CORBA security service

WebSphere provides a security service that supports CORBA C++ clients to access protected enterprise beans over SSL. To access the protected beans, the client is required to prove its identity (by authentication) and role (by authorization) to the secure EJB server. All request messages are also protected.

The security service uses the SSL transport protocol for both client authentication and message protection. Once the client is authenticated, the client's identity may be used for matching the role required by the server's authorization policy with respect to the protected beans. With identity assertion, the server also can assert a client's identity for authorization checking or identity propagation in downstream requests.

WebSphere CORBA C++ clients and servers provide a client-side security service only. They can act as a secure client only to a server that supports SSL and CSIv2 (for example, a WebSphere EJB server).

The following figure describes a typical C++ client security topology:

C++ client security - Topology diagram

SSL
There are different levels of protection for a SSL connection. Client authentication is also optional. Before a client request is dispatched, the security service determines an effective security policy by coalescing both client and server configurations. The effective policy is then used to set the required level of protection that meets the SSL requirements of both client and server. Once the coalesced requirement is set, the ORB then attempts to establish the appropriate SSL connection.

Note: The client configuration is based on the client's security properties while the server configuration is read from the Interoperable Object Reference (IOR). The evaluation of effective security policy is executed at every method request.

Common Secure Interoperability Version 2 Security Protocol (CSIv2)
There are two authentication protocols implemented for the WebSphere EJB server: Secure Association Service (SAS) and Common Secure Interoperability Version 2 (CSIv2). Both protocols are based on the Interoperable Inter-ORB Protocol (IIOP). Because CSIv2 is the strategic protocol, the security service is implemented to support only CSIv2 at the transport layer.
Client Authentication with SSL
Client authentication with SSL is enabled by default. When enabled, the C++ clients must already be configured with a valid SSL certificate, and the certificate's public key must already be imported into the server's truststore file. Using SSL with client authentication is especially important since the server might assert the client's identity for further downstream requests. If the client authentication fails during the SSL handshake, the connection fails immediately and the request is rejected. If the client authentication succeeds and the connection is established, the client's identity is then available at the server side.
Identity Assertion
Extracted identity can be stored into an identity token for identity assertion purposes. Identity assertion is used to assert a caller identity that is different than the authenticated one after a trust is established. With identity assertion, the target can assert a client's identity for authorization check or identity propagation in downstream requests. Check the CSIv2 sections for further information.

To use the security service, configure properties in the C++ client security properties file, scclient.props.


Related concepts
CORBA object services
Related tasks
Specifying run-time properties for CORBA C++ clients and servers



Searchable topic ID:   ccor_secure
Last updated: Jun 21, 2007 8:07:48 PM CDT    WebSphere Business Integration Server Foundation, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.wasee.doc/info/ee/corba/concepts/ccor_secure.html

Library | Support | Terms of Use | Feedback