Configuring client security

After you secure the data grid in the appliance, you must configure the clients so that they can connect to the secured data grid.

About this task

If the appliance is configured to require TLS, the client must be configured for SSL transport and must have an appropriate keystore and truststore. If authentication is required, the client must also be configured with a user ID and password. The specific procedure depends on whether the client is a stand-alone installation or one that runs in a WebSphere® Application Server process.

If you have a stand-alone environment, you must configure a client.properties file that includes settings to pass to the data grid application. If your environment includes WebSphere Application Server, then use WebSphere Application Server tools to configure client security.

Procedure

  1. If the client is a stand-alone installation, use a client properties file to configure both the client-to-server communication and the client security settings. For details about the location and format of this file, see IBM WebSphere DataPower XC10 Appliance security overview.

    For information about the security properties that you can configure for Java™ clients or .NET clients, see Client properties file.

  2. If the client is running in a WebSphere Application Server process, configure the SSL settings, including the keystore and truststore, with WebSphere Application Server tools.

    A utility is provided to import the certificate from the appliance keystore into the WebSphere Application Server truststore. For more information, see Configuring Transport Layer Security (TLS) for WebSphere Application Server.

    You must configure the WebSphere Application Server truststore to trust the certificate from the appliance keystore. If the appliance is configured for client certificate authentication, or if Object Request Broker (ORB) communication is used, then the appliance truststore must also be configured to trust the certificate from the WebSphere Application Server keystore.

    If the appliance is configured to require authentication, the appliance client that runs under WebSphere Application Server must also be configured with authentication credentials. You can configure the client with a properties file, as you do for Java stand-alone clients. However, when the appliance client is installed on WebSphere Application Server, the WebSphere Application Server administrative console is augmented so that you can specify the authentication credentials in the administrative console. With this augmentation, you can configure catalog service domains and specify client authentication properties.

  3. If the client is running in an environment where Federal Information Processing Standard (FIPS) is set on the server, then the client must use the TLS handshake protocol to communicate with the appliance. You cannot use the SSL handshake protocol. [Version 2.5.0.3 and later] The TLS protocol is configured with the setting protocol=TLS or protocol=TLSv1 in the client properties file.
    • When XIO is used, and no protocol setting is present in the client properties file, the default setting is SSL and TLS. This setting works when FIPS is enabled on the appliance.
    • When ORB communication is used in a stand-alone client, the protocol setting must be set to TLS in the client properties file to communicate with an appliance in FIPS mode.
    • When ORB communication is used and the client is running with WebSphere Application Server, WebSphere security settings are used to set the handshake protocol. By default it is set to SSL_TLS, which works when FIPS is enabled on the appliance.

      This setting can be configured to TLS or SSL_TLS by using the WebSphere Application Server administrative console. Click Security > SSL certificate and key management > Manage endpoint security configurations. Select a cell name, then click SSL Configurations > CellDefaultSSLSettings > Quality of protection (QOP) settings. Make sure that the protocol field is set to TLS or SSL_TLS.
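The following is an added example, not code from the IBM documentation or the appliance client. It parses a constructed stand-alone client.properties file (shown inline) and checks it against the rules in steps 1 and 3 above: a TLS client needs a keystore and truststore, and a client talking to a FIPS-enabled appliance must use the TLS handshake (protocol=TLS or protocol=TLSv1), except that an XIO client with no protocol setting falls back to the SSL-and-TLS default that already works with FIPS. Only the protocol property is taken from the page; the keyStore and trustStore property names, the file paths and the passwords are assumed for illustration, and the transport type (ORB or XIO) is passed in as a parameter because the page does not name a property for it.

```python
"""Lint a client.properties file against the TLS/FIPS rules described above.

Added example, not IBM's code. Property names other than `protocol`
(`keyStore`, `trustStore`, ...) are assumed here for illustration.
"""
import re

# Constructed sample: a stand-alone ORB client that still relies on the
# SSL handshake. Under FIPS this must be changed to protocol=TLS.
SAMPLE_PROPERTIES = """\
# constructed client.properties for a stand-alone client (sample values)
protocol=SSL
keyStore=/opt/client/keystore.jks
keyStorePassword=changeit
trustStore=/opt/client/truststore.jks
trustStorePassword=changeit
"""


def parse_properties(text):
    """Parse Java-style properties: key=value or key: value,
    '#'/'!' comment lines, and trailing-backslash continuation lines."""
    props = {}
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        logical = "".join(pending)
        pending = []
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_client_security(props, transport, fips_enabled):
    """Return a list of findings; an empty list means the file passes.

    transport: "ORB" or "XIO", the transport the client uses (an input
    here, not a property, since the page names no property for it).
    fips_enabled: whether FIPS is set on the appliance.
    """
    findings = []
    # Step 1: a client on a TLS-required appliance needs both stores.
    for key in ("keyStore", "trustStore"):  # assumed property names
        if not props.get(key):
            findings.append(f"missing {key}: TLS transport needs a keystore and truststore")

    # Step 3: FIPS on the appliance requires the TLS handshake.
    protocol = props.get("protocol")
    if fips_enabled:
        if protocol is None:
            if transport.upper() == "ORB":
                findings.append("protocol not set: an ORB client must set protocol=TLS for a FIPS appliance")
            # XIO with no setting defaults to SSL and TLS, which works with FIPS.
        elif protocol not in ("TLS", "TLSv1"):
            findings.append(f"protocol={protocol}: FIPS requires the TLS handshake (protocol=TLS or TLSv1)")
    return findings


def fixed_for_fips(props):
    """Return a copy of the properties with the FIPS-compatible handshake."""
    fixed = dict(props)
    fixed["protocol"] = "TLS"
    return fixed


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for finding in check_client_security(props, transport="ORB", fips_enabled=True):
        print("FAIL:", finding)
    print("after fix:", check_client_security(fixed_for_fips(props), "ORB", True))
```

Run against the sample, the checker reports the SSL handshake as incompatible with a FIPS appliance for an ORB client, and reports nothing once protocol=TLS is set; the same file with no protocol line passes for an XIO client but fails for an ORB client, matching the three cases in step 3.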