

Trust anchor settings


Use this page to specify the trust anchor configuration. The certificates in the trust anchor keystore are used to validate the X.509 certificate that is embedded in the SOAP message: a certificate carried in the message is accepted only if it chains to one of these trusted certificates.

Use this information to configure a trust anchor. Trust anchors point to keystores that contain trusted root or self-signed certificates. This information enables you to specify a name for the trust anchor and the information that is needed to access a keystore. The application binding uses this name to reference a predefined trust anchor definition in the binding file (or the default).

Configure a trust anchor when you are editing a default cell or server binding. You can also configure application-specific bindings for tokens and message parts that are required by the policy set.

To view this admin console page when you are editing a default cell binding...

  1. Click Services > Policy sets > Default policy set bindings.

  2. Click the WS-Security policy in the Policies table.

  3. Click the Keys and certificates link in the Main message security policy bindings section.

  4. Click a name link in the Name column of the Trust anchor table.

To view this admin console page when you are configuring application-specific bindings for tokens and message parts that are required by the policy set...

  1. Click Applications > Application Types > WebSphere enterprise apps.

  2. Select an application that contains Web services. The application must contain a service provider or a service client.

  3. Click the Service provider policy sets and bindings link or the Service client policy sets and bindings link in the Web Services Properties section.

  4. Select a binding. You must have previously attached a policy set and assigned an application-specific binding.

  5. Click the WS-Security policy in the Policies table.

  6. Click the Keys and certificates link in the Main message security policy bindings section.

  7. Click a name link in the Name column of the Trust anchor table.

This admin console panel applies only to Java™ API for XML Web Services (JAX-WS) applications.

Name

Unique name used by the application binding to reference a predefined trust anchor definition in the default binding.

A trust anchor specifies the keystore that contains trusted root certificates. This field displays the name of the trust anchor that is being edited. If you are creating a new trust anchor configuration, enter a unique name.

Keystore files can contain public and private keys, root certificate authority (CA) certificates, intermediate CA certificates, and so on. Keys that are retrieved from keystore files are used to sign and validate or encrypt and decrypt messages or message parts. A trust anchor keystore, however, only needs the trusted certificates: validating an embedded certificate never uses a private key, so keep private keys out of the keystore that a trust anchor references and put only the CA or self-signed certificates you actually trust into it.

Data type: String

Centrally managed keystore

Specifies to use a centrally managed keystore. After selecting the Centrally managed keystore option, choose one of the centrally managed keystore names from the list. Centrally managed keystores can be managed in the admin console by clicking these links: Security > SSL certificate and key management > Key stores and certificates.

Select this radio button to enable the keystore name selection, then select a keystore from the list.

Data type: Radio button
Default value: Unselected

External keystore

Specifies a keystore using a keystore path, keystore type and keystore password. The keystore file format is determined by the keystore type. The default trust anchor in the default binding uses an external keystore.

Select the radio button to enable an external keystore.

Data type: Radio button
Default value: Selected

Full path

Full path to the location of the keystore. If the keystore is file-based, the location can reference any path in the file system of the node where the trust anchor keystore is located. The trust anchor defined in the default bindings is:

${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks

Do not use the sample keystore files in a production environment. These samples are provided for testing purposes only.

Data type: String

Type

Type of keystore when the external keystore is enabled.

The type specifies the implementation for keystore management. Select a keystore type from the list provided. The selection list is returned by java.security.Security.getAlgorithms("KeyStore"), so it reflects the security providers installed in the JVM that runs the server. The IBM Java Cryptography Extension (IBMJCE) supports the following file-based keystore types: JKS, JCEKS, PKCS12, and CMSKS.

  • Use the JKS option if you are not using Java Cryptography Extensions (JCE).

  • Use the JCEKS option if you are using Java Cryptography Extensions.

  • Use the PKCS12 option if the keystore uses the PKCS#12 file format.

    • A key.p12 file or a trust.p12 file are examples of PKCS12 type keystores.

  • Use the CMSKS option if the keystore uses the Certificate Management Services (CMS) format.
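As an added example (not code from the WebSphere product or its documentation), the following Java program does offline what the Trust anchor, External keystore and Type sections above describe: it prints the keystore types that java.security.Security.getAlgorithms("KeyStore") returns in the running JVM, loads a trust anchor keystore from a path, type and password exactly as the External keystore fields specify them, audits what the keystore actually trusts, and validates a certificate against those trust anchors with the JDK PKIX validator, which is the same check that is applied to the X.509 certificate embedded in a SOAP message. The class name TrustAnchorCheck, the command-line arguments and the disabled revocation checking are assumptions of the example.

```java
// TrustAnchorCheck.java: added example, not part of WebSphere or its documentation.
// usage: java TrustAnchorCheck <keystore-path> <keystore-type> <password> <cert-file>
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;

public class TrustAnchorCheck {

    // Same call that populates the Type list in the admin console.
    static void printKeyStoreTypes() {
        System.out.println("KeyStore types in this JVM: " + Security.getAlgorithms("KeyStore"));
    }

    // Loads the keystore the way the External keystore fields describe it: path, type, password.
    static KeyStore loadTrustAnchor(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // A trust anchor keystore should hold only trusted-certificate entries (CA or self-signed).
    // A key entry in it is unnecessary for validation and exposes a private key needlessly.
    static void audit(KeyStore ks) throws Exception {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                System.out.println("WARNING: " + alias + " is a key entry; trust anchors need certificates only");
                continue;
            }
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            boolean ca = c.getBasicConstraints() >= 0;           // -1 means no CA basic constraint
            boolean selfSigned = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
            System.out.printf("%s: %s (CA=%b, self-signed=%b, expires %s)%n",
                    alias, c.getSubjectX500Principal(), ca, selfSigned, c.getNotAfter());
        }
    }

    // Builds a certificate path from the presented certificate and validates it to one of the
    // trusted-certificate entries in the keystore, which become the PKIX trust anchor set.
    static boolean validate(KeyStore ks, X509Certificate presented) throws Exception {
        PKIXParameters params = new PKIXParameters(ks);
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP reachable from this check
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Collections.singletonList(presented));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: TrustAnchorCheck <keystore-path> <keystore-type> <password> <cert-file>");
            System.exit(2);
        }
        printKeyStoreTypes();
        KeyStore ks = loadTrustAnchor(args[0], args[1], args[2].toCharArray());
        audit(ks);
        X509Certificate presented;
        try (InputStream in = new FileInputStream(args[3])) {
            presented = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println(validate(ks, presented) ? "trusted" : "not trusted");
    }
}
```

Run it with the WebSphere JDK so that the IBM providers, and with them the CMSKS type, appear in the list; on another JDK only types such as JKS, JCEKS and PKCS12 are offered. Pass the certificate that the service client actually sends. A single-certificate path validates only when its issuer is itself an anchor, so if that certificate is issued by an intermediate CA, either import the intermediate into the trust anchor keystore or put the full chain into the CertPath. Pointing the program at the sample dsig-receiver.ks with the password documented under Password shows what the default binding trusts; do not reuse that keystore in production.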

Password

Password that is needed to access the keystore file.

Use the password to protect the keystore. The password is used to access the named keystore, and it is also the default password used to store keys within the keystore.

The default trust anchor in the default binding uses an external keystore. The password for that external keystore is: server. Because this password is published in the documentation, it protects nothing; IBM recommends that you change the default password as soon as possible.

Data type: String
Default value: WebAS or cell name

Confirm password

Confirms the password entered in the Password field.

Enter the password that is used to open the keystore file or device a second time. Entering the same password again confirms it.

Data type: String


Related tasks


Set policy set bindings
Manage policy sets


Related


Application policy sets collection
Application policy set settings
Search attached applications collection
Policy set bindings settings
Keys and certificates