Before you begin
Inbound
transports refer to the types of listener ports and their attributes that
are opened to receive requests for this server. Both Common Secure Interoperability
Specification, Version 2 (CSIv2) and Secure Authentication Service (SAS) have
the ability to configure the transport.
However, the following differences between
the two protocols exist:
- CSIv2 is much more flexible than SAS, which requires Secure Sockets Layer
(SSL); CSIv2 does not require SSL.
- SAS does not support SSL client certificate authentication, while CSIv2
does.
- CSIv2 can require SSL connections, while SAS only supports SSL connections.
- SAS always has two listener ports open: TCP/IP and SSL.
- CSIv2 can have as few as one listener port and as many as three listener
ports. You open one port when only TCP/IP is used or when SSL is required. You
open two ports when SSL is supported, and three ports when SSL and
SSL client certificate authentication are both supported.
Why and when to perform this task
Complete the following steps to configure the Inbound transport panels
in the administrative console:
Steps for this task
- Click Security > Global security.
- Under Authentication, click Authentication Protocol > CSIv2
inbound transport to select the type of transport and the SSL settings.
By selecting the type of transport, as noted previously, you choose
which listener ports you want to open. In addition, you disable the SSL client
certificate authentication feature if you choose TCP/IP as the transport.
- Select the SSL settings that correspond to an SSL transport.
These SSL settings are defined in the Security > SSL panel
and define the SSL configuration including the key ring, security level, ciphers,
and so on.
- Consider assigning fixed port numbers to the listener ports that you configured.
You complete this action in a different panel, but think about it now.
Most end points are managed at a single location, which is why they do not
display in the Inbound transport panels. Managing end points at a single location
helps you decrease the number of conflicts in your configuration when you
assign the endpoints. The location for SSL end points is at each server. The
following port names are defined in the End points panel and are used for
Object Request Broker (ORB) security:
- CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS: CSIv2 Client Authentication SSL Port
- CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS: CSIv2 SSL Port
- SAS_SSL_SERVERAUTH_LISTENER_ADDRESS: SAS SSL Port
- ORB_LISTENER_PORT: TCP/IP Port
For an application server, click Servers > Application servers
> server_name . Under Communications, click Ports. The Ports
panel is displayed for the specified server.
The Object Request Broker (ORB) on WebSphere Application Server uses a listener
port for Remote Method Invocation over the Internet Inter-ORB Protocol (RMI/IIOP)
communications. This port is generally not specified and is selected dynamically
during run time. If you are working with a firewall, you must specify a static
port for the ORB listener and open that port on the firewall so that communication
can pass through the specified port. The endPoint property for setting the
ORB listener port is ORB_LISTENER_ADDRESS.
Complete the following steps using the administrative
console to specify the ORB_LISTENER_ADDRESS port or ports.
- Click Servers > Application Servers > server_name.
Under Communications, click Ports > New.
- Select ORB_LISTENER_ADDRESS from the Port name field
in the Configuration panel.
- Enter the IP address, the fully qualified Domain Name System
(DNS) host name, or the DNS host name by itself in the Host field.
For example, if the host name is myhost, the fully qualified
DNS name can be myhost.myco.com and the IP address can be 155.123.88.201.
- Enter the port number in the Port field. The port
number specifies the port for which the service is configured to accept client
requests. The port value is used with the host name. Using the previous example,
the port number might be 9000.
- Click Security
> Global security. Under Authentication, click Authentication protocol
> CSIv2 inbound transport to select the SSL settings used for inbound
requests from CSIv2 clients. Remember that the CSIv2
protocol is used to interoperate with previous releases. When configuring
the keystore and truststore files in the SSL configuration, these files need
the right information for interoperating with previous releases of WebSphere
Application Server. For example, a previous release has a different truststore
file than the Version 6 release. If you use the Version 6 keystore file, add
the signer to the truststore file of the previous release for those clients
connecting to this server.
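The transport choices and end point names described in the steps above can be checked mechanically before the configuration is saved. The following is an added example, not part of the product or this page: it models which ORB end points must be listening for a given CSIv2 inbound transport (generalizing the one-, two- and three-port cases above to any combination of SSL setting and client certificate authentication), adds the two SAS ports when SAS is enabled, and flags a required end point left on a dynamic port behind a firewall or two end points assigned the same port. The Transport names, the check logic and the sample port assignment are this example's own.

```python
"""Check a WebSphere ORB listener port assignment against the end points that
the chosen CSIv2/SAS inbound transport needs. Added example; end point names are
those of the page, everything else (Transport values, checks, data) is assumed."""
from enum import Enum

class Transport(Enum):
    TCPIP = "TCP/IP"                 # plain IIOP only; client cert auth disabled
    SSL_SUPPORTED = "SSL-supported"  # clients may use TCP/IP or SSL
    SSL_REQUIRED = "SSL-required"    # plain IIOP refused

ORB = "ORB_LISTENER_ADDRESS"                          # TCP/IP port
CSIV2_SERVERAUTH = "CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS"  # CSIv2 SSL port
CSIV2_MUTUALAUTH = "CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS"  # client cert SSL port
SAS_SERVERAUTH = "SAS_SSL_SERVERAUTH_LISTENER_ADDRESS"      # SAS SSL port

def required_endpoints(transport, client_cert_auth=False, sas_enabled=False):
    """Return the set of end points that must be listening for this setting."""
    ports = set()
    if transport is not Transport.SSL_REQUIRED:
        ports.add(ORB)                       # TCP/IP still accepted
    if transport is not Transport.TCPIP:
        ports.add(CSIV2_SERVERAUTH)          # some SSL is in play
        if client_cert_auth:                 # mutual-auth port only with SSL
            ports.add(CSIV2_MUTUALAUTH)
    if sas_enabled:                          # SAS always opens TCP/IP and SSL
        ports.update({ORB, SAS_SERVERAUTH})
    return ports

def check_ports(configured, required, behind_firewall=True):
    """configured maps end point name -> port, 0 meaning chosen at run time.
    Returns a list of findings; an empty list means the assignment is clean."""
    findings = []
    for name in sorted(required):
        port = configured.get(name)
        if port is None:
            findings.append(f"{name}: required end point not defined")
        elif port == 0 and behind_firewall:
            findings.append(f"{name}: dynamic port cannot be opened on a firewall")
    by_port = {}
    for name, port in configured.items():
        if port:                             # ignore dynamic (0) ports here
            by_port.setdefault(port, []).append(name)
    for port, names in sorted(by_port.items()):
        if len(names) > 1:
            findings.append(f"port {port} assigned to {', '.join(sorted(names))}")
    return findings

# Constructed sample: SSL supported with client certificates, ORB port left
# dynamic and both CSIv2 SSL end points mistakenly given the same port.
EXAMPLE_PORTS = {ORB: 0, CSIV2_SERVERAUTH: 9403, CSIV2_MUTUALAUTH: 9403}
```

Running check_ports(EXAMPLE_PORTS, required_endpoints(Transport.SSL_SUPPORTED, client_cert_auth=True)) reports the dynamic ORB port and the 9403 conflict, which is the kind of mismatch the Ports panel does not warn about on its own.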
Result
The inbound transport configuration is complete. With this configuration,
you can configure a different transport for inbound security versus outbound
security. For example, if the application server is the first server that
is used by users, the security configuration might be more secure. When requests
go to back-end enterprise bean servers, you might lessen the security for
performance reasons when you go outbound. With this flexibility you can design
the right transport infrastructure to meet your needs.
What to do next
When you finish configuring security, perform the following steps
to save, synchronize, and restart the servers:
- Click Save in the administrative console to save any modifications
to the configuration.
- After the configuration is synchronized, stop and restart all servers.