ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/webserv/wsseccftrustanc.htm

2024-04-02 14:02:31 +00:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Configure trust anchors</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h5><a name="wsseccftrustanc"></a>Configure trust anchors</h5>
<p>This document describes how to create and configure trust anchors (trust stores) at the application level. It does not describe how to create and configure trust anchors at the server level. Trust anchors defined at the application level take precedence over trust anchors defined at the server level.</p>
<p>For more conceptual information, see <a href="wssecoverbind.htm">Default bindings</a>. For more conceptual information on trust anchors, see <a href="wssectrustanc.htm">Trust anchors</a>.</p>
<p>A trust anchor specifies key stores that contain root-trusted certificates, which are used to validate the signer certificate. These key stores are used by the request receiver (as defined in the ibm-webservices-bnd.xmi file) and by the response receiver (as defined in the ibm-webservicesclient-bnd.xmi file, when the Web service is acting as a client) to validate the signer certificate of a digital signature. The key stores are critical to the integrity of digital signature validation: if they are tampered with, the result of the verification is doubtful and compromised, because whoever can add a root certificate to the store can make any signature verify. Therefore, it is recommended that you secure these key stores, including restricting file system access to them, and protect the key store password. The binding configuration specified for the request receiver in the ibm-webservices-bnd.xmi file must match the binding configuration for the response receiver in the ibm-webservicesclient-bnd.xmi file.</p>
<p>You can create an application-level trust anchor and configure it using the WebSphere Development Studio Client for iSeries or the WebSphere administrative console. This topic describes both approaches.</p>
<p>The following steps assume that you have already created a Web services-enabled application that implements the Java 2 Platform, Enterprise Edition (J2EE) with the JSR 109 specification.</p>
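<p>The following Java program is an added example; it is not part of this Information Center topic and is not WebSphere Application Server code. It loads a trust anchor key store with the same password, path and type that the binding records, and then uses the JDK's PKIX certificate path validator to check a signer certificate chain against the store's trusted certificate entries, which is the check the request receiver and response receiver perform on the signer of a digital signature. It also shows the two failure modes the paragraph above warns about: a key store that was tampered with or replaced (the load fails), and a signer whose chain does not end at a trusted root (validation fails). The file names trust-anchor.jks and signer-chain.pem, the password changeit and the class name TrustAnchorCheck are hypothetical; substitute the values you entered in the binding.</p>

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Stand-alone check of a trust anchor key store (added example, not WebSphere code).
 * Loads the store the way the receiver binding does and validates a signer
 * certificate chain against its trusted certificate entries using the JDK PKIX APIs.
 */
public class TrustAnchorCheck {

    /** Loads the JKS or JCEKS trust anchor with the password configured in the binding. */
    static KeyStore loadTrustAnchor(String path, char[] storePass, String storeType) throws Exception {
        KeyStore ks = KeyStore.getInstance(storeType);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        } catch (IOException e) {
            // JKS and JCEKS carry a password-keyed integrity hash: a store that was edited,
            // truncated, or swapped for one saved under another password fails here
            // instead of silently changing which roots are trusted.
            throw new IllegalStateException(
                "trust anchor " + path + " rejected: tampered with or wrong password", e);
        }
        return ks;
    }

    /**
     * Validates a signer chain (PEM bundle, leaf first, then any intermediates)
     * against the trust anchor. Returns the signer certificate on success and
     * throws CertPathValidatorException if the chain does not end at a trusted root,
     * is expired, or has a bad signature anywhere along it.
     */
    static X509Certificate validateSigner(KeyStore trustAnchor, String chainPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain;
        try (InputStream in = new FileInputStream(chainPath)) {
            chain = new ArrayList<>(cf.generateCertificates(in));
        }
        if (chain.isEmpty()) {
            throw new IllegalArgumentException("no certificates found in " + chainPath);
        }
        CertPath certPath = cf.generateCertPath(chain);

        // Every trustedCertEntry in the key store becomes a PKIX trust anchor;
        // the constructor refuses a store that holds no trusted certificates at all.
        PKIXParameters params;
        try {
            params = new PKIXParameters(trustAnchor);
        } catch (InvalidAlgorithmParameterException e) {
            throw new IllegalStateException("trust anchor contains no trusted certificate entries", e);
        }
        // Revocation checking needs CRL/OCSP plumbing that this example does not set up.
        params.setRevocationEnabled(false);

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult result =
            (PKIXCertPathValidatorResult) validator.validate(certPath, params);
        System.out.println("signer accepted; chained to trusted root "
            + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        return (X509Certificate) chain.get(0);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical defaults; pass the path, password, type and chain file as arguments.
        String storePath = args.length > 0 ? args[0] : "trust-anchor.jks";
        char[] storePass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String storeType = args.length > 2 ? args[2] : "JKS";
        String chainPath = args.length > 3 ? args[3] : "signer-chain.pem";

        KeyStore ks = loadTrustAnchor(storePath, storePass, storeType);
        try {
            X509Certificate signer = validateSigner(ks, chainPath);
            System.out.println("signer subject: " + signer.getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // This is the outcome the receiver gets when the signer's root is not in the
            // trust anchor: the digital signature must be treated as unverified.
            System.out.println("signer rejected: " + e.getMessage());
        }
    }
}
```

<p>Run it with <code>java TrustAnchorCheck trust-anchor.jks changeit JKS signer-chain.pem</code> on the same host that holds the key store. A store whose contents have been altered, or whose password does not match the one in the binding, stops at the load step; a signer certificate issued under a root that is not in the store is reported as rejected. Revocation checking is disabled here because no CRL or OCSP source is configured; WebSphere's own behaviour on that point is governed by its binding configuration, not by this example.</p>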
<p><strong>Configuring a trust anchor with WebSphere Development Studio Client for iSeries</strong></p>
<p>Perform the following steps to configure the client-side response receiver:</p>
<ol>
<li><p>Open the webservicesclient.xml file in the Web Services Client Editor of the WebSphere Development Studio Client for iSeries. For more information, see <a href="astk.htm">Configure your Web services application</a>.</p></li>
<li><p>Click the <strong>Port Binding</strong> tab.</p></li>
<li><p>Expand the <strong>Port Qualified Name Binding</strong> section and either select an existing entry or add a new port binding. Click <strong>Add</strong> to add a new port binding.</p></li>
<li><p>Expand the <strong>Trust Anchor</strong> section and click <strong>Add</strong>. Specify the following information:</p>
<ul>
<li>Enter a unique name within the port binding for the <strong>Trust anchor name</strong>. The name is used to reference the trust anchor that is defined.</li>
<li>Enter the key store password, path, and key store type. The supported key store types are <strong>JKS</strong> and <strong>JCEKS</strong>.</li>
</ul>
<p>When you start the application, the configuration is validated at run time, when the binding information is loaded.</p></li>
<li><p>Save the file.</p></li>
</ol>
<p>Next, perform the following steps to configure the server-side request receiver:</p>
<ol>
<li><p>Open the webservices.xml file with the Web Services Editor of the WebSphere Development Studio Client for iSeries. For more information, see <a href="astk.htm">Configure your Web services application</a>.</p></li>
<li><p>Click the <strong>Bindings</strong> tab.</p></li>
<li><p>In the <strong>Web Service Description Bindings</strong> section, either select an existing entry or click <strong>Add</strong> and add a new Web services descriptor.</p></li>
<li><p>Click the <strong>Binding Configurations</strong> tab.</p></li>
<li><p>In the <strong>Trust Anchor</strong> section, click <strong>Add</strong> and enter the following information:</p>
<ul>
<li>Enter a unique name within the binding for the <strong>Trust anchor name</strong>. This unique name is used to reference the trust anchor that is defined.</li>
<li>Enter the key store password, path, and key store type. The supported key store types are <strong>JKS</strong> and <strong>JCEKS</strong>.</li>
</ul>
<p>When you start the application, the configuration is validated at run time, when the binding information is loaded.</p></li>
<li><p>Save the file.</p></li>
<li><p><a href="wsseccfsignsvreq.htm">Configure the server for request digital signature verification</a>.</p></li>
<li><p>(Optional) If the Web service is also acting as a client, complete the configuration process for the client-side response receiver. For more information, see <a href="wsseccfsignclres.htm">Configure the Web services client for response digital signature verification</a>.</p></li>
</ol>
<p><strong>Configure a trust anchor with the administrative console</strong></p>
<p>The following steps assume that a Web services-enabled enterprise application has been deployed to WebSphere Application Server - Express.</p>
<p>Perform the following steps in the WebSphere administrative console to configure the client-side response receiver and the server-side request receiver:</p>
<ol>
<li><p>Click <strong>Applications --&gt; Enterprise Applications --&gt; <em>enterprise_application</em></strong>, where <em>enterprise_application</em> is the name of your Web services application.</p></li>
<li><p>In the Related Links section, click <strong>Web Modules</strong>, and then click the Web services module.</p></li>
<li><p>(Optional) If the Web service is also acting as a client, edit the response receiver binding information:</p>
<ol type="a">
<li>Click <strong>Web Services: Client Security Bindings</strong>.</li>
<li>Under <strong>Response Receiver Binding</strong>, click <strong>Edit</strong>.</li>
<li>Under <strong>Additional Properties</strong>, click <strong>Trust Anchors</strong>.</li>
<li>Click <strong>New</strong> to create a new trust anchor, and enter the following information:
<ul>
<li>Enter a unique name within the response receiver binding for the <strong>Trust anchor name</strong> field. The name is used to reference the trust anchor that is defined.</li>
<li>Enter the key store password, path, and key store type.</li>
</ul></li>
</ol>
<p>When you start the application, the configuration is validated at run time, when the binding information is loaded.</p></li>
<li>Edit the request receiver binding information:
<ol type="a">
<li>Return to the main page for your Web services module.</li>
<li>Click <strong>Web Services: Server Security Bindings</strong>.</li>
<li>Under <strong>Request Receiver Binding</strong>, click <strong>Edit</strong>.</li>
<li>Under <strong>Additional Properties</strong>, click <strong>Trust Anchors</strong>.</li>
<li>Click <strong>New</strong> to create a new trust anchor, and enter the following information:
<ul>
<li>Enter a unique name within the request receiver binding for the <strong>Trust anchor name</strong> field. The name is used to reference the trust anchor that is defined.</li>
<li>Enter the key store password, path, and key store type.</li>
</ul></li>
</ol>
<p>When you start the application, the configuration is validated at run time, when the binding information is loaded.</p></li>
<li><p>Save the configuration.</p></li>
</ol>
</body>
</html>