When you install WebSphere Application Server, security
is enabled and every installed service integration bus is secured. To
override the default configuration through which the bus-enabled Web
services component accesses a secure bus, you configure an authentication
alias that the service integration resource adapter uses to access
the bus.
Before you begin
In WebSphere Application Server Version 6.0, you had to set
the security configuration to allow the bus-enabled Web services component
to work in a secure bus. In this version of the product, the bus-enabled
Web services component can access a secure bus by default.
Note: To use bus-enabled Web services when bus security is enabled, your Web services clients must provide suitable credentials when making requests. Your clients can provide credentials either using WS-Security or using HTTP basic authentication, as described in Authenticating Web services clients using HTTP basic authentication. For HTTP basic authentication, application security must also be enabled and, depending on which of these authentication schemes you use, the endpoint listener application must be appropriately configured as described in Password-protecting inbound services. When you use HTTP basic authentication, you map the AuthenticatedUsers role to the special "AllAuthenticatedUsers" group (or to some other suitable authenticated group or user); when you use WS-Security you do not need to map the endpoint listener AuthenticatedUsers role unless Application Security is enabled, in which case you map the AuthenticatedUsers role to the special "Everyone" group. For more information, see Assigning users and groups to roles.
About this task
The default configuration that
bus-enabled Web services use to access a secure bus is as follows:
- Access to a bus is configured through the bus connector role.
  By default, every bus connector role includes a group called server.
  Members of this group are authorized to connect to the bus.
- The service integration technologies resource adapter uses a J2C activation
  specification to communicate with the bus. By default, this activation specification
  has a boolean custom property useServerSubject that is set to "true".
  This property allows the service integration technologies resource adapter
  to connect to the bus as a subject (a member) of the server group.
For more information,
see Bus-enabled Web services default configuration for accessing a secure bus.
You can override this default configuration by defining an authentication alias that the service integration resource adapter uses to access the bus. Using an authentication alias does not make your configuration more secure. However, you might want to use an alias for consistency of approach if you have other application servers running under WebSphere Application Server Version 6.0, or to support your internal business controls for use of IDs and passwords.
To configure an authentication alias for the
resource adapter to use when it communicates with the bus, use the
administrative console to complete the following steps:
Procedure
- In the navigation pane, click bus_name.
- Create a J2C authentication alias.
- Configure authentication for the resource adapter by completing
  the following steps:
  - In the administrative console navigation pane, click .
  - In the Authentication alias drop-down list, select
    the authentication alias that you created.
  - Click Apply.
- Optional: Disable the default authentication configuration.
  If you configure an authentication alias, you need not also disable the default configuration. If an authentication alias exists, it overrides the default configuration. This means that if you use an authentication alias that is authorized to access the bus, then the communication will succeed, and if you use an authentication alias that is not authorized to access the bus, then the communication will fail, irrespective of the default settings. However, if you subsequently remove the authentication alias from the activation specification, the default configuration will again take control and (if not disabled) will allow the service integration resource adapter to continue to access the bus. For more information, see Bus-enabled Web services default configuration for accessing a secure bus.
  To disable the default authentication configuration, complete the following steps:
  - In the administrative console navigation pane, click .
  - In the list of custom properties, click useServerSubject.
  - Change the Value for the useServerSubject property
    from "true" to "false".
  - Click OK.
- Save your changes to the master configuration.
- Close the administrative console.
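The precedence between the authentication alias and the useServerSubject default, described under the optional step above, can be modelled as a small check. This is an added example, not code from the product or its documentation; the dictionary layout, the field name alias_user and the sample identities are assumptions made for illustration.

```python
# Added model of the precedence rules on this page; not IBM code.
# Field names ("alias_user") and all sample identities are constructed.

SERVER_GROUP = "server"  # group the page says each bus connector role includes by default

ALIAS_DENIED = "alias identity is not in the bus connector role: communication fails"
SILENT_FALLBACK = "removing the alias would fall back to the server subject and still connect"
NO_ACCESS = "no alias and no usable default: communication fails"


def effective_identity(spec):
    """Identity the resource adapter presents to the bus, or None."""
    if spec.get("alias_user"):              # an alias overrides the default
        return spec["alias_user"]
    if spec.get("useServerSubject", True):  # property defaults to "true"
        return SERVER_GROUP
    return None


def can_connect(spec, connector_role):
    identity = effective_identity(spec)
    return identity is not None and identity in connector_role


def audit(spec, connector_role):
    """List what an administrator should know about this activation specification."""
    findings = []
    if spec.get("alias_user"):
        if not can_connect(spec, connector_role):
            findings.append(ALIAS_DENIED)
        without_alias = dict(spec, alias_user=None)
        if can_connect(without_alias, connector_role):
            findings.append(SILENT_FALLBACK)
    elif not can_connect(spec, connector_role):
        findings.append(NO_ACCESS)
    return findings


if __name__ == "__main__":
    role = {SERVER_GROUP, "wsBusUser"}  # constructed bus connector role
    for spec in (
        {"alias_user": "wsBusUser", "useServerSubject": True},
        {"alias_user": "wsBusUser", "useServerSubject": False},
        {"alias_user": "otherUser", "useServerSubject": True},
        {"alias_user": None, "useServerSubject": False},
    ):
        print(spec, audit(spec, role))
```

An empty result for the second sample reflects the state reached after the optional step: the alias is authorized and removing it would not silently restore access through the server group.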