Configure the collection certificate store for the generator binding on the application level
Overview
A collection certificate store is a collection of non-root, certificate authority (CA) certificates and certificate revocation lists (CRLs). This collection of CA certificates and CRLs is used to check for a valid signature in a digitally signed SOAP message.
Configure a collection certificate for the generator bindings on the application level
- Locate the collection certificate store configuration panel in the administrative console.
Applications | Application Types | WebSphere enterprise applications | application_name | Manage modules | URI_name | Web Services Security Properties
For the request generator (sender) binding, click...
Web services: Client security bindings | Request generator (sender) binding | Edit custom | Additional properties | Collection certificate store.
For the response generator (sender) binding, click...
Web services: Server security bindings | Response generator (sender) binding | Edit custom | Additional properties | Collection certificate store.
- Specify the Certificate store name.
Click New to create a collection certificate store configuration, select the box next to the configuration and click Delete to delete an existing configuration, or click the name of an existing collection certificate store configuration to edit its settings. For a new configuration, enter a name in the Certificate store name field.
The name of the collection certificate store must be unique to the level of the application server. For example, if we create the collection certificate store for the application level, the store name must be unique to the application level. The name specified in the Certificate store name field is used by other configurations to refer to a predefined collection certificate store. WebSphere Application Server searches for the collection certificate store based on proximity.
For example, if an application binding refers to a collection certificate store named cert1, the Application Server searches for cert1 at the application level before searching the server level and then the cell level.
- Specify a certificate store provider in the Certificate store provider field.
WAS supports the IBMCertPath certificate store provider. To use another certificate store provider, define the provider implementation in the provider list of the java.security file: install_dir/java/jre/lib/security/java.security on z/OS and distributed platforms, or profile_root/properties/java.security on iSeries. However, make sure that our provider supports the same requirements of the certificate path algorithm as WAS.
- Click OK and Save to save the configuration.
- Click the name of our certificate store configuration.
After we specify the certificate store provider, specify either the location of a certificate revocation list or the X.509 certificates. We can also specify both a certificate revocation list and the X.509 certificates for our certificate store configuration.
- Under Additional properties, click Certificate revocation lists.
- Click New to specify a certificate revocation list path, click Delete to delete an existing list reference, or click the name of an existing reference to edit the path.
Specify the fully qualified path to the location where WAS can find your list of certificates that are not valid. For portability reasons, IBM recommends that we use the WebSphere Application Server variables to specify a relative path to the certificate revocation lists (CRLs). This recommendation is especially important when we are working in a WAS ND environment. For example, we might use the USER_INSTALL_ROOT variable to define a path such as $USER_INSTALL_ROOT/mycertstore/mycrl1. For a list of supported variables, click Environment > WebSphere variables in the administrative console. The following list provides recommendations for using certificate revocation lists:
- If CRLs are added to the collection certificate store, add the CRLs for the root certificate authority and each intermediate certificate, if applicable.
When the CRL is in the certificate collection store, the certificate revocation status for every certificate in the chain is checked against the CRL of the issuer.
- When the CRL file is updated, the new CRL does not take effect until you restart the web service application.
- Before a CRL expires, we must load a new CRL into the certificate collection store to replace the old CRL.
An expired CRL in the collection certificate store results in a certificate path (CertPath) build failure.
- Click OK and Save to save the configuration.
- Return to the collection certificate store configuration panel.
To access the panel:
- Click...
Applications | Application Types | WebSphere enterprise applications | application_name | Under Manage modules | URI_name
- Under Web Services Security properties, we can access the key information for the request generator and response generator bindings.
For the request generator (sender) binding, click...
Web services: Client security bindings | Request generator (sender) binding | Edit custom
For the response generator (sender) binding, click...
Web services: Server security bindings | Response generator (sender) binding | Edit custom
- Under Additional properties, click Collection certificate store > certificate_store_name.
- Under Additional properties, click X.509 certificates.
- Click New to create an X.509 certificate configuration, click Delete to delete an existing configuration, or click the name of an existing X.509 certificate configuration to edit its settings.
For a new configuration, enter a name in the Certificate store name field.
- Specify a path in the X.509 certificate path field.
This entry is the absolute path to the location of the X.509 certificate. The collection certificate store is used to validate the certificate path of incoming X.509-formatted security tokens.
Use the USER_INSTALL_ROOT variable as part of the path name. For example, we might type: USER_INSTALL_ROOT/etc/ws-security/samples/intca2.cer. Do not use this certificate path for production use. We must obtain our own X.509 certificate from a certificate authority before putting our WAS environment into production.
Click Environment > WebSphere variables in the administrative console to configure the USER_INSTALL_ROOT variable.
- Click OK and then Save to save the configuration.
We have configured the collection certificate store for the generator binding.
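The CRL recommendations and the X.509 certificate path validation described in this topic correspond to Java PKIX path building, which is what a collection certificate store feeds. The following Java program is an added illustration, not WebSphere's own code or the IBMCertPath provider; it assumes the JDK's standard PKIX provider and takes the root CA certificate, the signer's certificate, and then any intermediate CA certificate and .crl files as command-line arguments (the file names are placeholders).

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.cert.*;
import java.util.*;

// Added illustration, not WebSphere or IBMCertPath code: non-root CA certificates and CRLs
// form a CollectionCertStore, the root CA is the trust anchor, PKIX path building decides.
public class CollectionCertStoreCheck {
    // Loads a DER or PEM file as an X.509 certificate, or as a CRL when the name ends in .crl
    static Object load(Path p) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(p)) {
            return p.toString().endsWith(".crl") ? cf.generateCRL(in) : cf.generateCertificate(in);
        }
    }
    // Builds the path from tokenCert up to rootCa. Throws CertPathBuilderException when no
    // chain can be built, e.g. a missing intermediate, a revoked certificate or an expired CRL.
    static CertPath validate(X509Certificate rootCa, List<Object> storeEntries,
                             X509Certificate tokenCert) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(tokenCert);
        PKIXBuilderParameters params = new PKIXBuilderParameters(
                Collections.singleton(new TrustAnchor(rootCa, null)), target);
        List<Object> entries = new ArrayList<>(storeEntries);
        entries.add(tokenCert); // the builder locates the target certificate through a CertStore
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(entries)));
        // Every certificate in the chain is checked against its issuer's CRL, so the store
        // needs a current CRL for the root CA and for each intermediate CA.
        params.setRevocationEnabled(true);
        return CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
    }
    // Usage: java CollectionCertStoreCheck root.cer signer.cer [intca.cer ...] [ca.crl ...]
    public static void main(String[] args) throws Exception {
        X509Certificate root = (X509Certificate) load(Paths.get(args[0]));
        X509Certificate token = (X509Certificate) load(Paths.get(args[1]));
        List<Object> store = new ArrayList<>();
        for (int i = 2; i < args.length; i++) store.add(load(Paths.get(args[i])));
        try {
            CertPath path = validate(root, store, token);
            System.out.println("Valid path, " + path.getCertificates().size() + " certificate(s)");
        } catch (CertPathBuilderException e) {
            System.out.println("CertPath build failure: " + e.getMessage());
        }
    }
}
```

Run it once with a current CRL set and once after letting a CRL pass its next-update time to see the CertPath build failure this topic warns about.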
What to do next
Specify a similar collection certificate store configuration for the consumer.
Subtopics
- Collection certificate store collection
- Collection certificate store configuration settings
- X.509 certificates collection
- X.509 certificate configuration settings
- Certificate revocation list collection
- Certificate revocation list configuration settings