WebSphere® eXtreme Scale supports both TCP/IP and Transport Layer Security/Secure Sockets Layer (TLS/SSL) for secure communication between clients and servers.
Which mechanism a given connection uses is negotiated from the transportType value in the client configuration file and the transportType value in the server configuration file, as shown in the following table.
Client transportType property | Server transportType property | Resulting protocol |
---|---|---|
TCP/IP | TCP/IP | TCP/IP |
TCP/IP | SSL-supported | TCP/IP |
TCP/IP | SSL-required | Error |
SSL-supported | TCP/IP | TCP/IP |
SSL-supported | SSL-supported | SSL (if SSL fails, then TCP/IP) |
SSL-supported | SSL-required | SSL |
SSL-required | TCP/IP | Error |
SSL-required | SSL-supported | SSL |
SSL-required | SSL-required | SSL |
When SSL is used, the SSL configuration parameters must be provided on both the client and the server side. In a Java™ SE environment, SSL is configured in the client or server properties file. If the client or server runs in WebSphere Application Server, you can use the Application Server's transport security support to configure the SSL parameters instead.
TLS/SSL is used when the transportType property is SSL-Supported or SSL-Required. Only SSL-Required rejects a plaintext peer: with SSL-Supported on both sides, a failed SSL handshake falls back to TCP/IP, so set SSL-Required on both the client and the server wherever plaintext must not be accepted.
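The following Python script is an added example, not code from the WebSphere eXtreme Scale documentation or product. It reads a client and a server properties file, resolves which transport the two transportType values negotiate according to the table above, and reports pairs that fail outright, run in plaintext, or can fall back to plaintext. It assumes (the page does not say) that transportType defaults to TCP/IP when absent, that values are matched case-insensitively, and that an SSL-capable side carries its key material in the keyStore, keyStorePassword, trustStore and trustStorePassword properties described in the client and server properties references; the sample property files are constructed for the example and the paths in them are placeholders.

```python
import re

# Added example, not part of the WebSphere eXtreme Scale documentation.
# Assumed property names for the SSL material on each side (see the
# client/server properties reference; adjust if your reference differs).
SSL_MATERIAL = ("keyStore", "keyStorePassword", "trustStore", "trustStorePassword")

TCP = "TCP/IP"
SUPPORTED = "SSL-supported"
REQUIRED = "SSL-required"
ERROR = "Error"


def parse_properties(text):
    """Parse Java .properties text: '#'/'!' comment lines, key=value or
    key:value pairs, and a bare key (as in the ORB plugin lines) mapped to ''."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        props[parts[0].strip()] = parts[1].strip() if len(parts) > 1 else ""
    return props


def normalize_transport(value):
    """Map the documented spellings (SSL-Supported, SSL-supported, ...) onto one
    canonical form; unknown values are returned unchanged so they surface."""
    table = {"tcp/ip": TCP, "ssl-supported": SUPPORTED, "ssl-required": REQUIRED}
    return table.get(value.strip().lower(), value.strip())


def resolve_transport(client, server):
    """Return (resulting protocol, note) for a client/server transportType pair,
    row for row as in the combination table."""
    for v in (client, server):
        if v not in (TCP, SUPPORTED, REQUIRED):
            return ERROR, f"unknown transportType {v!r}"
    if {client, server} == {REQUIRED, TCP}:
        return ERROR, "one side requires SSL, the other only speaks TCP/IP"
    if TCP in (client, server):
        return TCP, "plaintext: at least one side only speaks TCP/IP"
    if client == SUPPORTED and server == SUPPORTED:
        return "SSL", "SSL, but falls back to TCP/IP if the SSL handshake fails"
    return "SSL", "SSL, enforced by the side set to SSL-required"


def audit(client_text, server_text):
    """Lint a client and a server properties file; returns (protocol, findings)."""
    client = parse_properties(client_text)
    server = parse_properties(server_text)
    # Assumption: a missing transportType behaves like TCP/IP.
    ct = normalize_transport(client.get("transportType", TCP))
    st = normalize_transport(server.get("transportType", TCP))
    protocol, note = resolve_transport(ct, st)
    findings = []
    if protocol == ERROR:
        findings.append(f"FAIL: client={ct} server={st}: {note}")
    elif protocol == TCP:
        findings.append(f"WARN: client={ct} server={st}: {note}")
    elif ct == SUPPORTED and st == SUPPORTED:
        findings.append("WARN: both sides are SSL-supported; set SSL-required on "
                        "both to rule out a TCP/IP fallback")
    if protocol == "SSL":
        # SSL parameters are required on both sides whenever SSL is used.
        for side, props in (("client", client), ("server", server)):
            missing = [p for p in SSL_MATERIAL if not props.get(p)]
            if missing:
                findings.append(f"FAIL: {side} uses SSL but lacks {', '.join(missing)}")
    return protocol, findings


# Constructed sample files; paths and passwords are placeholders.
CLIENT_PROPERTIES = """\
# client.properties (constructed sample)
transportType=SSL-Supported
keyStore=/opt/wxs/etc/client.jks
keyStorePassword=changeit
trustStore=/opt/wxs/etc/truststore.jks
trustStorePassword=changeit
"""

SERVER_PROPERTIES = """\
# server.properties (constructed sample): SSL required but trust store omitted
transportType=SSL-Required
keyStore=/opt/wxs/etc/server.jks
keyStorePassword=changeit
"""

if __name__ == "__main__":
    protocol, findings = audit(CLIENT_PROPERTIES, SERVER_PROPERTIES)
    print(f"negotiated transport: {protocol}")
    for finding in findings:
        print(finding)
```

Run against real files by reading them into strings and passing them to audit(); the sample pair above negotiates SSL because the server requires it, and the script flags the server's missing trust store rather than letting the deployment fail at the first handshake.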
To support secure transport in a Java Platform, Standard Edition environment, you must modify the ORB properties file to include the following properties:
```properties
# IBM JDK properties
org.omg.CORBA.ORBClass=com.ibm.CORBA.iiop.ORB
org.omg.CORBA.ORBSingletonClass=com.ibm.rmi.corba.ORBSingleton
javax.rmi.CORBA.StubClass=com.ibm.rmi.javax.rmi.CORBA.StubDelegateImpl
javax.rmi.CORBA.PortableRemoteObjectClass=com.ibm.rmi.javax.rmi.PortableRemoteObject
javax.rmi.CORBA.UtilClass=com.ibm.ws.orb.WSUtilDelegateImpl
# WS Plugins
com.ibm.CORBA.ORBPluginClass.com.ibm.ws.orbimpl.transport.WSTransport
com.ibm.CORBA.ORBPluginClass.com.ibm.ws.orbimpl.WSORBPropertyManager
com.ibm.CORBA.ORBPluginClass.com.ibm.ISecurityUtilityImpl.SecurityPropertyManager
# WS Interceptors
org.omg.PortableInterceptor.ORBInitializerClass.com.ibm.ws.objectgrid.corba.ObjectGridInitializer
org.omg.PortableInterceptor.ORBInitializerClass.com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityComponentFactory
# WS ORB & Plugins properties
com.ibm.ws.orb.transport.ConnectionInterceptorName=com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityConnectionInterceptor
com.ibm.ws.orb.transport.WSSSLClientSocketFactoryName=com.ibm.ws.security.orbssl.WSSSLClientSocketFactoryImpl
com.ibm.CORBA.TransportMode=Pluggable
com.ibm.CORBA.ServerName=ogserver
```
SSL parameters for clients are configured through the client properties file. See the section on security client properties in the Client properties file for examples of the properties that you can set on a client.
SSL parameters for servers are configured in a server properties file, for example a server.properties file. This properties file can be passed as a parameter when you start an eXtreme Scale server. For the SSL parameters that you can set for eXtreme Scale servers, see Server properties file.
When an eXtreme Scale client, container server, or catalog server runs inside a WebSphere Application Server process, eXtreme Scale transport security is managed by the Application Server CSIv2 transport settings. For a client or container server in that situation, do not configure SSL in the eXtreme Scale client or server properties; specify all SSL settings in the WebSphere Application Server configuration.
The catalog server is the exception. It has its own proprietary transport paths that cannot be managed by the Application Server CSIv2 transport settings, so its SSL properties must still be configured in the catalog server's server properties file.
WebSphere eXtreme Scale requires IBM Java Secure Sockets Extension (IBMJSSE) or the IBM Java Secure Sockets Extension 2 (IBMJSSE2). The IBMJSSE and IBMJSSE2 providers contain a reference implementation supporting SSL and Transport Layer Security (TLS) protocols and an application programming interface (API) framework.
A plain Sun JDK does not ship the IBM JSSE and IBM JSSE2 providers, so transport security cannot be enabled with it. Use the Sun JDK shipped with WebSphere Application Server instead; that JDK includes the IBM JSSE and IBM JSSE2 providers.
See the topic on configuring an Object Request Broker for how to use a non-IBM JDK with WebSphere eXtreme Scale. When -Djava.endorsed.dirs is configured, it must point to both the objectgridRoot/lib/endorsed and the JRE/lib/endorsed directories: objectgridRoot/lib/endorsed is required so that the IBM ORB is used, and JRE/lib/endorsed is required to load the IBM JSSE and IBM JSSE2 providers.
Follow step 4 of the security tutorial to configure the required SSL properties, create keystores and truststores, and start secure servers in WebSphere eXtreme Scale.