ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/webserv/wsseckeylocdef.htm

47 lines
3.2 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Key locator default implementation</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h6><a name="wsseckeylocdef"></a>Key locator default implementation</h6>
<p>A key locator is an abstraction of the mechanism that retrieves keys for digital signature and encryption. A key locator is implemented by providing a class that implements the com.ibm.wsspi.wssecurity.config.KeyLocator interface. WebSphere Application Server - Express provides the following key locator implementations:</p>
<ul>
<li>com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator</li>
<li>com.ibm.wsspi.wssecurity.config.CertInRequestKeyLocator</li>
<li>com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator</li>
</ul>
<p><strong>KeyStoreKeyLocator</strong></p>
<p>The KeyStoreKeyLocator retrieves keys from a key store using the java.security.KeyStore class. To retrieve a key, the key locator uses the location, the type of the key store, and a name or label that specifies a particular key. The location and type of key store are provided in the &lt;KeyLocator&gt; element of the Web services security binding file (ws-security.xml, ibm-webservices-bnd.xmi, or ibm-webservicesclient-bnd.xmi).</p>
<p>The name or label of the key to use is determined by the sender or receiver. For example, a request sender that is going to digitally sign a request uses the name of the request receiver to retrieve the public key of the receiver. The KeyStoreKeyLocator is normally used for request sending, request receiving, and response receiving.</p>
<p>Response sending poses a special challenge. A server sends responses to many clients and some of those clients might have multiple keys, which can make it difficult for the server to retrieve the correct key. WebSphere Application Server - Express provides the following key locators to address this situation. These key locators are normally used for response sending.</p>
<ul>
<li><p><strong>CertInRequestKeyLocator</strong>
<br>The CertInRequestKeyLocator uses the certificate that signed the received request to encrypt the response.</p></li>
<li><p><strong>WSIdKeyStoreMapKeyLocator</strong>
<br>The WSIdKeyStoreMapKeyLocator maps the identity of the current thread of execution to a public key name. This public key is then used to encrypt the response. The mapping between the identities and the public key names is specified by properties in the &lt;KeyLocator&gt; element within the Web services security binding file (ws-security.xml or ibm-webservices-bnd.xmi).</p>
<p>Consider the following mapping for an authenticated user ID to a public key, where <tt>id_<em>n</em></tt> represents the authenticated user ID and <tt>mappedName_<em>n</em></tt> represents the public key, and where <em>n</em> has to be matched.</p>
<p>You can also specify a default mapping to map identities for which an explicit mapping is not found. To specify a default, use the default key in the property.</p></li>
</ul>
</body>
</html>