
Interoperate with a C++ common object request broker architecture client

WebSphere Application Server supports security in the CORBA C++ client for access to protected enterprise beans. If configured, C++ CORBA clients can access protected enterprise bean methods using a client certificate to achieve mutual authentication with WAS applications.

(Dist) We can achieve interoperability of the Security Authentication Service between the C++ Common Object Request Broker Architecture (CORBA) client and WAS using the Common Secure Interoperability v2 (CSIv2) authentication protocol over Remote Method Invocation over the Internet Inter-ORB Protocol (RMI-IIOP). The CSIv2 security service protocol has authentication, attribute and transport layers. Of the three, transport-layer authentication is conceptually the simplest, yet when it is cryptographically based it is also the strongest. WAS implements the transport authentication layer so that secure C++ CORBA clients can use it effectively to work with protected enterprise bean resources.

(ZOS) Interoperability can be achieved between C++ CORBA clients and WAS using either CSIv2 or the z/OS Secure Authentication Service (z/SAS) protocol. Use CSIv2 unless interoperability with WAS Version 4 is required.

Important: z/SAS is supported only between v6.0.x and previous version servers that have been federated in a v6.1 cell.

(ZOS) See Global security settings.

Security authentication from a non-Java-based C++ client to enterprise beans is configured as described below.

To support the C++ CORBA client in accessing protected enterprise beans, complete the following steps:

(Dist)

Tasks

  1. Obtain a valid certificate to represent the client and export its public key to the target enterprise bean server.

    A valid certificate is needed to represent the C++ client. Request a certificate from the certificate authority (CA) or create a self-signed certificate for testing purposes.

    Use the Key Management Utility from the Global Security Kit (GSKit) to extract the public key from the personal certificate and save it in the .arm format.

  2. Prepare a truststore file for WAS.

    Add the client public key, extracted into the .arm file in the previous step, to the server truststore file. The server can now authenticate the client.

    This is done by invoking the Key Management Utility through ikeyman.bat or ikeyman.sh from the WAS installation.

  3. Configure WAS to support SSL as the authentication mechanism.

    1. Start the administrative console.
    2. Locate the application server that has the target enterprise bean deployed and configure it to use SSL client certificate authentication.

      If it is a base installation:

      1. Click Security > Global security. Under RMI/IIOP security, click CSIv2 inbound communications. Select Supported for the Basic authentication and Client certificate authentication options. Leave the rest of the options as defaults.

      2. Click OK.

      3. Click Security > Global security. Under RMI/IIOP security, click CSIv2 inbound communications and verify that the SSL-supported option is selected under Transport.

      If it is a WAS ND setting, complete the following steps:

      1. Click Servers > Application Servers > server_where_the_EJB_resides.

      2. Under Security, click Server security.

      3. Select the RMI/IIOP security for this server overrides cell settings option.

      4. Under Additional properties, click CSIv2 inbound communications.

      5. Select Supported for the Basic authentication and Client certificate authentication options. Leave the rest of the options as defaults.

      6. Click Servers > Application Servers > server_where_the_EJB_resides.

      7. Under Security, click Server security.

      8. Under Additional properties, click CSIv2 inbound communications.

      9. Verify that the SSL-Supported option is selected.

      For details, see Configure CSIv2 inbound communications and Configure inbound transports.

    3. Restart the application server.

      WAS is now ready to accept a C++ CORBA security client, with client and server mutually authenticated using SSL in the transport layer.

  4. Configure the C++ CORBA client to use a certificate in performing the mutual authentication.

    Client users are accustomed to using property files in their applications because they are helpful in specifying configuration settings. The following list presents important C++ security settings:

    C++ security setting                                        Description
    com.ibm.CORBA.bootstrapHostName=ricebella.austin.ibm.com    Specifies the target host name.
    com.ibm.CORBA.securityEnabled=yes                           Enables security.
    com.ibm.CSI.performTLClientAuthenticationSupported=yes      Ensures that the client supports mutual authentication by certificate.
    com.ibm.ssl.keyFile=C:/ricebella/etc/DummyKeyRingFile.KDB   Specifies which key database file to use.
    com.ibm.ssl.keyPassword=WebAS                               Specifies the password for opening the key database file. WAS supports a utility called PasswordEncode4cpp to encode the plain password.
    com.ibm.CORBA.translationEnabled=1                          Enables valueType conversion.

    To use property files when running a C++ client, the WASPROPS environment variable indicates where a property file, or a list of property files, is located.

    For the complete set of C++ client properties, see the sample property file scclient.props, which is shipped with the product located in the app_server_root/profiles/profile/etc directory.
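    The following Python script is an added example, not code from the page or shipped with WAS. It reads a C++ client property file of the form shown in the table and reports settings that would leave certificate-based mutual authentication off, point at a missing key database, or leave the key database password in clear text. Two points it relies on are assumptions rather than documented facts: that WASPROPS may list several files separated by the platform path separator, and that a password encoded with PasswordEncode4cpp begins with a '{' marker; the two embedded property files are constructed samples.

```python
"""Check a WebSphere C++ CORBA client property file for the mutual-authentication
settings listed in step 4.

Added example, not code from WAS or from the original page. Assumptions:
WASPROPS may hold several paths separated by os.pathsep, and an encoded
com.ibm.ssl.keyPassword begins with '{' (PasswordEncode4cpp's real output
format is not stated on the page).
"""
import os

# Settings the step 4 table requires for certificate-based mutual authentication.
REQUIRED = {
    "com.ibm.CORBA.securityEnabled": "yes",
    "com.ibm.CSI.performTLClientAuthenticationSupported": "yes",
}

# Constructed sample: the table's values, but the mutual-authentication flag is
# missing and the key database password is still plain text.
SAMPLE_WEAK = """\
# constructed C++ client property file (weak)
com.ibm.CORBA.bootstrapHostName=ricebella.austin.ibm.com
com.ibm.CORBA.securityEnabled=yes
com.ibm.ssl.keyFile=C:/ricebella/etc/DummyKeyRingFile.KDB
com.ibm.ssl.keyPassword=WebAS
com.ibm.CORBA.translationEnabled=1
"""

# Constructed sample with the gaps closed; the password value is a placeholder
# standing in for PasswordEncode4cpp output (assumed '{'-prefixed format).
SAMPLE_HARDENED = SAMPLE_WEAK.replace(
    "com.ibm.ssl.keyPassword=WebAS",
    "com.ibm.CSI.performTLClientAuthenticationSupported=yes\n"
    "com.ibm.ssl.keyPassword={ENCODED-PLACEHOLDER}",
)


def parse_props(text):
    """Parse key=value lines; blank lines and '#' comment lines are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def load_wasprops(wasprops):
    """Merge every file named in a WASPROPS-style value (later files win)."""
    merged = {}
    for path in wasprops.split(os.pathsep):
        if path:
            with open(path, encoding="utf-8") as fh:
                merged.update(parse_props(fh.read()))
    return merged


def check_client_security(props, key_file_exists=os.path.isfile):
    """Return a list of findings; an empty list means the settings look right.

    key_file_exists is injectable so the check can run where the .KDB is absent.
    """
    findings = []
    for key, expected in REQUIRED.items():
        actual = props.get(key, "")
        if actual.lower() != expected:
            findings.append(f"{key} must be '{expected}' (found '{actual or '<unset>'}')")
    if "com.ibm.CORBA.bootstrapHostName" not in props:
        findings.append("com.ibm.CORBA.bootstrapHostName is not set")
    key_file = props.get("com.ibm.ssl.keyFile")
    if not key_file:
        findings.append("com.ibm.ssl.keyFile is not set; the client has no certificate to present")
    elif not key_file_exists(key_file):
        findings.append(f"com.ibm.ssl.keyFile does not exist: {key_file}")
    password = props.get("com.ibm.ssl.keyPassword", "")
    if password and not password.startswith("{"):
        findings.append("com.ibm.ssl.keyPassword looks like plain text; encode it with PasswordEncode4cpp")
    return findings


if __name__ == "__main__":
    # Run both constructed samples; the key file check is bypassed for the demo.
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        result = check_client_security(parse_props(text), key_file_exists=lambda p: True)
        print(name, result or "OK")
```

    In practice, run `check_client_security(load_wasprops(os.environ["WASPROPS"]))` on the client host so the key database path is checked for real; the weak sample above yields two findings (missing com.ibm.CSI.performTLClientAuthenticationSupported and a plain-text password) and the hardened one none.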

  • Configure CSIv2 inbound communications
  • Configure inbound transports