How Oracle WSM (Oracle Web Service Manager) Locates Keystore And Key Passwords
- A JKS keystore file is protected by a keystore password.
- A keystore file consists of zero or more private keys, and zero or more trusted certificates. Each private key has its own password (although it is common to set the key passwords to be the same as the keystore password). Oracle WSM needs to know both the keystore password and the key password.
- The CSF consists of many maps, each with a distinct name. Oracle WSM only uses the map
- Inside each map is a mapping from multiple csf-key entries to corresponding credentials. A csf-key is just a simple name, but there can be many different types of credentials. The most common type is a password credential, which consists primarily of a username and a password.
Oracle WSM refers to the following csf-keys inside the
- keystore-csf-key - This key should contain the keystore password. The username is ignored.
- enc-csf-key - This key should contain the encryption key alias as the username, and the corresponding key password.
- sign-csf-key - This key should contain the signature key alias as the username, and the corresponding key password.
oracle.wsm.security map in the credential store, and the Oracle WSM Java keystore.
- keystore.csf.map property points to the Oracle WSM map in the credential store that contains the CSF aliases. In this case keystore.csf.map is defined as the recommended name oracle.wsm.security, but it can be any value.
- keystore.pass.csf.key property points to the CSF alias keystore-csf-key that is mapped to the username and password of the keystore. Only the password is used; username is redundant in the case of the keystore.
- keystore.sig.csf.key property points to the CSF alias sign-csf-key that is mapped to the username and password of the private key that is used for signing.
- keystore.enc.csf.key property points to the CSF alias enc-csf-key that is mapped to the username and password of the private key that is used for decryption.
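
The lookup chain described above (property, then CSF map, then csf-key, then credential) can be checked for broken links before deployment. The following Python model is an added example, not Oracle code or an Oracle API; the property and csf-key names are the ones on this page, while the function `resolve`, the aliases and the passwords are constructed for illustration.

```python
# Added illustration: a plain-Python model of the lookup chain, not Oracle's API.
from typing import NamedTuple

class Credential(NamedTuple):
    username: str
    password: str

# Property and csf-key names come from this page; every value is constructed.
PROPS = {
    "keystore.csf.map": "oracle.wsm.security",
    "keystore.pass.csf.key": "keystore-csf-key",
    "keystore.sig.csf.key": "sign-csf-key",
    "keystore.enc.csf.key": "enc-csf-key",
}
CSF = {  # credential store: map name -> csf-key -> password credential
    "oracle.wsm.security": {
        "keystore-csf-key": Credential("ignored", "ks-pass-EXAMPLE"),
        "sign-csf-key": Credential("example-sign-alias", "sign-pass-EXAMPLE"),
        "enc-csf-key": Credential("example-enc-alias", "enc-pass-EXAMPLE"),
    }
}
# Private-key aliases present in the JKS file (constructed).
KEYSTORE_ALIASES = {"example-sign-alias", "example-enc-alias"}

def resolve(props, csf, keystore_aliases):
    """Follow property -> CSF map -> csf-key -> credential; return (resolved, problems)."""
    resolved, problems = {}, []
    map_name = props.get("keystore.csf.map")
    csf_map = csf.get(map_name)
    if csf_map is None:
        return resolved, [f"CSF map {map_name!r} not found in credential store"]
    for role, prop in (("keystore", "keystore.pass.csf.key"),
                       ("sign", "keystore.sig.csf.key"),
                       ("enc", "keystore.enc.csf.key")):
        csf_key = props.get(prop)
        cred = csf_map.get(csf_key)
        if cred is None:
            problems.append(f"{prop} -> {csf_key!r}: no such csf-key in {map_name!r}")
            continue
        if not cred.password:
            problems.append(f"{csf_key}: empty password")
        if role == "keystore":
            resolved[role] = {"password": cred.password}  # username is ignored
            continue
        # For sign/enc the username is the key alias; it must exist in the keystore.
        if cred.username not in keystore_aliases:
            problems.append(f"{csf_key}: alias {cred.username!r} not in keystore")
        resolved[role] = {"alias": cred.username, "password": cred.password}
    return resolved, problems
```

Calling `resolve(PROPS, CSF, KEYSTORE_ALIASES)` returns an empty problem list for the constructed data; log only the `problems` list, never the resolved passwords.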