This example presents a pure Java™ client, C, that accesses a secure enterprise bean on server S1 as user bob. The following steps take you through the configuration of C, S1, and S2.
About this task
The enterprise bean code on S1 accesses another enterprise bean on server S2. This configuration uses identity assertion to propagate the identity of bob to the downstream server, S2. S2 trusts that bob has already been authenticated by S1 because it trusts S1. To establish this trust, the identity of S1 also flows to S2 with the request: S2 authenticates S1 and checks its trustedPrincipalList to verify that S1 is a valid server principal. Only then is the asserted identity of bob accepted.
Procedure
- Configure the client C for message layer authentication
with a Secure Sockets Layer (SSL) transport.
- Point the client to the sas.client.props file.
Use the com.ibm.CORBA.ConfigURL property, for example com.ibm.CORBA.ConfigURL=file:/C:/was/properties/sas.client.props on Windows or, in general, com.ibm.CORBA.ConfigURL=file:/profile_root/properties/sas.client.props, where profile_root is the specific profile that you are working with. All further configuration involves setting properties within this file.
- Enable SSL.
In this case, SSL is supported but not required:
com.ibm.CSI.performTransportAssocSSLTLSSupported=true
com.ibm.CSI.performTransportAssocSSLTLSRequired=false
- Enable client authentication at the message layer.
In this case, client authentication is supported but not required:
com.ibm.CSI.performClientAuthenticationSupported=true
com.ibm.CSI.performClientAuthenticationRequired=false
- Use all of the remaining defaults in the sas.client.props file.
- Configure the server, S1.
In the administrative console, server S1 is configured for incoming requests to support message-layer client authentication and incoming connections to support SSL without client certificate authentication. Server S1 is configured for outgoing requests to support identity assertion.
  - Configure S1 for incoming connections.
    - Disable identity assertion.
    - Enable user ID and password authentication.
    - Enable SSL.
    - Disable SSL client certificate authentication.
  - Configure S1 for outgoing connections.
    - Enable identity assertion.
    - Disable user ID and password authentication.
    - Enable SSL.
    - Disable SSL client certificate authentication.
- Configure the server, S2.
In the administrative console, server S2 is configured for incoming requests to support identity assertion and to accept SSL connections. Complete the following steps to configure incoming connections. Configuration for outgoing requests and connections is not relevant for this example.
  - Enable identity assertion.
  - Disable user ID and password authentication.
  - Enable SSL.
  - Disable SSL client certificate authentication.
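The following added example (not WebSphere code or part of the original page) models the incoming-connection decisions that S1 and S2 make under the settings above: S1 accepts bob only with a user ID and password, while S2 accepts an asserted bob only from an authenticated server listed in its trustedPrincipalList. The ServerPolicy and Request types, the server name "S3" and the evaluate function are hypothetical constructs for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Hypothetical model (not WebSphere code) of the CSIv2 decisions described above.
@dataclass(frozen=True)
class ServerPolicy:
    identity_assertion: bool   # accept identity-layer assertions
    userid_password: bool      # accept message-layer user ID/password
    ssl_required: bool         # reject non-SSL connections
    trusted_principal_list: FrozenSet[str] = frozenset()  # servers allowed to assert

@dataclass(frozen=True)
class Request:
    over_ssl: bool
    userid: Optional[str] = None              # message layer
    password_ok: bool = False
    asserted_identity: Optional[str] = None   # identity layer
    sending_server: Optional[str] = None      # the sender's own authenticated identity
    sender_authenticated: bool = False

def evaluate(policy: ServerPolicy, req: Request) -> Tuple[bool, str]:
    """Return (accepted, reason) for one incoming request."""
    if policy.ssl_required and not req.over_ssl:
        return False, "SSL required but connection is not SSL"
    if req.asserted_identity is not None:
        # Identity assertion: the asserted user is accepted only on the sender's trust.
        if not policy.identity_assertion:
            return False, "identity assertion not accepted by this server"
        if not req.sender_authenticated:
            return False, "asserting server was not authenticated"
        if req.sending_server not in policy.trusted_principal_list:
            return False, f"{req.sending_server} is not in trustedPrincipalList"
        return True, f"{req.asserted_identity} accepted as asserted by {req.sending_server}"
    if req.userid is not None:
        if not policy.userid_password:
            return False, "user ID/password authentication not accepted by this server"
        if not req.password_ok:
            return False, f"password check failed for {req.userid}"
        return True, f"{req.userid} authenticated at the message layer"
    return False, "no authentication information in request"

# Incoming-connection policies matching the S1 and S2 settings in the procedure.
S1_INCOMING = ServerPolicy(identity_assertion=False, userid_password=True, ssl_required=False)
S2_INCOMING = ServerPolicy(identity_assertion=True, userid_password=False, ssl_required=False,
                           trusted_principal_list=frozenset({"S1"}))

def walk_example_flow():
    """C -> S1 with bob's password, then S1 -> S2 asserting bob."""
    hop1 = evaluate(S1_INCOMING, Request(over_ssl=True, userid="bob", password_ok=True))
    hop2 = evaluate(S2_INCOMING, Request(over_ssl=True, asserted_identity="bob",
                                         sending_server="S1", sender_authenticated=True))
    return hop1, hop2
```

Running evaluate with a sending server that is not in the list, or one that was not authenticated, shows why S2's trust in the asserted identity depends on authenticating S1 first.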