Trust anchors

A trust anchor specifies key stores that contain trusted root certificates that validate the signer certificate.

Important distinction between Version 5.x and Version 6 applications

Note: The information in this article supports version 5.x applications only that are used with WebSphere Application Server Version 6. The information does not apply to version 6 applications.

These key stores are used by the request receiver (as defined in the ibm-webservices-bnd.xmi file) and the response receiver (as defined in the ibm-webservicesclient-bnd.xmi file when Web services is acting as client) to validate the signer certificate of the digital signature. The key stores are critical to the integrity of the digital signature validation. If they are tampered with, the result of the digital signature verification is doubtful and comprised. Therefore, it is recommended that you secure these key stores. The binding configuration specified for the request receiver in the ibm-webservices-bnd.xmi file must match the binding configuration for the response receiver in the ibm-webservicesclient-bnd.xmi file.

The trust anchor is defined as javax.security.cert.TrustAnchor in the Java CertPath application programming interface (API). The Java CertPath API uses the trust anchor and the certificate store to validate the incoming X.509 certificate that is embedded in the SOAP message.

The Web services security implementation in WebSphere Application Server supports this trust anchor. In WebSphere Application Server, the trust anchor is represented as a Java key store object. The type, path, and password of the key store are passed to the implementation through the administrative console or by scripting.

Related concepts
Collection certificate store