Using a Custom Keystore for the Liberty Token Profile
If you are using the Liberty Token Profile to secure your application, you must perform the configuration steps in this topic to avoid any failures at runtime.
To use a custom keystore for the Liberty token profile:
1. In the Services window, stop the application server if it is running.
2. Export the certificate for the amserver alias by doing the following:
   a. Navigate to the application-server-installation-directory\domains\domain1\config directory.
      If you did not accept the defaults for the Access Manager configuration during the installation of the IDE, navigate instead to the flat file directory you specified during the manual configuration.
   b. In that directory, locate the keystore.jks file.
   c. Export the certificate for the amserver alias with the following keytool command:
      keytool -export -keystore keystore.jks -alias amserver -rfc -file server.cer
      This command saves the X.509 certificate in a file called server.cer.
   - The password for the keystore.jks file stored in the amflatfiledir is secret.
3. Export the certificate for the custom key alias that the web service client will use to sign the SOAP messages, by doing the following:
   a. Navigate to the directory where the custom keystore is located.
   b. Export the certificate for the custom key alias with the following keytool command:
      keytool -export -keystore customkeystore.jks -alias key-alias -rfc -file client.cer
      This command saves the X.509 certificate in a file called client.cer.
      You will use the same key-alias as the value of the com.sun.identity.liberty.ws.wsc.certalias property in Step 6.
4. Import the certificates by doing the following:
   a. Import the server.cer file that you created in Step 2 into the custom keystore with the following keytool command:
      keytool -import -keystore customkeystore.jks -alias amdisco -file server.cer
      A web service provider that uses the custom keystore uses this imported certificate to trust the Access Manager Liberty discovery service.
   b. Import the client.cer file that you created in Step 3 into the Access Manager keystore with the following keytool command:
      keytool -import -keystore keystore.jks -alias custom-alias -file client.cer
      See Step 2 for the location of the Access Manager keystore file.
      The discovery service uses this imported certificate to generate a token for the web service client.
   - The password for the keystore.jks file stored in the amflatfiledir is secret.
5. Navigate to the application-server-installation-directory\addons\amserver directory and open the AMConfig.properties file.
6. Find the following line:
   com.sun.identity.liberty.ws.wsc.certalias=amclient
   and change it to:
   com.sun.identity.liberty.ws.wsc.certalias=alias-of-the-private-key-in-the-custom-keystore
   where alias-of-the-private-key-in-the-custom-keystore is the same key-alias you used in Step 3.
   The web service client uses this certificate to sign the SOAP messages under the Liberty X.509/SAML profiles.
7. Find the following line:
   com.sun.identity.liberty.ws.trustedca.certaliases=amserver:host-name
   and change it to:
   com.sun.identity.liberty.ws.trustedca.certaliases=amdisco:host-name
   - amdisco is the alias you used to import the certificate in Step 4.
   - If you did not change the default installation values, host-name in the line above is localhost.
8. Save your changes and close the AMConfig.properties file.
9. In the Services window, restart the application server.
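Steps 6 and 7 are plain edits to AMConfig.properties. The following Python script, added here as an example and not part of this topic or of Access Manager, applies both edits to the file contents while keeping every other line and the existing host-name; it assumes the one-line key=value layout shown above and the amdisco alias from Step 4, and the sample file contents are constructed.

```python
"""Added example (not part of this topic or of Access Manager): apply the
property edits of steps 6 and 7 to the text of AMConfig.properties."""
import re

WSC_KEY = "com.sun.identity.liberty.ws.wsc.certalias"
TRUSTED_KEY = "com.sun.identity.liberty.ws.trustedca.certaliases"

def get_property(text, key):
    """Return the value of the first uncommented `key=value` line, or None."""
    pat = re.compile(r"^\s*" + re.escape(key) + r"\s*[=:]\s*(.*?)\s*$")
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            return m.group(1)
    return None

def set_property(text, key, value):
    """Rewrite the first uncommented `key=...` line in place and leave every
    other line (comments included) untouched. Raise KeyError if the key is
    absent, so a wrong file or a typo never leaves the default alias behind.
    Assumes one-line key=value entries (no backslash continuation lines)."""
    pat = re.compile(r"^\s*" + re.escape(key) + r"\s*[=:]")
    out, found = [], False
    for line in text.splitlines():
        if not found and pat.match(line):
            out.append(f"{key}={value}")
            found = True
        else:
            out.append(line)
    if not found:
        raise KeyError(key)
    return "\n".join(out) + "\n"

def configure_custom_keystore(text, key_alias, disco_alias="amdisco"):
    """Step 6: point the WSC signing alias at the private key in the custom
    keystore. Step 7: point the trusted CA alias at the imported discovery
    service certificate, keeping whatever host-name the file already has."""
    current = get_property(text, TRUSTED_KEY)
    if current is None:
        raise KeyError(TRUSTED_KEY)
    host_name = current.partition(":")[2] or "localhost"
    text = set_property(text, WSC_KEY, key_alias)
    return set_property(text, TRUSTED_KEY, f"{disco_alias}:{host_name}")

# Constructed sample of the two lines as shipped by default, plus a comment.
SAMPLE_AMCONFIG = """# Liberty web services settings (constructed sample)
com.sun.identity.liberty.ws.wsc.certalias=amclient
com.sun.identity.liberty.ws.trustedca.certaliases=amserver:localhost
"""
```

Read the real file, pass its text to configure_custom_keystore with the key-alias from Step 3, and write the result back before restarting the server.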
See Also
- Configuring Security Mechanism Profiles for Sun Java System Access Manager Instances
- Configuring Support for the Liberty SAML Token Profile
- Edit security-mechanism Profile dialog box
- Enabling the Liberty Security Mechanism for Web Service Clients
- Enabling the Liberty Security Mechanism for Web Service Providers