Web Services Atomic Transaction security
Web Services Atomic Transaction (WS-AT) defines its own internal web services that are used as part of the protocol. These internal web services are called during transaction initiation and during commit or rollback processing, so WS-AT requires two-way communication between the participating servers. In a typical firewall environment, WS-AT therefore requires a DMZ proxy for Liberty servers, and it requires HTTPS endpoints when authorization is needed. The following content describes how to configure the proxy and Secure Sockets Layer (SSL) for WS-AT in Liberty.
Firewall proxy
When Liberty servers are in a typical firewall environment, the servers cannot communicate with each other through firewalls. In this situation, the servers require a DMZ proxy to operate normally. You can define proxy endpoints by configuring the server.xml file.
- Configure the IHS plug-in to forward requests to the Liberty servers.
  - For IHS 1, configure the IHS 1 plug-in to forward requests to Liberty A and add <Uri Name="/ibm/wsatservice/*" /> in the <UriGroup> item.
  - For IHS 2, configure the IHS 2 plug-in to forward requests to Liberty B and add <Uri Name="/ibm/wsatservice/*" /> in the <UriGroup> item.
- Add the externalURLPrefix parameter to the server.xml file in Liberty:
  - In Liberty A, set the externalURLPrefix value to http://proxyserver1:80 for IHS 1 as follows: <wsAtomicTransaction externalURLPrefix="http://proxyserver1:80"/>
  - In Liberty B, set the externalURLPrefix value to http://proxyserver2:81 for IHS 2 as follows: <wsAtomicTransaction externalURLPrefix="http://proxyserver2:81"/>
When a firewall exists between Liberty A and Liberty B, Liberty A can send EPRb1 to Liberty B through IHS 1, but Liberty B receives EPRb instead of EPRb1, and vice versa.
Secure Sockets Layer
By default, Liberty servers communicate without SSL. If you require WS-AT security and security information is redirected to a secure port, you must add the appSecurity-2.0 Liberty feature to the server.xml file.
<wsAtomicTransaction SSLEnabled="false" SSLRef="defaultSSLConfig" clientAuth="false"/>
Where:
- SSLEnabled
  Specifies whether SSL is enabled for WS-AT. Valid values are true and false. The default value is false. Set it to true to enable SSL.
- SSLRef
  Defines the SSL configuration in the server.xml file that WS-AT uses to communicate.
- clientAuth
  Specifies whether client authentication is enabled for WS-AT. Valid values are true and false. The default value is false. Set the clientAuthenticationSupported value to true in the SSL configuration before you set the clientAuth value to true to enable client authentication.
By default, the SSLEnabled value is false. If you want to enable both SSL and the proxy, set the SSLEnabled value to true and set the externalURLPrefix value to a proxy address that starts with https://.
<wsAtomicTransaction SSLEnabled="false" SSLRef="defaultSSLConfig" externalURLPrefix="" clientAuth="false"/>
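The following check, added here as an example and not part of the Liberty documentation, reads a server.xml string and reports the misconfigurations this page warns about: an SSL-enabled wsAtomicTransaction whose externalURLPrefix is still http://, an SSLRef that names no ssl element, and clientAuth="true" without clientAuthenticationSupported="true" on the referenced SSL configuration. The two server.xml samples are constructed for the example; the keyStoreRef attribute and port 443 are assumptions, not values from this page.

```python
import xml.etree.ElementTree as ET

def check_wsat_config(server_xml: str) -> list:
    """Return findings for the WS-AT settings in a server.xml string.

    Rules come from the configuration text above: an SSLRef must name an
    existing <ssl id=...>, SSL plus proxy needs an https:// externalURLPrefix,
    and clientAuth="true" needs clientAuthenticationSupported="true" on the
    referenced SSL configuration. An empty list means no problems were found.
    """
    root = ET.fromstring(server_xml)
    ssl_configs = {s.get("id"): s for s in root.iter("ssl")}
    findings = []
    for wsat in root.iter("wsAtomicTransaction"):
        ssl_enabled = wsat.get("SSLEnabled", "false").lower() == "true"
        client_auth = wsat.get("clientAuth", "false").lower() == "true"
        ssl_ref = wsat.get("SSLRef")
        prefix = wsat.get("externalURLPrefix", "")
        ssl_el = ssl_configs.get(ssl_ref)
        if ssl_enabled and ssl_el is None:
            findings.append(f"SSLRef '{ssl_ref}' matches no <ssl id=...> element")
        if ssl_enabled and prefix and not prefix.startswith("https://"):
            findings.append(f"SSLEnabled is true but externalURLPrefix '{prefix}' is not https://")
        if client_auth and (ssl_el is None or
                            ssl_el.get("clientAuthenticationSupported", "false").lower() != "true"):
            findings.append(f"clientAuth is true but <ssl id='{ssl_ref}'> lacks "
                            "clientAuthenticationSupported=\"true\"")
    return findings

# Constructed sample: SSL switched on, but the proxy prefix is still http:// and
# the referenced SSL configuration does not allow client authentication.
WEAK_SERVER_XML = """<server>
  <featureManager><feature>appSecurity-2.0</feature></featureManager>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"/>
  <wsAtomicTransaction SSLEnabled="true" SSLRef="defaultSSLConfig"
      externalURLPrefix="http://proxyserver1:80" clientAuth="true"/>
</server>"""

# Constructed sample with both findings corrected (port 443 is an assumption).
FIXED_SERVER_XML = """<server>
  <featureManager><feature>appSecurity-2.0</feature></featureManager>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"
       clientAuthenticationSupported="true"/>
  <wsAtomicTransaction SSLEnabled="true" SSLRef="defaultSSLConfig"
      externalURLPrefix="https://proxyserver1:443" clientAuth="true"/>
</server>"""

if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print(name, check_wsat_config(xml) or "no findings")
```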