Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Secure web services > Secure web services > Web Services Security concepts > Web Services Security concepts > Web Services Security provides message integrity, confidentiality, and authentication > High-level architecture for Web Services Security > Overview of platform configuration and bindings
Key locator
A key locator is an abstraction of the mechanism that retrieves the key for digital signature and encryption. The JAAS Login Module implementation is used to create the security token on the generator side and to validate (authenticate) the security token on the consumer side.
Retrieve keys from one of the following sources, depending upon your implementation:
- Java keystore file
- Database
- Kerberos KDC server (WAS using JAX-WS only)
- Trust service can provide a security context token and key (WAS using JAX-WS only)
Key locators search for the key using some type of a clue. The following types of clues are supported:
- A string label of the key, which is explicitly passed through the API. The relationship between each key and its name (string label) is maintained inside the key locator.
- The implementation context of the key locator; explicit information is not passed to the key locator. A key locator determines the appropriate key according to the implementation context.
WAS Versions 6 and later support a secret key-based signature called HMAC-SHA1. If you use HMAC-SHA1, the SOAP message does not contain a binary security token. In this case, it is assumed that the key information within the message contains the key name used to specify the secret key within the keystore.
Because the key locators support the public key-based signature, the key for verification is embedded in the X.509 certificate as a <BinarySecurityToken> element in the incoming message. For example, key locators can obtain the identity of the caller from the context and can retrieve the public key of the caller for response encryption.
Example
This section describes the usage scenarios for key locators.
Signing
The name of the signing key is specified in the Web Services Security configuration. This value is passed to the key locator and the actual key is returned. The corresponding X.509 certificate also can be returned.
Verification
By default, WAS Versions 6 and later supports the following types of key locators:
KeyStoreKeyLocator
Uses the keystore to retrieve the key used for digital signature and verification or encryption and decryption.
X509CertKeyLocator
Uses an X.509 certificate within a message to retrieve the key for verification or decryption.
SignerCertKeyLocator
Uses the X.509 certificate within the request message to retrieve the key used for encryption in the response message. Encryption
The name of the encryption key is specified in the Web Services Security configuration. This value is passed to the key locator and the actual key is returned. On the server side, you can use the SignerCertKeyLocator to retrieve the key for encryption in the response message from the X.509 certificate in the request message.
Decryption
The Web Services Security specification recommends using the key identifier instead of the key name. However, while the algorithm for computing the identifier for the public keys is defined in Internet Engineering Task Force (IETF) Request for Comment (RFC) 3280, there is no agreed-upon algorithm for the secret keys. Therefore, the current implementation of Web Services Security uses the identifier only when public key-based encryption is performed. Otherwise, the ordinal key name is used.
When you use public key-based encryption, the value of the key identifier is embedded in the incoming encrypted message. Then, the Web Services Security implementation searches for all of the keys managed by the key locator and decrypts the message using the key whose identifier value matches the one in the message.
When you use secret key-based encryption, the value of the key name is embedded in the incoming encrypted message. The Web Services Security implementation asks the key locator for the key with the name that matches the name in the message and decrypts the message using the key.
Keys
Overview of platform configuration and bindings
Related
Key collection
Key configuration settings