Web Services Atomic Transaction security

Web Services Atomic Transaction (WS-AT) defines its own internal web services that are used as part of the protocol. These internal web services are called during transaction initiation and during commit or rollback processing, so WS-AT requires two-way communication between the participating servers: each server must be able to call the other's WS-AT endpoints, not only receive calls. In a typical firewall environment, Liberty servers therefore need a DMZ proxy to reach each other, and HTTPS endpoints if the WS-AT endpoints are to be secured. The following content describes how to configure a proxy and Secure Sockets Layer (SSL) for WS-AT in Liberty.

Firewall proxy

When Liberty servers are in a typical firewall environment, the servers cannot communicate with each other directly through the firewalls. In this situation, the servers require a DMZ proxy to operate normally. You define the proxy endpoints in the server.xml file of each Liberty server.

For example, set IBM HTTP Server (IHS) as the DMZ proxy. Figure 1 shows two Liberty servers that communicate through IHS. To set this up, perform the following steps:
  1. Configure the IHS plug-in to forward requests to the Liberty servers.
    • For IHS 1, configure the IHS 1 plug-in to forward requests to Liberty A and add <Uri Name="/ibm/wsatservice/*" /> in the <UriGroup> element.
    • For IHS 2, configure the IHS 2 plug-in to forward requests to Liberty B and add <Uri Name="/ibm/wsatservice/*" /> in the <UriGroup> element.
  2. Add the externalURLPrefix attribute to the wsAtomicTransaction element in the server.xml file of each Liberty server:
    • In Liberty A, set the externalURLPrefix value to http://proxyserver1:80, the address of IHS 1, as follows:
      <wsAtomicTransaction externalURLPrefix="http://proxyserver1:80"/> 
    • In Liberty B, set the externalURLPrefix value to http://proxyserver2:81, the address of IHS 2, as follows:
      <wsAtomicTransaction externalURLPrefix="http://proxyserver2:81"/> 

When a firewall exists between Liberty A and Liberty B, Liberty A can send EPRb1 to Liberty B through IHS 1, but Liberty B receives EPRb instead of EPRb1, and vice versa. The externalURLPrefix value is what makes this work: the endpoint references (EPRs) that each server generates carry the proxy address rather than the server's own, otherwise unreachable, address, so the receiving server calls back through the proxy.

Figure 1. Communication between two Liberty servers through IHS (flowchart image)

Secure Sockets Layer

By default, WS-AT traffic between Liberty servers is not protected by SSL. If you require WS-AT security, with the protocol traffic redirected to a secure port, you must also add the appSecurity-2.0 Liberty feature to the server.xml file.

You configure SSL for WS-AT with the following attributes of the wsAtomicTransaction element:
<wsAtomicTransaction SSLEnabled="false" SSLRef="defaultSSLConfig" clientAuth="false"/>
Where:
SSLEnabled
Specifies whether SSL is enabled for WS-AT. Valid values are true and false. The default value is false, which means the coordination messages are sent in clear text. Set it to true to enable SSL.
SSLRef
References the id of an ssl element in the server.xml file. WS-AT uses this SSL configuration for its protocol communication, so the referenced element must exist when SSLEnabled is true.
clientAuth
Specifies whether client certificate authentication is enabled for WS-AT. Valid values are true and false. The default value is false. Before you set clientAuth to true, ensure that the referenced SSL configuration sets clientAuthenticationSupported to true; otherwise the server never requests a certificate from the calling server. Without client authentication, SSL protects the confidentiality and integrity of the coordination messages and lets the caller verify the server, but the server does not verify which peer is calling its WS-AT endpoints.
Important: The SSL configuration applies at the Liberty server level only.
Tip: In the following code snippet, the SSLEnabled value is the default, false. If you want to enable both SSL and the proxy, set the SSLEnabled value to true and set the externalURLPrefix value to a proxy address that starts with https://, so that the EPRs handed to the remote server point at a secure endpoint.
<wsAtomicTransaction SSLEnabled="false" SSLRef="defaultSSLConfig" externalURLPrefix="" clientAuth="false"/>
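The proxy and SSL settings above interact: an https:// externalURLPrefix is only meaningful when SSLEnabled is true, and clientAuth="true" is only effective when the referenced ssl element sets clientAuthenticationSupported="true". The following added example, which is not part of the Liberty documentation or IBM's code, encodes those rules as a lint over a server.xml and runs it against three constructed server.xml samples: the proxy-only configuration from the firewall section, a mismatched one, and a hardened one. The element and attribute names (featureManager, keyStore, ssl, wsAtomicTransaction) follow Liberty's server.xml schema; the sample documents, the ${keystore.password} placeholder and the check logic are this example's own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample 1: proxy configured, SSL left at its default (off).
WEAK_SERVER_XML = """<server>
  <featureManager>
    <feature>wsAtomicTransaction-1.2</feature>
  </featureManager>
  <wsAtomicTransaction SSLEnabled="false" SSLRef="defaultSSLConfig"
                       externalURLPrefix="http://proxyserver1:80" clientAuth="false"/>
</server>"""

# Constructed sample 2: SSL on, but the proxy prefix is still http:// and the
# referenced ssl element does not allow client certificates.
MISMATCHED_SERVER_XML = """<server>
  <featureManager>
    <feature>wsAtomicTransaction-1.2</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>
  <keyStore id="defaultKeyStore" password="${keystore.password}"/>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"/>
  <wsAtomicTransaction SSLEnabled="true" SSLRef="defaultSSLConfig"
                       externalURLPrefix="http://proxyserver1:80" clientAuth="true"/>
</server>"""

# Constructed sample 3: SSL, https:// proxy prefix and client auth all aligned.
HARDENED_SERVER_XML = """<server>
  <featureManager>
    <feature>wsAtomicTransaction-1.2</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>
  <keyStore id="defaultKeyStore" password="${keystore.password}"/>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"
       clientAuthenticationSupported="true"/>
  <wsAtomicTransaction SSLEnabled="true" SSLRef="defaultSSLConfig"
                       externalURLPrefix="https://proxyserver1:443" clientAuth="true"/>
</server>"""


def _is_true(elem, attr, default="false"):
    """Boolean attribute: an absent attribute means the documented default."""
    return elem.get(attr, default).strip().lower() == "true"


def check_wsat_config(server_xml):
    """Return a list of findings; an empty list means the WS-AT transport
    settings are consistent with the SSL and proxy guidance on this page."""
    root = ET.fromstring(server_xml)
    findings = []
    wsat = root.find("wsAtomicTransaction")
    if wsat is None:
        return ["no <wsAtomicTransaction> element: defaults apply, so SSL is off"]

    ssl_enabled = _is_true(wsat, "SSLEnabled")
    client_auth = _is_true(wsat, "clientAuth")
    ssl_ref = wsat.get("SSLRef", "defaultSSLConfig")
    prefix = wsat.get("externalURLPrefix", "").strip()
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    ssl_elems = {e.get("id"): e for e in root.iter("ssl")}

    if not ssl_enabled:
        findings.append("SSLEnabled is false: WS-AT coordination messages "
                        "travel in clear text")
    else:
        if "appSecurity-2.0" not in features:
            findings.append("SSLEnabled is true but the appSecurity-2.0 "
                            "feature is not enabled")
        if ssl_ref not in ssl_elems:
            findings.append("SSLRef '%s' matches no <ssl id=...> element" % ssl_ref)

    # An https:// prefix only matters once SSL is on; an http:// prefix with
    # SSL on hands the remote server an EPR that bypasses the secure endpoint.
    if prefix and ssl_enabled and urlsplit(prefix).scheme.lower() != "https":
        findings.append("SSLEnabled is true but externalURLPrefix '%s' does "
                        "not start with https://" % prefix)

    if client_auth:
        if not ssl_enabled:
            findings.append("clientAuth is true but SSLEnabled is false: no "
                            "TLS handshake exists to carry a client certificate")
        ssl_elem = ssl_elems.get(ssl_ref)
        if ssl_elem is None or not _is_true(ssl_elem, "clientAuthenticationSupported"):
            findings.append('clientAuth is true but <ssl id="%s"> does not set '
                            'clientAuthenticationSupported="true"' % ssl_ref)
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML),
                      ("mismatched", MISMATCHED_SERVER_XML),
                      ("hardened", HARDENED_SERVER_XML)):
        print(name, check_wsat_config(xml) or ["ok"])
```

Run it against a real server.xml by reading the file into check_wsat_config; the weak sample yields a single clear-text finding, the mismatched sample yields the http:// prefix and missing clientAuthenticationSupported findings, and the hardened sample yields none.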