+

Search Tips   |   Advanced Search

Configure trust anchors on the server or cell level

We can configure a list of keystore objects containing trusted root certificates to be used for certificate path validation of incoming X.509-formatted security tokens.

(dist)(zos) Prior to completing the steps to configure trust anchors, create the keystore file using the key tool. WebSphere Application Server provides the key tool in the install_dir/java/jre/bin/keytool file.

(iseries) Prior to completing the steps to configure trust anchors, create the keystore file using the keytool utility. The keytool utility is available using the QShell Interpreter.

This task provides the steps that are needed to configure a list of keystore objects containing trusted root certificates. These objects are used for certificate path validation of incoming X.509-formatted security tokens. Keystore objects within trust anchors contain trusted root certificates used by the CertPath (API) to determine whether to trust a certificate chain.

We can configure trust anchors on the server level and the cell level. In the following steps, use the first step to access the server-level default bindings and use the second step to access the cell-level bindings.

  1. Access the default bindings for the server level.

    1. Click Servers > Server Types > WebSphere application servers > server_name.

    2. Under Security, click JAX-WS and JAX-RPC security runtime.

      In a mixed node cell with a server using WAS v6.1 or earlier, click Web services: Default bindings for Web Services Security.

  2. Click Security > Web services to access the default bindings on the cell level.

  3. Under Additional properties, click Trust anchors.

  4. Click one of the following to work with trust anchor configuration:

    New

    To create a trust anchor configuration. Enter a unique name for the trust anchor in the Trust anchor name field.

    Delete

    To delete an existing configuration.

    an existing trust anchor configuration

    To edit the settings for an existing trust anchor.

  5. Specify a password in the Key store password field that is used to access the keystore file.

  6. Specify the absolute location of the keystore file in the Key store path field. IBM recommends that you use the USER_INSTALL_ROOT variable as a portion of the keystore path. To change this predefined variable, click Environment > WebSphere variables. The USER_INSTALL_ROOT variable might display on the second page of variables.

  7. Specify the type of keystore file in the key store type field. WebSphere Application Server supports the following keystore types:

    JKS

    Use this option if you are not using Java Cryptography Extensions (JCE) and the keystore file uses the Java Key Store (JKS) format.

    JCEKS

    Use this option if you are using Java Cryptography Extensions.

    (zos) JCERACFKS

    Use JCERACFKS if the certificates are stored in a SAF key ring (z/OS only).

    PKCS11KS (PKCS11)

    Use this option if the keystore file uses the PKCS#11 file format. Keystore files that use this format might contain RSA keys on cryptographic hardware or might encrypt keys that use cryptographic hardware to ensure protection.

    PKCS12KS (PKCS12)

    Use this option if the keystore file uses the PKCS#12 file format.

  8. Click OK and Save to save the configuration.


Results

You have configured trust anchors at the server or cell level.