Scenario 5: Interoperability with WAS Version 4.x

The purpose of this scenario is to show how secure interoperability can occur between different releases simultaneously while using multiple authentication protocols (Security Authentication Service (SAS) and Common Secure Interoperability V2 (CSIv2)). For a WebSphere Application Server V5.x or later server to communicate with a WAS V4 server, the V5.x or later server must support either SAS or SAS and CSIv2 as the protocol choice. By choosing SAS and CSIv2, the V5.x or later server also can communicate with other V5.x or later servers that support CSI. If the only servers in your security domain are V5.x or later, it is recommended that you choose CSI as the protocol because this prevents the SAS interceptors from loading. However, if a chance exists that any server has to communicate with a previous release of WebSphere Application Server, select the protocol choice of SAS and CSIv2.

 

Configuring the S1 server

The S1 server requires message layer authentication with an SSL transport. The protocol for the S1 server must be SAS and CSIv2. Configuration for incoming requests for the S1 server is not relevant for this scenario. To configure the S1 server for outgoing connections:

  1. Disable identity assertion.

  2. Enable user ID and password authentication.

  3. Enable SSL.

  4. Disable SSL client certificate authentication.

  5. Set authentication protocol to SAS and CSIv2 in the global security settings.

 

Configuring the S2 server

All previous releases of WAS support the SAS authentication protocol only. No special configuration steps are needed other than enabling global security on the server (S2).

 

Configuring the S3 server

In the administrative console, the S3 server is configured for incoming requests to support message layer authentication and to accept SSL connections. Configuration for outgoing requests and connections is not relevant for this scenario.

  1. Enable identity assertion.

  2. Disable user ID and password authentication.

  3. Enable SSL.

  4. Disable SSL client authentication.

  5. Set authentication protocol to either CSI or SAS and CSIv2.
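
The protocol choices for S1, S2 and S3 can be checked for a common authentication protocol before the global security settings are changed. The following Python sketch is an added example, not IBM code: the inventory format, the function names and the S1-to-S2 and S1-to-S3 request flows are assumptions made for illustration.

```python
# Added example. Inventory format, names and flows are assumptions.

# Protocols each global security choice lets a V5.x or later server speak.
CHOICES = {
    "SAS": {"SAS"},
    "CSI": {"CSIv2"},
    "SAS and CSIv2": {"SAS", "CSIv2"},
}

def speaks(server):
    """Protocols a server can use; releases before V5 support SAS only."""
    if server["major"] < 5:
        return {"SAS"}
    return CHOICES[server["protocol"]]

def recommend(domain):
    """CSI if every server is V5.x or later, otherwise SAS and CSIv2."""
    if all(s["major"] >= 5 for s in domain):
        return "CSI"
    return "SAS and CSIv2"

def audit(domain, flows):
    """Return the (client, server) flows that share no authentication protocol."""
    by_name = {s["name"]: s for s in domain}
    return [(c, s) for c, s in flows
            if not speaks(by_name[c]) & speaks(by_name[s])]

# Constructed inventory mirroring the scenario: S2 is the Version 4.x server.
SCENARIO = [
    {"name": "S1", "major": 5, "protocol": "SAS and CSIv2"},
    {"name": "S2", "major": 4, "protocol": None},
    {"name": "S3", "major": 5, "protocol": "CSI"},
]
FLOWS = [("S1", "S2"), ("S1", "S3")]  # assumed request directions

if __name__ == "__main__":
    print("recommended choice:", recommend(SCENARIO))
    print("broken flows:", audit(SCENARIO, FLOWS))
    # Misconfiguration: S1 restricted to CSI can no longer reach S2.
    bad = [dict(s, protocol="CSI") if s["name"] == "S1" else s for s in SCENARIO]
    print("broken flows with S1 on CSI:", audit(bad, FLOWS))
```

The recommendation applies to any server that may have to reach a previous release; S3 can stay on CSI here because it only receives requests from S1.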


 

See Also


Scenario 1: Basic authentication and identity assertion
Scenario 2: Basic authentication, identity assertion, and client certificates
Scenario 3: Client certificate authentication and RunAs system
Scenario 4: TCP/IP transport using a virtual private network