CORBA security service
WebSphere provides a security service that lets CORBA C++ clients access
protected enterprise beans over SSL. To access a protected bean, the client
must prove its identity to the secure EJB server (authentication), and that
identity must map to a role permitted by the server's authorization policy for
the bean (authorization). All request messages are also protected on the wire.
The security service uses the SSL transport protocol for both client authentication
and message protection. Once the client is authenticated, the server matches the
client's identity against the roles required by its authorization policy for the
protected beans. With identity assertion, the server can also assert a client's
identity, either for an authorization check or for identity propagation in
downstream requests.
WebSphere CORBA C++ clients and servers provide a client-side security
service only: they can act as a secure client to a server that supports
SSL and CSIv2 (for example, a WebSphere EJB server), but they do not
provide server-side security for requests they receive themselves.
The following figure describes a typical C++ client security topology:

- SSL
- An SSL connection can provide different levels of protection (integrity
only, or integrity and confidentiality), and client authentication is optional.
Before a client request is dispatched, the security service determines an
effective security policy by coalescing the client and server configurations.
The effective policy sets the level of protection that satisfies the SSL
requirements of both client and server. Once the coalesced requirement is set,
the ORB attempts to establish an SSL connection that meets it; if no connection
can satisfy both sides, the request is not sent.
Note: The client configuration comes from the client's security properties,
while the server configuration is read from the Interoperable Object Reference
(IOR). The effective security policy is evaluated on every method request.
- Common Secure Interoperability Version 2 Security Protocol (CSIv2)
- The WebSphere EJB server implements two authentication protocols: Secure
Association Service (SAS) and Common Secure Interoperability Version 2 (CSIv2).
Both run over the Internet Inter-ORB Protocol (IIOP). Because CSIv2 is the
strategic protocol, the C++ security service supports only CSIv2, and only its
transport-layer mechanisms (SSL client authentication and message protection,
as described below).
- Client Authentication with SSL
- Client authentication with SSL is enabled by default. When it is enabled,
each C++ client must already be configured with a valid SSL certificate and
its private key, and that certificate (or the certificate of the CA that
signed it) must already be in the server's truststore. Using SSL with client
authentication is especially important because the server might assert the
client's identity in further downstream requests, so the identity it
propagates is only as trustworthy as the handshake that established it. If
client authentication fails during the SSL handshake, the connection fails
immediately and the request is rejected. If client authentication succeeds and
the connection is established, the client's identity, taken from its
certificate, is then available on the server side.
- Identity Assertion
- The identity extracted from the authenticated connection can be placed in
an identity token for identity assertion. Identity assertion lets a server
assert a caller identity that is different from its own authenticated identity,
once trust has been established between that server and the target. Because
the target does not re-authenticate the asserted identity, it must accept
identity tokens only from servers it has been configured to trust. With identity
assertion, the target can use the asserted identity for an authorization check
or propagate it in downstream requests. See the CSIv2 sections for further
information.
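The coalescing step described under SSL above, as an added example that is not WebSphere code: it models each side's configuration as the CSIv2 AssociationOptions bitmaps (the target's pair is what the TLS_SEC_TRANS component of the IOR carries), takes the union of both sides' requirements, and checks that both sides support every bit of that union. The bit values are the ones defined in the OMG CSIIOP module; the four sample configurations are constructed for illustration and do not describe any real deployment, and the exact evaluation WebSphere performs is not documented on this page.

```cpp
#include <cstdint>
#include <iostream>
#include <string>

// AssociationOptions bit values from the OMG CSIIOP IDL module (CSIv2).
namespace csiiop {
constexpr uint16_t NoProtection           = 1;
constexpr uint16_t Integrity              = 2;
constexpr uint16_t Confidentiality        = 4;
constexpr uint16_t EstablishTrustInTarget = 32;
constexpr uint16_t EstablishTrustInClient = 64;
}  // namespace csiiop

// One side's view: what it can do and what it insists on. The client's pair
// comes from its security properties; the target's pair is the
// target_supports/target_requires fields in the IOR's TLS_SEC_TRANS component.
struct SecOptions {
    uint16_t supports;
    uint16_t requires;
};

// The coalesced policy the ORB uses when it opens the connection.
struct EffectivePolicy {
    bool compatible;        // false: no connection can satisfy both sides
    bool use_ssl;           // an SSL connection (not plain IIOP) is needed
    bool verify_target;     // client must authenticate the server certificate
    bool send_client_cert;  // client must present its own certificate
    uint16_t required;      // union of both sides' requirements
};

EffectivePolicy coalesce(const SecOptions& client, const SecOptions& target) {
    using namespace csiiop;
    EffectivePolicy p{};
    // Anything either side requires becomes a requirement of the connection.
    p.required = static_cast<uint16_t>(client.requires | target.requires);

    // Every requirement must be supported by both ends, or no connection fits.
    const uint16_t both_support =
        static_cast<uint16_t>(client.supports & target.supports);
    if ((p.required & ~both_support) != 0) {
        p.compatible = false;
        return p;
    }
    // A demand for no protection cannot be combined with a demand for
    // integrity or confidentiality on the same connection.
    if ((p.required & NoProtection) &&
        (p.required & (Integrity | Confidentiality))) {
        p.compatible = false;
        return p;
    }
    p.compatible       = true;
    p.verify_target    = (p.required & EstablishTrustInTarget) != 0;
    p.send_client_cert = (p.required & EstablishTrustInClient) != 0;
    // Message protection or certificate-based trust in either direction
    // can only be delivered over SSL.
    p.use_ssl = (p.required & (Integrity | Confidentiality |
                               EstablishTrustInTarget |
                               EstablishTrustInClient)) != 0;
    return p;
}

// Constructed sample configurations (hypothetical, not from a real IOR).
const SecOptions kTargetClientAuth{   // EJB server that insists on client certs
    csiiop::Integrity | csiiop::Confidentiality |
        csiiop::EstablishTrustInTarget | csiiop::EstablishTrustInClient,
    csiiop::Integrity | csiiop::Confidentiality | csiiop::EstablishTrustInClient};
const SecOptions kTargetPlainOnly{csiiop::NoProtection, csiiop::NoProtection};
const SecOptions kClientWithCert{      // has a certificate, wants a verified server
    csiiop::Integrity | csiiop::Confidentiality |
        csiiop::EstablishTrustInTarget | csiiop::EstablishTrustInClient,
    csiiop::Integrity | csiiop::Confidentiality | csiiop::EstablishTrustInTarget};
const SecOptions kClientNoCert{        // cannot present a client certificate
    csiiop::Integrity | csiiop::Confidentiality | csiiop::EstablishTrustInTarget,
    csiiop::Integrity | csiiop::Confidentiality | csiiop::EstablishTrustInTarget};
const SecOptions kClientLax{           // accepts plain IIOP or SSL, requires nothing
    csiiop::NoProtection | csiiop::Integrity | csiiop::Confidentiality, 0};

std::string describe(const EffectivePolicy& p) {
    if (!p.compatible) return "rejected: requirements cannot be met by both sides";
    return std::string(p.use_ssl ? "SSL" : "plain IIOP") +
           (p.verify_target ? ", verify server cert" : "") +
           (p.send_client_cert ? ", send client cert" : "");
}

int main() {
    std::cout << "cert client -> client-auth target: "
              << describe(coalesce(kClientWithCert, kTargetClientAuth)) << '\n';
    std::cout << "no-cert client -> client-auth target: "
              << describe(coalesce(kClientNoCert, kTargetClientAuth)) << '\n';
    std::cout << "cert client -> plain-only target: "
              << describe(coalesce(kClientWithCert, kTargetPlainOnly)) << '\n';
    std::cout << "lax client -> plain-only target: "
              << describe(coalesce(kClientLax, kTargetPlainOnly)) << '\n';
    return 0;
}
```

The second and third cases are the ones worth checking in a deployment: a client with no certificate is refused by a target that requires EstablishTrustInClient before any request leaves the ORB, and a client that requires confidentiality never falls back to a plain IIOP target, whatever the target advertises.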
To use the security service, configure properties in the C++ client security
properties file, scclient.props.
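The trust check a target must make before honouring an identity token (the Identity Assertion item above), as an added example that is not WebSphere code: an asserted identity is used for authorization only when the peer that sent it authenticated with its own certificate and that certificate's subject is on a configured list of servers trusted to assert. Otherwise the target falls back to the SSL-authenticated client identity, or rejects the call. The struct and class names, the trusted-server list and the sample requests are all constructed for this illustration.

```cpp
#include <iostream>
#include <optional>
#include <set>
#include <string>
#include <utility>

// What the target knows about a request once the SSL handshake is done and
// the CSIv2 security context has been parsed (hypothetical representation).
struct IncomingContext {
    // Subject of the peer's client certificate, if one was presented and
    // verified against the truststore (the transport-layer identity).
    std::optional<std::string> transport_identity;
    // Principal carried in the identity token of the CSIv2 context, if any:
    // the identity the peer asserts on behalf of its own caller.
    std::optional<std::string> asserted_identity;
};

struct CallerDecision {
    bool accepted;
    std::string principal;  // identity used for authorization or propagated
    std::string reason;
};

// Target-side policy: who may assert identities, and how a caller is resolved.
class AssertionPolicy {
public:
    explicit AssertionPolicy(std::set<std::string> trusted_servers)
        : trusted_(std::move(trusted_servers)) {}

    CallerDecision resolve(const IncomingContext& ctx) const {
        if (ctx.asserted_identity) {
            // An identity token is never self-authenticating: the sender
            // must be authenticated and explicitly trusted to assert.
            if (!ctx.transport_identity) {
                return {false, "", "identity token from an unauthenticated peer"};
            }
            if (trusted_.count(*ctx.transport_identity) == 0) {
                return {false, "",
                        "peer " + *ctx.transport_identity +
                            " is not trusted to assert identities"};
            }
            return {true, *ctx.asserted_identity,
                    "asserted by trusted server " + *ctx.transport_identity};
        }
        if (ctx.transport_identity) {
            return {true, *ctx.transport_identity,
                    "authenticated by SSL client certificate"};
        }
        return {false, "", "no client authentication"};
    }

private:
    std::set<std::string> trusted_;
};

// Convenience wrapper so a single call resolves one request.
CallerDecision resolve_caller(const std::set<std::string>& trusted_servers,
                              std::optional<std::string> transport_identity,
                              std::optional<std::string> asserted_identity) {
    return AssertionPolicy(trusted_servers)
        .resolve({std::move(transport_identity), std::move(asserted_identity)});
}

int main() {
    // Constructed trust list and requests; none of these names are real.
    const std::set<std::string> trusted{"CN=appserver1,O=Example"};
    const IncomingContext requests[] = {
        {"CN=appserver1,O=Example", "alice"},   // trusted server asserting alice
        {"CN=rogue,O=Example", "admin"},        // authenticated but untrusted peer
        {std::nullopt, "admin"},                // token with no client certificate
        {"CN=cppclient,O=Example", std::nullopt},  // plain SSL client auth
    };
    const AssertionPolicy policy(trusted);
    for (const auto& r : requests) {
        const CallerDecision d = policy.resolve(r);
        std::cout << (d.accepted ? "accept " + d.principal : "reject")
                  << " (" << d.reason << ")\n";
    }
    return 0;
}
```

The second and third requests are the cases that matter: a peer that merely holds a valid certificate, or no certificate at all, cannot make the target act as any principal it names in a token.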

CORBA object services

Specifying run-time properties for CORBA C++ clients and servers
Searchable topic ID:
ccor_secure
Last updated: Jun 21, 2007 8:07:48 PM CDT
WebSphere Business Integration Server Foundation, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.wasee.doc/info/ee/corba/concepts/ccor_secure.html