WAS v8.5 > Reference > Sets

Trust anchor settings page

Use this page to specify the trust anchor configuration. These trust anchor certificates are used to validate the X.509 certificate that is embedded in the SOAP message.

Use this page to configure a trust anchor. A trust anchor points to a keystore that contains the trusted root or self-signed certificates against which the certificate in an incoming message is validated. On this page you specify a name for the trust anchor and the information needed to access that keystore. An application binding uses this name to reference a predefined trust anchor definition, either in its own binding file or in the default binding.

We can configure a trust anchor when editing a default cell or server binding. We can also configure application specific bindings for tokens and message parts required by the policy set.

To view this dmgr console page when editing a default cell binding:

  1. Click Services > Policy sets > Default policy set bindings.

  2. Click the WS-Security policy in the Policies table.

  3. Click the Keys and certificates link in the Main message security policy bindings section.

  4. Click a name link in the Name column of the Trust anchor table.

To view this dmgr console page when we are configuring application specific bindings for tokens and message parts required by the policy set:

  1. Click Applications > Application Types > WebSphere enterprise applications.

  2. Select an application containing web services. The application must contain a service provider or a service client.

  3. Click the Service provider policy sets and bindings link or the Service client policy sets and bindings link in the Web Services Properties section.

  4. Select a binding. You must have previously attached a policy set and assigned an application-specific binding.

  5. Click the WS-Security policy in the Policies table.

  6. Click the Keys and certificates link in the Main message security policy bindings section.

  7. Click a name link in the Name column of the Trust anchor table.

This dmgr console page applies only to JAX-WS applications.


Name

Unique name used by the application binding to reference a predefined trust anchor definition in the default binding.

A trust anchor specifies the keystore containing trusted root certificates. This field displays the name for the trust anchor that is being edited. If you are creating a new trust anchor configuration, enter a unique name.

Keystore files contain public and private keys, root certificate authority (CA) certificates, the intermediate CA certificate, and so on. Keys that are retrieved from the keystore files are used to sign and validate or encrypt and decrypt messages or message parts.
Data type: String


Centrally managed keystore

Specifies that a centrally managed keystore is used. After selecting the Centrally managed keystore option, choose one of the centrally managed keystore names from the list. Centrally managed keystores are managed in the dmgr console under Security > SSL certificate and key management > Key stores and certificates.

Select the radio button to enable the keystore name list, then select a keystore from the list.
Data type: Radio button
Default: Unselected


External keystore

Specifies a keystore using a keystore path, keystore type and keystore password. The keystore file format is determined by the keystore type. The default trust anchor in the default binding uses an external keystore.

Select the radio button to enable an external keystore.
Data type: Radio button
Default: Selected

Full path

Full path to the location of the keystore.

If the keystore is file-based, the location can reference any path in the file system of the node where the trust anchor keystore is located. The trust anchor defined in the default bindings is:

    ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks

Do not use the sample keystore files in a production environment. These samples are provided for testing purposes only.
Data type: String

Type

Type of keystore when the external keystore is enabled.

The type specifies the implementation used for keystore management. Select a keystore type from the list provided. The selection list is the set returned by java.security.Security.getAlgorithms("KeyStore").

The IBM Java Cryptography Extension (IBMJCE) supports the following file-based keystore types: JKS, JCEKS, PKCS12, and CMSKS.

  • Use the JKS option if you are not using Java Cryptography Extensions (JCE).

  • Use the JCEKS option if you are using Java Cryptography Extensions.

  • Use the PKCS12 option if the keystore uses the PKCS#12 file format.

    • A key.p12 file or a trust.p12 file are examples of PKCS12 type keystores.

  • Use the CMSKS option if the keystore uses the Certificate Management Services (CMS) format.

Password

Password needed to access the keystore file.

The password protects the keystore: it is required to open the named keystore, and it is also the default password used for the keys stored within that keystore.

The default trust anchor in the default binding uses an external keystore, the sample keystore whose password is: server. Because the sample keystore and this password are documented, change the password as soon as possible and do not rely on the sample keystore outside a test environment.
Data type: String
Default: WebAS or cell name
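The following is an added example, not code from this page or from the WebSphere WS-Security runtime. It shows, with only Java SE APIs, what the Name, Type, Full path and Password fields above describe and what a trust anchor is for: the keystore is opened with the given type and password, each trusted-certificate entry becomes a java.security.cert.TrustAnchor, and an X.509 chain (the kind carried in a SOAP message) is validated against those anchors with the platform PKIX validator. The class name, the command-line arguments and the decision to run without revocation checking are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Stand-alone illustration of a trust anchor keystore (hypothetical class,
 * not WebSphere code): open the keystore by type, path and password, collect
 * its trusted certificates as PKIX trust anchors, validate a chain against them.
 */
public class TrustAnchorCheck {

    /** Same set the Type drop-down is built from: keystore types registered by the JVM's providers. */
    static Set<String> availableKeystoreTypes() {
        return Security.getAlgorithms("KeyStore");
    }

    /**
     * Opens the keystore and returns one TrustAnchor per trusted-certificate entry.
     * Private-key entries are reported and skipped: a trust anchor keystore should
     * hold CA certificates only, never the node's own signing or decryption keys.
     */
    static Set<TrustAnchor> loadTrustAnchors(String path, String type, char[] password) throws Exception {
        if (!availableKeystoreTypes().contains(type.toUpperCase())) {
            throw new IllegalArgumentException("keystore type not provided by this JVM: " + type);
        }
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);   // a wrong password surfaces here as an IOException
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                System.err.println("warning: private-key entry '" + alias + "' ignored; trust anchors hold CA certificates only");
                continue;
            }
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }
        if (anchors.isEmpty()) {
            throw new IllegalStateException("no trusted-certificate entries in " + path);
        }
        return anchors;
    }

    /**
     * PKIX path validation: the chain must lead to one of the anchors, every
     * signature must verify and every certificate must be within its validity
     * period. Returns null on success, otherwise the reason for rejection.
     */
    static String validateChain(List<X509Certificate> chain, Set<TrustAnchor> anchors) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);   // end-entity certificate first, then intermediates
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);           // assumption: no CRL/OCSP available in this offline check
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return null;
        } catch (CertPathValidatorException e) {
            return e.getReason() + ": " + e.getMessage();
        }
    }

    /** Reads a PEM file holding the end-entity certificate followed by any intermediate CA certificates. */
    static List<X509Certificate> readPemChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: TrustAnchorCheck <keystore path> <JKS|JCEKS|PKCS12|CMSKS> <password> <chain.pem>");
            System.exit(2);
        }
        Set<TrustAnchor> anchors = loadTrustAnchors(args[0], args[1], args[2].toCharArray());
        System.out.println("loaded " + anchors.size() + " trust anchor(s); keystore types available: " + availableKeystoreTypes());
        String failure = validateChain(readPemChain(args[3]), anchors);
        System.out.println(failure == null ? "chain validates against the trust anchors" : "REJECTED: " + failure);
        System.exit(failure == null ? 0 : 1);
    }
}
```

Run it against your own trust anchor keystore (for instance a PKCS12 file that holds only your CA certificates) and a PEM chain exported from a client: a certificate issued by a CA that is not in the keystore is rejected with a NO_TRUST_ANCHOR reason, and a keystore that also carries private-key entries is flagged, which is the usual sign that a signing keystore was mistaken for a trust anchor keystore. Revocation checking is left off here only to keep the example offline; a production trust anchor configuration should decide explicitly how revocation is handled.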

Confirm password

Confirms the password entered in the Password field.

Enter the password used to open the keystore file or device again. By entering the same password that was entered in the Password field again, you confirm the password.
Data type: String


Related


Defining and managing policy set bindings
Manage policy sets


Reference:

Application policy sets page
Application policy set settings
Search attached applications page
Policy set bindings settings

