<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Key locators</title>
</head>
<BODY>
<h6><a name="wsseckeyloc"></a>Key locators</h6>
<p>A key locator (com.ibm.wsspi.wssecurity.config.KeyLocator) is an abstraction of the mechanism that retrieves the key used for digital signature and encryption. Depending on the implementation, the keys can be retrieved from any of the following infrastructure:</p>
<ul>
<li>Java key store file</li>
<li>Database</li>
<li>LDAP server</li>
</ul>
<p>Key locators search for a key using some type of clue. The following types of clues are allowed:</p>
<ul>
<li>A string label for the key, which is explicitly passed through the application programming interface (API). The relationship between each key and its name (string label) is maintained inside the key locator.</li>
<li>The execution context of the key locator; no explicit information is passed to the key locator. The key locator, by itself, determines the appropriate key according to its execution context.</li>
</ul>
<p>For example, key locators can obtain the identity of the caller from the context and can retrieve the public key of the caller for response encryption.</p>
<p><strong>Note:</strong> Current versions of key locators do not support the retrieval of verification keys because current Web services security implementations do not support secret key-based signatures. Since key locators support public key-based signatures only, the key for verification is embedded in the X.509 certificate carried as a &lt;BinarySecurityToken&gt; element in the incoming message.</p>
<p><strong>Usage scenarios</strong></p>
<p>This topic describes the usage scenarios for key locators.</p>
<p><strong>Signing</strong></p>
<p>The name of the signing key is specified in the Web services security configuration. This value is passed to the key locator and the actual key is returned. The corresponding X.509 certificate can be returned also.</p>
<p><strong>Verification</strong></p>
<p>As described previously, key locators are not used in signature verification.</p>
<p><strong>Encryption</strong></p>
<p>The name of the encryption key is specified in the Web services security configuration. This value is passed to the key locator and the actual key is returned.</p>
<p><strong>Decryption</strong></p>
<p>The Web services security specification recommends using the key identifier instead of the key name. However, while the algorithm for computing the identifier of a public key is defined in Internet Engineering Task Force (IETF) Request for Comments (RFC) 3280, there is no agreed-upon algorithm for secret keys. Therefore, the current implementation of Web services security uses the identifier only when public key-based encryption is performed. Otherwise, the ordinal key name is used.</p>
<p>When you use public key-based encryption, the value of the key identifier is embedded in the incoming encrypted message. The Web services security implementation then searches all the keys managed by the key locator and decrypts the message using the key whose identifier value matches the one in the message.</p>
<p>When you use secret key-based encryption, the value of the key name is embedded in the incoming encrypted message. The Web services security implementation asks the key locator for the key whose name matches the one in the message and decrypts the message using that key.</p>
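<p>The two decryption-time lookups described above, as an added example that is not IBM's code and does not use the WebSphere KeyLocator API: a small in-memory locator keyed by string label, identifier matching across all managed keys for public key-based encryption, and name lookup for secret key-based encryption. The key material, the public-key bytes and the message headers are constructed sample values; the identifier is computed as the SHA-1 of the public-key bytes, as RFC 3280 describes for a subject key identifier.</p>

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LocatorKey:
    name: str                          # string label maintained inside the locator
    material: bytes                    # private or secret key material (constructed)
    public_key: Optional[bytes] = None  # subjectPublicKey bytes, asymmetric keys only


def key_identifier(public_key: bytes) -> bytes:
    """Identifier of a public key: SHA-1 of the subjectPublicKey value (RFC 3280 method)."""
    return hashlib.sha1(public_key).digest()


class KeyLocator:
    """Toy locator: keeps the key-to-name relationship and answers by name (assumed API)."""

    def __init__(self, keys: List[LocatorKey]) -> None:
        self._keys: Dict[str, LocatorKey] = {k.name: k for k in keys}

    def get_key(self, name: str) -> LocatorKey:
        """Clue type 1: the key name is passed explicitly through the API."""
        if name not in self._keys:
            raise LookupError("no key named %r" % name)
        return self._keys[name]

    def all_keys(self) -> List[LocatorKey]:
        return list(self._keys.values())


def select_decryption_key(locator: KeyLocator, message: dict) -> LocatorKey:
    """Pick the decryption key from the constructed header of an incoming message."""
    if "key_identifier" in message:
        # Public key-based encryption: scan every managed key for a matching identifier.
        for k in locator.all_keys():
            if k.public_key is not None and key_identifier(k.public_key) == message["key_identifier"]:
                return k
        raise LookupError("no managed key matches the embedded key identifier")
    if "key_name" in message:
        # Secret key-based encryption: ask the locator for the key by name.
        return locator.get_key(message["key_name"])
    raise ValueError("message carries neither a key identifier nor a key name")


def build_demo():
    """Constructed keys and message headers; no real key material."""
    rsa_pub = b"constructed subjectPublicKey bytes for server-rsa"
    locator = KeyLocator([
        LocatorKey("server-rsa", b"constructed private key", rsa_pub),
        LocatorKey("shared-aes", b"constructed 128-bit secret key"),
    ])
    return locator, {"key_identifier": key_identifier(rsa_pub)}, {"key_name": "shared-aes"}
```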
</body>
</html>