By using this configuration, you can configure a different
transport for inbound security versus outbound security.
Before you begin
Inbound
transports refer to the types of listener ports and their attributes
that are opened to receive requests for this server. Both Common Secure
Interoperability Specification, Version 2 (CSIv2) and Secure Authentication
Service (SAS) have the ability to configure the transport.
Important: SAS is supported only between Version 6.0.x and previous version servers that have been federated in a Version 6.1 cell.
However,
the following differences between the two protocols exist:
- CSIv2 is more flexible than SAS: SAS requires Secure Sockets
Layer (SSL), whereas CSIv2 does not require it.
- SAS does not support SSL client certificate authentication, while
CSIv2 does.
- CSIv2 can be configured to require SSL connections. SAS can only
support SSL connections; because it always accepts TCP/IP as well, it
cannot require SSL.
- SAS always has two listener ports open: TCP/IP and SSL.
- CSIv2 can have as few as one listener port and as many as three
listener ports. One port is open when only TCP/IP is used or when SSL
is required. Two ports (TCP/IP and SSL) are open when SSL is supported,
and three ports are open when SSL and SSL client certificate
authentication are supported.
About this task
Complete the following steps to configure the Inbound transport
panels in the administrative console:
Procedure
- Click Security > Global security.
- Under RMI/IIOP security, click CSIv2 inbound communications.
- Under Transport, select the transport that this server supports
for inbound requests: TCP/IP, SSL-supported, or SSL-required. If you
specify TCP/IP, the server accepts only TCP/IP connections and cannot
accept SSL connections. If you specify SSL-supported, this server
accepts either TCP/IP or SSL connections. If you specify SSL-required,
any client or server communicating with this one must use SSL, and
plain TCP/IP connections are refused.
Note: This option is not available on the z/OS® platform
unless there are both Version 6.0.x and earlier nodes in the cell.
- Click Apply.
- Consider assigning fixed (static) listener ports for the transports
that you configured. You complete this action in a different panel,
but plan it now. Most endpoints are managed at a single location,
which is why they do not display in the Inbound transport panels.
Managing endpoints at a single location helps you decrease the number
of port conflicts in your configuration when you assign the endpoints.
SSL endpoints are defined at each server. The following port
names are defined in the End points panel and are used for Object
Request Broker (ORB) security (endpoint name, followed by the port it
represents):
- CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS: CSIv2 Client Authentication SSL Port
- CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS: CSIv2 SSL Port
- SAS_SSL_SERVERAUTH_LISTENER_ADDRESS: SAS SSL Port
- ORB_LISTENER_ADDRESS: TCP/IP Port
For an application server, click Servers > Application
servers > server_name. Under Communications, click Ports.
The Ports panel is displayed for the specified server.
The Object Request Broker (ORB) on WebSphere® Application Server uses a listener
port for Remote Method Invocation over the Internet Inter-ORB Protocol
(RMI/IIOP) communications, and is statically specified using configuration
dialogs or during migration. If you are
working with a firewall, you must specify a static port for the ORB
listener and open that port on the firewall so that communication
can pass through the specified port. The endPoint property for setting
the ORB listener port is: ORB_LISTENER_ADDRESS.
- Click Servers > Application Servers > server_name.
Under Communications, click Ports > New.
- Select ORB_LISTENER_ADDRESS from the Port
name field in the Configuration panel.
- Enter the IP address, the fully
qualified Domain Name System (DNS) host name, or the DNS host name
by itself in the Host field. For example, if the
host name is myhost, the fully qualified DNS name can be myhost.myco.com and
the IP address can be 155.123.88.201.
- Enter the port number in the Port field.
The port number specifies the port for which the service is
configured to accept client requests. The port value is used with
the host name. Using the previous example, the port number might be
9000.
- Click Security >
Global security. Under RMI/IIOP security, click CSIv2 inbound
communications. Select the SSL settings that are used for inbound
requests from CSIv2 clients, and then click Apply. Remember
that the CSIv2 protocol is used to inter-operate with previous releases.
When you configure the keystore and truststore files in the SSL
configuration, make sure that they support that interoperation: the
truststore must contain the signer certificates of the previous-release
clients and servers that connect with client certificate
authentication, and those clients and servers must trust the signer of
the certificate that this server presents from its keystore.
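The ORB reads the Ports panel values at startup, so it is worth checking them across all servers on a node before you restart. The following script is an added example written for this page; it is not IBM code and is not a tool shipped with WebSphere Application Server. It assumes (an assumption, not stated on this page) that the endpoints you set in the Ports panel are stored in the node's serverindex.xml under the profile's config tree as serverEntries/specialEndpoints/endPoint elements. The XML it carries is a constructed sample with two servers: server2 still has a dynamic (0) ORB listener port, which cannot be opened on a firewall, and reuses server1's CSIv2 SSL port. The script lists the four ORB security endpoints per server and reports dynamic ports, a missing ORB_LISTENER_ADDRESS, and host:port conflicts.

```python
"""Audit ORB/CSIv2 listener endpoints in a WebSphere serverindex.xml.

Added example, not from the IBM page. Assumption (not stated on the page):
the Ports panel values live in
config/cells/<cell>/nodes/<node>/serverindex.xml as
<serverEntries><specialEndpoints endPointName=...><endPoint host=... port=.../>.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Endpoint names the page lists as used for ORB security, with the
# port each one represents in the Ports panel.
ORB_SECURITY_ENDPOINTS = {
    "CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS": "CSIv2 Client Authentication SSL Port",
    "CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS": "CSIv2 SSL Port",
    "SAS_SSL_SERVERAUTH_LISTENER_ADDRESS": "SAS SSL Port",
    "ORB_LISTENER_ADDRESS": "TCP/IP Port",
}

# Constructed sample (not a real file): two servers on one node. server2
# has a dynamic (0) ORB port and reuses server1's CSIv2 SSL port 9403.
SAMPLE_SERVERINDEX = """<?xml version="1.0" encoding="UTF-8"?>
<serverindex:ServerIndex xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:serverindex="http://www.ibm.com/websphere/appserver/schemas/5.0/serverindex.xmi"
    xmi:id="ServerIndex_1" hostName="myhost">
  <serverEntries xmi:id="ServerEntry_1" serverName="server1" serverType="APPLICATION_SERVER">
    <specialEndpoints xmi:id="NamedEndPoint_1" endPointName="ORB_LISTENER_ADDRESS">
      <endPoint xmi:id="EndPoint_1" host="myhost" port="9000"/>
    </specialEndpoints>
    <specialEndpoints xmi:id="NamedEndPoint_2" endPointName="CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS">
      <endPoint xmi:id="EndPoint_2" host="myhost" port="9403"/>
    </specialEndpoints>
    <specialEndpoints xmi:id="NamedEndPoint_3" endPointName="CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS">
      <endPoint xmi:id="EndPoint_3" host="myhost" port="9402"/>
    </specialEndpoints>
  </serverEntries>
  <serverEntries xmi:id="ServerEntry_2" serverName="server2" serverType="APPLICATION_SERVER">
    <specialEndpoints xmi:id="NamedEndPoint_4" endPointName="ORB_LISTENER_ADDRESS">
      <endPoint xmi:id="EndPoint_4" host="myhost" port="0"/>
    </specialEndpoints>
    <specialEndpoints xmi:id="NamedEndPoint_5" endPointName="CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS">
      <endPoint xmi:id="EndPoint_5" host="myhost" port="9403"/>
    </specialEndpoints>
  </serverEntries>
</serverindex:ServerIndex>
"""


def parse_orb_endpoints(xml_text):
    """Return {server_name: {endpoint_name: (host, port)}} for the ORB security endpoints only."""
    root = ET.fromstring(xml_text)
    result = {}
    # serverEntries/specialEndpoints carry no namespace prefix in this layout,
    # so plain tag names match.
    for entry in root.iter("serverEntries"):
        endpoints = {}
        for special in entry.findall("specialEndpoints"):
            name = special.get("endPointName")
            if name not in ORB_SECURITY_ENDPOINTS:
                continue
            ep = special.find("endPoint")
            if ep is None:
                continue
            endpoints[name] = (ep.get("host"), int(ep.get("port")))
        result[entry.get("serverName")] = endpoints
    return result


def audit(endpoints):
    """Return findings: dynamic ports, missing ORB listener, and host:port conflicts."""
    findings = []
    in_use = defaultdict(list)  # (host, port) -> [(server, endpoint_name)]
    for server, eps in sorted(endpoints.items()):
        if "ORB_LISTENER_ADDRESS" not in eps:
            findings.append(f"{server}: no ORB_LISTENER_ADDRESS defined; the ORB will "
                            "pick an ephemeral port that cannot be opened on a firewall")
        for name, (host, port) in sorted(eps.items()):
            if port == 0:
                findings.append(f"{server}: {name} is 0 (dynamic); assign a static port "
                                "so it can be opened on the firewall")
            else:
                in_use[(host, port)].append((server, name))
    for (host, port), users in sorted(in_use.items()):
        if len(users) > 1:
            who = ", ".join(f"{s}/{n}" for s, n in users)
            findings.append(f"port conflict on {host}:{port}: {who}")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVERINDEX
    parsed = parse_orb_endpoints(text)
    for server, eps in parsed.items():
        for name, (host, port) in eps.items():
            print(f"{server:10} {name:42} {ORB_SECURITY_ENDPOINTS[name]:38} {host}:{port}")
    for finding in audit(parsed):
        print("FINDING:", finding)
```

Run it with the path to a node's serverindex.xml as the first argument; with no argument it audits the constructed sample and reports server2's dynamic ORB port and the conflict on myhost:9403. An endpoint that only appears under one server but is missing from another is reported too, so a server that was never given an ORB_LISTENER_ADDRESS shows up before the firewall rule silently fails.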
Results
The inbound transport configuration is complete. With this
configuration, you can configure a different transport for inbound
security versus outbound security. For example, if the application
server is the first server that users contact, you might require SSL,
and possibly SSL client certificate authentication, on its inbound
transport. When requests go outbound to back-end enterprise bean
servers, you might relax the transport to TCP/IP for performance
reasons. Relax the outbound transport only where the network between
the servers is trusted, because a TCP/IP transport carries the IIOP
traffic in the clear. With this flexibility you can design the right
transport infrastructure to meet your needs.
What to do next
When you finish configuring security, perform the following
steps to save, synchronize, and restart the servers:
- Click Save in the administrative console to save any modifications
to the configuration.
- Stop and restart all servers, when synchronized.