Bus-enabled web services default configuration for accessing a secure bus
By default, the bus-enabled web services component can access a secure service integration bus. This means that your web services clients, if they provide suitable credentials when making requests, can use bus-enabled web services when bus security is enabled. You can modify or override the default configuration, for example by defining an authentication alias that the service integration resource adapter uses to access the bus.
- Access to a bus is configured through the bus connector role. By default, every bus connector role includes a group called server. Members of this group are authorized to connect to the bus.
- The service integration resource adapter uses a J2C activation specification to communicate with the bus. By default, this activation specification has a Boolean custom property useServerSubject that is set to true. This property allows the service integration resource adapter to connect to the bus as a subject (a member) of the server group.
The server group in the bus connector role
This group controls whether a user is authorized to connect to the bus. The server group can be added or removed by using the administrative console:
This group can also be set by using the following wsadmin command scripts:
removeGroupFromBusConnectorRole
The useServerSubject property
This boolean property is found in the custom properties panel of the J2C activation specification associated with the inbound, outbound or gateway service:
This property can also be set by using wsadmin command scripts.
Disabling and overriding the default configuration
To disable the default configuration, set the useServerSubject property to false rather than removing the server group, because the service integration resource adapter is not the only system resource that uses the server subject. If you remove the server group from the bus connector role, then no system resources can use the server subject.
You can also override the default configuration by defining an authentication alias that the service integration resource adapter uses to access the bus. Using an authentication alias does not make your configuration more secure. However, you might want to use an alias for consistency of approach if you have other application servers running under WebSphere® Application Server Version 6.0.x, or to support your internal business controls for use of IDs and passwords.
If you configure an authentication alias, you need not also disable the default configuration. If an authentication alias exists, it overrides the default configuration. However, if you subsequently remove the authentication alias from the activation specification, the default configuration again takes control and (if not disabled) allows the service integration resource adapter to continue to access the bus.
The following table shows whether the service integration resource adapter can connect to the secured bus, depending on the state of the different properties:
Valid authentication alias | useServerSubject | Server group on bus connector role | Resource adapter can connect? |
---|---|---|---|
Yes | No | No | Yes |
No | Yes | Yes | Yes |
No | No | Yes | No |
No | No | No | No |
No | Yes | No | No |
Yes | Yes | Yes | Yes (using the authentication alias) |
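
The following added example (not part of the product documentation and not a wsadmin script) applies the table's precedence to a constructed inventory and flags activation specifications where removing the alias would silently fall back to the server subject. The `ActSpec` record, the function names and the sample data are hypothetical. For the two alias combinations the table does not list, it assumes the stated rule that an existing alias overrides the default configuration.

```python
from collections import namedtuple

# Hypothetical record for one J2C activation specification (not a wsadmin type).
ActSpec = namedtuple("ActSpec", "name bus valid_alias use_server_subject")

def effective_access(valid_alias, use_server_subject, server_group):
    """Return (can_connect, identity) per the table above."""
    if valid_alias:
        # An existing alias overrides the default configuration.
        return True, "authentication alias"
    if use_server_subject and server_group:
        # Default configuration: connect as a member of the server group.
        return True, "server subject"
    return False, None

def audit(specs, connector_roles):
    """connector_roles maps a bus name to the groups in its bus connector role."""
    report = []
    for s in specs:
        server_group = "server" in connector_roles.get(s.bus, ())
        can_connect, identity = effective_access(
            s.valid_alias, s.use_server_subject, server_group)
        # Access that would remain if the alias were later removed.
        after_removal, _ = effective_access(False, s.use_server_subject, server_group)
        report.append({
            "spec": s.name,
            "can_connect": can_connect,
            "identity": identity,
            "latent_default": s.valid_alias and after_removal,
        })
    return report

# Constructed sample inventory.
ROLES = {"busA": {"server", "ops"}, "busB": {"ops"}}
SPECS = [
    ActSpec("inbound_as", "busA", True, True),    # alias hides an enabled default
    ActSpec("outbound_as", "busA", True, False),  # alias only, default disabled
    ActSpec("gateway_as", "busB", False, True),   # server group removed from role
]

if __name__ == "__main__":
    for row in audit(SPECS, ROLES):
        print(row)
```

A `latent_default` of true marks a specification where useServerSubject should be set to false if the alias is meant to be the only route to the bus.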