
X.509 Trust anchor


A trust anchor specifies the key stores that contain trusted root certificates used to validate X.509 certificates embedded in SOAP messages.

When using WAS with JAX-RPC, key stores are implemented with the following message points to validate the X.509 certificate used for digital signature or XML encryption:

For WAS V7.0, using JAX-WS, key stores are used by the following message points to validate the X.509 certificate used for digital signature or XML encryption:

If the key stores are tampered with, the result of digital signature verification can no longer be trusted. Therefore, IBM recommends that you secure the key stores. The binding configuration specified for the consumer must match the binding configuration for the generator.

The trust anchor is defined as...

...in the Java CertPath API, which uses the trust anchor and the certificate store to validate the incoming X.509 certificate embedded in the SOAP message. The WS-Security implementation in WAS supports this trust anchor.

In WAS, the trust anchor is represented as a Java key store object. The type, path, and password of the key store are passed to the implementation through the admin console or by scripting.
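The validation described above, reproduced outside WAS with the standard Java CertPath API. This is an added example, not IBM or WAS code; the class name, the command-line arguments and the `KS_PASSWORD` environment variable are assumptions, and revocation checking is switched off to keep it short.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

// Hypothetical stand-alone class. Usage:
//   java TrustAnchorCheck <storeType> <storePath> <leafCert> [intermediateCert ...]
// The key store password is read from KS_PASSWORD (an assumption of this example).
public class TrustAnchorCheck {

    static X509Certificate readCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        String password = System.getenv("KS_PASSWORD");
        if (args.length < 3 || password == null) {
            System.err.println("usage: TrustAnchorCheck <type> <store> <leaf> [intermediate ...]");
            System.exit(2);
        }
        // Trust anchor: a key store identified by type, path and password.
        KeyStore anchors = KeyStore.getInstance(args[0]);
        try (InputStream in = new FileInputStream(args[1])) {
            anchors.load(in, password.toCharArray());
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate leaf = readCert(cf, args[2]);
        // Certificate store: untrusted certificates, used only to build the chain.
        List<Certificate> pool = new ArrayList<>();
        pool.add(leaf);
        for (int i = 3; i < args.length; i++) pool.add(readCert(cf, args[i]));

        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        // Throws InvalidAlgorithmParameterException if the store has no trusted certificate entries.
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool)));
        params.setRevocationEnabled(false); // simplification: no CRL or OCSP source here
        try {
            PKIXCertPathBuilderResult r =
                (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("ACCEPTED, anchor: " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("REJECTED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Only trusted certificate entries in the key store act as anchors; certificates passed as intermediates help build the path but never make it trusted, which is why the integrity of the key store file decides the outcome.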



 
