Key locator settings
The key locators retrieve keys from the keystore file for digital signature and encryption. WAS v7 enables you to plug in a custom key locator configuration.
To specify the settings for a key locator configuration on the cell level...
Security | JAX-WS and JAX-RPC security runtime | Additional properties | Key locators
On the server level...
Servers | Server Types | WebSphere application servers | server_name | Security | JAX-WS and JAX-RPC security runtime | Additional properties | Key locators
On the application level...
Applications | Application Types | WebSphere enterprise apps | application_name | Manage modules | URI_name | WS-Security properties
You can access key locators for the following bindings:
- For the Request generator, click...
Web services: Client security bindings | Request generator (sender) binding | Edit custom | Key locators
- For the Request consumer, click...
Web services: WAS security bindings | Request consumer (receiver) binding | Edit custom | Key locators
- For the Response generator, click...
Web services: WAS security bindings | Response generator (sender) binding | Edit custom | Key locators
- For the Response consumer, click...
Web services: Client security bindings | Response consumer (receiver) binding | Edit custom | Key locators
Under Additional properties, we can access key locators for the following bindings:
- For the Request sender, click...
Web services: Client security bindings | Request sender binding | Edit | Key locators
- For the Request receiver, click...
Web services: WAS security bindings | Request receiver binding | Edit | Key locators
- For the Response sender, click...
Web services: Server security bindings | Response sender binding | Edit | Key locators
- For the Response receiver, click...
Web services: Client security bindings | Response receiver binding | Edit | Key locators
- Key locator name
Name of the key locator.
Data type: String
- Key locator class name
Name for the key locator class implementation.
Key locators that are associated with Version 6 and later applications must implement the com.ibm.wsspi.wssecurity.keyinfo.KeyLocator interface. WAS v7 provides the following default key locator class implementations for Version 6 and later applications:
- com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator
- This implementation locates and obtains the key from the specified keystore file.
- com.ibm.wsspi.wssecurity.keyinfo.SignerCertKeyLocator
- This implementation uses the public key from the certificate of the signer. This class implementation is used by the response generator.
This implementation is for the JAX-RPC model only. To implement signer certificate encryption for the JAX-WS model, set a custom property on the callback handler for the encryption token generator.
See the topic Callback handler settings.
- com.ibm.wsspi.wssecurity.keyinfo.X509TokenKeyLocator
- This implementation uses the X.509 security token from the sender message for digital signature validation and encryption. This class implementation is used by the request consumer and the response consumer.
WAS v5: Key locators that are associated with V5.x applications must implement the com.ibm.wsspi.wssecurity.config.KeyLocator interface. This product provides the following default key locator class implementations for Version 5.x applications.
- com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator
- This implementation maps an authenticated identity to a key and is used by the response sender. If encryption is used, this class is used to locate a key to encrypt the response message. The com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator class can map an authenticated identity from the invocation credential of the current thread to a key used to encrypt the message. If an authenticated identity is present on the current thread, the class maps the ID to the mapped name. For example, user1 is mapped to mappedName_1. Otherwise, name="default". When a matching key is not found, the authenticated identity is mapped to the default key specified in the binding file. This implementation supports the following formats: JKS, JCEKS, and PKCS12.
- com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator
- This implementation maps a name to an alias and is used by the response receiver, request sender, and request receiver. The encryption process uses this class to obtain a key to encrypt a message, and the digital signature process uses this class to obtain a key to sign a message. The com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator class maps a logical name to a key alias in the keystore file. For example, key #105115176771 is mapped to CN=Alice, O=IBM, c=US.
- com.ibm.wsspi.wssecurity.config.CertInRequestKeyLocator
- This implementation uses the signer certificate to encrypt the response. This class implementation is used by the response sender and response receiver.
Data type: String
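The name-to-alias lookup that the keystore-backed locators above describe (map a logical name or authenticated identity to a keystore alias, and fall back to the configured default alias when no mapping matches), written out as an added illustration that is not WebSphere's own code. The class name, keystore path, passwords and aliases are assumed example values, and the class does not implement the com.ibm.wsspi.wssecurity.keyinfo.KeyLocator interface, whose method signatures this page does not give.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.HashMap;
import java.util.Map;

/** Stand-alone illustration of alias lookup with a default fallback (not the WebSphere SPI). */
public class ExampleKeyStoreAliasLocator {
    private final KeyStore keyStore;
    private final char[] keyPassword;
    private final Map<String, String> nameToAlias = new HashMap<>();
    private final String defaultAlias;

    /** type is JKS, JCEKS or PKCS12; PKCS11 would need a hardware provider and is not covered here. */
    public ExampleKeyStoreAliasLocator(String type, String path, char[] storePassword,
                                       char[] keyPassword, String defaultAlias) throws Exception {
        this.keyStore = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            keyStore.load(in, storePassword);   // store password protects keystore integrity
        }
        this.keyPassword = keyPassword;         // key password protects the private key entry
        this.defaultAlias = defaultAlias;
    }

    /** Registers a mapping such as user1 -> mappedName_1, as the page describes. */
    public void map(String name, String alias) {
        nameToAlias.put(name, alias);
    }

    /** Resolves a name to an alias; unknown or missing names fall back to the default alias. */
    public String resolveAlias(String name) throws Exception {
        String alias = (name == null) ? null : nameToAlias.get(name);
        return (alias != null && keyStore.containsAlias(alias)) ? alias : defaultAlias;
    }

    /** Returns the key stored under the resolved alias, failing loudly if the entry is absent. */
    public Key locate(String name) throws Exception {
        String alias = resolveAlias(name);
        Key key = keyStore.getKey(alias, keyPassword);  // null if alias is not a key entry
        if (key == null) {
            throw new UnrecoverableKeyException("no key entry under alias " + alias);
        }
        return key;
    }

    public static void main(String[] args) throws Exception {
        // assumed example keystore and aliases; replace with values from the binding configuration
        ExampleKeyStoreAliasLocator locator = new ExampleKeyStoreAliasLocator(
                "JCEKS", "example-keystore.jceks", "storepass".toCharArray(),
                "keypass".toCharArray(), "default");
        locator.map("user1", "mappedName_1");
        System.out.println("user1 -> " + locator.resolveAlias("user1"));
        System.out.println("unknown -> " + locator.resolveAlias("someone-else"));
    }
}
```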
- Key store password
Password used to access the keystore file.
- Key store configuration name
Name of the key store configuration that is defined in the keystore settings in secure communications.
- Key store path
Location of the keystore file.
- Key store type
Type of keystore file.
- JKS
- Use this option if we are not using Java Cryptography Extensions (JCE) and if the keystore file uses the Java Keystore (JKS) format.
- JCEKS
- Use this option if we are using Java Cryptography Extensions.
- PKCS11KS (PKCS11)
- Use this format if the keystore file uses the PKCS#11 file format. Keystore files that use this format might contain Rivest Shamir Adleman (RSA) keys on cryptographic hardware or might encrypt keys that use cryptographic hardware to ensure protection.
- PKCS12KS (PKCS12)
- Use this option if the keystore file uses the PKCS#12 file format.
Default: JKS
Range: JKS, JCEKS, PKCS11KS (PKCS11), PKCS12KS (PKCS12)
Related tasks
Set the key locator using JAX-RPC for the generator binding on the application level
Related
Key locator collection
Key collection
Key settings