
Key information settings


Use this page to specify the configuration needed to identify the key for XML digital signature or XML encryption.

To view this admin console page on the cell level for the key information references...

  1. Click Security > JAX-WS and JAX-RPC security runtime.

  2. Under JAX-RPC Default Generator Bindings or the JAX-RPC Default Consumer Bindings, click Key information.

To view this admin console page on the server level for the key information references...

  1. Click Servers > Server Types > WebSphere appservers > server_name.

  2. Under Security, click JAX-WS and JAX-RPC security runtime.

    In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for WS-Security.

  3. Under JAX-RPC Default Generator Bindings or the JAX-RPC Default Consumer Bindings, click Key information.

  4. Click New to create a new configuration or click the configuration name to modify its contents.

To view this admin console page on the application level for the key information references...

This option is available on the application level for V6.0.x applications.

  1. Click Applications > Application Types > WebSphere enterprise apps > application_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Under Additional properties, we can access the signing information for the following bindings:

    • For the Request generator (sender) binding, click Web services: Client security bindings. Under Request generator (sender) binding, click Edit custom.

    • For the Request consumer (receiver) binding, click Web services: WAS security bindings. Under Request consumer (receiver) binding, click Edit custom.

    • For the Response generator (sender) binding, click Web services: WAS security bindings. Under Response generator (sender) binding, click Edit custom.

    • For the Response consumer (receiver) binding, click Web services: Client security bindings. Under Response consumer (receiver) binding, click Edit custom.

  4. Under Required properties, click Key information.

  5. Click New to create a new configuration or click the configuration name to modify its contents.

Before clicking Properties under Additional properties, enter a value in the Key information name field and select an option for the Key information type and Key locator reference options.

Key information name

Name for the key information configuration.

Key information type

Type of key information. The key information type specifies how to reference security tokens.

This product supports the following types of key information. Each type of key information is described in WS-Security: SOAP Message Security 1.0 (WS-Security 2004).


Table 1. Key information types

Type | Description
Key identifier | The security token is referenced using an opaque value that uniquely identifies the token.
Key name | The security token is referenced using a name that matches an identity assertion within the token.
Security token reference | With this type, the security token is directly referenced.
Embedded token | With this type, the security token reference is embedded.
X509 issuer name and issuer serial | With this type, the security token is referenced by an issuer and serial number of an X.509 certificate.

The X.509 issuer name and issuer serial is described in WS-Security: X.509 Certificate Token Profile Version 1.0. The other types are described in WS-Security: SOAP Message Security 1.0 (WS-Security 2004).

If we select Key identifier for the key information type, we can specify values in the following fields on this panel:

Key locator reference

Reference used to retrieve the key for digital signature and encryption.

Before specifying a key locator reference, configure a key locator. We can specify a signing key configuration for the following bindings:


Table 2. Signing key binding configurations

Binding name Server level, cell level, or application level Path
Default generator binding Cell level

  1. Click Security > JAX-WS and JAX-RPC security runtime.

  2. Under Additional properties, click Key locators.

  3. Click New to create a new key locator or click the name of a configured key locator to modify its configuration.
Default consumer binding Cell level

  1. Click Security > JAX-WS and JAX-RPC security runtime.

  2. Under Additional properties, click Key locators.

  3. Click New to create a new key locator or click the name of a configured key locator to modify its configuration.
Default generator binding Server level

  1. Click Servers > Server Types > WebSphere appservers > server_name.

  2. Under Security, click JAX-WS and JAX-RPC security runtime.

    In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for WS-Security.

  3. Click New to create a new key locator or click the name of a configured key locator to modify its configuration.
Default consumer binding Server level

  1. Click Servers > Server Types > WebSphere appservers > server_name.

  2. Under Security, click JAX-WS and JAX-RPC security runtime.

    In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for WS-Security.

  3. Under Additional properties, click Key locators.

  4. Click New to create a new key locator or click the name of a configured key locator to modify its configuration.
Request sender binding Application level

  1. Click Applications > Application Types > WebSphere enterprise apps > application_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Click Web services: Client security bindings. Under Request sender binding, click Edit.

  4. Under Additional properties, click Key locators.

  5. Click New to create a new key locator or click the name of a configured key locator to modify its configuration.
Response receiver binding Application level

  1. Click Applications > Application Types > WebSphere enterprise apps > application_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Click Web services: Client security bindings. Under Response receiver binding, click Edit.

  4. Under Additional properties, click Key locators.

  5. Click New to create a new key locator or click the name of a configured key locator to modify its configuration.
Request receiver binding Application level

  1. Click Applications > Application Types > WebSphere enterprise apps > application_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Click Web services: WAS security bindings. Under Request receiver binding, click Edit.

  4. Under Additional properties, click Key locators.

  5. Click New to create a new key locator or click the name of a configured key locator to modify its configuration.
Response sender binding Application level

  1. Click Applications > Application Types > WebSphere enterprise apps > application_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Click Web services: WAS security bindings. Under Response sender binding, click Edit.

  4. Under Additional properties, click Key locators.

  5. Click New to create a new key locator or click the name of a configured key locator to modify its configuration.
Request generator (sender) binding Application level

  1. Click Applications > Application Types > WebSphere enterprise apps > application_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Click Web services: Client security bindings. Under Request generator (sender) binding, click Edit.

  4. Under Additional properties, click Key locators.

  5. Click New to create a new key locator or click the name of a configured key locator to modify its configuration.
Response consumer (receiver) binding Application level

  1. Click Applications > Application Types > WebSphere enterprise apps > application_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Click Web services: Client security bindings. Under Response consumer (receiver) binding, click Edit custom.

  4. Under Additional properties, click Key locators.

  5. Click New to create a new key locator or click the name of a configured key locator to modify its configuration.
Request consumer (receiver) binding Application level

  1. Click Applications > Application Types > WebSphere enterprise apps > application_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Click Web services: WAS security bindings. Under Request consumer (receiver) binding, click Edit custom.

  4. Under Additional properties, click Key locators.

  5. Click New to create a new key locator or click the name of a configured key locator to modify its configuration.
Response generator (sender) binding Application level

  1. Click Applications > Application Types > WebSphere enterprise apps > application_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Click Web services: WAS security bindings. Under Response generator (sender) binding, click Edit custom.

  4. Under Additional properties, click Key locators.

  5. Click New to create a new key locator or click the name of a configured key locator to modify its configuration.

Key name reference

Name of the key used for generating digital signature and encryption.

This field is displayed for the default generator and is also displayed for the request generator and response generator for V6.0.x applications.

This field is displayed for the default generator and is also displayed for the request generator and response generator.


Table 3. Key name reference binding configurations

Binding name Server level, cell level, or application level Path
Default generator binding Cell level

  1. Click Security > JAX-WS and JAX-RPC security runtime.

  2. Under Additional properties, click Key locators.

  3. Click New to create a new key locator or click the name of a configured key locator to modify its configuration.
Default generator binding Server level

  1. Click Servers > Application servers > server_name.

  2. Under Security, click JAX-WS and JAX-RPC security runtime.

    In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for WS-Security.

  3. Under Additional properties, click Key locators.

  4. Click New to create a new key locator or click the name of a configured key locator to modify its configuration.
Request generator (sender) binding Application level

  1. Click Applications > Application Types > WebSphere enterprise apps > application_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Click Web services: Client security bindings. Under Request generator (sender) binding, click Edit.

  4. Under Additional properties, click Key locators.

  5. Click New to create a new key locator or click the name of a configured key locator to modify its configuration.
Response generator (sender) binding Application level

  1. Click Applications > Application Types > WebSphere enterprise apps > application_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Click Web services: WAS security bindings. Under Response generator (sender) binding, click Edit custom.

  4. Under Additional properties, click Key locators.

  5. Click New to create a new key locator or click the name of a configured key locator to modify its configuration.

Token reference

Name of a token generator or token consumer used for processing a security token.

The appserver requires this field only when you specify Security token reference or Embedded token in the Key information type field. The Token reference field is also required when you specify a key identifier type for the consumer. Before specifying a token reference, configure a token generator or token consumer. We can specify a token configuration for the following bindings on the following levels:


Table 4. Token reference binding configurations

Binding name Server level, cell level, or application level Path
Default generator binding Cell level

  1. Click Security > JAX-WS and JAX-RPC security runtime.

  2. Under JAX-RPC Default Generator Bindings, click Token generators.

  3. Click New to create a new token generator or click the name of a configured token generator to modify its configuration.
Default consumer binding Cell level

  1. Click Security > JAX-WS and JAX-RPC security runtime.

  2. Under JAX-RPC Default Consumer Bindings, click Token consumers.

  3. Click New to create a new token consumer or click the name of a configured token consumer to modify its configuration.
Default generator binding Server level

  1. Click Servers > Server Types > WebSphere appservers > server_name.

  2. Under Security, click JAX-WS and JAX-RPC security runtime.

    In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for WS-Security.

  3. Under JAX-RPC Default Generator Bindings, click Token generator.

  4. Click New to create a new token generator or click the name of a configured token generator to modify its configuration.
Default consumer binding Server level

  1. Click Servers > Server Types > WebSphere appservers > server_name.

  2. Under Security, click JAX-WS and JAX-RPC security runtime.

    In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for WS-Security.

  3. Under JAX-RPC Default Consumer Bindings, click Token consumer.

  4. Click New to create a new token consumer or click the name of a configured token consumer to modify its configuration.
Request generator (sender) binding Application level

  1. Click Applications > Application Types > WebSphere enterprise apps > application_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Click Web services: Client security bindings. Under Request generator (sender) binding, click Edit custom.

  4. Under Additional properties, click Token generators.

  5. Click New to create a new token generator or click the name of a configured token generator to modify its configuration.
Response consumer (receiver) binding Application level

  1. Click Applications > Application Types > WebSphere enterprise apps > application_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Click Web services: Client security bindings. Under Response consumer (receiver) binding, click Edit custom.

  4. Under Required properties, click Token consumers.

  5. Click New to create a new token consumer or click the name of a configured token consumer to modify its configuration.
Request consumer (receiver) binding Application level

  1. Click Applications > Application Types > WebSphere enterprise apps > application_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Click Web services: WAS security bindings. Under Request consumer (receiver) binding, click Edit custom.

  4. Under Required properties, click Token consumers.

  5. Click New to create a new token consumer or click the name of a configured token consumer to modify its configuration.
Response generator (sender) binding Application level

  1. Click Applications > Application Types > WebSphere enterprise apps > application_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Click Web services: WAS security bindings. Under Response generator (sender) binding, click Edit custom.

  4. Under Additional properties, click Token generators.

  5. Click New to create a new token generator or click the name of a configured token generator to modify its configuration.

Encoding method

Encoding method that indicates the encoding format for the key identifier.

This field is valid when you specify Key identifier in the Key information type field. This product supports the following encoding methods:

  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

This field is available for the default generator binding only.
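The key information types in Table 1 and the encoding methods above determine what a message consumer sees inside ds:KeyInfo. The following sketch is an added example, not IBM's code: it classifies a ds:KeyInfo element by reference style and decodes a key identifier according to its EncodingType. The element names and namespaces are those of WS-Security 1.0 and XML Signature; the sample fragments, the `#X509SubjectKeyIdentifier` value type used in them, and all function names are assumptions made for the example, and no signature is verified.

```python
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SMS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0"
X509 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
NS = {"ds": DS, "wsse": WSSE}
SAMPLE_ID = bytes(range(1, 21))  # constructed 20-byte identifier, not a real key hash

def decode_key_identifier(text, encoding_type):
    """Decode a wsse:KeyIdentifier value; Base64Binary applies when EncodingType is absent."""
    raw = "".join(text.split())
    if encoding_type in (None, SMS + "#Base64Binary"):
        return base64.b64decode(raw, validate=True)
    if encoding_type == SMS + "#HexBinary":
        return bytes.fromhex(raw)
    raise ValueError("unsupported EncodingType: %r" % encoding_type)

def classify_key_info(key_info):
    """Map one ds:KeyInfo element to a Table 1 key information type plus its details."""
    name = key_info.find("ds:KeyName", NS)
    if name is not None:
        return "Key name", {"name": (name.text or "").strip()}
    ref = key_info.find("wsse:SecurityTokenReference", NS)
    if ref is None:
        raise ValueError("KeyInfo has neither KeyName nor SecurityTokenReference")
    kid = ref.find("wsse:KeyIdentifier", NS)
    if kid is not None:
        data = decode_key_identifier(kid.text or "", kid.get("EncodingType"))
        return "Key identifier", {"value_type": kid.get("ValueType"), "id_bytes": data}
    direct = ref.find("wsse:Reference", NS)
    if direct is not None:
        return "Security token reference", {"uri": direct.get("URI")}
    if ref.find("wsse:Embedded", NS) is not None:
        return "Embedded token", {}
    iss = ref.find("ds:X509Data/ds:X509IssuerSerial", NS)
    if iss is not None:
        return "X509 issuer name and issuer serial", {
            "issuer": iss.findtext("ds:X509IssuerName", "", NS).strip(),
            "serial": int(iss.findtext("ds:X509SerialNumber", "", NS))}
    raise ValueError("unrecognized SecurityTokenReference content")

def sample_key_infos():
    """Constructed ds:KeyInfo fragments (not captured traffic), one per style shown."""
    kid = ('<wsse:KeyIdentifier ValueType="' + X509 + '#X509SubjectKeyIdentifier" '
           'EncodingType="' + SMS + '#%s">%s</wsse:KeyIdentifier>')
    strs = [kid % ("Base64Binary", base64.b64encode(SAMPLE_ID).decode()),
            kid % ("HexBinary", SAMPLE_ID.hex()),
            '<wsse:Reference URI="#x509-1" ValueType="' + X509 + '#X509v3"/>',
            '<ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=Example CA'
            '</ds:X509IssuerName><ds:X509SerialNumber>4660</ds:X509SerialNumber>'
            '</ds:X509IssuerSerial></ds:X509Data>']
    bodies = ["<wsse:SecurityTokenReference>%s</wsse:SecurityTokenReference>" % s for s in strs]
    bodies.append("<ds:KeyName>CN=signer,O=Example</ds:KeyName>")
    wrap = '<ds:KeyInfo xmlns:ds="%s" xmlns:wsse="%s">%%s</ds:KeyInfo>' % (DS, WSSE)
    return [ET.fromstring(wrap % b) for b in bodies]

if __name__ == "__main__":
    print(*map(classify_key_info, sample_key_infos()), sep="\n")
```

The Base64Binary and HexBinary samples decode to the same identifier bytes, so a consumer-side audit can compare key identifiers regardless of which encoding method the generator binding selected.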

Calculation method

This field is valid when you specify Key identifier in the Key information type field. This product supports the following calculation methods:

  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#ITSHA1

  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#IT60SHA1

This field is available for the generator binding only.

Value type namespace URI

Namespace URI of the value type for a security token that is referenced by the key identifier.

This field is valid when you specify Key identifier in the Key information type field. When you specify the X.509 certificate token, you do not need to specify this option. To specify another token, specify the URI of the QName for the value type.

This product provides the following predefined value type URIs for the LTPA token:

  • http://www.ibm.com/websphere/appserver/tokentype

  • http://www.ibm.com/websphere/appserver/tokentype/5.0.2

This field is available for the generator binding only.

Value type local name

Local name of the value type for a security token that is referenced by the key identifier.

When this local name is used with the corresponding namespace URI, the information is called the value type qualified name or QName.

This field is valid when you specify Key identifier in the Key information type field. When you specify the X.509 certificate token, IBM recommends that you use the predefined local names. When you specify the predefined local names, you do not need to specify the URI of the value type. This product provides the following predefined local names:

X.509 certificate token

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3

X.509 certificates in a PKIPath

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1

A list of X509 certificates and CRLs in a PKCS#7

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7

Lightweight Third Party Authentication (LTPA)

LTPA_PROPAGATION

For LTPA, the value type local name is LTPA. If we enter LTPA for the local name, specify the http://www.ibm.com/websphere/appserver/tokentype/5.0.2 URI value in the Value type URI field as well. For LTPA token propagation, the value type local name is LTPA_PROPAGATION. If we enter LTPA_PROPAGATION for the local name, specify the http://www.ibm.com/websphere/appserver/tokentype URI value in the Value type URI field as well. For the other predefined value types (User name token, X509 certificate token, X509 certificates in a PKIPath, and a list of X509 certificates and CRLs in a PKCS#7), the value for the Value type local name field begins with http://. For example, if we are specifying the user name token for the value type, enter http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken in the Value type local name field and then you do not need to enter a value in the value type URI field.

When you specify a custom value type for custom tokens, we can specify the local name and the URI of the qualified name (QName) of the value type. For example, we might specify Custom for the local name and http://www.ibm.com/custom for the URI.

This field is also available for the generator binding only.






 
