Trust anchor settings
Specify the trust anchor configuration. These trust anchor certificates are used to validate the X.509 certificate that is embedded in the SOAP message.
Use this information to configure a trust anchor. Trust anchors point to keystores that contain trusted root or self-signed certificates. This information enables us to specify a name for the trust anchor and the information needed to access a keystore. The application binding uses this name to reference a predefined trust anchor definition in the binding file (or the default).
We can configure a trust anchor when we are editing a default cell or server binding. We can also configure application specific bindings for tokens and message parts required by the policy set.
To view this administrative console page when we are editing a default cell binding:
- Click Services > Policy sets > Default policy set bindings.
- Click the WS-Security policy in the Policies table.
- Click the Keys and certificates link in the Main message security policy bindings section.
- Click a name link in the Name column of the Trust anchor table.
To view this administrative console page when we are configuring application specific bindings for tokens and message parts that are required by the policy set:
- Click Applications > Application Types > WebSphere enterprise applications.
- Select an application containing web services. The application must contain a service provider or a service client.
- Click the Service provider policy sets and bindings link or the Service client policy sets and bindings link in the Web Services Properties section.
- Select a binding. We must have previously attached a policy set and assigned an application specific binding.
- Click the WS-Security policy in the Policies table.
- Click the Keys and certificates link in the Main message security policy bindings section.
- Click a name link in the Name column of the Trust anchor table.
This administrative console page applies only to JAX-WS applications.
Name
Unique name used by the application binding to reference a predefined trust anchor definition in the default binding.
A trust anchor specifies the keystore containing trusted root certificates. This field displays the name of the trust anchor being edited. For a new trust anchor configuration, enter a unique name.
Keystore files contain public and private keys, root certificate authority (CA) certificates, intermediate CA certificates, and so on. Keys retrieved from the keystore files are used to sign and validate, or encrypt and decrypt, messages or message parts.
Data type: String
Centrally managed keystore
Specifies that a centrally managed keystore is used. After selecting the Centrally managed keystore option, choose one of the centrally managed keystore names from the list. Centrally managed keystores can be managed in the administrative console by clicking these links:
Security > SSL certificate and key management > Key stores and certificates.
Click the radio button to enable the Name field. Select a keystore from the list.
Data type: Radio button
Default value: Unselected
External keystore
Specifies a keystore using a keystore path, keystore type and keystore password. The keystore file format is determined by the keystore type. The default trust anchor in the default binding uses an external keystore.
Select the radio button to enable an external keystore.
Data type: Radio button
Default value: Selected
- Full path: Full path to the location of the keystore.
If the keystore is file-based, the location can reference any path in the file system of the node where the trust anchor keystore is located. The trust anchor defined in the default bindings is:
${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
Do not use the sample keystore files in a production environment. These samples are provided for testing purposes only.
Data type: String
- Type: Type of keystore when the external keystore is enabled.
The type specifies the implementation used for keystore management. Select a keystore type from the list provided. The selection list is returned by java.security.Security.getAlgorithms("KeyStore").
The IBM Java Cryptography Extension (IBMJCE) supports the following file-based keystore types: JKS, JCEKS, PKCS12, and CMSKS.
- Use the JKS option if we are not using Java Cryptography Extensions (JCE).
- Use the JCEKS option if we are using Java Cryptography Extensions.
- Use the PKCS12 option if your keystore uses the PKCS#12 file format. A key.p12 file or a trust.p12 file is an example of a PKCS12 type keystore.
- Use the CMSKS option if your keystore uses the Certificate Management Services (CMS) format.
- Password: Password needed to access the keystore file.
The password protects the keystore: it is used to access the named keystore, and it is also the default password used to store keys within the keystore.
The default trust anchor in the default binding uses an external keystore. The password for that external keystore is: server. IBM recommends that we change the default password as soon as possible.
Data type: String
Default value: WebAS or cell name
- Confirm password: Confirms the password entered in the Password field.
Enter the password used to open the keystore file or device a second time. Entering the same value that you entered in the Password field confirms the password.
Data type: String
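As an added example, not part of this documentation and not WebSphere code, the Java program below does outside the console what a trust anchor definition does for the runtime: it opens the keystore with the Full path, Type and Password values, turns each trusted certificate entry into a PKIX trust anchor, and validates a certificate chain against those anchors the way a receiver must validate the X.509 certificate embedded in a signed SOAP message. The list of keystore types it prints comes from the same java.security.Security.getAlgorithms("KeyStore") call the console uses. The class name, the command-line arguments and the PEM file holding the chain to check are assumptions; revocation checking is switched off only because the tool is meant to run offline.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.*;

// Added example (not WebSphere code): open a trust anchor keystore with the
// External keystore values, list what it trusts, validate a chain against it.
public class TrustAnchorCheck {

    // The Type list in the console is built from exactly this call.
    public static Set<String> availableKeyStoreTypes() {
        return Security.getAlgorithms("KeyStore");
    }

    // Opens the keystore as the External keystore option describes it.
    public static KeyStore loadExternalKeyStore(String path, String type, char[] password)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(type); // "JKS", "JCEKS", "PKCS12", ...
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);                // a wrong password fails here
        }
        return ks;
    }

    // Every trusted certificate entry in the keystore becomes a PKIX trust anchor.
    public static Set<TrustAnchor> trustAnchorsOf(KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)
                    && ks.getCertificate(alias) instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
            }
        }
        if (anchors.isEmpty()) {
            throw new IllegalStateException("no trusted certificate entries in keystore");
        }
        return anchors;
    }

    // Validates a chain (leaf first, anchor not included). Returns the anchor
    // that terminated the chain; throws CertPathValidatorException otherwise.
    public static TrustAnchor validate(List<X509Certificate> chain, Set<TrustAnchor> anchors)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(anchors);
        // Assumption: no CRL/OCSP reachable from this offline tool; keep revocation on in production.
        params.setRevocationEnabled(false);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult result =
                (PKIXCertPathValidatorResult) validator.validate(path, params);
        return result.getTrustAnchor();
    }

    // Reads one or more PEM certificates, in file order, as an X.509 chain.
    public static List<X509Certificate> readPemChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: TrustAnchorCheck <keystore-path> <type> <password> <chain.pem>");
            System.err.println("keystore types on this JVM: " + availableKeyStoreTypes());
            return;
        }
        KeyStore ks = loadExternalKeyStore(args[0], args[1], args[2].toCharArray());
        Set<TrustAnchor> anchors = trustAnchorsOf(ks);
        for (TrustAnchor a : anchors) {
            X509Certificate c = a.getTrustedCert();
            // An expired anchor makes every signed message fail validation; show the date.
            System.out.println("anchor: " + c.getSubjectX500Principal() + " valid until " + c.getNotAfter());
        }
        try {
            TrustAnchor hit = validate(readPemChain(args[3]), anchors);
            System.out.println("chain OK, anchored at " + hit.getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("chain REJECTED: " + e.getReason() + " (" + e.getMessage() + ")");
        }
    }
}
```

Run it against a copy of the trust anchor keystore, for example `java TrustAnchorCheck /path/to/trust-anchors.jks JKS <password> chain.pem` (path and password are placeholders). The anchor listing is the quickest way to see why signed messages have started being rejected after a root certificate in the keystore expired, and a REJECTED result with its reason tells you whether the sender's chain is untrusted, expired, or simply missing an intermediate certificate.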