By using this configuration, you can configure a different
transport for inbound security versus outbound security.
Before you begin
Inbound transports refer
to the types of listener ports and their attributes that are opened
to receive requests for this server. Both Common Secure Interoperability
Specification, Version 2 (CSIv2) and z/OS® Secure
Authentication Service (z/SAS) have the ability to configure the transport.
Important: z/SAS is supported only between Version 6.0.x and previous version servers that have been federated in a Version 6.1 cell.
CSIv2 and z/SAS
support most of the same functions. CSIv2 has the advantage of interoperability
with other WebSphere® Application Server products
and any other platforms that support the CSIv2 protocol.
About this task
Complete the following steps to configure the Inbound transport
panels in the administrative console:
Procedure
- Click Security > Global security.
- Under RMI/IIOP security, click CSIv2 inbound communications.
- Under Transport, select SSL-required.
You can choose to use either Secure Sockets Layer (SSL), TCP/IP, or both
as the inbound transport that a server supports. If you specify TCP/IP,
the server only supports TCP/IP and cannot accept SSL connections.
If you specify SSL-supported, this server can support either TCP/IP
or SSL connections. If you specify SSL-required, then any server that
is communicating with this one must use SSL.
- Click Apply.
- Consider fixing the listener ports that you configured to static values.
You complete this action in a different panel, but think
about this action now. Most endpoints are managed at a single location,
which is why they do not display in the Inbound transport panels.
Managing endpoints at a single location helps you decrease the number
of conflicts in your configuration when you assign the endpoints.
The location for SSL endpoints is at each server. The following port
names are defined in the End points panel and are used for Object
Request Broker (ORB) security:
- ORB_SSL_LISTENER_ADDRESS - SSL port
- ORB_LISTENER_ADDRESS - IIOP port
For an application server, click Servers > Application servers > server_name.
Under Communications, click Ports. The Ports panel is displayed
for the specified server.
The Object Request Broker (ORB) on WebSphere Application Server uses a listener
port for Remote Method Invocation over the Internet Inter-ORB Protocol
(RMI/IIOP) communications, and that port is statically specified using configuration
dialogs or during migration. The ORB_LISTENER_ADDRESS and the BOOTSTRAP_ADDRESS
must specify the same port. If you are working with a firewall,
you must specify a static port for the ORB listener and open that
port on the firewall so that communication can pass through the specified port.
The endPoint property for setting the ORB listener port is ORB_LISTENER_ADDRESS.
Complete the following steps by using the administrative
console to specify the ORB_LISTENER_ADDRESS port or ports.
- Click Servers > Application Servers > server_name.
Under Communications, click Ports > New.
- Select ORB_LISTENER_ADDRESS from the Port name field
in the Configuration panel.
- Enter the IP address or "*" in the Host field.
For example, the IP address can be 155.123.88.201.
Important: DNS host names are not supported for the ORB_LISTENER_ADDRESS value.
- Enter the port number in the Port field.
The port number specifies the port on which the service is
configured to accept client requests. The port value is used together with
the host name. Using the previous example, the port number might be 9000.
- Click Security > Global security.
Under RMI/IIOP security, click z/SAS authentication to select
the SSL settings that are used for inbound requests from z/SAS clients.
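The ORB endpoint rules stated above (an IP literal or "*" rather than a DNS name for the host, a static port that a firewall rule can reference, and the same port for ORB_LISTENER_ADDRESS and BOOTSTRAP_ADDRESS) can be checked before a restart. The following is an added example, not part of this documentation or of WebSphere itself; it assumes a constructed endpoint fragment in the shape of the entries the Ports panel writes, and that a port value of 0 means a dynamically assigned port.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the endpoint entries that the Ports panel
# writes (assumption: the real file is larger and namespaced; only these elements matter).
SAMPLE = """<serverEntries serverName="server1">
  <specialEndpoints endPointName="BOOTSTRAP_ADDRESS">
    <endPoint host="155.123.88.201" port="9000"/>
  </specialEndpoints>
  <specialEndpoints endPointName="ORB_LISTENER_ADDRESS">
    <endPoint host="155.123.88.201" port="9000"/>
  </specialEndpoints>
  <specialEndpoints endPointName="ORB_SSL_LISTENER_ADDRESS">
    <endPoint host="*" port="9403"/>
  </specialEndpoints>
</serverEntries>"""

def parse_endpoints(xml_text):
    """Map each endPointName to (host, port) from an endpoint fragment."""
    endpoints = {}
    for sp in ET.fromstring(xml_text).iter("specialEndpoints"):
        ep = sp.find("endPoint")
        if ep is not None:
            endpoints[sp.get("endPointName")] = (ep.get("host"), int(ep.get("port")))
    return endpoints

def host_is_ip_or_wildcard(host):
    """ORB_LISTENER_ADDRESS accepts an IP literal or '*', never a DNS name."""
    if host == "*":
        return True
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_orb_endpoints(endpoints):
    """Return findings; an empty list means the ORB endpoint rules hold."""
    findings = []
    orb = endpoints.get("ORB_LISTENER_ADDRESS")
    if orb is None:
        return ["ORB_LISTENER_ADDRESS is not defined; the ORB port is not static"]
    host, port = orb
    if not host_is_ip_or_wildcard(host):
        findings.append(f"host '{host}' is a DNS name; use an IP address or '*'")
    if port == 0:  # assumption: 0 means a dynamically assigned port, unusable in a firewall rule
        findings.append("port 0 is dynamic; a firewall rule needs a static port")
    boot = endpoints.get("BOOTSTRAP_ADDRESS")
    if boot is not None and boot[1] != port:
        findings.append(f"ORB port {port} differs from BOOTSTRAP_ADDRESS port {boot[1]}")
    return findings
```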
Results
The inbound transport configuration is complete. With this configuration, you can configure
a different transport for inbound security versus outbound security. For example, if the application
server is the first server that users reach, its inbound security configuration might need to be more secure.
When requests go to back-end enterprise bean servers, you might lessen the security for performance
reasons when you go outbound. With this flexibility, you can design the transport
infrastructure that meets your needs.
What to do next
When you finish configuring security, perform the following
steps to save, synchronize, and restart the servers:
- Click Save in the administrative console to save any modifications
to the configuration.
- After the configuration is synchronized, stop and restart all servers.