Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Secure web services > Secure web services > Web Services Security concepts > Web Services Security concepts > Web Services Security provides message integrity, confidentiality, and authentication > High-level architecture for Web Services Security > Default configuration


Default sample configurations for JAX-RPC

Use sample configurations with the admin console for testing purposes. The configurations that you specify are reflected on the cell or server level.

This information describes the sample default bindings, key stores, key locators, collection certificate store, trust anchors, and trusted ID evaluators for WAS using the API for XML-based RPC (JAX-RPC) programming model. We can develop web services using JAX-RPC, or for WAS v7 and later, using JAX-WS. Sample default bindings, key stores, key locators, collection certificate store, trust anchors, and trusted ID evaluator may differ depending on which programming model you use.

IBM WAS supports the JAX-WS programming model and JAX-RPC. JAX-WS is the next generation web services programming model extending the foundation provided by JAX-RPC. Using the strategic JAX-WS programming model, development of web services and clients is simplified through support of a standards-based annotations model. Although JAX-RPC and applications are still supported, take advantage of the easy-to-implement JAX-WS programming model to develop new web services applications and clients. bprac

Do not use these configurations in a production environment as they are for sample and testing purposes only.

To make modifications to these sample configurations, IBM recommends that you use the admin console provided by WAS.

For a Web Services Security-enabled application, correctly configure a deployment descriptor and a binding. In WAS, one set of default bindings is shared by the applications to make application deployment easier. The default binding information for the cell level and the server level can be overridden by the binding information on the application level. The Application Server searches for binding information for an application on the application level before searching the server level, and then the cell level.

The following sample configurations are for WAS using the API for XML-based RPC (JAX-RPC) programming model.


Default generator binding

WAS provides a sample set of default generator bindings. The default generator bindings contain both signing information and encryption information.

The sample signing information configuration is called gen_signinfo and contains the following configurations:

The sample encryption information configuration is called gen_encinfo and contains the following configurations:


Default consumer binding

WAS provides a sample set of default consumer binding. The default consumer binding contain both signing information and encryption information.

The sample signing information configuration is called con_signinfo and contains the following configurations:

The encryption information configuration is called con_encinfo and contains the following configurations:



Sample key store configurations

(Windows) WAS provides the following key stores. We can work with these key stores outside of the Application Server by using the iKeyman utility or the key tool.

WAS provides the following key stores. We can work with these key stores outside of the Application Server by using the iKeyman utility or the key tool.

The following sample key stores are for testing purposes only; do not use these key stores in a production environment:



Sample key locators

Key locators are used to locate the key for digital signature, encryption, and decryption. For information on how to modify these sample key locator configurations, see the following articles:

SampleClientSignerKey

This key locator is used by the request sender for a v5.x application to sign the SOAP message. The signing key name is clientsignerkey, which is referenced in the signing information as the signing key name.

SampleServerSignerKey

This key locator is used by the response sender for a Version 5.x application to sign the SOAP message. The signing key name is serversignerkey, which can be referenced in the signing information as the signing key name.

SampleSenderEncryptionKeyLocator

This key locator is used by the sender for a v5.x application to encrypt the SOAP message. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks key store and the com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator key store key locator. The implementation is configured for the DES secret key.

To use asymmetric encryption (RSA), add the appropriate RSA keys.

SampleReceiverEncryptionKeyLocator

This key locator is used by the receiver for a v5.x application to decrypt the encrypted SOAP message. The implementation is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks key store and the com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator key store key locator. The implementation is configured for symmetric encryption (DES or TRIPLEDES).

To use RSA, add the private key CN=Bob, O=IBM, C=US, alias name bob, and key password keypass.

SampleResponseSenderEncryptionKeyLocator

This key locator is used by the response sender for a Version 5.x application to encrypt the SOAP response message. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks key store and the com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator key store key locator. This key locator maps an authenticated identity (of the current thread) to a public key for encryption. By default, WAS is configured to map to public key alice, and change WAS to the appropriate user. The SampleResponseSenderEncryptionKeyLocator key locator also can set a default key for encryption. By default, this key locator is configured to use public key alice.

SampleGeneratorSignatureKeyStoreKeyLocator

This key locator is used by generator to sign the SOAP message. The signing key name is SOAPRequester, which is referenced in the signing information as the signing key name. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks key store and the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator key store key locator.

SampleConsumerSignatureKeyStoreKeyLocator

This key locator is used by the consumer to verify the digital signature in the SOAP message. The signing key is SOAPProvider, which is referenced in the signing information. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks key store and the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator key store key locator.

SampleGeneratorEncryptionKeyStoreKeyLocator

This key locator is used by the generator to encrypt the SOAP message. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks key store and the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator key store key locator.

SampleConsumerEncryptionKeyStoreKeyLocator

This key locator is used by the consumer to decrypt an encrypted SOAP message. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks key store and the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator key store key locator.

SampleX509TokenKeyLocator

This key locator is used by the consumer to verify a digital certificate in an X.509 certificate. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks key store and the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator key store key locator.


Sample collection certificate store

Collection certificate stores are used to validate the certificate path. For information on how to modify this sample collection certificate store, see the following articles:

SampleCollectionCertStore

This collection certificate store is used by the response consumer and the request generator to validate the signer certificate path.


Sample trust anchors

Trust anchors are used to validate the trust of the signer certificate. For information on how to modify the sample trust anchor configurations, see the following articles:

SampleClientTrustAnchor

This trust anchor is used by the response consumer to validate the signer certificate. This trust anchor is configure to access the ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks key store.

SampleServerTrustAnchor

This trust anchor is used by the request consumer to validate the signer certificate. This trust anchor is configure to access the ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks key store.


Sample trusted ID evaluators

Trusted ID evaluators are used to establish trust before asserting the identity in identity assertion. For information on how to modify the sample trusted ID evaluator configuration, see Configure trusted ID evaluators on the server or cell level.

SampleTrustedIDEvaluator

This trusted ID evaluator uses the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl implementation. The default implementation of com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator contains a list of trusted identities. This list, which is used for identity assertion, defines the key name and value pair for the trusted identity. The key name is in the form trustedId_* and the value is the trusted identity. See the example in Configure trusted ID evaluators on the server or cell level.

Complete the following steps to define this information for the cell level in the admin console:

  1. Click Security > Web services.

  2. Under Additional properties, click Trusted ID evaluators > SampleTrustedIDEvaluator.


Default configuration
Configure the key locator using JAX-RPC for the generator binding on the application level
Configure the key locator using JAX-RPC for the consumer binding on the application level
Configure the key locator using JAX-RPC on the server or cell level
Configure the collection certificate store for the generator binding on the application level
Configure the collection certificate store for the consumer binding on the application level
Configure the collection certificate on the server or cell level
Configure trust anchors for the generator binding on the application level
Configure trust anchors for the consumer binding on the application level
Configure trust anchors on the server or cell level
Configure trusted ID evaluators on the server or cell level

+

Search Tips   |   Advanced Search