Web Services - Configure the key locator for the consumer binding with an assembly tool


Before you begin

Prior to completing this task, import your application into an assembly tool. For information on how to import your application, see Import enterprise applications. Before configuring a key locator, you should know which key information configuration references this key locator. For example, if you configure this key locator for the STRREF key information type, select the com.ibm.wsspi.wssecurity.keyinfo.X509TokenKeyLocator key locator class.

 

Overview

WebSphere Application Server v6.x provides default key locator implementations that you can choose from, or you can write your own implementation. Custom key locators must implement the com.ibm.wsspi.wssecurity.keyinfo.KeyLocator interface. Using this interface, you can locate keys within any data source.

Complete the following steps to configure a key locator for the consumer using an assembly tool. The purpose of the key locators is to find keys or certificates. The key locator information on the consumer side is used to find the key for validating the digital signature in the received SOAP message or for decrypting the encrypted parts of the message. The response consumer is configured for the client and the request consumer is configured for the server. In the following steps, configure either the client-side bindings in step 2 or the server-side bindings in step 3.

 

Procedure

  1. Start the assembly tool and click Window > Open Perspective > J2EE.

  2. Optional: Locate the client-side bindings using the Project Explorer window. The Client Deployment Descriptor window is displayed. This Web service contains the bindings that you need to configure. Complete the following steps to locate the client-side bindings:

    1. Expand the Web Services > Client section and double-click the name of the Web service.

    2. Click the WS Binding tab and expand the Security Response Consumer Binding Configuration section.

  3. Optional: Locate the server-side bindings using the Project Explorer window. The Web Services Editor window is displayed. This Web service contains the bindings that you need to configure. Complete the following steps to locate the server-side bindings:

    1. Expand the Web Services > Services section and double-click the name of the Web service.

    2. Click the Binding Configurations tab and expand the Request Consumer Binding Configuration Details section.

  4. Expand the Key locators section and click Add to add a new entry or click Edit to edit a selected entry.

  5. Specify a name for this configuration in the Key locator name field. This configuration name is referenced in the Key locator field of the Key Information dialog.

  6. Select a key locator implementation in the Key locator class field. Select the key locator class that matches the Key Information configuration that references this key locator. For example, select the com.ibm.wsspi.wssecurity.keyinfo.X509TokenKeyLocator key locator class if the received SOAP message contains an X.509 certificate that is needed for signature validation. Select the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator key locator class if the key that is required for signature validation or decryption needs to be specified using a keystore file. The com.ibm.wsspi.wssecurity.keyinfo.SignerCertKeyLocator key locator class is not used on the consumer side. It is typically used in the response generator configuration for encrypting the response message using the signer key from the request message.

  7. Select the Use key store option to configure a key store for this key locator. Whether you need to configure the key store information for a key locator depends upon the key locator class and your application configuration. For example, if you select the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator key locator class in the previous step, configure the key store information for this key locator.

    1. Specify a keystore password in the Key store storepass field. The keystore storepass is the password that is required to access the keystore file.

    2. Specify the path to the keystore file in the Key store path field. The key store path is the directory where the keystore resides. Make sure that wherever you deploy your application that the server can locate your keystore file.

    3. Select a key store type from the Key store type field. The key store type that you select must match the keystore file that is specified in the Key store path field. The following keystore types are supported:

      JKS

      Use this option if you are not using Java Cryptography Extensions (JCE) and if your keystore file uses the Java Keystore (JKS) format.

      JCEKS

      Use this option if you are using Java Cryptography Extensions.

      PKCS11

      Use this format if your keystore uses the PKCS#11 file format. Keystores using this format might contain RSA keys on cryptographic hardware or might encrypt keys that use cryptographic hardware to ensure protection.

      PKCS12

      Use this option if your keystore uses the PKCS#12 file format.

  8. Click Add under the Key field to add a key entry from the keystore file that you specified in the previous step. This key is used for signature validation or decryption. The key that you specify must match the key that is used for digital signing or encryption for the generator. Complete the following steps to add a key entry:

    1. Specify an alias name for the key in the Alias field.

    2. Specify the password that is associated with the key in the Key pass field. This password protects the private key of the key pair that is specified by this key.

    3. Specify the key name in the Key name field. The key name specifies the Distinguished Name (DN) for the owner of the key.

  9. Click OK to save the key locator configuration.
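The following Java program is added here as an illustration of what the KeyStoreKeyLocator settings in steps 7 and 8 correspond to at run time; it is not part of WebSphere Application Server or of this documentation, and it uses only the standard java.security.KeyStore API rather than the WebSphere key locator interface. The class name ConsumerKeyLookup, the keystore file consumer.p12, the alias consumer, the password and the key name CN=Consumer,O=Example are assumed values created by the keytool command in the comment. It loads the keystore by type, path and storepass, fetches the entry by alias and keypass, checks that the certificate subject matches the configured key name, and hands back the public key for signature validation or the private key for decryption, rejecting the entry when the name does not match or the certificate is outside its validity period.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;

/**
 * Illustration (not WebSphere code): resolves the consumer-side key locator
 * settings -- key store type, path, storepass, alias, keypass and key name --
 * against a keystore using the standard JCA KeyStore API.
 */
public final class ConsumerKeyLookup {

    private final String keyStoreType; // JKS, JCEKS, PKCS11 or PKCS12
    private final String keyStorePath; // ignored for PKCS11 (hardware token)
    private final char[] storePass;

    ConsumerKeyLookup(String keyStoreType, String keyStorePath, char[] storePass) {
        this.keyStoreType = keyStoreType;
        this.keyStorePath = keyStorePath;
        this.storePass = storePass;
    }

    /** Opens the keystore; a PKCS11 store is loaded from the provider, not a file. */
    KeyStore load() throws Exception {
        KeyStore ks = KeyStore.getInstance(keyStoreType);
        if ("PKCS11".equalsIgnoreCase(keyStoreType)) {
            ks.load(null, storePass);
            return ks;
        }
        try (InputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    /** Key for validating the digital signature of a received message. */
    PublicKey signatureValidationKey(String alias, String keyName) throws Exception {
        Certificate cert = load().getCertificate(alias);
        if (!(cert instanceof X509Certificate)) {
            throw new IllegalStateException("no X.509 certificate under alias " + alias);
        }
        X509Certificate x509 = (X509Certificate) cert;
        checkKeyName(x509, keyName);
        x509.checkValidity(); // throws if expired or not yet valid
        return x509.getPublicKey();
    }

    /** Private key for decrypting the encrypted parts of a received message. */
    PrivateKey decryptionKey(String alias, char[] keyPass, String keyName) throws Exception {
        KeyStore ks = load();
        Key key = ks.getKey(alias, keyPass); // keypass protects the private key entry
        if (!(key instanceof PrivateKey)) {
            throw new IllegalStateException("alias " + alias + " holds no private key");
        }
        Certificate cert = ks.getCertificate(alias);
        if (cert instanceof X509Certificate) {
            checkKeyName((X509Certificate) cert, keyName);
        }
        return (PrivateKey) key;
    }

    /** The configured key name must equal the certificate's subject DN. */
    private static void checkKeyName(X509Certificate cert, String keyName) {
        X500Principal expected = new X500Principal(keyName);
        if (!cert.getSubjectX500Principal().equals(expected)) {
            throw new SecurityException("key name " + keyName
                + " does not match certificate subject " + cert.getSubjectX500Principal());
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed test keystore, created beforehand with (all values constructed):
        //   keytool -genkeypair -alias consumer -keyalg RSA -keysize 2048 \
        //     -dname "CN=Consumer,O=Example" -keystore consumer.p12 \
        //     -storetype PKCS12 -storepass changeit -keypass changeit -validity 365
        char[] pass = "changeit".toCharArray();
        ConsumerKeyLookup lookup = new ConsumerKeyLookup("PKCS12", "consumer.p12", pass);

        PublicKey pub = lookup.signatureValidationKey("consumer", "CN=Consumer,O=Example");
        System.out.println("signature validation key: " + pub.getAlgorithm());

        PrivateKey priv = lookup.decryptionKey("consumer", pass, "CN=Consumer,O=Example");
        System.out.println("decryption key: " + priv.getAlgorithm());

        try { // mismatched key name is rejected rather than silently used
            lookup.signatureValidationKey("consumer", "CN=Other,O=Example");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run it from the directory that holds consumer.p12 with `javac ConsumerKeyLookup.java && java ConsumerKeyLookup`. The key name check is the part worth copying: a locator that returns whatever sits under an alias without comparing the subject DN to the configured key name will happily validate a signature with the wrong certificate if the keystore is edited.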

 

Result

After you configure the key locator and any token consumer that you need to configure, you can configure the key information that references this key locator.


 

Related Tasks

Configuring key information for the consumer binding with an assembly tool