WAS v8.5 > Secure applications > Authenticate users > Configure CSIV2 inbound and outbound communication settings

Configure inbound transports

With this configuration, you can use a different transport for inbound security than for outbound security.

Inbound transports refer to the types of listener ports and their attributes that are opened to receive requests for this server. Both Common Secure Interoperability Specification, v2 (CSIv2) and Secure Authentication Service (SAS) have the ability to configure the transport.

SAS is supported only between v6.0.x and previous version servers that have been federated in a v6.1 cell.

However, the following differences between the two protocols exist:

Complete the following steps to configure the Inbound transport panels in the dmgr console:

  1. Click Security > Global security.

  2. Under RMI/IIOP security, click CSIv2 inbound communications.

  3. Under Transport, select SSL-required. The transport setting determines whether the server supports SSL, TCP/IP, or both as its inbound transport. If you specify TCP/IP, the server only supports TCP/IP and cannot accept SSL connections. If you specify SSL-supported, the server can accept either TCP/IP or SSL connections. If you specify SSL-required, any server communicating with this one must use SSL.

  4. Click Apply.
  5. Consider fixing the listener ports that you configured.

    You complete this action in a different panel, but think about this action now. Most endpoints are managed at a single location, which is why they do not display in the Inbound transport panels. Managing endpoints at a single location helps you decrease the number of conflicts in your configuration when you assign the endpoints. The location for SSL endpoints is at each server. The following port names are defined in the End points panel and are used for Object Request Broker (ORB) security:

    • CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS - CSIv2 Client Authentication SSL Port
    • CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS - CSIv2 SSL Port
    • SAS_SSL_SERVERAUTH_LISTENER_ADDRESS - SAS SSL Port
    • ORB_LISTENER_PORT - TCP/IP Port

    For an application server, click Servers > Application servers > server_name. Under Communications, click Ports. The Ports panel is displayed for the specified server.

    The ORB on WebSphere Application Server uses a listener port for Remote Method Invocation over the Internet Inter-ORB Protocol (RMI/IIOP) communications, and is statically specified using configuration dialogs or during migration. If you are working with a firewall, specify a static port for the ORB listener and open that port on the firewall so that communication can pass through the specified port. The endPoint property for setting the ORB listener port is: ORB_LISTENER_ADDRESS.

    Complete the following steps using the dmgr console to specify the ORB_LISTENER_ADDRESS port or ports.

    1. Click Servers > appservers > server_name. Under Communications, click Ports > New.

    2. Select ORB_LISTENER_ADDRESS from the Port name field in the Configuration panel.

    3. Enter the IP address, the fully qualified Domain Name System (DNS) host name, or the DNS host name by itself in the Host field. For example, if the host name is myhost, the fully qualified DNS name can be myhost.myco.com and the IP address can be 155.123.88.201.

    4. Enter the port number in the Port field. The port number specifies the port for which the service is configured to accept client requests. The port value is used with the host name. Using the previous example, the port number might be 9000.

  6. Click Security > Global security. Under RMI/IIOP security, click CSIv2 inbound communications. Select the SSL settings used for inbound requests from CSIv2 clients, and then click Apply. Remember that the CSIv2 protocol is used to interoperate with previous releases. When you configure the keystore and truststore files in the SSL configuration, these files need the right information for interoperating with previous releases of WAS.
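
The following Python script is an added example, not part of the original page or of the product. It checks the advice in step 5 offline: it reads an exported endpoint file, lists the ORB security endpoints that need firewall rules, and flags ports that are not fixed or that collide. The serverindex.xml-style layout (serverEntries / specialEndpoints / endPoint), the treatment of port 0 as "not fixed", the function name audit_orb_ports, and the sample data are assumptions of this example.

```python
import xml.etree.ElementTree as ET
# From the page: the three SSL port names and the ORB_LISTENER_ADDRESS property.
ORB_ENDPOINTS = (
    "CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS",
    "CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS",
    "SAS_SSL_SERVERAUTH_LISTENER_ADDRESS",
    "ORB_LISTENER_ADDRESS",
)

# Constructed sample (trimmed, assumed layout); 9403 is an invented port value.
SAMPLE = """<ServerIndex hostName="myhost.myco.com">
  <serverEntries serverName="server1">
    <specialEndpoints endPointName="ORB_LISTENER_ADDRESS">
      <endPoint host="myhost.myco.com" port="9000"/>
    </specialEndpoints>
    <specialEndpoints endPointName="CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS">
      <endPoint host="myhost.myco.com" port="9403"/>
    </specialEndpoints>
    <specialEndpoints endPointName="CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS">
      <endPoint host="myhost.myco.com" port="0"/>
    </specialEndpoints>
    <specialEndpoints endPointName="SAS_SSL_SERVERAUTH_LISTENER_ADDRESS">
      <endPoint host="myhost.myco.com" port="9403"/>
    </specialEndpoints>
  </serverEntries>
</ServerIndex>"""

def audit_orb_ports(xml_text):
    """Return (allow_list, findings) for the ORB security endpoints of each server."""
    allow, findings = [], []
    for server in ET.fromstring(xml_text).iter("serverEntries"):
        sname, used = server.get("serverName"), {}
        for named in server.iter("specialEndpoints"):
            name, ep = named.get("endPointName"), named.find("endPoint")
            if name not in ORB_ENDPOINTS or ep is None:
                continue
            host, port = ep.get("host"), int(ep.get("port", "0"))
            if port == 0:  # assumption: 0 means no fixed port was assigned
                findings.append((sname, name, "port not fixed"))
            elif (host, port) in used:  # two listeners configured on one host:port
                findings.append((sname, name, "conflicts with " + used[(host, port)]))
            else:
                used[(host, port)] = name
                allow.append((sname, name, host, port))
    return allow, findings

if __name__ == "__main__":
    for row in audit_orb_ports(SAMPLE)[1]:
        print("needs attention:", *row)
```

The allow list returned first gives the host and port pairs to open on the firewall; resolve every finding before relying on it.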


Results

The inbound transport configuration is complete. With this configuration, you can use a different transport for inbound security than for outbound security. For example, if the application server is the first server used by users, the security configuration might be more secure. When requests go outbound to back-end enterprise bean servers, you might lessen the security for performance reasons. With this flexibility, you can design the right transport infrastructure to meet your needs.

When you finish configuring security, perform the following steps to save, synchronize, and restart the servers:

  1. Click Save in the dmgr console to save any modifications to the configuration.
  2. Stop and restart all servers, when synchronized.

