Configure Web Services Transaction support in a secure environment
If we use Web Services Atomic Transaction (WS-AT) or Web Services Business Activity (WS-BA) support when administrative security is enabled, we might have to change the default transaction service configuration. We can disable the transaction coordination authorization setting, create a new web container transport chain, or do both.
We might disable transaction coordination authorization to interoperate with other servers, but we do not want to use the transaction manager in the Common Criteria EAL4 evaluated configuration (the default when administrative security is set). When transaction coordination authorization is disabled, WebSphere Application Server does not automatically reject secure WS-Transactions protocol messages.
(iSeries) We might disable transaction coordination authorization to interoperate with other servers and we do not want to set up security for the transaction manager to support the Common Criteria EAL4 evaluated configuration. When transaction coordination authorization is disabled, WAS does not automatically reject secure WS-Transactions protocol messages.
We might configure a new web container transport chain for use by WS-Transactions in the following situations:
- You want to use an alternative port number for WS-AT or WS-BA protocol messages.
- You want to interoperate with a non-WAS that requires client certificate authentication on the SSL connection used for protocol messages.
The transaction service, by default, selects a suitable web container transport chain from the list of those configured and uses it for protocol messages. We can configure a new transport chain and specify our own settings. For example, we can specify an alternative SSL configuration that requires client certificate authentication, which is then used specifically for WS-Transactions protocol messages.
Tasks
- Optionally, use the following steps to disable transaction coordination authorization.
- In the administrative console, click...
Servers > Server Types > WebSphere application servers > server > [Container Settings] Container Services > Transaction Service.
- Clear the Enable transaction coordination authorization check box.
- Click Apply or OK.
- Save changes to the master configuration.
- Optionally, use the following steps to create a new web container transport chain.
- In the administrative console, click...
Servers > Application servers > server > [Container Settings] Web Container Settings > Web container transport chains.
- Click New to create a new transport chain.
- Type a name for the transport chain.
- From the Transport chain template list, select an appropriate template.
- Click Next to select a new port for the chain.
- Type a name, host, and port number for the port. For a secure chain, the host must match the common name in the certificate used.
- Click Next, confirm the settings, then click Finish.
- Save our changes to the master configuration.
- If necessary, create a new SSL configuration and associate it with the SSL channel associated with the new chain. For more information, see Create a Secure Sockets Layer configuration. We are now ready to configure the transaction service to use the new transport chain.
- Click Servers > Application servers > server > [Container Settings] Container Services > Transaction Service.
- In the External WS-Transaction HTTP(S) URL prefix section, click Select prefix, then select the web container transport chain that we have just created from the list.
If we are using an intermediary, such an HTTP proxy, in front of the application server, click Specify custom prefix, then type the external endpoint URL information for the intermediary node in the field. See Enable WAS to use an intermediary node for web services transactions.
- Click Apply or OK, then save the changes to the master configuration.
- After you save all the configuration changes, restart the server for the changes to take effect.
We configured the system to use WS-AT or WS-BA in a secure environment.
Use the transaction service Create a Secure Sockets Layer configuration Enable WAS to use an intermediary node for web services transactions Example: Configuring IBM HTTP server as an intermediary node for web services transactions Common Criteria (EAL4) support (iSeries)
Common Criteria portal