Configure inbound transports
Inbound transports refer to the types of listener ports and their attributes that are opened to receive requests for this server. Both CSIv2 and SAS have the ability to configure the transport.
However, the following differences between the two protocols exist:
- CSIv2 is much more flexible than SAS, which requires SSL; CSIv2 does not require SSL.
- SAS does not support SSL client certificate authentication, while CSIv2 does.
- CSIv2 can require SSL connections, while SAS only supports SSL connections.
- SAS always has two listener ports open: TCP/IP and SSL.
- CSIv2 can have as few as one listener port and as many as three listener ports. You can open one port for just TCP/IP or when SSL is required. You can open two ports when SSL is supported, and open three ports when SSL and SSL client certificate authentication is supported.
- Click...Security | Global security | Authentication Protocol | CSIv2 inbound transport
By selecting the type of transport, as noted previously, you choose which listener ports you want to open. In addition, you disable the SSL client certificate authentication feature if you choose TCP/IP as the transport.
- Select the SSL settings that correspond to an SSL transport. These SSL settings are defined in the Security > SSL panel and define the SSL configuration including the key ring, security level, ciphers, and so on.
- Consider fixing the listener ports that you configured.
You complete this action in a different panel, but think about this action now. Most end points are managed at a single location, which is why they do not display in the Inbound transport panels. Managing end points at a single location helps you decrease the number of conflicts in your configuration when you assign the endpoints. The location for SSL end points is at each server. The following port names are defined in the End points panel and are used for Object Request Broker (ORB) security:
CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS CSIv2 Client Authentication SSL Port CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS CSIv2 SSL Port SAS_SSL_SERVERAUTH_LISTENER_ADDRESS SAS SSL Port ORB_LISTENER_PORT TCP/IP Port
For an application server, click...Servers | Application servers | servername | Ports
For a node agent, go to...System administration | Node agents | node | Ports
The Ports panel for the node agent and deployment manager already are fixed, but you might consider reassigning the ports. For the deployment manager, click...System Administration | Deployment manager | Ports
The Object Request Broker (ORB) on WAS uses a listener port for Remote Method Invocation over RMI/IIOP communications, which is generally not specified and selected dynamically during run time. If you are working with a firewall, specify a static port for the ORB listener and open that port on the firewall so that communication can pass through the specified port. The endPoint property for setting the ORB listener port is: ORB_LISTENER_ADDRESS.
In the WAS Network Deployment environment, the ORB_LISTENER_ADDRESS end point is specified on the node agent. The location service daemon resides on the node agent and piggybacks onto the ORB listener port, which results in needing the port fixed. Also, add the ORB_LISTENER_ADDRESS to the other application servers to set their ORB listener port. Each ORB has a distinct listener port. In WAS Network Deployment, specify a different listener port. For example, you might specify the following ports:
- Node agent: ORB_LISTENER_ADDRESS=9000
- Server1: ORB_LISTENER_ADDRESS=9811
- Server2: ORB_LISTENER_ADDRESS=9812
In WAS V5.1 and later, federated servers can run without the node agent running. When ORB_LISTENER_ADDRESS is set to a value of zero (0) or greater, the server does not depend on the location service daemon to redirect connections to the server. When you set ORB_LISTENER_ADDRESS, all object references in the namespace specify the connection to the server, not the location service daemon. When the server is running without the node agent, all applications must be accessed through the name server that runs on the application server. The client must change the Java Naming Directory Interface (JNDI) reference to use the host and port of the application server.
ORB_LISTENER_ADDRESS value = 0 The server starts on any available port and does not use the location service daemon. value > 0 The server starts on the port that is specified by the value you enter. The location service daemon is not used.
Note: Work load management might not work without the node agent running.
Complete the following steps using the administrative console to specify the ORB_LISTENER_ADDRESS port or ports.
In the WAS Network Deployment environment, complete the following steps for the node agent and the deployment manager.
- Click...Servers | Application Servers | servername Ports | New
- Select ORB_LISTENER_ADDRESS from the Port name field in the Configuration panel.
- Enter the IP address, the fully qualified DNS host name, or the DNS host name by itself in the Host field. For example, if the host name is myhost, the fully qualified DNS name can be myhost.myco.com and the IP address can be 220.127.116.11.
- Enter the port number in the Port field. The port number specifies the port for which the service is configured to accept client requests. The port value is used with the host name. Using the previous example, the port number might be 9000.
- Click...Security | Global security | Authentication protocol | CSIv2 inbound transport
..and select the SSL settings used for inbound requests from CSIv2 clients.
Remember that the CSIv2 protocol is used to interoperate with previous releases. When configuring the keystore and truststore files in the SSL configuration, these files need the right information for interoperating with previous releases of WAS. For example, a previous release has a different truststore file than the V6 release. If you use the V6 keystore file, add the signer to the truststore file of the previous release for those clients connecting to this server.
The inbound transport configuration is complete. With this configuration, one can configure a different transport for inbound security versus outbound security. For example, if the application server is the first server that is used by users, the security configuration might be more secure. When requests go to back-end enterprise bean servers, you might lessen the security for performance reasons when you go outbound. With this flexibility one can design the right transport infrastructure to meet your needs.
What to do next
When you finish configuring security, perform the following steps to save, synchronize, and restart the servers:
- Click Save in the administrative console to save any modifications to the configuration.
- Synchronize the configuration with all node agents.
- Stop and restart all servers, when synchronized.
CSIv2 transport inbound settings
Secure Authentication Service inbound transport settings