You can configure binding information and key locators
using the WebSphere® Application Server administrative
console.
About this task
Important: There is an important distinction
between Version 5.x and Version 6 and later applications. This
information applies only to Version 5.x applications that are
used with WebSphere Application Server Version 6.0.x and
later. It does not apply to Version 6.0.x and
later applications.
This task provides instructions on how
to configure key locators using the WebSphere Application
Server administrative console. You can configure binding information
in the administrative console. You must use an assembly tool to configure
extensions. The following steps are used to configure a key locator
in the administrative console for a specific application:
Procedure
- Open the administrative console.
[AIX Solaris HP-UX Linux Windows] Type http://localhost:port_number/ibm/console in
your web browser unless you have changed the port number.
Type http://server_name:port_number/ibm/console in
your web browser unless you have changed the port number.
- Click .
- Under Related Items, click either Web Modules or EJB
Modules, depending on the type of module you are securing.
- Click the name of the module you are securing.
- Under Additional Properties, click either Web
services: Client security bindings or Web services:
Server security bindings, depending on whether you are
adding the key locator to the client security bindings or to the server
security bindings. If you do not see any entries, return to the assembly
tool and configure the security extensions.
- Edit the Request Sender Binding, Response Receiver Binding,
Request Receiver Binding, or Response Sender Binding.
- If you are editing your client security bindings, click Edit for
either the Request Sender Binding or the Response Receiver Binding.
- If you are editing your server security bindings, click Edit for
either the Request Receiver Binding or the Response Sender Binding.
- Click Key Locators.
- Click New to configure a new key
locator, select the box next to a key locator name and click Delete to
delete a key locator, or click the name of a key locator to edit its
configuration.
If you are configuring a new key locator
or editing an existing one, complete the following steps:
- Specify a name for the key locator in the Key
Locator Name field.
- Specify a name for the key locator class implementation
in the Key Locator Classname field.
WebSphere Application Server has the following
default key locator class implementations:
- com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator
- This class is used by the response sender to map an authenticated
identity to a key. If encryption is used, this class is used to locate
a key to encrypt the response message. The
com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator class
has the capability to map an authenticated identity from the invocation
credential of the current thread to a key that is used to encrypt
the message. If an authenticated identity is present on the current
thread, the class maps the ID to the mapped name. For example, user1
is mapped to mappedName_1. Otherwise, name="default".
When a matching key is not found, the authenticated identity is mapped
to the default key specified in the binding file.
- com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator
- This class is used by the response receiver, the request sender,
and the request receiver to map a name to an alias. Encryption uses
this class to obtain a key to encrypt a message and digital signature
uses this class to obtain a key to sign a message. The
com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator class
maps a logical name to a key alias in the key store file. For example,
key #105115176771 maps to CN=Alice, O=IBM, C=US.
- Specify the password used to access the key store
in the Key Store Password field.
This field is optional; leave it blank if the key locator does not use a key store.
- Specify the path name used to access the key store in
the Key Store Path field.
This field is optional; leave it blank if the key locator does not use a key store.
Use ${USER_INSTALL_ROOT} in the path because this variable
expands to the WebSphere Application Server installation path on your
machine.
- Select a keystore type from the Key Store
Type field.
This field is optional; leave it blank if
the key locator does not use a key store. Use the JKS option
if you are not using the Java™ Cryptography
Extensions (JCE) policy and use JCEKS if you
are using the JCE policy.
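The identity-to-key mapping described for the WSIdKeyStoreMapKeyLocator class (user1 maps to mappedName_1, any other identity falls back to the default key) and the JKS-versus-JCEKS distinction above, shown as an added stand-alone example. This is not WebSphere code and does not implement the product's key locator interface; the class name IdentityKeyLocatorDemo, the in-memory keystore, the key aliases and the password are all constructed for the demonstration.

```java
import java.security.Key;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.KeyGenerator;

/** Hypothetical locator: resolves an authenticated identity to a keystore alias. */
public class IdentityKeyLocatorDemo {
    private final KeyStore keyStore;
    private final char[] keyPassword;
    private final String defaultAlias;
    private final Map<String, String> identityToAlias = new HashMap<>();

    IdentityKeyLocatorDemo(KeyStore keyStore, char[] keyPassword, String defaultAlias) {
        this.keyStore = keyStore;
        this.keyPassword = keyPassword;
        this.defaultAlias = defaultAlias;
    }

    /** Equivalent of a binding entry such as user1 -> mappedName_1. */
    void map(String identity, String alias) { identityToAlias.put(identity, alias); }

    /** Mapped name for the identity on the current thread; "default" when unmapped or absent. */
    String mappedName(String authenticatedIdentity) {
        if (authenticatedIdentity == null) return defaultAlias;
        return identityToAlias.getOrDefault(authenticatedIdentity, defaultAlias);
    }

    /** Fetch the key for the mapped alias; fail closed if the alias holds no key. */
    Key locate(String authenticatedIdentity) throws Exception {
        String alias = mappedName(authenticatedIdentity);
        Key key = keyStore.getKey(alias, keyPassword);
        if (key == null) throw new IllegalStateException("no key under alias " + alias);
        return key;
    }

    public static void main(String[] args) throws Exception {
        // Constructed in-memory keystore. JCEKS is used because, unlike JKS,
        // it can hold secret (symmetric) keys, which is what encryption needs here.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        char[] pw = "constructed-password".toCharArray();
        ks.setKeyEntry("mappedName_1", kg.generateKey(), pw, null);
        ks.setKeyEntry("default", kg.generateKey(), pw, null);

        IdentityKeyLocatorDemo locator = new IdentityKeyLocatorDemo(ks, pw, "default");
        locator.map("user1", "mappedName_1");
        System.out.println("user1 -> " + locator.mappedName("user1"));   // mapped identity
        System.out.println("user2 -> " + locator.mappedName("user2"));   // unmapped, uses default
        System.out.println("null  -> " + locator.mappedName(null));      // no identity, uses default
        System.out.println("located " + locator.locate("user1").getAlgorithm() + " key for user1");
    }
}
```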