WebSphere® Application Server enables you to specify Internet Inter-ORB Protocol (IIOP) authentication for both inbound and outbound authentication requests. For inbound requests, you can specify the type of accepted authentication, such as basic authentication. For outbound requests, you can specify properties such as type of authentication, identity assertion, or login configurations that are used for requests to downstream servers.
About this task
Complete the following steps to configure Common Secure Interoperability Version 2 (CSIv2) and Security Authentication Service (SAS).
Important: SAS is supported only between Version 6.0.x and previous version servers that have been federated in a Version 6.1 cell.
Procedure
- Determine how to configure security inbound and outbound at each point in your infrastructure.
For example, you might have a Java™ client communicating with an Enterprise JavaBeans (EJB) application server, which in turn communicates with a downstream EJB application server.
The Java client uses the sas.client.props file to configure outbound security. Pure clients must configure outbound security only.
A CSIv2 Java client uses a configuration file that is specified by the com.ibm.CORBA.ConfigURL Java property to configure outbound security.
The upstream EJB application server configures inbound security to handle the correct type of authentication from the Java client.
The upstream EJB application server uses the outbound security configuration when going to the downstream EJB application server.
This type of authentication might be different from what you expect from the Java client into the upstream EJB application server. Security might be tighter between the pure client and the first EJB server, depending on your infrastructure. The downstream EJB server uses the inbound security configuration to accept requests from the upstream EJB server. The two servers require similar configuration options as well. If the downstream EJB application server communicates with other downstream servers, the outbound security might require a special configuration.
- Specify the type of authentication.
By default, the server supports authentication with a user ID and password, and that is the authentication that is performed.
Both Java client certificate authentication and identity assertion are disabled by default. If you want this type of authentication to be performed at every tier, use the CSIv2 authentication protocol configuration as is. However, if you have any special requirements where some servers authenticate differently from other servers, consider how to configure CSIv2 to its best advantage.
- Configure clients and servers.
Configure a pure Java client by modifying properties in the sas.client.props file.
A pure Java client is configured through a properties file that is specified by the com.ibm.CORBA.ConfigURL Java property.
Servers are always configured from the administrative console or through scripting, either from the security navigation for cell-level configurations or from the server security of the application server for server-level configurations. If you want some servers to authenticate differently from others, modify some of the server-level configurations. When you modify the server-level configurations, you are overriding the cell-level configurations.
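The following added example, which is not part of the product documentation, audits the outbound settings of a pure Java client as described in the procedure above. The property keys are standard sas.client.props names that this page does not list, the sample file content is constructed, and the finding labels and the rule that a missing boolean counts as false are assumptions of the example.

```python
# Added example: audit a pure Java client's outbound settings (sas.client.props).
# SAMPLE is constructed. The keys are standard sas.client.props property names
# that the page itself does not list; the finding labels are made up here.
SAMPLE = """\
# constructed client configuration
com.ibm.CORBA.securityEnabled=true
com.ibm.CORBA.authenticationTarget=BasicAuth
com.ibm.CORBA.loginSource=properties
com.ibm.CORBA.loginUserid=appclient
com.ibm.CORBA.loginPassword=changeit
com.ibm.CSI.performClientAuthenticationRequired=false
com.ibm.CSI.performClientAuthenticationSupported=true
com.ibm.CSI.performTransportAssocSSLTLSRequired=false
com.ibm.CSI.performTransportAssocSSLTLSSupported=true
"""

def parse_props(text):
    """Parse key=value lines, skipping blanks and '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return finding labels; a missing boolean is treated as false (assumption)."""
    def on(key):
        return props.get(key, "false").lower() == "true"
    findings = []
    if not on("com.ibm.CORBA.securityEnabled"):
        findings.append("security-disabled")
    sends_password = (
        props.get("com.ibm.CORBA.authenticationTarget") == "BasicAuth"
        and (on("com.ibm.CSI.performClientAuthenticationRequired")
             or on("com.ibm.CSI.performClientAuthenticationSupported")))
    # SSL that is only "supported" may leave the user ID and password on plain IIOP.
    if sends_password and not on("com.ibm.CSI.performTransportAssocSSLTLSRequired"):
        findings.append("basicauth-without-required-ssl")
    password = props.get("com.ibm.CORBA.loginPassword", "")
    # "{xor}" marks WebSphere's reversible encoding; it is obfuscation only.
    if password and not password.startswith("{xor}"):
        findings.append("cleartext-password")
    return findings

if __name__ == "__main__":
    print(audit(parse_props(SAMPLE)))
```

Run the same checks against the file that com.ibm.CORBA.ConfigURL points to on each client, and compare the result with the inbound settings of the upstream server.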
What to do next
Use CSIv2 inbound communications settings for configuring the type of authentication information that is contained in an incoming request or transport.
Use CSIv2 outbound communications settings to specify the features that a server supports when acting as a client to another downstream server.