Trust anchor settings
Use this page to specify the trust anchor configuration. The certificates in a trust anchor keystore are used to validate the X.509 certificate embedded in the SOAP message (for example, the signer certificate carried in a binary security token): the certificate is accepted only if a chain can be built from it to one of the trusted certificates.
Trust anchors point to keystores containing trusted root or self-signed certificates. We specify the name for the trust anchor and the information needed to access the keystore. The application binding uses this name to reference a predefined trust anchor definition in the binding file (or in the default binding).
We can configure a trust anchor when editing a default cell or server binding, or we can configure bindings for specific application token and message parts required by a policy set.
To edit a default cell binding...
Services | Policy sets | Default policy set bindings | WS-Security policy | Main message security policy bindings section | Keys and certificates | Trust anchor name
To set application specific bindings for tokens and message parts that are required by the policy set...
Applications | Application Types | WebSphere enterprise applications | appname | [Service provider policy sets and bindings link | Service client policy sets and bindings] | binding | WS-Security policy | Keys and certificates | Trust anchor name
We must have previously attached a policy set and assigned an application-specific binding.
This administrative console page applies only to JAX-WS applications.
Name
Unique name used by the application binding to reference a predefined trust anchor definition in the default binding.
A trust anchor specifies the keystore containing trusted root certificates. This field displays the name for the trust anchor that is being edited. For a new trust anchor configuration, enter a unique name.
Keystore files contain public and private keys, root certificate authority (CA) certificates, intermediate CA certificates, and so on. Keys that are retrieved from keystore files are used to sign and validate or encrypt and decrypt messages or message parts. For a trust anchor, only the trusted certificate entries matter: the keystore should hold the root or CA certificates you are willing to trust, not the private keys used for signing or decryption.
Data type: String
Centrally managed keystore
Specifies to use a centrally managed keystore. After selecting the Centrally managed keystore option, choose one of the centrally managed keystore names from the list. Centrally managed keystores can be managed in the administrative console by clicking these links: Security > SSL certificate and key management > Key stores and certificates.
Click the radio button to enable the Name field. Select a keystore from the list.
Data type: Radio button. Default value: Unselected
External keystore
Specifies a keystore using a keystore path, keystore type, and keystore password. The keystore file format is determined by the keystore type. The default trust anchor in the default binding uses an external keystore.
Select the radio button to enable an external keystore.
Data type: Radio button. Default value: Selected
- Full path
- Full path to the location of the keystore.
If the keystore is file-based, the location can reference any path in the file system of the node where the trust anchor keystore is located. The trust anchor defined in the default bindings is:
${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
Do not use the sample keystore files in a production environment. These samples are provided for testing purposes only.
Data type: String
- Type
- Type of keystore when the external keystore is enabled.
The type specifies the implementation for keystore management. Click a keystore type from the list provided. The selection list is returned by java.security.Security.getAlgorithms("KeyStore").
The IBM Java Cryptography Extension (IBMJCE) supports the following file-based keystore types: JKS, JCEKS, PKCS12, and CMSKS.
- Use the JKS option if you are not using Java Cryptography Extensions (JCE).
- Use the JCEKS option if you are using Java Cryptography Extensions.
- Use the PKCS12 option if the keystore uses the PKCS#12 file format.
- A key.p12 file or a trust.p12 file are examples of PKCS12 type keystores.
- Use the CMSKS option if the keystore uses the Certificate Management Services (CMS) format.
- Password
- Password needed to access the keystore file.
Use the password to protect the keystore. The password is used to access the named keystore, and it is also the default password used to store keys within the keystore.
The default trust anchor in the default binding uses an external keystore. The password for that external keystore is: server. IBM recommends that you change the default password as soon as possible. Because the sample keystore and its password ship with the product and are publicly documented, a production trust anchor must use its own keystore and its own password.
Data type: String. Default value: WebAS or cell name
- Confirm password
- Confirms the password entered in the Password field.
Enter the same password that you entered in the Password field. Entering it a second time confirms the password used to open the keystore file or device.
Data type: String
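The three External keystore settings above (full path, type, password) are exactly what a JVM needs to open the trust anchor keystore, and the selection list for Type comes from java.security.Security.getAlgorithms("KeyStore"). The following program is an added example, not WebSphere code, that ties the settings together: it checks the type against that list, loads the keystore, builds trust anchors from its trusted certificate entries only, and validates a signer certificate chain against them with the standard PKIX validator. The class name, the command-line arguments, the PEM chain file, and the disabled revocation check are assumptions for the example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example (not WebSphere code). Usage, with all arguments assumed:
 *   java TrustAnchorCheck <keystore path> <keystore type> <password> <signer-chain.pem>
 * The PEM file holds the signer certificate first, followed by any intermediates.
 */
public class TrustAnchorCheck {

    /** The keystore types this JVM supports; the console's Type list is built the same way. */
    static Set<String> supportedKeyStoreTypes() {
        return Security.getAlgorithms("KeyStore");
    }

    /** Open the keystore from the Full path, Type and Password settings. */
    static KeyStore loadKeyStore(Path path, String type, char[] password) throws Exception {
        if (!supportedKeyStoreTypes().contains(type.toUpperCase())) {
            throw new IllegalArgumentException("keystore type not supported by this JVM: " + type);
        }
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password); // wrong password or corrupted file fails here
        }
        return ks;
    }

    /** Trust anchors come from trusted certificate entries only; key entries are ignored. */
    static Set<TrustAnchor> trustAnchors(KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (!ks.isCertificateEntry(alias)) {
                continue; // a private key entry is not something to trust, only something to use
            }
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                if (x.getBasicConstraints() < 0) {
                    System.err.println("warning: " + alias + " is not a CA certificate; "
                            + "a trust anchor keystore should hold root or CA certificates");
                }
                anchors.add(new TrustAnchor(x, null));
            }
        }
        if (anchors.isEmpty()) {
            throw new IllegalStateException("trust anchor keystore has no trusted certificate entries");
        }
        return anchors;
    }

    /** PKIX-validate a leaf-first chain; returns the anchor certificate the chain was accepted under. */
    static X509Certificate validate(List<X509Certificate> chain, Set<TrustAnchor> anchors) throws Exception {
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) { // the anchor itself must not be part of the validated path
            boolean isAnchor = false;
            for (TrustAnchor a : anchors) { if (a.getTrustedCert().equals(c)) { isAnchor = true; } }
            if (!isAnchor) { path.add(c); }
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP source in this example
        PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                CertPathValidator.getInstance("PKIX").validate(certPath, params);
        return r.getTrustAnchor().getTrustedCert();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: TrustAnchorCheck <keystore> <type> <password> <chain.pem>");
            System.exit(2);
        }
        if (args[0].contains("ws-security/samples")) {
            System.err.println("warning: sample keystore in use; not for production");
        }
        if ("server".equals(args[2])) {
            System.err.println("warning: default sample keystore password in use");
        }
        KeyStore ks = loadKeyStore(Paths.get(args[0]), args[1], args[2].toCharArray());
        Set<TrustAnchor> anchors = trustAnchors(ks);
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(Paths.get(args[3]))) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        try {
            X509Certificate anchor = validate(chain, anchors);
            System.out.println("chain accepted under anchor: " + anchor.getSubjectX500Principal());
        } catch (CertPathValidatorException ex) {
            System.out.println("chain rejected: " + ex.getMessage());
        }
    }
}
```

Run it once against the production trust anchor keystore with a chain from a legitimate partner and once with a self-signed certificate that is not in the keystore; the second run must be rejected, which is the property the trust anchor provides. The two warnings in main reflect the notes on this page about the sample keystore and its published password.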
Related tasks
Define and manage policy set bindings
Manage policy sets using the administrative console
Application policy sets collection
Application policy set settings
Search attached applications collection