Items Stored in the Key Database for WS-Security Documents

Policy Server Guides › Policy Server Configuration Guide › Variables › Web Service Variables › Certificate Authorities and Web Services Variables › Items Stored in the Key Database for WS-Security Documents

Items Stored in the Key Database for WS-Security Documents

The following gets stored in the key database:

An enterprise private key and certificate for signing WS-Security documents and generating X509v3 tokens.
Public key certificates that correspond to the private keys used for signing the WS-Security documents and generating the tokens. These certificates are used to validate the WS-Security documents.

A given Policy Server may sign and/or verify WS-Security documents. Keys and certificates for signing and validation can be added to the same key database, depending on what the Policy Server is doing.

The following table shows which objects you need to add to the smkeydatabase to handle WS-Security signing and validation requirements.

Function	WS-Security Token Type	Required Database Objects
Signing	All	Private key and certificate of Web service host enterprise.
Generating X509 Tokens	X509v3	Private key and certificate of Web service host enterprise.
Signature Validation	SAML Assertion; Sender Vouches	Certificate of issuing Web service consumer application.
	SAML Assertion; Holder-of-key	Certificates of XML request subject and issuing Web service consumer application.
	X.509v3; Username (if signed)	Certificate of trusted issuer.

You add items to the smkeydatabase using the SiteMinder utility named smkeytool. Read about the smkeydatabase and smkeytool before making modifications.