Trust anchors

A trust anchor specifies keystores containing trusted root certificates that validate the signer certificate. The request receiver and the response receiver use these keystores to validate the signer certificate of the digital signature.

Important: There is an important distinction between Version 5.x applications and Version 6.0.x and later applications. This information applies only to Version 5.x applications that run on WebSphere Application Server Version 6.0.x and later; it does not apply to Version 6.0.x and later applications.

The request receiver (as defined in the ibm-webservices-bnd.xmi file) and the response receiver (as defined in the ibm-webservicesclient-bnd.xmi file when the web service acts as a client) use these keystores to validate the signer certificate of the digital signature. The keystores are critical to the integrity of the digital signature validation: if they are tampered with, the result of the digital signature verification is doubtful and compromised. Therefore, IBM recommends that you secure these keystores. The binding configuration specified for the request receiver in the ibm-webservices-bnd.xmi file must match the binding configuration for the response receiver in the ibm-webservicesclient-bnd.xmi file.

The trust anchor is defined as java.security.cert.TrustAnchor in the Java CertPath API. The Java CertPath API uses the trust anchor and the certificate store to validate the incoming X.509 certificate embedded in the SOAP message.

The Web Services Security implementation in WebSphere Application Server supports this trust anchor. In WebSphere Application Server, the trust anchor is represented as a Java keystore object. The type, path, and password of the keystore are passed to the implementation through the administrative console or by scripting.
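The validation step described above, as an added example that is not WebSphere or IBM code: a Go program using the standard library's crypto/x509 in place of the Java CertPath API. It issues constructed certificates in memory (root names and the signer name are made up) and shows the same signer certificate being accepted against the genuine trust anchor and rejected once the anchor store holds a different root, which is why the trust-anchor keystores must be protected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue creates a certificate for cn: a self-signed root (a trust anchor) when parent is nil,
// otherwise an end-entity signer certificate issued by parent. All material is constructed in memory.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	signer := parentKey
	if parent == nil { // self-signed root: mark it as a CA and sign it with its own key
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// ValidateSigner is the receiver-side check: the signer certificate carried in the message is
// accepted only if it chains to a root in anchors, the analogue of the trust-anchor keystore.
func ValidateSigner(signer *x509.Certificate, anchors *x509.CertPool) error {
	_, err := signer.Verify(x509.VerifyOptions{Roots: anchors})
	return err
}
// Demo issues a signer certificate under root A and validates it against a pool holding A (passes)
// and against a pool in which A was replaced by an unrelated root B (fails): an altered anchor
// store silently changes which signers are trusted, so every verification result becomes suspect.
func Demo() (withRealAnchor, withSwappedAnchor error) {
	rootA, keyA := issue("Constructed Root A", nil, nil)
	rootB, _ := issue("Constructed Root B", nil, nil)
	signer, _ := issue("constructed-ws-signer", rootA, keyA)
	good, swapped := x509.NewCertPool(), x509.NewCertPool()
	good.AddCert(rootA)
	swapped.AddCert(rootB)
	return ValidateSigner(signer, good), ValidateSigner(signer, swapped)
}
```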


Related concepts

  • Collection certificate store

Related tasks

  • Configure trust anchors using an assembly tool
  • Configure trust anchors using the administrative console