This scenario illustrates the ability to choose TCP/IP
as the transport when it is appropriate. In some cases, when two servers
are on the same virtual private network (VPN), it can be appropriate
to select TCP/IP as the transport for performance reasons because
the VPN already encrypts the message.
Procedure
- Configure client C for message layer authentication with
a Secure Sockets Layer (SSL) transport.
  - Point the client to the sas.client.props file.
    Use the com.ibm.CORBA.ConfigURL=file:/C:/was/properties/sas.client.props property.
    Use the com.ibm.CORBA.ConfigURL=file:/profile_root/properties/sas.client.props property.
    The profile_root variable is specific to the profile you are working with.
    All further configuration involves setting properties within this file.
  - Enable SSL.
    In this case, SSL is supported but not required:
    com.ibm.CSI.performTransportAssocSSLTLSSupported=true,
    com.ibm.CSI.performTransportAssocSSLTLSRequired=false
  - Enable client authentication at the message layer.
    In this case, client authentication is supported but not required:
    com.ibm.CSI.performClientAuthenticationRequired=false,
    com.ibm.CSI.performClientAuthenticationSupported=true
  - Use the remaining defaults in the sas.client.props file.
- Configure the S1 server.
  In the administrative console, the S1 server is configured for
  incoming requests to support message-layer client authentication and
  incoming connections to support SSL without client certificate
  authentication. The S1 server is configured for outgoing requests to
  support identity assertion.
  It is possible to enable SSL for inbound connections and disable SSL
  for outbound connections. The same is true in reverse.
  - Configure S1 for incoming connections.
    - Disable identity assertion.
    - Enable user ID and password authentication.
    - Enable SSL.
    - Disable SSL client certificate authentication.
  - Configure S1 for outgoing connections.
    - Disable identity assertion.
    - Enable user ID and password authentication.
    - Disable SSL.
- Configure the S2 server.
  In the administrative console, the S2 server is configured for
  incoming requests to support identity assertion and to accept SSL
  connections. Configuration for outgoing requests and connections is
  not relevant for this scenario.
  - Disable identity assertion.
  - Enable user ID and password authentication.
  - Disable SSL.
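
The client C settings above leave SSL optional, so a connection can fall back to TCP/IP while message-layer authentication is still in use. The following check is an added example, not IBM code: it reads sas.client.props text and reports that combination so the VPN assumption can be confirmed. The sample input is constructed, and treating an absent property as false is an assumption of this example.

```python
# Added example: audits the CSIv2 client properties named in this scenario.
SSL_SUP = "com.ibm.CSI.performTransportAssocSSLTLSSupported"
SSL_REQ = "com.ibm.CSI.performTransportAssocSSLTLSRequired"
AUTH_SUP = "com.ibm.CSI.performClientAuthenticationSupported"
AUTH_REQ = "com.ibm.CSI.performClientAuthenticationRequired"

# Constructed sample input that mirrors the client C values in this scenario.
SAMPLE = """\
# sas.client.props (constructed excerpt)
com.ibm.CSI.performTransportAssocSSLTLSSupported=true
com.ibm.CSI.performTransportAssocSSLTLSRequired=false
com.ibm.CSI.performClientAuthenticationRequired=false
com.ibm.CSI.performClientAuthenticationSupported=true
"""

def parse_props(text):
    """Parse key=value lines, skipping blanks and '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def posture(props, supported_key, required_key):
    """Return 'required', 'supported', 'disabled' or 'conflict' for one pair."""
    # Assumption of this example: an absent property counts as false.
    sup = props.get(supported_key, "false").lower() == "true"
    req = props.get(required_key, "false").lower() == "true"
    if req and not sup:
        return "conflict"  # required=true with supported=false contradicts itself
    return "required" if req else ("supported" if sup else "disabled")

def audit(text):
    """Report transport and message-layer posture plus anything to review."""
    props = parse_props(text)
    ssl = posture(props, SSL_SUP, SSL_REQ)
    auth = posture(props, AUTH_SUP, AUTH_REQ)
    findings = []
    if "conflict" in (ssl, auth):
        findings.append("supported/required pair is contradictory")
    if ssl != "required" and auth in ("supported", "required"):
        findings.append("message-layer credentials can travel over TCP/IP; "
                        "confirm the network path (for example the VPN) encrypts it")
    return {"ssl": ssl, "auth": auth, "findings": findings}

if __name__ == "__main__":
    print(audit(SAMPLE))
```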