Configure inbound transport

Inbound transports are the listener ports, and the attributes of those ports, that this server opens to receive requests. You can configure a different transport for inbound security than for outbound security. For example, if the application server is the first server that end users reach, its inbound transport might be the more secure one (SSL rather than TCP/IP); for outbound requests to back-end enterprise bean servers, you might relax the transport for performance reasons. Keep in mind that a TCP/IP transport carries requests, and any authentication tokens they contain, across the network unencrypted, so relax it only where that network segment is trusted. This flexibility lets you design a transport infrastructure that meets your needs.

Both Common Secure Interoperability Specification, Version 2 (CSIv2) and Secure Association Service (SAS) have the ability to configure the transport. However, the following differences between the two protocols exist:

There are some other combinations for CSIv2, but this just shows the flexibility of the configuration.

To configure the inbound transport, see the following tasks:

Configure CSIv2 inbound transport

Complete the following steps in the administrative console:

  1. Click Security --> Authentication Protocol --> CSIv2 Inbound Transport and select the type of transport and the SSL settings. As noted previously, the transport type determines which listener ports are opened. If you choose TCP/IP as the transport, the SSL client certificate authentication feature is disabled, because it depends on an SSL listener; inbound requests then arrive unencrypted, so choose TCP/IP only where the network between the clients and this server is trusted.

  2. Click OK.

  3. Click Save to save your changes to the configuration.

  4. Select the SSL settings that correspond to an SSL transport. The choices offered here are the entries defined in the Security --> SSL panel; each entry defines one SSL configuration: keystore and truststore files, file formats, security level, ciphers, cryptographic token selections, and so on.

  5. Click OK.

  6. Click Save to save your changes to the configuration.

  7. Consider reassigning the listener ports you configured. You do this in a different panel, but now is the time to think about it. Most end points are managed at a single location, which is why they do not appear here; managing them in one place helps you avoid port conflicts when you assign them. SSL end points are defined at the server level, in the End Points panel under Additional Properties for that server.

    For example, for an application server, go to Servers --> Application Servers --> server --> End Points, where server is the name of your application server.

    (Network Deployment only) For a node agent, go to System Administration --> Node Agents --> node --> End Points, where node is the name of your node. The end points for the node agent and deployment manager are already fixed, but you might consider reassigning their ports. For the deployment manager, click System Administration --> Deployment Manager --> End Points.

    The following port names are defined in the End Points panels and are used for object request broker (ORB) security:

    • CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS - CSIv2 Client Authentication SSL Port
    • CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS - CSIv2 SSL Port
    • SAS_SSL_SERVERAUTH_LISTENER_ADDRESS - SAS SSL Port
    • ORB_LISTENER_PORT - TCP/IP Port

  8. Click OK.

  9. Click Save to save your changes to the configuration.

  10. (Network Deployment only) Synchronize the configuration with all node agents.

  11. Stop and restart all servers.

For more information about the settings, see the administrative console help topic, CSI transport inbound settings.

Configure SAS inbound transport

Complete the following steps in the administrative console:

  1. Click Security --> Authentication Protocol --> SAS Inbound to select the SSL settings used for inbound requests from SAS clients.

    Remember that the SAS protocol exists to interoperate with previous releases. When you configure the keystore and truststore files in the SSL configuration, they need the right contents for interoperating with those releases. For example, a previous release ships with a different truststore file than Version 5. If this server uses the Version 5 keystore file, add the signer of its certificate to the truststore file of the previous release on each client that connects to this server; otherwise those clients cannot validate the server certificate and the SSL handshake fails.

    For more information about the settings, see the administrative console help topic, SAS transport inbound settings.

  2. Click OK.

  3. Click Save to save your changes to the configuration.

  4. (Network Deployment only) Synchronize the configuration with all node agents.

  5. Stop and restart all servers.
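After the servers are back up from either procedure above (CSIv2 inbound transport, SAS inbound transport), a practitioner wants to confirm from the network that each ORB port really offers the transport it was configured for, and, for the SAS interoperability point, that a client holding an earlier release's truststore can still validate this server's certificate. The following Python script is an added example, not part of the original page and not IBM or WebSphere Application Server code. The host name, port numbers, the expected states per port, the PEM signer file and the throwaway local listener are all assumptions or constructed for illustration; take the real values from the End Points panel and the SSL configuration the transport uses.

```python
"""Network-side check of the ORB listener ports after the servers restart.
Added example, not IBM code. Host names, port numbers and file names are
constructed placeholders: use the values from the server's End Points panel."""
import socket
import ssl
import threading

# Constructed sample: port name from the End Points panel -> (host, port).
ORB_ENDPOINTS = {
    "CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS": ("appserver.example.com", 9402),
    "CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS": ("appserver.example.com", 9403),
    "SAS_SSL_SERVERAUTH_LISTENER_ADDRESS":   ("appserver.example.com", 9401),
    "ORB_LISTENER_PORT":                     ("appserver.example.com", 9100),
}

# What each port should look like from the network with an SSL transport for
# CSIv2 and SAS. The mutual-auth port may refuse a handshake that offers no
# client certificate; that refusal still proves it is an SSL listener. The
# TCP/IP port is either plain IIOP or not opened at all.
EXPECTED = {
    "CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS": {"tls", "tls-refused"},
    "CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS": {"tls"},
    "SAS_SSL_SERVERAUTH_LISTENER_ADDRESS":   {"tls"},
    "ORB_LISTENER_PORT":                     {"plaintext", "closed"},
}

# OpenSSL reasons meaning the peer answered with something other than a TLS
# record (an ORB's GIOP reply, for instance).
NOT_TLS_REASONS = {"WRONG_VERSION_NUMBER", "UNKNOWN_PROTOCOL", "HTTP_REQUEST"}


def probe(host, port, cafile=None, timeout=3.0):
    """Classify what a listener offers; return (state, detail). state is one of
    closed, plaintext, tls, tls-untrusted, tls-refused, no-response. With cafile
    (PEM signers exported from a client's truststore) the server certificate is
    verified too, so tls-untrusted means that truststore lacks the server's
    signer: the failure a previous-release SAS client would hit."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "closed", str(exc)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # signer check only, no host-name match
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.verify_mode = ssl.CERT_NONE   # transport-only probe, no trust decision
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "tls", tls.version()
    except ssl.SSLEOFError:
        return "plaintext", "peer closed without sending a TLS record"
    except ssl.SSLCertVerificationError as exc:
        return "tls-untrusted", exc.verify_message
    except ssl.SSLError as exc:
        if exc.reason in NOT_TLS_REASONS:
            return "plaintext", exc.reason
        return "tls-refused", exc.reason  # speaks TLS but rejected this client
    except socket.timeout:
        return "no-response", "handshake timed out"
    except ConnectionResetError:
        return "plaintext", "connection reset during handshake"
    finally:
        raw.close()


def check_endpoints(endpoints=ORB_ENDPOINTS, expected=EXPECTED, cafile=None):
    """Probe every end point; return {name: (state, detail, matches_expected)}."""
    results = {}
    for name, (host, port) in endpoints.items():
        state, detail = probe(host, port, cafile=cafile)
        results[name] = (state, detail, state in expected.get(name, set()))
    return results


def start_fake_plaintext_listener():
    """Offline stand-in for an ORB TCP/IP port: a local listener that reads what
    the client sends and answers with a constructed 12-byte GIOP MessageError
    header instead of a TLS record. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)                                  # swallow the ClientHello
        conn.sendall(b"GIOP\x01\x00\x00\x06\x00\x00\x00\x00")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for name, (state, detail, ok) in check_endpoints().items():
        print(f"{'OK ' if ok else 'BAD'} {name}: {state} ({detail})")
```

To exercise the SAS interoperability check, export the signer from the earlier release's client truststore in PEM form (keytool -export -rfc -alias <signer alias> -keystore <client truststore>.jks -file signer.pem) and call check_endpoints(cafile="signer.pem"): the SAS SSL port must come back as tls, not tls-untrusted. A Version 5 server may only offer protocol versions that a current OpenSSL build no longer enables by default; in that case the SSL ports report tls-refused with the OpenSSL reason in the detail field, and lowering ctx.minimum_version on the probe's context is the usual remedy for the probe itself.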