Transport layer security and secure sockets layer

WebSphere® eXtreme Scale supports both TCP/IP and Transport Layer Security/Secure Sockets Layer (TLS/SSL) for secure communication between clients and servers.

TLS/SSL provides secure communication between the client and server. The communication mechanism that is used depends on the value of the transportType parameter that is specified in the client and server configuration files.

The transportType property can be set in both the client and the server configuration files. The following table shows the protocol that results from each combination of client and server settings:

Table 1. Transport protocol to use under client transport and server transport settings

  Client transportType    Server transportType    Resulting protocol
  TCP/IP                  TCP/IP                  TCP/IP
  TCP/IP                  SSL-supported           TCP/IP
  TCP/IP                  SSL-required            Error
  SSL-supported           TCP/IP                  TCP/IP
  SSL-supported           SSL-supported           SSL (if SSL fails, then TCP/IP)
  SSL-supported           SSL-required            SSL
  SSL-required            TCP/IP                  Error
  SSL-required            SSL-supported           SSL
  SSL-required            SSL-required            SSL

When SSL is used, the SSL configuration parameters must be provided on both the client and server side. In a Java™ SE environment, the SSL configuration is configured in the client or server property files. If the client or server is in a WebSphere Application Server, then you can use WebSphere Application Server's transport security support to configure SSL parameters.
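The table above hides one setting a review should catch: with SSL-supported on both sides, a failed handshake silently falls back to plaintext TCP/IP, so SSL-required is needed on at least one side to prevent the downgrade. The following added example (not part of the product documentation) reads a constructed client and server properties file, resolves the transport exactly as the table does, and reports that downgrade risk and any missing SSL parameters; the SSL parameter names it checks for are assumed placeholders, not taken from this page.

```python
TCP, SUP, REQ, SSL = "TCP/IP", "SSL-supported", "SSL-required", "SSL"
# Assumed SSL parameter names (illustrative placeholders; the page does not list them).
SSL_KEYS = ("keyStore", "keyStorePassword", "trustStore", "trustStorePassword")
# Constructed sample property files: the server side has no trust store configured.
CLIENT_PROPERTIES = """transportType=SSL-supported
keyStore=etc/client.jks
keyStorePassword=changeit
trustStore=etc/trust.jks
trustStorePassword=changeit
"""
SERVER_PROPERTIES = """transportType=SSL-Supported
keyStore=etc/server.jks
keyStorePassword=changeit
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, no escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def negotiate(client, server):
    """Apply the page's table: returns (protocol, may_downgrade); raises on a mismatch."""
    canon = {t.lower(): t for t in (TCP, SUP, REQ)}
    client, server = canon[client.lower()], canon[server.lower()]  # KeyError if unknown
    if {client, server} == {TCP, REQ}:
        raise ValueError(f"incompatible transportType: client={client}, server={server}")
    if TCP in (client, server):
        return TCP, False
    return SSL, client == server == SUP  # both SSL-supported: drops to TCP/IP if SSL fails

def preflight(client_text, server_text):
    """Resolve the transport and list what a security review should flag."""
    c, s = parse_properties(client_text), parse_properties(server_text)
    proto, downgrade = negotiate(c["transportType"], s["transportType"])
    findings = []
    if proto == TCP:
        findings.append("plaintext TCP/IP: client/server traffic is not encrypted")
    if downgrade:
        findings.append("SSL-supported on both sides: a failed handshake falls back to TCP/IP; set SSL-required on at least one side")
    for side, props in (("client", c), ("server", s)):
        missing = [k for k in SSL_KEYS if proto == SSL and not props.get(k)]
        if missing:
            findings.append(f"{side} is missing SSL parameters: {', '.join(missing)}")
    return proto, findings
```

Running preflight(CLIENT_PROPERTIES, SERVER_PROPERTIES) on the constructed files resolves to SSL but reports both the fallback risk and the server's missing trust store settings.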

Configuring the orb.properties file for transport security support

You can use TLS/SSL when the transportType property has a value of SSL-supported.

To support secure transport in a Java Platform, Standard Edition environment, you must modify the ORB properties file to include the following properties:

# IBM JDK properties  
org.omg.CORBA.ORBClass=com.ibm.CORBA.iiop.ORB
org.omg.CORBA.ORBSingletonClass=com.ibm.rmi.corba.ORBSingleton
javax.rmi.CORBA.StubClass=com.ibm.rmi.javax.rmi.CORBA.StubDelegateImpl
javax.rmi.CORBA.PortableRemoteObjectClass=com.ibm.rmi.javax.rmi.PortableRemoteObject
javax.rmi.CORBA.UtilClass=com.ibm.ws.orb.WSUtilDelegateImpl

# WS Plugins
com.ibm.CORBA.ORBPluginClass.com.ibm.ws.orbimpl.transport.WSTransport
com.ibm.CORBA.ORBPluginClass.com.ibm.ws.orbimpl.WSORBPropertyManager
com.ibm.CORBA.ORBPluginClass.com.ibm.ISecurityUtilityImpl.SecurityPropertyManager

# WS Interceptors
org.omg.PortableInterceptor.ORBInitializerClass.com.ibm.ws.objectgrid.corba.ObjectGridInitializer
org.omg.PortableInterceptor.ORBInitializerClass.com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityComponentFactory

# WS ORB & Plugins properties
com.ibm.ws.orb.transport.ConnectionInterceptorName=com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityConnectionInterceptor
com.ibm.ws.orb.transport.WSSSLClientSocketFactoryName=com.ibm.ws.security.orbssl.WSSSLClientSocketFactoryImpl

com.ibm.CORBA.TransportMode=Pluggable
com.ibm.CORBA.ServerName=ogserver

Configuring SSL parameters for eXtreme Scale clients

You can configure SSL parameters for clients in the following ways:

  1. Create a com.ibm.websphere.objectgrid.security.config.SSLConfiguration object by using the com.ibm.websphere.objectgrid.security.config.ClientSecurityConfigurationFactory factory class. For more details, refer to the ClientSecurityConfigurationFactory API Documentation.
  2. Configure the parameters in the client.properties file, and then use the ClientSecurityConfigurationFactory.getClientSecurityConfiguration(String) method to populate the object instance.

See the section on security client properties in the Client properties file for examples of properties that you can set on a client.

Configuring SSL parameters for eXtreme Scale servers

SSL parameters for servers are configured in a server properties file, such as server.properties. This property file can be passed as a parameter when you start an eXtreme Scale server. For more information about the SSL parameters you can set for eXtreme Scale servers, see Server properties file.

Transport security support in WebSphere Application Server

When an eXtreme Scale client, container server, or catalog server is running in a WebSphere Application Server process, eXtreme Scale transport security is managed by the Application Server CSIV2 transport settings. For the eXtreme Scale client or container server, you should not use eXtreme Scale client or server properties to configure the SSL settings. All the SSL settings should be specified in the WebSphere Application Server configuration.

However, the catalog server is a little different. The catalog server has its own proprietary transport paths, which cannot be managed by the Application Server CSIV2 transport settings. Therefore, the SSL properties still need to be configured in the server properties file for the catalog server.

Enable transport security for Sun JDK

WebSphere eXtreme Scale requires IBM Java Secure Sockets Extension (IBMJSSE) or the IBM Java Secure Sockets Extension 2 (IBMJSSE2). The IBMJSSE and IBMJSSE2 providers contain a reference implementation supporting SSL and Transport Layer Security (TLS) protocols and an application programming interface (API) framework.

The pure Sun JDK does not ship the IBM JSSE and IBM JSSE2 providers, so transport security cannot be enabled with a Sun JDK alone. To make this work, the Sun JDK that is shipped with WebSphere Application Server is required, because that JDK contains the IBM JSSE and IBM JSSE2 providers.

Read about configuring an Object Request Broker to be able to use a non-IBM JDK for WebSphere eXtreme Scale. If -Djava.endorsed.dirs is configured, it must point to both the objectgridRoot/lib/endorsed and the JRE/lib/endorsed directories. The objectgridRoot/lib/endorsed directory is required so that the IBM ORB is used, and the JRE/lib/endorsed directory is required to load the IBM JSSE and IBM JSSE2 providers.

Work with step 4 of the security tutorial to configure your required SSL properties, to create keystores and trust stores, and to start secure servers in WebSphere eXtreme Scale.