Web Services Atomic Transaction security
Web Services Atomic Transaction (WS-AT) defines its own internal web services that are used as part of the protocol. These internal web services are called during transaction initiation and during commitment or rollback processing. WS-AT also requires two-way communication. For Liberty servers to operate in a typical firewall environment, WS-AT requires a DMZ proxy, and it requires HTTPS endpoints to get the authorization. The following content describes how to configure a proxy and Secure Sockets Layer (SSL) for WS-AT in Liberty.
Firewall proxy
When Liberty servers are in a typical firewall environment, the servers cannot communicate with each other through firewalls. In this situation, the servers require a DMZ proxy to operate normally. You can define proxy endpoints by configuring the server.xml file.
- Configure the IHS plug-in to forward requests to Liberty servers. For more information, see Configuring a web server plug-in for Liberty.
  - For IHS 1, configure the IHS 1 plug-in to forward requests to Liberty A and add <Uri Name="/ibm/wsatservice/*" /> in the <UriGroup> item.
  - For IHS 2, configure the IHS 2 plug-in to forward requests to Liberty B and add <Uri Name="/ibm/wsatservice/*" /> in the <UriGroup> item.
- Add the externalURLPrefix parameter to the server.xml file in Liberty:
  - In Liberty A, set the externalURLPrefix value as http://proxyserver1:80 for IHS 1 as follows:
    <wsAtomicTransaction externalURLPrefix="http://proxyserver1:80"/>
  - In Liberty B, set the externalURLPrefix value as http://proxyserver2:81 for IHS 2 as follows:
    <wsAtomicTransaction externalURLPrefix="http://proxyserver2:81"/>

Secure Sockets Layer
By default, Liberty servers communicate without SSL. If you require WS-AT security and security information is redirected to a secure port, you must add the appSecurity-2.0 Liberty feature to the server.xml file. You can also enable SSL in Liberty as described in Securing Liberty and its applications.
<wsAtomicTransaction SSLEnabled="false" SSLRef="defaultSSLConfig" clientAuth="false"/>
Where:
- SSLEnabled
  Specifies whether SSL is enabled for WS-AT. Valid values are true and false. The default value is false. Set it to true to enable SSL.
- SSLRef
  Defines the SSL configuration in the server.xml file. WS-AT requires this SSL configuration to communicate.
- clientAuth
  Specifies whether clientAuthentication is enabled for WS-AT. Valid values are true and false. The default value is false. Before you set the clientAuth value to true to enable clientAuthentication, ensure that the clientAuthenticationSupported value is set to true in the SSL configuration.
<wsAtomicTransaction SSLEnabled="false" SSLRef="defaultSSLConfig" externalURLPrefix="" clientAuth="false"/>
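The settings described above can be checked mechanically before a server.xml is deployed. The following Python audit is an added example, not IBM or Liberty code. Its finding codes, the treatment of an http:// externalURLPrefix as a mismatch when SSL is on, and the fallback of SSLRef to defaultSSLConfig are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from a real deployment).
SAMPLE = """<server>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"/>
  <wsAtomicTransaction SSLEnabled="true" SSLRef="defaultSSLConfig"
      externalURLPrefix="http://proxyserver1:80" clientAuth="true"/>
</server>"""


def is_true(value):
    # Absent attributes fall back to the defaults the page states (false).
    return (value or "false").strip().lower() == "true"


def audit_wsat(server_xml):
    """Return (code, message) findings for every <wsAtomicTransaction>.

    Only the text passed in is inspected; included files are not followed.
    """
    root = ET.fromstring(server_xml)
    ssl_cfgs = {e.get("id"): e for e in root.iter("ssl")}
    findings = []
    for wsat in root.iter("wsAtomicTransaction"):
        ssl_on = is_true(wsat.get("SSLEnabled"))
        client_auth = is_true(wsat.get("clientAuth"))
        # Assumption of this example: a missing SSLRef means defaultSSLConfig.
        ssl_ref = wsat.get("SSLRef", "defaultSSLConfig")
        prefix = wsat.get("externalURLPrefix", "").strip().lower()
        if not ssl_on:
            findings.append(("SSL_DISABLED",
                             "WS-AT protocol calls are sent without SSL"))
        elif prefix.startswith("http://"):
            findings.append(("HTTP_PREFIX",
                             "SSL is on but externalURLPrefix advertises http://"))
        if client_auth and not ssl_on:
            findings.append(("CLIENT_AUTH_NO_SSL",
                             "clientAuth is true but SSLEnabled is false"))
        cfg = ssl_cfgs.get(ssl_ref)
        if client_auth and (cfg is None or
                            not is_true(cfg.get("clientAuthenticationSupported"))):
            findings.append(("CLIENT_AUTH_UNSUPPORTED",
                             f"ssl '{ssl_ref}' lacks clientAuthenticationSupported=true"))
    return findings


if __name__ == "__main__":
    for code, message in audit_wsat(SAMPLE):
        print(f"{code}: {message}")
```
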