[AIX HP-UX Linux Solaris Windows]This topic applies only on the i5/OS operating system.

Scenario 4: TCP/IP transport using a virtual private network

This scenario illustrates the ability to choose TCP/IP as the transport when it is appropriate. In some cases, when two servers are on the same virtual private network (VPN), it can be appropriate to select TCP/IP as the transport for performance reasons because the VPN already encrypts the message.

Configuring C

C requires message layer authentication with an Secure Sockets Layer (SSL) transport:
  1. Point the client to the sas.client.props file.

    [AIX HP-UX Linux Solaris Windows] Use the com.ibm.CORBA.ConfigURL=file:/C:/was/properties/sas.client.props property. All further configuration involves setting properties within this file.

    [iSeries] Use the com.ibm.CORBA.ConfigURL=file:/profile_root/properties/sas.client.props property. The profile_root variable is to the specific profile you are working with. All further configuration involves setting properties within this file.

  2. Enable SSL. In this case, SSL is supported but not required: com.ibm.CSI.performTransportAssocSSLTLSSupported=true, com.ibm.CSI.performTransportAssocSSLTLSRequired=false
  3. Enable client authentication at the message layer. In this case, client authentication is supported but not required: com.ibm.CSI.performClientAuthenticationRequired=false, com.ibm.CSI.performClientAuthenticationSupported=true
  4. Use the remaining defaults in the sas.client.props file.

Configuring the S1 server

In the administrative console, the S1 server is configured for incoming requests to support message-layer client authentication and incoming connections to support SSL without client certificate authentication. The S1 server is configured for outgoing requests to support identity assertion.
  1. Configure S1 for incoming connections:
    1. Disable identity assertion.
    2. Enable user ID and password authentication.
    3. Enable SSL.
    4. Disable SSL client certificate authentication.
  2. Configure S1 for outgoing connections:
    1. Disable identity assertion.
    2. Enable user ID and password authentication.
    3. Disable SSL.

It is possible to enable SSL for inbound connections and disable SSL for outbound connections. The same is true in reverse.

Configuring the S2 server

In the administrative console, the S2 server is configured for incoming requests to support identity assertion and to accept SSL connections. Configuration for outgoing requests and connections are not relevant for this scenario.
  1. Disable identity assertion.
  2. Enable user ID and password authentication.
  3. Disable SSL.



Related tasks
Configuring IIOP authentication
Example 1: Configuring basic authentication and identity assertion
Example 2: Configuring basic authentication, identity assertion, and client certificates
Example 3: Configuring client certificate authentication and RunAs system
Reference topic Reference topic    

Terms and conditions for information centers | Feedback

Last updatedLast updated: Aug 31, 2013 4:28:44 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-mp&topic=rsecscenario4
File name: tsec_scenario4.html