By using this configuration, you can configure a different transport
for inbound security versus outbound security.
Before you begin
Outbound transport refers to the transport that is used to
connect to a downstream server. When you configure the outbound transport,
consider the transports that the downstream servers support. If you are considering
Secure Sockets Layer (SSL), also include the signers of the downstream
servers in this server's truststore file so that the handshake succeeds.
When
you select an SSL configuration, that configuration points to keystore and
truststore files, or keystore and truststore keyrings, that contain the necessary
signers.
If you configured client certificate authentication for this server
by completing the following steps, the downstream servers must also trust this
server: their truststores must contain the signer certificate that issued this
server's personal certificate.
- Click Security > Secure administration, applications, and infrastructure.
- Under RMI/IIOP security, click CSIv2 outbound authentication.
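To make the trust requirement concrete, the following is an added example written for this page in Go; it is not WebSphere code and does not read WebSphere keystores. It models the path-validation step of the SSL handshake from this server's point of view: a downstream server's personal certificate is issued by its own signer, the handshake check fails while this server's truststore holds only this server's own signer, and succeeds once the downstream signer is imported. The subject names "This Server Signer" and "Downstream Signer" and the host ejb.backend.example are constructed. The same check applies to the SAS interoperability step later in the procedure, where the signer of one release's personal certificate has to be imported into the other release's truststore.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for cn. With parent == nil it is a self-signed
// signer (CA) certificate; otherwise it is a server certificate signed by parent.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil { // signer certificate: self-signed
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
		parent, parentKey = tmpl, key
	} else { // server personal certificate, valid for the host name cn
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// HandshakeCheck is the path-validation step of the SSL handshake from this
// server's point of view: the downstream server's certificate must chain to a
// signer in this server's truststore and must be valid for host.
func HandshakeCheck(truststore []*x509.Certificate, serverCert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	for _, c := range truststore {
		roots.AddCert(c)
	}
	_, err := serverCert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// TrustScenario builds the situation described in the text: this server trusts
// only its own signer, while the downstream server's personal certificate was
// issued by a different signer. It returns the handshake result before and
// after the downstream signer is added to this server's truststore.
func TrustScenario() (beforeImport, afterImport error, setupErr error) {
	const downstreamHost = "ejb.backend.example" // constructed host name
	ownSigner, _, err := newCert("This Server Signer", nil, nil)
	if err != nil {
		return nil, nil, err
	}
	downstreamSigner, downstreamKey, err := newCert("Downstream Signer", nil, nil)
	if err != nil {
		return nil, nil, err
	}
	downstreamCert, _, err := newCert(downstreamHost, downstreamSigner, downstreamKey)
	if err != nil {
		return nil, nil, err
	}
	truststore := []*x509.Certificate{ownSigner}
	beforeImport = HandshakeCheck(truststore, downstreamCert, downstreamHost)
	// The "extract the signer and import it into the truststore" step.
	truststore = append(truststore, downstreamSigner)
	afterImport = HandshakeCheck(truststore, downstreamCert, downstreamHost)
	return beforeImport, afterImport, nil
}

func main() {
	before, after, err := TrustScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("without downstream signer:", before)
	fmt.Println("with downstream signer:   ", after)
}
```

The first check fails with an unknown-authority error because nothing in the truststore issued the downstream certificate; only the signer, never the downstream server's personal certificate or private key, has to be imported for the second check to pass.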
About this task
Complete the following steps to configure the outbound transport
panels.
Procedure
- Select the type of transport and the SSL settings
by clicking Security > Secure administration, applications, and infrastructure.
Under RMI/IIOP security, click CSIv2 outbound transport. By
selecting the type of transport, you choose the transport to use when connecting
to downstream servers; the downstream servers must support the transport that you
choose. If you choose SSL-Supported, the transport that is actually used is
negotiated during the connection: SSL is used when the downstream server also
supports it, and the connection falls back to unprotected TCP/IP when it does not.
If both the client and server support SSL, select the SSL-Supported option unless
the request is a special request that does not require SSL, such as certain
object request broker (ORB) requests. If a cleartext fallback is not acceptable
for any downstream server, select SSL-Required instead.
- Select the SSL required option if you want
to use Secure Sockets Layer communications with the outbound transport.
If you select the SSL required option, you can select either the
Centrally managed or Use specific SSL alias option.
- Centrally managed
- Enables you to specify an SSL configuration for a particular scope, such
as the cell, node, server, or cluster, in one location. To use the Centrally
managed option, you must specify the SSL configuration for the particular
set of endpoints. The Manage endpoint security configurations and trust zones
panel displays all of the inbound and outbound endpoints that use the SSL
protocol. If you expand the Inbound or Outbound section of the panel and click
the name of a node, you can specify an SSL configuration that is used for
every endpoint on that node. For an outbound transport, you can override the
inherited SSL configuration by specifying an SSL configuration for a particular
endpoint. To specify an SSL configuration for an outbound transport, click Security
> SSL certificate and key management > Manage endpoint security configurations
and trust zones and expand Outbound.
- Use specific SSL alias
- Select the Use specific SSL alias option if you intend to select
one of the SSL configurations in the menu below the option.
This configuration is used only when SSL is enabled for the outbound transport
(SSL-Supported or SSL-Required); it is not used for plain TCP/IP connections.
The default is DefaultSSLSettings.
To modify or create a new SSL configuration, complete the steps described
in Creating a Secure Sockets Layer configuration.
- Select the SSL settings that are used for outbound requests to downstream
Secure Authentication Service (SAS) servers. Click Security > Secure administration,
applications, and infrastructure. Under RMI/IIOP security, click SAS outbound transport.
Remember that the SAS protocol exists for interoperability with previous
releases. When you configure the keystore and truststore files in the SSL configuration,
make sure that these files contain the correct signers for interoperating with previous
releases of WebSphere Application Server. For example, a previous release
has a different personal certificate than the Version 6.x release.
If you use the keystore file from the Version 6.x release, the previous release must
trust its signer: extract the signer certificate for the Version 6.x personal
certificate and import it into the truststore file of the previous release.
Important: SAS is supported only between Version 6.0.x and previous version servers that have been federated in a Version 6.1 cell.
Results
The outbound transport configuration is complete. With this configuration,
you can use a different transport for inbound security than for outbound
security. For example, if the application server is the first server that
end users reach, its inbound configuration might be stricter (for example,
SSL-Required). When requests go outbound to back-end enterprise beans servers,
you might accept less protection for performance reasons; do so only when the
network between the servers is itself trusted, because an outbound TCP/IP
transport, or an SSL-Supported transport that negotiates down, carries the
IIOP traffic in cleartext. With this flexibility you can
design a transport infrastructure that meets your needs.
What to do next
When you finish configuring security, perform the following steps
to save, synchronize, and restart the servers.
- Click Save in the administrative console to save any modifications
to the configuration.
- Synchronize the configuration with all node agents.
- Stop and restart all servers after synchronization.