Keystores

J2EE agents work with Access Manager to protect resources. However, for security purposes, these two pieces of software can only interact with each other after the J2EE agent authenticates with Access Manager by supplying an agent profile name and password. The agent profiles we are using (wscWSC, LibertyBearerToken, etc.) are configured to use the following keystores, by default:

• The Access Manager Policy Agent 2.2 for Application Server 9.0 / Web Services uses the client keystore shipped with the Java EE SDK, amclientkeystore.jks, as its default client keystore. It is located in javaee.home/addons/accessmanager for installations of Java Application Platform SDK (when Download or Download with JDK is selected), and in javaee.home/addons/amserver for installations of Java Application Platform SDK or Java EE 5 SDK Update 1 (when Download with Tools is selected), and NetBeans Enterprise Pack 5.5

• The single WAR instance of Access Manager uses the server keystore shipped with the Java EE SDK, keystore.jks, for its default keystore. It is located in javaee.home/domains/domain_name/config/amflatfiledir/amserver for installations of Java Application Platform SDK (all downloads), Java EE 5 SDK Update 1 (only when Download with Tools is selected), and NetBeans Enterprise Pack 5.5.

You can configure for a custom keystore, though. The following procedure describes the necessary steps.

For more information on agent profiles, see Agents in Sun Java System Access Manager 7 2005Q4 Administration Guide in the Sun Java System Access Manager 7 2005Q4 Administration Guide

During the installation of the J2EE agent, you must provide a valid agent profile name and the respective password to enable authentication attempts to succeed.

To Configure for a Custom Keystore

1. Export the certificate for the alias amserver using the following command:

   keytool -list -keystore keystore_file -alias amserver -rfc

2. Store the exported X509 certificate, using the RFC format, in a file named server.txt.

3. Export the certificate from your custom keystore using the following command:

   keytool -list -keystore custom_keystore_file -alias key alias -rfc

   key alias is the alias of the private key used by the WSC to sign SOAP messages.

4. Store the exported X509 certificate, using the RFC format, in a file named client.txt.

5. Import the stored amserver certificate into the agent's custom keystore file using the following command:

   keytool -import -keystore custom_keystore_file -alias custom_alias -file server.txt

6. Import the stored custom keystore's certificate into the Access Manager keystore file using the following command:

   keytool -import -keystore custom_keystore_file -alias custom_alias -file client.txt

7. Generate a Discovery Service token for the WSC that will use the custom keystore with the following command:

   keytool -import -keystore custom_keystore.jks -alias amserver -file server.txt

   This allows the WSP which uses the custom keystore to trust the Access Manager Discovery Service.

8. Edit the following properties in the client's AMConfig.properties:

   • com.sun.identity.liberty.ws.wsc.certalias=alias_of_private_key_in_custom_client_keystore

     This certificate is used by the Liberty X509/SAML profiles for signing the SOAP messages.

   • com.sun.identity.liberty.ws.trustedca.certaliases=alias_of_private_key_in_custom_server_keystore:AM_host_name

   AMConfig.properties is located in javaee.home/domains/domain_name/config when the Java Platform, Enterprise Edition (Java EE) 5 SDK is installed and in javaee.home/addons/amserver when the Java EE 5 Tools Bundle is installed.