding, click Edit > Key locators.
- For the Response receiver, click Web services: Client security bindings. Under Response receiver binding, click Edit > Key locators.
- Click New to create a new configuration or click the name of a configuration to modify its settings.
- Key locator name
- Name of the key locator.
Data type String
- Key locator class name
- Name for the key locator class implementation. Key locators that are associated with Versions 6 and later applications must implement the com.ibm.wsspi.wssecurity.keyinfo.KeyLocator interface. This product provides the following default key locator class implementations for Versions 6 and later applications:
- com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator
- This implementation locates and obtains the key from the specified keystore file.
- com.ibm.wsspi.wssecurity.keyinfo.SignerCertKeyLocator
- This implementation uses the public key from the certificate of the signer. This class implementation is used by the response generator.
- com.ibm.wsspi.wssecurity.keyinfo.X509TokenKeyLocator
- This implementation uses the X.509 security token from the sender message for digital signature validation and encryption. This class implementation is used by the request consumer and the response consumer.
Key locators that are associated with V5.x applications must implement the com.ibm.wsspi.wssecurity.config.KeyLocator interface. This product provides the following default key locator class implementations for V5.x applications.
- com.ibm.wsspi.wssecurity.config.WSldKeyStoreMapKeyLocator
- This implementation maps an authenticated identity to a key and is used by the response sender. If encryption is used, this class is used to locate a key to encrypt the response message. The com.ibm.wsspi.wssecurity.config.WSldKeyStoreMapKeyLocator class can map an authenticated identity from the invocation credential of the current thread to a key that is used to encrypt the message. If an authenticated identity is present on the current thread, the class maps the ID to the mapped name. For example, user1 is mapped to mappedName_1. Otherwise, name="default". When a matching key is not found, the authenticated identity is mapped to the default key that is specified in the binding file. This implementation supports the following formats: JKS, JCEKS, and PKCS12.
- com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator
- This implementation maps a name to an alias and is used by the response receiver, request sender, and request receiver. The encryption process uses this class to obtain a key to encrypt a message, and the digital signature process uses this class to obtain a key to sign a message. The com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator class maps a logical name to a key alias in the keystore file. For example, key #105115176771 is mapped to CN=Alice, O=IBM, c=US.
- com.ibm.wsspi.wssecurity.config.CertInRequestKeyLocator
- This implementation uses the signer certificate to encrypt the response. This class implementation is used by the response sender and response receiver.
Data type String
- Key store password
Password that is used to access the keystore file.
- Key store configuration name
- Name of the key store configuration that is defined in the keystore settings in secure communications.
- Key store path
Location of the keystore file.
- Key store type
Timeype of keystore file.
- JKS
- Use this option if you are not using Java Cryptography Extensions (JCE) and if your keystore file uses the Java Keystore (JKS) format.
- JCEKS
- Use this option if you are using Java Cryptography Extensions.
- PKCS11KS (PKCS11)
- Use this format if your keystore file uses the PKCS#11 file format. Keystores files that use this format might contain Rivest Shamir Adleman (RSA) keys on cryptographic hardware or might encrypt keys that use cryptographic hardware to ensure protection.
- PKCS12KS (PKCS12)
- Use this option if your keystore file uses the PKCS#12 file format.
Default JKS Range JKS, JCEKS, PKCS11KS (PKCS11), PKCS12KS (PKCS12)
Related tasks
Configure the key locator using JAX-RPC for the generator binding on the application level
Related Reference
Key locator collection
Key collection
Key configuration settings
Reference topic