Why and when to perform this task
You can achieve interoperability of the Security Authentication Service between a C++ Common Object Request Broker Architecture (CORBA) client and WebSphere Application Server by using the Common Secure Interoperability Version 2 (CSIv2) authentication protocol over Remote Method Invocation over the Internet Inter-ORB Protocol (RMI-IIOP). The CSIv2 security service protocol has authentication, attribute, and transport layers. Among the three layers, transport authentication is conceptually simple; however, cryptographically based transport authentication is the strongest. WebSphere Application Server implements the transport authentication layer so that secure C++ CORBA clients can use it to work with protected enterprise bean resources.
Security authentication from non-Java based C++ client to enterprise beans
WebSphere Application Server supports security in the CORBA C++ client for access to protected enterprise beans. If configured, C++ CORBA clients can access protected enterprise bean methods by using a client certificate to achieve mutual authentication on WebSphere Application Server applications.
/WebSphere/V6R0M0/DeploymentManager/profiles/default/config/cells/PLEX1Network/nodes/PLEX1Manager/servers/dmgr
Some of the environment file terms are explained below:
C++ security setting | Description |
---|---|
client_protocol_password | Specifies the password for the user ID. |
client_protocol_user | Specifies the user ID to authenticate at the target server. |
security_sslKeyring | Specifies the name of the RACF keyring for the client to use. The keyring must be defined under the user ID that is issuing the command to run the client. |
To support the C++ CORBA client in accessing protected enterprise beans:
Steps for this task
A valid certificate is needed to represent the C++ client. Request a certificate from the certificate authority (CA) or create a self-signed certificate for testing purposes.
Use the Key Management Utility from the Global Security Kit (GSKit) to extract the public key from the personal certificate and save it in the .arm format. For information on how to extract the public key from the personal certificate, see Extracting public certificates for truststore files.
For details, see Configuring Common Secure Interoperability Version 2 inbound authentication and Configuring inbound transports.
WebSphere Application Server is now ready to accept a secure C++ CORBA client, with the server and the client mutually authenticated by using SSL in the transport layer.
C++ security setting | Description |
---|---|
com.ibm.CORBA.bootstrapHostName=ricebella.austin.ibm.com | Specifies the target host name. |
com.ibm.CORBA.securityEnabled=yes | Enables security. |
com.ibm.CSI.performTLClientAuthenticationSupported=yes | Ensures that the client supports mutual authentication by certificate. |
com.ibm.CSI.performTransportAssocSSLTLSSupported=yes | Ensures that SSL is used, not TCP/IP. |
com.ibm.ssl.keyFile=C:/ricebella/etc/DummyKeyRingFile.KDB | Specifies which key database file to use. |
com.ibm.ssl.keyPassword=WebAS | Specifies the password for opening the key database file. WebSphere Application Server supports a utility called PasswordEncode4cpp to encode the plain password. |
com.ibm.CORBA.translationEnabled=1 | Enables the valueType conversion. |
For the complete set of C++ client properties, see the sample property file scclient.props, which is shipped with the product in the install_root/profiles/profile_name/etc directory.
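The following added example (not part of the product or of the original page) audits a C++ client property file against the settings in the table above before the client is deployed. The function names, the `#`/`!` comment syntax, the exact-match comparison of values, and the treatment of the key file and password values shown in the table as samples that should be replaced are assumptions of this example.

```python
# Added example: audit a C++ CORBA client property file (key=value lines).
# Settings the table above lists as needed for SSL with client certificates.
REQUIRED = {
    "com.ibm.CORBA.securityEnabled": "yes",
    "com.ibm.CSI.performTLClientAuthenticationSupported": "yes",
    "com.ibm.CSI.performTransportAssocSSLTLSSupported": "yes",
}

def parse_props(text):
    """Parse key=value lines; blank lines and '#'/'!' comments are skipped
    (comment syntax is an assumption of this example)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return a sorted list of findings; an empty list means every check passed."""
    props = parse_props(text)
    findings = []
    for key, want in REQUIRED.items():
        got = props.get(key)
        if got is None:
            findings.append(f"{key}: missing (expected {want})")
        elif got != want:
            findings.append(f"{key}: is {got!r}, expected {want!r}")
    key_file = props.get("com.ibm.ssl.keyFile")
    if not key_file:
        findings.append("com.ibm.ssl.keyFile: missing")
    elif "DummyKeyRingFile" in key_file:  # sample file name from the table
        findings.append("com.ibm.ssl.keyFile: still the sample key database")
    password = props.get("com.ibm.ssl.keyPassword")
    if not password:
        findings.append("com.ibm.ssl.keyPassword: missing")
    elif password == "WebAS":  # sample password from the table
        findings.append("com.ibm.ssl.keyPassword: still the sample password")
    return sorted(findings)

# Constructed sample input, not a real client file.
SAMPLE = """# constructed test file
com.ibm.CORBA.bootstrapHostName=appserver.example.test
com.ibm.CORBA.securityEnabled=yes
com.ibm.CSI.performTLClientAuthenticationSupported=no
com.ibm.ssl.keyFile=C:/client/etc/DummyKeyRingFile.KDB
com.ibm.ssl.keyPassword=WebAS
"""
```

Calling `audit(SAMPLE)` reports the disabled client-certificate setting, the missing SSL transport setting, and the two sample values.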
Related tasks
Extracting public certificates for truststore files
Configuring Common Secure Interoperability Version 2 inbound authentication
Configuring inbound transports