Example 3: Set client certificate authentication and RunAs system


This example presents a pure Java client, C, accessing a secure enterprise bean on S1.

C authenticates to S1 using SSL client certificates. S1 maps the common name (CN) of the distinguished name (DN) in the certificate to a user in the local registry; in this case, the user is bob. The enterprise bean code on S1 then accesses another enterprise bean on S2.

Because the RunAs mode is system, the invocation credential for any outbound requests from S1 is set to the server identity, server1.


  1. Set client C for transport layer authentication (SSL client certificates).

    1. Point the client to sas.client.props.

      Use the com.ibm.CORBA.ConfigURL=file:/C:/was/properties/sas.client.props property. All further configuration involves setting properties within this file.

    2. Enable SSL.

      In this case, SSL is supported but not required:
      com.ibm.CSI.performTransportAssocSSLTLSSupported=true
      com.ibm.CSI.performTransportAssocSSLTLSRequired=false

    3. Disable client authentication at the message layer.

      com.ibm.CSI.performClientAuthenticationRequired=false
      com.ibm.CSI.performClientAuthenticationSupported=false

    4. Enable client authentication at the transport layer.

      It is supported, but not required:
      com.ibm.CSI.performTLClientAuthenticationRequired=false
      com.ibm.CSI.performTLClientAuthenticationSupported=true

  2. Set the S1 server. In the admin console, S1 is configured for incoming connections to support SSL with client certificate authentication. The S1 server is configured for outgoing requests to support message layer client authentication.

    1. Set S1 for incoming connections.

      1. Disable identity assertion.

      2. Disable user ID and password authentication.

      3. Enable SSL.

      4. Enable SSL client certificate authentication.

    2. Set S1 for outgoing connections.

      1. Disable identity assertion.

      2. Disable user ID and password authentication.

      3. Enable SSL.

      4. Enable SSL client certificate authentication.

  3. Set the S2 server.

    In the admin console, the S2 server is configured for incoming requests to support message layer authentication over SSL. Configuration for outgoing requests is not relevant for this scenario.

    1. Disable identity assertion.

    2. Enable user ID and password authentication.

    3. Enable SSL.

    4. Disable SSL client authentication.
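The following is the sas.client.props file that step 1 produces, collected in one place. It is an added example, not a file shipped with the product: the property names and values are exactly those listed in step 1, the file path is the one given there, and the comments are editorial.

```properties
# sas.client.props for client C (Example 3).
# The client JVM is pointed at this file with the system property
#   com.ibm.CORBA.ConfigURL=file:/C:/was/properties/sas.client.props

# Transport layer: SSL is supported but not required.
com.ibm.CSI.performTransportAssocSSLTLSSupported=true
com.ibm.CSI.performTransportAssocSSLTLSRequired=false

# Message layer client authentication (user ID and password) is off:
# C does not send a message-layer credential to S1.
com.ibm.CSI.performClientAuthenticationRequired=false
com.ibm.CSI.performClientAuthenticationSupported=false

# Transport layer client authentication (SSL client certificate):
# supported but not required. The certificate C presents is the one in the
# client's SSL key store, which is configured separately in this same file.
com.ibm.CSI.performTLClientAuthenticationRequired=false
com.ibm.CSI.performTLClientAuthenticationSupported=true
```

Two points worth checking when using this file. First, every setting on the client side is "supported" rather than "required", so the client will accept whatever S1 offers; the decision to insist on SSL and on a client certificate is therefore made by the S1 inbound configuration in step 2, not by this file. Second, with message layer authentication disabled, the only identity C can establish at S1 is the one S1 derives from the certificate's CN, so the user bob exists at S1 only if that certificate is presented and accepted.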


Related tasks


Set CSIV2 inbound and outbound communication settings


Related


Example 1: Set basic authentication and identity assertion
Example 2: Set basic authentication, identity assertion, and client certificates
Example 4: Set TCP/IP transport using a virtual private network