Why and when to perform this task
You can achieve interoperability of Security Authentication Service between the C++ Common Object Request Broker Architecture (CORBA) client and WebSphere Application Server using Common Secure Interoperability Version 2 (CSIv2) authentication protocol over Remote Method Invocation over the Internet Inter-ORB Protocol (RMI-IIOP). The CSIv2 security service protocol has authentication, attribute and transport layers. Among the three layers, transport authentication is conceptually simple, however, cryptographically based transport authentication is the strongest. WebSphere Application Server Enterprise has implemented the transport authentication layer, so that C++ secure CORBA clients can use it effectively in making CORBA clients and protected enterprise bean resources work together.Security authentication from non-Java based C++ client to enterprise beans. WebSphere Application Server supports security in the CORBA C++ client to access protected enterprise beans. If configured, C++ CORBA clients can access protected enterprise bean methods using client certificate to achieve mutual authentication on WebSphere Application Server Enterprise applications.
To support the C++ CORBA client in accessing protected
enterprise beans:
C++ security setting | Description |
---|---|
client_protocol_password | Specifies the password for the user ID. |
client_protocol_user | Specifies the user ID to be authenticated at the target server. |
security_sslKeyring | Specifies the name of the RACF keyring the client will use. The keyring must be defined under the user ID that is issuing the command to run the client. |
To support the C++ CORBA client in accessing protected enterprise beans:
Steps for this task
A valid certificate is needed to represent the C++ client. Request a certificate from the certificate authority (CA) or create a self-signed certificate for testing purposes.
Use the Key Management Utility from the Global Security Kit (GSKit) to extract the public key from the personal certificate and save it in the .arm format. For details, see the related information about how to extract the personal certificate of the public key.
Add the extracted client public key in the .arm file from the client to the server key truststore file. The server can now authenticate the client.
Note: This is done by invoking the Key Management Utility through ikeyman.bat or ikeyman.sh from WebSphere Application Server installation.
For details, see the article on Adding truststore files.If it is a base installation, go to Security > Authentication Protocol > CSIv2 Inbound Authentication then select Supported for Basic Authentication and Client Certificate Authentication and leave the rest as defaults. Go to the CSIv2 Inbound Transport and make sure SSL-Supported is selected.
If it is a Network Deployment setting, go to Server > Application Server > server_name_where_EJB_resides > Server Security > CSI Authentication Inbound. Then select Supported for Basic Authentication and Client Certificate Authentication. Leave the rest as defaults. Go to CSI Transport > Inbound to make sure SSL-Supported is selected.
For details, see the security articles Configuring CSIv2 inbound authentication and Configuring CSIv2 inbound transport.
The WebSphere Application Server is ready to take a C++ CORBA security client and a mutually authenticated server and client by using SSL in the transport layer.
Client users are accustomed to using property files in their applications because they are helpful in specifying configuration settings. The following list presents important C++ security settings:
C++ security setting | Description |
com.ibm.CORBA.bootstrapHostName=ricebella.austin.ibm.com | Specifies the target host name. |
com.ibm.CORBA.securityEnabled=yes | Enables security. |
com.ibm.CSI.performTLClientAuthenticationSupported=yes | Ensures client is supporting mutual authentication by certificate |
com.ibm.CSI.performTransportAssocSSLTLSSupported=yes | Ensures SSL is used, not TCP/IP |
com.ibm.ssl.keyFile=C:/ricebella/etc/DummyKeyRingFile.KDB | Specifies which key database file to use. |
com.ibm.ssl.keyPassword=WebAS | Specifies the password for opening the key database file. WebSphere Application Server supports a utility called PasswordEncode4cpp to encode the plain password. |
com.ibm.CORBA.translationEnabled=1 | Enables the valueType conversion. |
For the complete set of C++ client properties, see the sample property file scclient.props, which is shipped with the product located in the $install_root\etc directory.