+

Search Tips   |   Advanced Search

Configure inbound transports

By using this configuration, we can configure a different transport for inbound security versus outbound security.

Inbound transports refer to the types of listener ports and their attributes that are opened to receive requests for this server. Both Common Secure Interoperability Specification, Version 2 (CSIv2) and Secure Authentication Service (SAS) have the ability to configure the transport.

SAS supported only between Version 6.0.x and previous version servers that have been federated in a Version 6.1 cell.

(zos) Inbound transports refer to the types of listener ports and their attributes that are opened to receive requests for this server. Both Common Secure Interoperability Specification, Version 2 (CSIv2) and z/OS Secure Authentication Service (z/SAS) have the ability to configure the transport.

Important: z/SAS is supported only between Version 6.0.x and previous version servers that have been federated in a Version 6.1 cell.

However, the following differences between the two protocols exist:

(zos) CSIv2 and z/SAS support most of the same functions. CSIv2 has the advantage of interoperability with other WebSphere Application Server products and any other platforms that support the CSIv2 protocol.

Complete the following steps to configure the Inbound transport panels in the console:

  1. Click Security > Global security.

  2. Under RMI/IIOP security, click CSIv2 inbound communications.

  3. Under Transport, select SSL-required. We can choose to use either SSL, TCP/IP or both as the inbound transport that a server supports. If we specify TCP/IP, the server only supports TCP/IP and cannot accept SSL connections. If we specify SSL-supported, this server can support either TCP/IP or SSL connections. If we specify SSL-required, then any server that is communicating with this one must use SSL.

  4. Click Apply.

  5. Consider fixing the listener ports configuredd.

    You complete this action in a different panel, but think about this action now. Most endpoints are managed at a single location, which is why they do not display in the Inbound transport panels. Managing end points at a single location helps you decrease the number of conflicts in the configuration when we assign the endpoints. The location for SSL end points is at each server. The following port names are defined in the End points panel and are used for Object Request Broker (ORB) security:

    • CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS - CSIv2 Client Authentication SSL Port

    • CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS - CSIv2 SSL Port

    • SAS_SSL_SERVERAUTH_LISTENER_ADDRESS - SAS SSL Port

    • (zos) ORB_SSL_LISTENER_ADDRESS - SSL Port

    • ORB_LISTENER_PORT - TCP/IP Port

    • (zos) ORB_LISTENER_ADDRESS - IIOP port

    For an application server, click Servers > Application servers > server_name. Under Communications, click Ports. The Ports panel is displayed for the specified server.

    (dist) For a node agent, go to System administration > Node agents > node. Under Additional properties, click Ports. The Ports panel for the node agent and deployment manager already are fixed, but you might consider reassigning the ports. For the deployment manager, click System Administration > dmgr. Under Additional properties, click Ports.

    The Object Request Broker(ORB) on WAS uses a listener port for Remote Method Invocation over the Internet Inter-ORB Protocol (RMI/IIOP) communications, and is statically specified using configuration dialogs or during migration. The ORB_LISTENER_ADDRESS and the BOOTSTRAP_ADDRESS must specify the same port. If we are working with a firewall, specify a static port for the ORB listener and open that port on the firewall so that communication can pass through the specified port. The endPoint property for setting the ORB listener port is: ORB_LISTENER_ADDRESS.

    In the WAS Network Deployment environment, the ORB_LISTENER_ADDRESS end point is specified on the node agent. The location service daemon resides on the node agent and piggybacks onto the ORB listener port, which results in needing the port fixed. Also, add the ORB_LISTENER_ADDRESS to the other application servers to set their ORB listener port. Each ORB has a distinct listener port. In WebSphere Application Server Network Deployment, specify a different listener port. For example, you might specify the following ports:

    • Node agent: ORB_LISTENER_ADDRESS=9000

    • Server1: ORB_LISTENER_ADDRESS=9811

    • Server2: ORB_LISTENER_ADDRESS=9812

    Federated servers can run without the node agent running. When ORB_LISTENER_ADDRESS is set to a value of (0) or greater, the server does not depend on the location service daemon to redirect connections to the server. When you set ORB_LISTENER_ADDRESS, all object references in the namespace specify the connection to the server, not the location service daemon. When the server is running without the node agent, all applications must be accessed through the name server that runs on the application server. The client must change the Java Naming Directory Interface (JNDI) reference to use the host and port of the application server.

    ORB_LISTENER_ADDRESS
    value = 0 The server starts on any available port and does not use the location service daemon.
    value > 0 The server starts on the port specified by the value you enter. The location service daemon is not used.

    Work load management might not work without the node agent running.

    (zos) Complete the following steps using the console to specify the ORB_LISTENER_ADDRESS port or ports.

    Complete the following steps for the node agent and the deployment manager.

    1. Click Servers > Application Servers > server_name. Under Communications, click Ports > New.

    2. Select ORB_LISTENER_ADDRESS from the Port name field in the Configuration panel.

    3. Enter the IP address, the fully qualified Domain Name System (DNS) host name, or the DNS host name by itself in the Host field. For example, if the host name is myhost, the fully qualified DNS name can be myhost.myco.com and the IP address can be 155.123.88.201.

    4. (zos) Enter the IP address or "*" in the Host field. For example the IP address can be 155.123.88.201.

      Important: DNS host names are not supported for the ORB_LISTENER_ADDRESS value.

    5. Enter the port number in the Port field. The port number specifies the port for which the service is configured to accept client requests. The port value is used with the host name. Using the previous example, the port number might be 9000.

  6. Click Security > Global security. Under RMI/IIOP security, click CSIv2 inbound communications. Select the SSL settings used for inbound requests from CSIv2 clients, and then click Apply. The CSIv2 protocol is used to inter-operate with previous releases. When configuring the keystore and truststore files in the SSL configuration, these files need the right information for inter-operating with previous releases of WAS.

  7. (zos) Click Security > Global security. Under RMI/IIOP security, click z/SAS authentication to select the SSL settings used for inbound requests from z/SAS clients.


Results

The inbound transport configuration is complete. With this configuration, we can configure a different transport for inbound security versus outbound security. For example, if the application server is the first server used by users, the security configuration might be more secure. When requests go to back-end enterprise bean servers, you might lessen the security for performance reasons when you go outbound. With this flexibility, we can design the right transport infrastructure to meet the needs.


What to do next

When you finish configuring security, perform the following steps to save, synchronize, and restart the servers:

  1. Click Save in the console to save any modifications to the configuration.

  2. (dist) Synchronize the configuration with all node agents.

  3. Stop and restart all servers, when synchronized.


Subtopics


Related tasks

  • Configure CSIv2 (CSIV2) inbound and outbound communication settings
  • Configure inbound messages
  • Configure outbound messages

  • Ports settings