WAS v8.5 > Secure applications > Authenticate users

Configure CSIV2 inbound and outbound communication settings page

WebSphere Application Server enables you to specify Internet Inter-ORB Protocol (IIOP) authentication for both inbound and outbound authentication requests. For inbound requests, we can specify the type of accepted authentication, such as basic authentication. For outbound requests, we can specify properties such as type of authentication, identity assertion or login configurations used for requests to downstream servers. To configure Common Secure Interoperability v2 (CSIV2) and SAS.

SAS is supported only between v6.0.x and previous version servers that have been federated in a v6.1 cell.

1. Determine how to configure security inbound and outbound at each point in your infrastructure.

   For example, you might have a Java client communicating with an EJB application server, which in turn communicates to a downstream EJB application server.

   The Java client utilizes the sas.client.props file to configure outbound security. Pure clients must configure outbound security only.

   The upstream EJB application server configures inbound security to handle the correct type of authentication from the Java client. The upstream EJB application server utilizes the outbound security configuration when going to the downstream EJB application server.

   This type of authentication might be different than what you expect from the Java client into the upstream EJB application server. Security might be tighter between the pure client and the first EJB server, depending on your infrastructure. The downstream EJB server utilizes the inbound security configuration to accept requests from the upstream EJB server. These two servers require similar configuration options as well. If the downstream EJB application server communicates to other downstream servers, the outbound security might require a special configuration.

2. Specify the type of authentication.

   By default, authentication by a user ID and password is performed.

   Both Java client certificate authentication and identity assertion are disabled by default. If you want this type of authentication performed at every tier, use the CSIv2 authentication protocol configuration as is. However, if we have any special requirements where some servers authenticate differently from other servers, consider how to configure CSIv2 to its best advantage.

3. Configure clients and servers.

   Configuring a pure Java client is done through the sas.client.props file, where properties are modified.

   Configuring servers is always done from the dmgr console or scripting, either from the security navigation for cell-level configurations or from the server security of the application server for server-level configurations. If you want some servers to authenticate differently from others, modify some of the server-level configurations. When you modify the server-level configurations, you are overriding the cell-level configurations.

Use CSIV2 inbound communications settings for configuring the type of authentication information contained in an incoming request or transport.

Use CSIV2 outbound communications settings to specify the features that a server supports when acting as a client to another downstream server.

Subtopics

• Configure Common Secure Interoperability v2 inbound communications
  Inbound communications refers to the configuration that determines the type of accepted authentication for inbound requests. This authentication is advertised in the interoperable object reference (IOR) the client retrieves from the name server.
• Configure Common Secure Interoperability v2 outbound communications
  The following choices are available when configuring the Common Secure Interoperability v2 (CSIv2) outbound communications panel.
• Configure inbound transports
  By using this configuration, we can configure a different transport for inbound security versus outbound security.
• Configure outbound transports
  By using this configuration, we can configure a different transport for inbound security versus outbound security.
• Configure inbound messages
  We can use the dmgr console to configure inbound messages for CSIv2.
• Configure outbound messages
  We can use the dmgr console to configure outbound messages for CSIv2.
• Common Secure Interoperability v2 and SAS client configuration
  A secure Java client requires configuration properties to determine how to perform security with a server.
• Example 1: Configuring basic authentication and identity assertion
  This example presents a pure Java client, C, that accesses a secure enterprise bean on server, S1, through user bob. The following steps take you through the configuration of C, S1, and S2.
• Example 2: Configuring basic authentication, identity assertion, and client certificates
  This example is the same as example 1, except for the interaction from client C2 to server S2. Therefore, the configuration of example 1 still is valid, but we have to modify server S2 slightly and add a configuration for client C2. The configuration is not modified for C1 or S1.
• Example 3: Configuring client certificate authentication and RunAs system
  This example presents a pure Java client, C, accessing a secure enterprise bean on S1.
• Example 4: Configuring TCP/IP transport using a virtual private network
  This scenario illustrates the ability to choose TCP/IP as the transport when it is appropriate. In some cases, when two servers are on the same virtual private network (VPN), it can be appropriate to select TCP/IP as the transport for performance reasons because the VPN already encrypts the message.
• Configure Common Secure Interoperability v2 inbound communications
  Inbound communications refers to the configuration that determines the type of accepted authentication for inbound requests. This authentication is advertised in the interoperable object reference (IOR) the client retrieves from the name server.
• Configure Common Secure Interoperability v2 outbound communications
  The following choices are available when configuring the Common Secure Interoperability v2 (CSIv2) outbound communications panel.
• Configure inbound transports
  By using this configuration, we can configure a different transport for inbound security versus outbound security.
• Configure outbound transports
  By using this configuration, we can configure a different transport for inbound security versus outbound security.
• Configure inbound messages
  We can use the dmgr console to configure inbound messages for CSIv2.
• Configure outbound messages
  We can use the dmgr console to configure outbound messages for CSIv2.
• Common Secure Interoperability v2 and SAS client configuration
  A secure Java client requires configuration properties to determine how to perform security with a server.
• Example 1: Configuring basic authentication and identity assertion
  This example presents a pure Java client, C, that accesses a secure enterprise bean on server, S1, through user bob. The following steps take you through the configuration of C, S1, and S2.
• Example 2: Configuring basic authentication, identity assertion, and client certificates
  This example is the same as example 1, except for the interaction from client C2 to server S2. Therefore, the configuration of example 1 still is valid, but we have to modify server S2 slightly and add a configuration for client C2. The configuration is not modified for C1 or S1.
• Example 3: Configuring client certificate authentication and RunAs system
  This example presents a pure Java client, C, accessing a secure enterprise bean on S1.
• Example 4: Configuring TCP/IP transport using a virtual private network
  This scenario illustrates the ability to choose TCP/IP as the transport when it is appropriate. In some cases, when two servers are on the same virtual private network (VPN), it can be appropriate to select TCP/IP as the transport for performance reasons because the VPN already encrypts the message.

Related concepts:

Common Secure Interoperability v2 features

+

Search Tips   |   Advanced Search