ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/webserv/wsseccfkeyloc.htm

147 lines
10 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Configure a key locator</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h5><a name="wsseccfkeyloc"></a>Configure a key locator</h5>
<p>The purpose of key locators is to find keys or certificates. The method used to find keys or certificates depends upon the key locator implementation. WebSphere Application Server - Express provides the following default implementations:</p>
<ul>
<li>KeyStoreKeyLocator</li>
<li>WSIdKeyStoreMapKeyLocator</li>
<li>CertInRequestKeyLocator</li>
</ul>
<p>Typically, the default implementation that is used for request sending, request receiving, and response receiving is the KeyStoreKeyLocator implementation. The implementation for response sender, however, is usually different because of the need to determine what key to use so that the client understands the response. The server communicates with many clients that might have different keys. Therefore, for the proper response, the response sender typically uses a special key locator implementation. The two key locator implementations that handle this problem for the response sending logic are as follows:</p>
<ul>
<li>WSIdKeyStoreMapKeyLocator</li>
<li>CertInRequestKeyLocator</li>
</ul>
<p>The WSIdKeyStoreMapKeyLocator implementation checks the client credentials to determine which key is mapped and then uses that key for the response. The CertInRequestKeyLocator implementation uses the certificate that signed the received request to encrypt the response.</p>
<p>You can choose which implementation to use for your environment or you can write your own. Custom key locators must implement the com.ibm.wsspi.wssecurity.config.KeyLocator interface. With this implementation, you can locate keys from any data source you choose.</p>
<p>This topic focuses on configuring a key locator. See the following topics for more information:</p>
<ul>
<li><a href="wsseckeyloc.htm">Key locators</a></li>
<li><a href="wsseckeylocdef.htm">Key locator default implementation</a></li>
<li><a href="wssecdevloc.htm">Develop a key locator</a></li>
</ul>
<p>For more information about creating a key store, see <a href="../sec/secjavajsse.htm">Use Java keystore files</a> in the <em>Security</em> topic.</p>
<p>You can configure key locators with the WebSphere Development Studio Client for iSeries or the WebSphere administrative console. See these topics for more information:</p>
<ul>
<li><a href="#astkkey">Configure a key locator in the WebSphere Development Studio Client for iSeries</a></li>
<li><a href="#consoleloc">Configure a key locator in the WebSphere administrative console</a></li>
<li><a href="#locbase">Configure default key locators at the server level in the administrative console</a></li>
</ul>
<p><a name="astkkey"></a><strong>Configure a key locator in the WebSphere Development Studio Client for iSeries</strong></p>
<ol>
<li><p>Open your deployment descriptor file in the WebSphere Development Studio Client for iSeries:</p>
<ul>
<li>For a Web service application, open webservices.xml in the Web Services Editor.</li>
<li>For a Web service client, open webservicesclient.xml in the Web Services Client Editor.</li>
</ul>
<p>For more information, see <a href="astk.htm">Configure your Web services application</a>.</p></li>
<li><p>Click the <strong>Port Binding</strong> tab in the Web Services Client Editor or the <strong>Binding Configurations</strong> tab in the Web Services Editor.</p></li>
<li><p>Expand one of the <strong>Binding Configuration</strong> sections. For example, expand <strong>Security Request Sender Binding Configuration</strong> section.</p></li>
<li><p>Expand the <strong>Key Locators</strong> section.</p></li>
<li><p>Click <strong>Add</strong> to create a new key locator, or click <strong>Edit</strong> to edit an existing one.</p></li>
<li><p>Enter a key locator name. The name entered for the key locator name is used to refer to the key locator from the<strong> Encryption information</strong> and <strong>Signing Information</strong> sections.</p></li>
<li><p>Enter a key locator class.The key locator class is the implementation of the KeyLocator interface. When using default implementations, select a class from the menu.</p></li>
<li><p>Determine whether to click <strong>Use key store</strong>. The default implementations all use key stores. Select this option when you use the default implementations. Specify the following information:</p>
<ol type="a">
<li><p>Enter a <strong>key store storepass</strong>. The key store storepass is the password to access the key store.</p></li>
<li><p>Enter a <strong>key store path</strong>. The key store path is the location on the file system where the key store resides. Make sure that the location can be found wherever you deploy the application.</p></li>
<li><p>Enter a <strong>key store type</strong>.The valid types to enter are <tt>JKS</tt> and <tt>JCEKS</tt>. JKS is used when you are not using Java Cryptography Extensions (JCE). JCEKS is used when you are using JCE. Although the JCEKS type is more secure, it may decrease performance.</p></li>
<li>Click <strong>Add</strong> to create an entry for a Key in the key store. Specify the following information:
<ol type="i">
<li>Enter a <strong>key alias</strong>. The key alias is a reference to this particular key from the<strong> Signing Information</strong> section.</li>
<li>Enter a <strong>keypass</strong>. The keypass is the password that is associated with the certificate when it is created.</li>
<li>Enter a <strong>key name</strong>. The key name refers to the alias of the certificate as found in the key store.</li>
</ol></li>
</ol><p></p></li>
<li><p>Click <strong>Add</strong> to create a custom property. The property can be used by custom implementations of KeyLocator. For example, you can use properties with the WSIdKeyStoreMapKeyLocator default implementation. The KeyLocator has the following property names:</p>
<ul>
<li><strong>id_</strong>, which maps to a credential user ID</li>
<li><strong>mappedName_</strong>, which maps to the key alias to use for this user name</li>
<li><strong>default</strong>, which maps to a Key alias to use when a credential does not have an associated id_ entry</li>
</ul>
<p>A typical set of properties for this key locator could be <tt>id_1=user1, mappedName_1=key1, id_2=user2, mappedName_2=key2, default=key3</tt>. If user1 or user2 authenticates, then the associated key1 or key2 is used, respectively. However, if none of the user properties authenticate or the user is not user1 or user2, then key3 is used.</p>
<ol>
<li>Enter a <strong>Name</strong>.The name entered is the property name.</li>
<li>Enter a <strong>Value</strong>. This value entered is the property value.</li>
</ol></li>
<li><p>Save the file.</p></li>
<li><p>Repeat the process until you have configured the necessary key locators for your applications.</p></li>
</ol>
<p><a name="consoleloc"></a><strong>Configure a key locator in the WebSphere administrative console</strong></p>
<p>You can configure binding information in the administrative console, but for extensions, you must use the WebSphere Development Studio Client for iSeries.</p>
<p>Perform the following steps in the administrative console to configure a key locator for a specific application:</p>
<ol>
<li><p>Click <strong>Applications --&gt; Enterprise Applications --&gt; <em>application_name</em></strong>, where <em>application_name</em> is the name of your application. Under <strong>Related Items</strong>, click <strong>Web Modules</strong>.</p></li>
<li><p>Click the name of the module you are securing.</p></li>
<li><p>Under <strong>Additional Properties</strong>, click either <strong>Web Services: Client
Security Bindings</strong> or <strong>Web Services: Server Security Bindings</strong> depending on whether you are adding the key locator to the client security bindings or the server security bindings.</p>
<p>If you do not see any entries, return to the WebSphere Development Studio Client for iSeries and configure the security extensions.</p></li>
<li><p>Complete either of the following steps:</p>
<ul>
<li>If you are editing your client security bindings, click <strong>Edit</strong> for either the <strong>Request Sender Binding</strong> or <strong>Response Receiver Binding</strong>.</li>
<li>If you are editing your server security bindings, click <strong>Edit</strong> for either the <strong>Request Receiver Binding</strong> or <strong>Response Sender Binding</strong>.</li>
</ul><p></p></li>
<li><p>Click <strong>Key Locators</strong>. The same information that was used to configure a key locator with the WebSphere Development Studio Client for iSeries applies at this point in the steps. See step 5 in <a href="#astkkey">Configure a key locator in the WebSphere Development Studio Client for iSeries</a>.</p></li>
</ol>
<p><a name="locbase"></a><strong>Configure default key locators at the server level in the administrative console</strong></p>
<p>A key locator typically locates a key store in the file system. The location of key stores can vary from machine to machine so it is often helpful to configure a default key locator for a specific machine and reference it from within the encryption or signing information. This information is found within the binding configurations of any application installed on that machine. This suggestion enables you to define a single key locator for all applications that need to use the same keys.</p>
<p>Perform the following steps in the WebSphere administrative console to configure default key locators at the server level:</p>
<ol>
<li><p>Click <strong>Servers --&gt; Application Servers --&gt; <em>server_name</em></strong>, where <em>server_name</em> is the name of your application server.</p></li>
<li><p>Under <strong>Additional Properties</strong>, click <strong>Web Services: Default bindings for Web Services Security</strong>.</p></li>
<li><p>Click <strong>Key Locators</strong>. The same information that was used to configure a key locator using the WebSphere Development Studio Client for iSeries applies at this point in the steps. See step 5 in <a href="#astkkey">Configure a key locator in the WebSphere Development Studio Client for iSeries</a>.</p></li>
</ol>
</body>
</html>