
Configure the key information for the generator binding using JAX-RPC on the server or cell level

Use the key information for the default generator to specify the key used by the signing or the encryption information configurations if these bindings are not defined at the application level.

The signing and encryption information configurations can share the same key information, which is why they are both defined on the same level. WebSphere Application Server provides default values for these bindings. However, an administrator must modify these values for a production environment.

We can configure the key information for the generator binding on the server level and the cell level. In the following steps, use the first step to configure the key information on the server level or use the second step to configure the key information on the cell level:

  1. Access the default bindings for the server level.

    1. Click Servers > Server Types > WebSphere application servers > server_name.

    2. Under Security, click JAX-WS and JAX-RPC security runtime.

      In a mixed node cell with a server using WAS v6.1 or earlier, click Web services: Default bindings for Web Services Security.

  2. Click Security > Web services to access the default bindings on the cell level.

  3. Under Default generator bindings, click Key information.

  4. Click New to create a key information configuration, click Delete to delete an existing configuration, or click the name of an existing key information configuration to edit the settings. For a new configuration, enter a unique name for the key configuration in the Key information name field. For example, you might specify sig_keyinfo.

  5. Select a key information type from the Key information type field. WebSphere Application Server supports the following types of key information:

    Key identifier

    This key information type is used when two parties agree on how to create a key identifier. For example, a field of X.509 certificates can be used for the key identifier according to the X.509 profile.

    Key name

    This key information type is used when the sender and receiver agree on the name of the key.

    Security token reference

    This key information type is typically used when an X.509 certificate is used for digital signature.

    Embedded token

    This key information type is used to embed a security token in an embedded element.

    X509 issuer name and issuer serial

    This key information type specifies an X.509 certificate with its issuer name and serial number.

    Select Security token reference if you are using an X.509 certificate for the digital signature. In these steps, it is assumed that Security token reference is selected for this field.

    Important: This key information type must match the key information type specified for the consumer.

  6. Select a key locator reference from the Key locator reference menu. In these steps, assume that the key locator reference is called sig_klocator. The key locator reference is the name of the key locator used to generate the key for digital signature. We must configure a key locator before we can select it in this field. For more information on configuring the key locator, see Configure the key locator using JAX-RPC on the server or cell level.

  7. Click Get keys to view a list of key name references. After you click Get keys, the key names defined in the <sig_klocator> element are shown in the key name reference menu. If we change the key locator reference, click Get keys again to display the list of key names associated with the new key locator.

  8. Select a key name reference from the Key name reference menu. The key name reference specifies the name of the key used for generating the digital signature or for encryption. The Key name reference menu displays a list of key names defined for the selected key locator in the Key locator reference field. For example, select signerkey. It is assumed that signerkey is a key name defined for the sig_klocator key locator.

  9. Select a token reference from the Token reference field. The token reference refers to the name of a configured token generator. When a security token is required in the deployment descriptor, the token reference attribute is required. If we select Security token reference in the Key information type field, the token reference is required and we can specify an X.509 token generator. To specify an X.509 token generator, you must have an X.509 token generator configured. To configure an X.509 token generator, see Configure token generators using JAX-RPC to protect message authenticity at the server or cell level. For the remaining steps, it is assumed that an X.509 token generator that is named gen_tcon is already configured.

  10. Optional: Select an encoding method from the Encoding method field. This field specifies the encoding format for the key identifier. The encoding method attribute is valid only when you select Key identifier as the key information type. WebSphere Application Server supports the following encoding methods:

    • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

    • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

  11. Optional: Select a calculation method from the Calculation method field. The calculation method specifies the calculation algorithm used for the key identifier. This attribute is valid when you select Key identifier as the key information type. WebSphere Application Server supports the following calculation methods:

    • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#ITSHA1

    • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#IT60SHA1

  12. Optional: Specify a Uniform Resource Identifier (URI) of the value type for a security token in the Namespace URI field. The namespace URI is referenced by the key identifier. This attribute is valid only when you select Key identifier as the key information type. When the X.509 certificate token is specified, we do not need to specify the namespace URI. If another token is specified, specify the namespace URI. For example, we can specify http://www.ibm.com/websphere/appserver/tokentype/5.0.2 for the LTPA token and http://www.ibm.com/websphere/appserver/tokentype for the LTPA_PROPAGATION token.

  13. Optional: Specify the local name of the value type for a security token in the Local name field. The local name is referenced by the key identifier. This attribute is valid when you select Key identifier as the key information type. WebSphere Application Server supports the following local names:

    For an X.509 certificate token

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3

    For X.509 certificates in a PKIPath

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1

    For a list of X.509 certificates and CRLs in a PKCS#7

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7

    For LTPA

    LTPA

    For LTPA_PROPAGATION

    LTPA_PROPAGATION

  14. Click OK and Save to save the configuration.
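As an added example (not part of the WebSphere documentation and not a WebSphere API), the following Python checker encodes the dependencies between the fields that the steps above describe: the generator type must match the consumer, the key name must exist in the selected key locator, a Security token reference needs a configured token generator, and the encoding, calculation, namespace URI and local name settings apply only to the Key identifier type. The names sig_keyinfo, sig_klocator, signerkey and gen_tcon are taken from the steps; the data class and its field names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0"
X509 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
ENCODINGS = {WSS + "#Base64Binary", WSS + "#HexBinary"}
CALCULATIONS = {WSS + "#ITSHA1", WSS + "#IT60SHA1"}
X509_LOCAL_NAMES = {X509 + "#X509v3", X509 + "#X509PKIPathv1", X509 + "#PKCS7"}

@dataclass
class KeyInfo:                          # assumed model of one console key information entry
    name: str
    kind: str                           # e.g. "Security token reference" or "Key identifier"
    key_locator: str                    # key locator reference
    key_name: str                       # key name reference
    token_reference: Optional[str] = None
    encoding: Optional[str] = None
    calculation: Optional[str] = None
    namespace_uri: Optional[str] = None
    local_name: Optional[str] = None

def check_generator_keyinfo(ki, locator_keys, token_generators, consumer_kind):
    """Return the list of problems found; an empty list means the binding is consistent."""
    problems = []
    if ki.kind != consumer_kind:
        problems.append("key information type does not match the consumer")
    if ki.key_name not in locator_keys.get(ki.key_locator, ()):
        problems.append(f"key name {ki.key_name!r} not defined in {ki.key_locator!r}")
    if ki.kind == "Security token reference":
        if ki.token_reference is None:
            problems.append("token reference is required for Security token reference")
        elif ki.token_reference not in token_generators:
            problems.append(f"token generator {ki.token_reference!r} is not configured")
    if ki.kind == "Key identifier":
        for attr, allowed in (("encoding", ENCODINGS), ("calculation", CALCULATIONS)):
            if getattr(ki, attr) and getattr(ki, attr) not in allowed:
                problems.append(f"unsupported {attr} method")
        # X.509 value types need no namespace URI; any other token type does
        if ki.local_name and ki.local_name not in X509_LOCAL_NAMES and not ki.namespace_uri:
            problems.append("namespace URI is required for a non-X.509 token")
    else:
        for attr in ("encoding", "calculation", "namespace_uri", "local_name"):
            if getattr(ki, attr):
                problems.append(f"{attr} is only valid for the Key identifier type")
    return problems

# Constructed sample using the names from the steps above
SAMPLE_LOCATORS = {"sig_klocator": {"signerkey"}}
SAMPLE = KeyInfo("sig_keyinfo", "Security token reference", "sig_klocator", "signerkey", token_reference="gen_tcon")
```

Run check_generator_keyinfo against the consumer's type before saving; a mismatch shows up as a signature or decryption failure at the receiver rather than in the console.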


Results

You have configured the key information for the generator binding at the server or cell level.


What to do next

Specify a similar key information configuration for the consumer.


Related tasks

  • Configure the key information for the consumer binding using JAX-RPC on the server or cell level
  • Configure the key locator using JAX-RPC on the server or cell level
  • Configure token generators using JAX-RPC to protect message authenticity at the server or cell level