Configure trust anchors

This document describes how to create and configure trust anchors (trust stores) at the application level. It does not cover how to create and configure trust anchors at the server level. Trust anchors defined at the application level take precedence over trust anchors defined at the server level.

For more conceptual information, see Default bindings. For more conceptual information on trust anchors, see Trust anchors.

A trust anchor specifies a key store that contains the root-trusted certificates used to validate the signer certificate of a digital signature. The request receiver (as defined in the ibm-webservices-bnd.xmi file) and the response receiver (as defined in the ibm-webservicesclient-bnd.xmi file, when the Web service is acting as a client) use these key stores to validate the signer certificate. The key stores are critical to the integrity of digital signature validation: if one is tampered with, for example by adding a root certificate that the attacker controls, every signature verification that relies on it is compromised and its result cannot be trusted. Therefore, secure these key stores by restricting who can write to them and protecting the password that opens them. The binding configuration specified for the request receiver in the ibm-webservices-bnd.xmi file must match the binding configuration for the response receiver in the ibm-webservicesclient-bnd.xmi file.

You can create an application-level trust anchor and configure it using the WebSphere Development Studio Client for iSeries or the WebSphere administrative console. This topic describes both approaches.

The following steps assume that you have already created a Web services-enabled application that implements the JSR 109 specification for the Java 2 Platform, Enterprise Edition (J2EE).

Configure a trust anchor with WebSphere Development Studio Client for iSeries

Perform the following steps to configure the client-side response receiver:

  1. Open the webservicesclient.xml file in the Web Services Client Editor of the WebSphere Development Studio Client for iSeries. For more information, see Configure your Web services application.

  2. Click the Port Binding tab.

  3. Expand the Port Qualified Name Binding section and either select an existing entry or add a new port binding. Click Add to add a new port binding.

  4. Expand the Trust Anchor section and click Add. Specify a trust anchor name that is unique within the binding (the name is used to reference the trust anchor), and the key store password, path, and key store type.

    The configuration is validated at run time, when the binding information is loaded as the application starts.

  5. Save the file.

Next, perform the following steps to configure the server-side request receiver:

  1. Open the webservices.xml file with the Web Services Editor of the WebSphere Development Studio Client for iSeries. For more information, see Configure your Web services application.

  2. Click the Bindings tab.

  3. In the Web Service Description Bindings section, either select an existing entry or click Add and add a new Web services descriptor.

  4. Click the Binding Configurations tab.

  5. In the Trust Anchor section, click Add and specify a trust anchor name that is unique within the binding (the name is used to reference the trust anchor), and the key store password, path, and key store type.

    The configuration is validated at run time, when the binding information is loaded as the application starts.

  6. Save the file.

  7. Configure the server for request digital signature verification.

  8. (Optional) If the Web service is also acting as a client, complete the configuration process for the client-side response receiver. For more information, see Configure the Web services client for response digital signature verification.

Configure a trust anchor with the administrative console

The following steps assume that a Web services-enabled enterprise application has already been deployed to WebSphere Application Server - Express.

Perform the following steps in the WebSphere administrative console to configure the client-side response receiver and the server-side request receiver:

  1. Click Applications --> Enterprise Applications --> enterprise_application, where enterprise_application is the name of your Web services application.

  2. In the Related Links section, click Web Modules, and then click the Web services module.

  3. (Optional) If the Web service is also acting as a client, edit the response receiver binding information:

    1. Click Web Services: Client Security Bindings.
    2. Under Response Receiver Binding, click Edit.
    3. Under Additional Properties, click Trust Anchors.
    4. Click New to create a new trust anchor, and enter the following information:
      • Enter a name in the Trust anchor name field that is unique within the response receiver binding. The name is used to reference the trust anchor that is defined.
      • Enter the key store password, path, and key store type.

    The configuration is validated at run time, when the binding information is loaded as the application starts.

  4. Edit the request receiver binding information:
    1. Return to the main page for your Web services module.
    2. Click Web Services: Server Security Bindings.
    3. Under Request Receiver Binding, click Edit.
    4. Under Additional Properties, click Trust Anchors.
    5. Click New to create a new trust anchor, and enter the following information:
      • Enter a name in the Trust anchor name field that is unique within the request receiver binding. The name is used to reference the trust anchor that is defined.
      • Enter the key store password, path, and key store type.

    The configuration is validated at run time, when the binding information is loaded as the application starts.

  5. Save the configuration.
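Both procedures above end up writing the same thing: a trust anchor entry in the binding file (ibm-webservices-bnd.xmi for the request receiver, ibm-webservicesclient-bnd.xmi for the response receiver) that the server reads when the application starts, and that entry is only as trustworthy as the key store file it points to. The following Python script is an added example, not IBM code, of the pre-deployment check a practitioner would run on such a file: it parses the trust anchor entries, resolves the key store path, and flags a missing or group/other-writable key store file (the tampering risk the overview warns about), a clear-text store password, an unsupported key store type, and duplicate anchor names. The element and attribute names in the embedded sample (trustAnchors, keyStore, name, path, type, storepass), the ${USER_INSTALL_ROOT} variable and the {xor} password encoding are assumed from how WebSphere tooling writes these files; compare them with a binding file generated by your own tooling before relying on the script. The sample binding and the stand-in key store file are constructed for the example.

```python
"""Pre-deployment check for application-level trust anchors.

Added example, not IBM code. The element/attribute names below are
assumed from the files the WebSphere tooling generates; verify them
against your own ibm-webservices-bnd.xmi before use.
"""
import base64
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed, simplified request receiver binding with one trust anchor
# (namespace declarations and xmi:id attributes omitted).
SAMPLE_BND = """<WSBinding>
  <wsdescBindings wsDescNameLink="HelloService">
    <pcBindings pcNameLink="HelloPort">
      <securityRequestReceiverBindingConfig>
        <trustAnchors name="serverTrustAnchor">
          <keyStore storepass="{xor}LDo8LTor"
                    path="${USER_INSTALL_ROOT}/etc/ws-security/dsig-receiver.ks"
                    type="JKS"/>
        </trustAnchors>
      </securityRequestReceiverBindingConfig>
    </pcBindings>
  </wsdescBindings>
</WSBinding>
"""

SUPPORTED_TYPES = {"JKS", "JCEKS", "PKCS12"}


def decode_xor(value):
    """Undo WebSphere's {xor} encoding: base64 of each byte XOR '_'.
    This is reversible obfuscation, not encryption."""
    if not value.startswith("{xor}"):
        return value
    raw = base64.b64decode(value[len("{xor}"):])
    return bytes(b ^ ord("_") for b in raw).decode("utf-8")


def expand_vars(path, variables):
    """Resolve ${NAME} placeholders from a dict of server variables
    (assumption: only simple ${NAME} references occur in the path)."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: variables.get(m.group(1), m.group(0)), path)


def find_trust_anchors(xml_text):
    """Return every trust anchor in the binding file as a dict, whether it
    sits in a request receiver or a response receiver configuration."""
    anchors = []
    for ta in ET.fromstring(xml_text).iter("trustAnchors"):
        ks = ta.find("keyStore")
        get = (lambda a: ks.get(a, "")) if ks is not None else (lambda a: "")
        anchors.append({"name": ta.get("name", ""), "path": get("path"),
                        "type": get("type"), "storepass": get("storepass")})
    return anchors


def check_trust_anchor(anchor, variables):
    """Return a list of findings; an empty list means the anchor passed."""
    findings = []
    if not anchor["name"]:
        findings.append("trust anchor has no name to reference it by")
    if anchor["type"] not in SUPPORTED_TYPES:
        findings.append("unsupported key store type %r" % anchor["type"])
    if not anchor["storepass"].startswith("{xor}"):
        findings.append("storepass is stored in clear text")
    path = expand_vars(anchor["path"], variables)
    if "${" in path:
        findings.append("unresolved variable in path %s" % path)
    elif not os.path.isfile(path):
        findings.append("key store file not found: %s" % path)
    else:
        # The page's core warning: a trust store anyone can modify makes
        # every signature verification that relies on it unreliable.
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("key store %s is writable by group or others"
                            % path)
    return findings


def check_binding(xml_text, variables):
    """Map each anchor name to its findings, flagging duplicate names."""
    report, seen = {}, set()
    for anchor in find_trust_anchors(xml_text):
        findings = check_trust_anchor(anchor, variables)
        if anchor["name"] in seen:
            findings.append("duplicate trust anchor name")
        seen.add(anchor["name"])
        report[anchor["name"]] = findings
    return report


def demo(mode=0o600):
    """Run the check against SAMPLE_BND with a throw-away stand-in key store
    file created with the given permissions (its contents are not parsed)."""
    with tempfile.TemporaryDirectory() as root:
        ks_path = os.path.join(root, "etc", "ws-security", "dsig-receiver.ks")
        os.makedirs(os.path.dirname(ks_path))
        with open(ks_path, "wb") as f:
            f.write(b"placeholder, not a real JKS file")
        os.chmod(ks_path, mode)
        return check_binding(SAMPLE_BND, {"USER_INSTALL_ROOT": root})


if __name__ == "__main__":
    for name, findings in demo(0o666).items():
        print(name, "->", findings or "OK")
```

The {xor} decoder is there to make one caveat concrete: because the encoding is trivially reversible, the binding file that carries the store password needs the same write and read protection as the key store itself, and the password should not be treated as protected merely because it is not in clear text. The script checks file-level properties only; opening the key store with keytool to confirm it holds nothing but the intended root certificates is a separate, manual step.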