Set server and cell level key locators using the admin console
A key locator typically locates a key store in the file system. Configure server and cell-level key locators for a specific application by using the WAS admin console. Configure binding information in the admin console; however, for extensions, use an assembly tool.
There is an important distinction between Version 5.x and V6.0.x and later applications. The information in this article supports V5.x applications only that are used with WAS V6.0.x and later. The information does not apply to V 6.0.x and later applications.
The location of key stores can vary from machine to machine so it is often helpful to configure a default key locator for a specific machine and reference it from within the encryption or signing information. This information is found within the binding configurations of any application installed on the machine. This suggestion enables you to define a single key locator for all applications that need to use the same keys. In an ND environment, you also can specify the default binding information at the cell level.
- Set default key locators at the server level
- Open the admin console.
Type http://localhost:port_number/ibm/console in your Web browser unless we have changed the port number.
- Click Servers > Server Types > WebSphere application servers > server_name.
- Under Security, click JAX-WS and JAX-RPC security runtime.
In a mixed node cell with a server using Websphere Application Server version 6.1 or earlier, click Web services: Default bindings for WS-Security
- Under Additional properties, click Key locators
- Click New to configure a new key locator. Select the box next to a key locator name and click Delete to delete a key locator; or click the name of a key locator to edit its configuration. If we are configuring a new key locator or editing an existing one...
- Specify a name for the key locator in the Key locator name field.
- Specify a name for the key locator class implementation in the Key locator class name field.WAS has the following default key locator class implementations:
- com.ibm.wsspi.wssecurity.config.WSldKeyStoreMapKeyLocator
- This class, used by the response sender, maps an authenticated identity to a key. If encryption is used, this class is used to locate a key to encrypt the response message. The com.ibm.wsspi.wssecurity.config.WSldKeyStoreMapKeyLocator class has the capability to map an authenticated identity from the invocation credential of the current thread to a key used to encrypt the message. If an authenticated identity is present on the current thread, the class maps the ID to the mapped name. For example, user1 is mapped to mappedName_1. Otherwise, name="default". When a matching key is not found, the authenticated identity is mapped to the default key specified in the binding file.
- com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator
- This class, used by the response receiver, request sender, and request receiver, maps a name to an alias. Encryption uses this class to obtain a key to encrypt a message and digital signature uses this class to obtain a key to sign a message. The com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator class maps a logical name to a key alias in the key store file. For example, key #105115176771 is mapped to CN=Alice, O=IBM, c=US.
- Specify the password used to access the keystore password in the Key store password field.
This field is optional is the key locator does not use a keystore.
- Specify the path name used to access the keystore in the Key store path field.
This field is optional is the key locator does not use a keystore. Use ${USER_INSTALL_ROOT} as this path expands to the WAS path on the machine.
- Select a keystore type from the Key store type field.
This field is optional is the key locator does not use a keystore. Use the JKS option if we are not using the Java Cryptography Extensions (JCE) keystore type, and use JCEKS if we are using the JCE type.
- Set default key locators at the cell level.
- Open the admin console.
Type http://localhost:port_number/ibm/console in your Web browser unless we have changed the port number.
- Click Security > Web services.
- Under Additional properties, click Key locators.
- Click New to configure a new key locator; select the box next to a key locator name and click Delete to delete a key locator; or click the name of a key locator to edit its configuration. If we are configuring a new key locator or editing an existing one...
- Specify a name for the key locator in the Key locator name field.
- Specify a name for the key locator class implementation in the Key locator class name field.WAS has the following default key locator class implementations:
- com.ibm.wsspi.wssecurity.config.WSldKeyStoreMapKeyLocator
- This class, used by the response sender, maps an authenticated identity to a key. If encryption is used, this class is used to locate a key to encrypt the response message. The com.ibm.wsspi.wssecurity.config.WSldKeyStoreMapKeyLocator class has the capability to map an authenticated identity from the invocation credential of the current thread to a key used to encrypt the message. If an authenticated identity is present on the current thread, the class maps the ID to the mapped name. For example, user1 is mapped to mappedName_1. Otherwise, name="default". When a matching key is not found, the authenticated identity is mapped to the default key specified in the binding file.
- com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator
- This class, used by the response receiver, request sender, and request receiver, maps a name to an alias. Encryption uses this class to obtain a key to encrypt a message and digital signature uses this class to obtain a key to sign a message. The com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator class maps a logical name to a key alias in the key store file. For example, key #105115176771 is mapped to CN=Alice, O=IBM, c=US.
- Specify the password used to access the keystore password in the Key store password field.
This field is optional is the key locator does not use a keystore.
- Specify the path name used to access the keystore in the Key store path field.
This field is optional is the key locator does not use a keystore. Use ${USER_INSTALL_ROOT} as this path expands to the WAS path on the machine.
- Select a keystore type from the Key store type field.
This field is optional if the key locator does not use a keystore. Use the JKS option if we are not using the Java Cryptography Extensions (JCE) keystore type, and use JCEKS if we are using the JCE type.
 
Related concepts
Key locator
Assembly tools
Related tasks
Set key locators using an assembly tool
Set server and cell level key locators
Set the client security bindings using an assembly tool
Set the security bindings on a server acting as a client
Set the server security bindings using an assembly tool
Set the server security bindings
Secure Web services for V5.x applications using XML digital signature 
Related information
keytool - Key and Certificate Management Tool